From: Nayna Jain <na...@linux.ibm.com> When CONFIG_KEXEC_VERIFY_SIG is enabled, the kexec_file_load syscall requires the kexec'd kernel image to be signed. Distros are concerned about totally disabling the kexec_load syscall. As a compromise, the kexec_load syscall will only be disabled when CONFIG_KEXEC_VERIFY_SIG is configured and the system is booted with secureboot enabled.
This patch disables the kexec_load syscall only for systems booted with secureboot enabled. Signed-off-by: Nayna Jain <na...@linux.ibm.com> Cc: David Howells <dhowe...@redhat.com> Cc: Eric Biederman <ebied...@xmission.com> Cc: Peter Jones <pjo...@redhat.com> Cc: Vivek Goyal <vgo...@redhat.com> Cc: Dave Young <dyo...@redhat.com> --- security/integrity/ima/ima_main.c | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index dce0a8a217bb..9031c99e37a6 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -505,20 +505,24 @@ int ima_post_read_file(struct file *file, void *buf, loff_t size, */ int ima_load_data(enum kernel_load_data_id id) { - bool sig_enforce; + bool ima_enforce, sig_enforce; - if ((ima_appraise & IMA_APPRAISE_ENFORCE) != IMA_APPRAISE_ENFORCE) - return 0; + ima_enforce = + (ima_appraise & IMA_APPRAISE_ENFORCE) == IMA_APPRAISE_ENFORCE; switch (id) { case LOADING_KEXEC_IMAGE: - if (ima_appraise & IMA_APPRAISE_KEXEC) { + if (IS_ENABLED(CONFIG_KEXEC_VERIFY_SIG) + && arch_ima_get_secureboot()) + return -EACCES; + + if (ima_enforce && (ima_appraise & IMA_APPRAISE_KEXEC)) { pr_err("impossible to appraise a kernel image without a file descriptor; try using kexec_file_load syscall.\n"); return -EACCES; /* INTEGRITY_UNKNOWN */ } break; case LOADING_FIRMWARE: - if (ima_appraise & IMA_APPRAISE_FIRMWARE) { + if (ima_enforce && (ima_appraise & IMA_APPRAISE_FIRMWARE)) { pr_err("Prevent firmware sysfs fallback loading.\n"); return -EACCES; /* INTEGRITY_UNKNOWN */ } @@ -526,7 +530,8 @@ int ima_load_data(enum kernel_load_data_id id) case LOADING_MODULE: sig_enforce = is_module_sig_enforced(); - if (!sig_enforce && (ima_appraise & IMA_APPRAISE_MODULES)) { + if (ima_enforce && (!sig_enforce + && (ima_appraise & IMA_APPRAISE_MODULES))) { pr_err("impossible to appraise a module without a file descriptor. sig_enforce kernel parameter might help\n"); return -EACCES; /* INTEGRITY_UNKNOWN */ } -- 2.13.6 _______________________________________________ kexec mailing list kexec@lists.infradead.org http://lists.infradead.org/mailman/listinfo/kexec