On Fri, 21 Jun 2019, Matthew Garrett wrote: > From: Jiri Bohac <[email protected]> > > When KEXEC_SIG is not enabled, kernel should not load images through > kexec_file systemcall if the kernel is locked down.
This is not a criticism of the patch but a related issue which I haven't seen discussed (apologies if it has). If signed code is loaded into ring 0, verified by the kernel, then executed, you still lose your secure/trusted/verified boot state. If the currently running kernel has been runtime-compromised, any signature verification performed by the kernel cannot be trusted. This problem is out of scope for the lockdown threat model (which naturally cannot include a compromised kernel), but folk should be aware that signature-verified kexec does not provide equivalent assurance to a full reboot on a secure-boot system. Potential mitigations here include runtime integrity verification of the kernel via a separate security monitor (hypervisor, SMM, TEE etc.) or some kind of platform support for kexec verification. -- James Morris <[email protected]>
