From: Jiri Bohac <jbohac@suse.cz>
To: lijiang <lijiang@redhat.com>
Cc: linux-kernel@vger.kernel.org, kexec@lists.infradead.org,
ebiederm@xmission.com, jmorris@namei.org, mjg59@google.com,
dyoung@redhat.com, bhe@redhat.com
Subject: Re: [PATCH] kexec: Do not verify the signature without the lockdown or mandatory signature
Date: Wed, 27 May 2020 12:16:18 +0200 [thread overview]
Message-ID: <20200527101618.jgbxbk5ooiaett43@dwarf.suse.cz> (raw)
In-Reply-To: <4da44e94-a839-2033-29d2-90bebd4ee1e2@redhat.com>
On Wed, May 27, 2020 at 12:08:12PM +0800, lijiang wrote:
> Or the following change looks better? What's your opinion?
>
> static int
> kimage_validate_signature(struct kimage *image)
> {
> int ret;
>
> ret = arch_kexec_kernel_verify_sig(image, image->kernel_buf,
> image->kernel_buf_len);
> if (ret) {
>
> if (IS_ENABLED(CONFIG_KEXEC_SIG_FORCE)) {
> pr_notice("Enforced kernel signature verification failed (%d).\n", ret);
> return ret;
> }
>
> /*
> * If IMA is guaranteed to appraise a signature on the kexec
> * image, permit it even if the kernel is otherwise locked
> * down.
> */
> if (!ima_appraise_signature(READING_KEXEC_IMAGE) &&
> security_locked_down(LOCKDOWN_KEXEC))
> return -EPERM;
>
> pr_debug("kernel signature verification failed (%d).\n", ret);
> }
>
> return 0;
> }
Looks good to me, thanks!
--
Jiri Bohac <jbohac@suse.cz>
SUSE Labs, Prague, Czechia
WARNING: multiple messages have this Message-ID (diff)
From: Jiri Bohac <jbohac@suse.cz>
To: lijiang <lijiang@redhat.com>
Cc: bhe@redhat.com, kexec@lists.infradead.org, jmorris@namei.org,
mjg59@google.com, linux-kernel@vger.kernel.org,
ebiederm@xmission.com, dyoung@redhat.com
Subject: Re: [PATCH] kexec: Do not verify the signature without the lockdown or mandatory signature
Date: Wed, 27 May 2020 12:16:18 +0200 [thread overview]
Message-ID: <20200527101618.jgbxbk5ooiaett43@dwarf.suse.cz> (raw)
In-Reply-To: <4da44e94-a839-2033-29d2-90bebd4ee1e2@redhat.com>
On Wed, May 27, 2020 at 12:08:12PM +0800, lijiang wrote:
> Or the following change looks better? What's your opinion?
>
> static int
> kimage_validate_signature(struct kimage *image)
> {
> int ret;
>
> ret = arch_kexec_kernel_verify_sig(image, image->kernel_buf,
> image->kernel_buf_len);
> if (ret) {
>
> if (IS_ENABLED(CONFIG_KEXEC_SIG_FORCE)) {
> pr_notice("Enforced kernel signature verification failed (%d).\n", ret);
> return ret;
> }
>
> /*
> * If IMA is guaranteed to appraise a signature on the kexec
> * image, permit it even if the kernel is otherwise locked
> * down.
> */
> if (!ima_appraise_signature(READING_KEXEC_IMAGE) &&
> security_locked_down(LOCKDOWN_KEXEC))
> return -EPERM;
>
> pr_debug("kernel signature verification failed (%d).\n", ret);
> }
>
> return 0;
> }
Looks good to me, thanks!
--
Jiri Bohac <jbohac@suse.cz>
SUSE Labs, Prague, Czechia
_______________________________________________
kexec mailing list
kexec@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/kexec
next prev parent reply other threads:[~2020-05-27 10:16 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-05-25 5:23 [PATCH] kexec: Do not verify the signature without the lockdown or mandatory signature Lianbo Jiang
2020-05-25 5:23 ` Lianbo Jiang
2020-05-26 5:04 ` Dave Young
2020-05-26 5:04 ` Dave Young
2020-05-26 13:59 ` Jiri Bohac
2020-05-26 13:59 ` Jiri Bohac
2020-05-27 3:15 ` lijiang
2020-05-27 3:15 ` lijiang
2020-05-27 4:08 ` lijiang
2020-05-27 4:08 ` lijiang
2020-05-27 10:16 ` Jiri Bohac [this message]
2020-05-27 10:16 ` Jiri Bohac
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200527101618.jgbxbk5ooiaett43@dwarf.suse.cz \
--to=jbohac@suse.cz \
--cc=bhe@redhat.com \
--cc=dyoung@redhat.com \
--cc=ebiederm@xmission.com \
--cc=jmorris@namei.org \
--cc=kexec@lists.infradead.org \
--cc=lijiang@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mjg59@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.