linux-security-module.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: jbohac@suse.cz (Jiri Bohac)
To: linux-security-module@vger.kernel.org
Subject: [PATCH 08b/30] kexec_file: Restrict at runtime if the kernel is locked down
Date: Thu, 11 Jan 2018 13:02:56 +0100	[thread overview]
Message-ID: <20180111120256.oymjgfbndbofasp5@dwarf.suse.cz> (raw)
In-Reply-To: <20180111115915.dejachty3l7fwpmf@dwarf.suse.cz>

When KEXEC_VERIFY_SIG is not enabled, kernel should not load images through
kexec_file systemcall if the kernel is locked down unless IMA can be used
to validate the image.

Signed-off-by: Jiri Bohac <jbohac@suse.cz>

diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
--- a/kernel/kexec_file.c
+++ b/kernel/kexec_file.c
@@ -144,7 +144,13 @@ kimage_file_prepare_segments(struct kimage *image, int kernel_fd, int initrd_fd,
 		pr_debug("kernel signature verification successful.\n");
 #endif
 
-	if (sig_err && IS_ENABLED(CONFIG_KEXEC_SIG_FORCE)) {
+	/* Don't permit images to be loaded into trusted kernels without
+	 * a valid signature on them
+	 */
+	if (sig_err &&
+	    (IS_ENABLED(CONFIG_KEXEC_SIG_FORCE) ||
+	     (!is_ima_appraise_enabled() &&
+	      kernel_is_locked_down("kexec of unsigned images")))) {
 		ret = sig_err;
 		goto out;
 	}

-- 
Jiri Bohac <jbohac@suse.cz>
SUSE Labs, Prague, Czechia

--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

  parent reply	other threads:[~2018-01-11 12:02 UTC|newest]

Thread overview: 58+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-11-09 17:30 [PATCH 00/30] security, efi: Add kernel lockdown David Howells
2017-11-09 17:30 ` [PATCH 01/30] Add the ability to lock down access to the running kernel image David Howells
2017-11-09 17:30 ` [PATCH 02/30] Add a SysRq option to lift kernel lockdown David Howells
2017-11-09 17:31 ` [PATCH 03/30] ima: require secure_boot rules in lockdown mode David Howells
2017-11-09 17:31 ` [PATCH 04/30] Enforce module signatures if the kernel is locked down David Howells
2017-11-09 17:31 ` [PATCH 05/30] Restrict /dev/{mem, kmem, port} when " David Howells
2017-11-09 17:31 ` [PATCH 06/30] kexec: Disable at runtime if " David Howells
2017-11-09 17:31 ` [PATCH 07/30] Copy secure_boot flag in boot params across kexec reboot David Howells
2017-11-09 17:31 ` [PATCH 08/30] kexec_file: Restrict at runtime if the kernel is locked down David Howells
2018-01-11 11:59   ` Jiri Bohac
2018-01-11 12:01     ` [PATCH 08a/30] kexec_file: split KEXEC_VERIFY_SIG into KEXEC_SIG and KEXEC_SIG_FORCE Jiri Bohac
2018-01-11 12:02     ` Jiri Bohac [this message]
2018-01-16 16:31     ` David Howells
2018-01-16 19:39       ` Jiri Bohac
2018-01-17 16:34       ` David Howells
2018-01-19 12:54         ` Jiri Bohac
2018-02-21 16:20         ` David Howells
2018-01-11 12:43   ` [PATCH 08/30] kexec_file: Restrict at runtime if the kernel is locked down David Howells
2018-01-11 12:47   ` David Howells
2018-01-11 15:44     ` Jiri Bohac
2018-01-17 16:16     ` David Howells
2017-11-09 17:31 ` [PATCH 09/30] hibernate: Disable when " David Howells
2017-11-09 17:31 ` [PATCH 10/30] uswsusp: " David Howells
2017-11-09 17:32 ` [PATCH 11/30] PCI: Lock down BAR access " David Howells
2017-11-09 17:32 ` [PATCH 12/30] x86: Lock down IO port " David Howells
2017-11-09 17:32 ` [PATCH 13/30] x86/msr: Restrict MSR " David Howells
2017-11-09 17:32 ` [PATCH 14/30] asus-wmi: Restrict debugfs interface " David Howells
2017-11-09 17:32 ` [PATCH 15/30] ACPI: Limit access to custom_method " David Howells
2017-11-09 17:32 ` [PATCH 16/30] acpi: Ignore acpi_rsdp kernel param when the kernel has been " David Howells
2017-11-09 17:32 ` [PATCH 17/30] acpi: Disable ACPI table override if the kernel is " David Howells
2017-11-09 17:32 ` [PATCH 18/30] acpi: Disable APEI error injection " David Howells
2019-11-07  8:21   ` Joey Lee
2022-05-28  0:11     ` joeyli
2017-11-09 17:33 ` [PATCH 19/30] scsi: Lock down the eata driver David Howells
2017-11-09 17:33 ` [PATCH 20/30] Prohibit PCMCIA CIS storage when the kernel is locked down David Howells
2017-11-09 17:33 ` [PATCH 21/30] Lock down TIOCSSERIAL David Howells
2017-11-09 17:33 ` [PATCH 22/30] Lock down module params that specify hardware parameters (eg. ioport) David Howells
2017-11-09 17:33 ` [PATCH 23/30] x86/mmiotrace: Lock down the testmmiotrace module David Howells
2017-11-09 17:33 ` [PATCH 24/30] debugfs: Disallow use of debugfs files when the kernel is locked down David Howells
2017-11-09 17:33 ` [PATCH 25/30] Lock down /proc/kcore David Howells
2017-11-09 17:33 ` [PATCH 26/30] Lock down ftrace David Howells
2017-11-10  9:23   ` Jiri Kosina
2017-11-10 10:07   ` David Howells
2017-11-10 10:15     ` Jiri Kosina
2017-11-10 10:21     ` David Howells
2017-11-10 10:23       ` Jiri Kosina
2017-11-10 11:06       ` David Howells
2017-11-09 17:34 ` [PATCH 27/30] Lock down kprobes David Howells
2017-11-09 17:34 ` [PATCH 28/30] bpf: Restrict kernel image access functions when the kernel is locked down David Howells
2017-11-09 17:34 ` [PATCH 29/30] efi: Add an EFI_SECURE_BOOT flag to indicate secure boot mode David Howells
2017-11-09 17:34 ` [PATCH 30/30] efi: Lock down the kernel if booted in " David Howells
2018-02-22 13:07 ` [PATCH 04/30] Enforce module signatures if the kernel is locked down David Howells
2018-02-22 18:44   ` Jiri Bohac
2018-02-22 14:20 ` [PATCH 08/30] kexec_file: Restrict at runtime " David Howells
2018-02-22 19:08   ` Jiri Bohac
2018-02-22 14:21 ` David Howells
2018-02-22 19:14   ` Jiri Bohac
2018-03-03  1:18 ` [PATCH 00/30] security, efi: Add kernel lockdown Andrew Morton

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20180111120256.oymjgfbndbofasp5@dwarf.suse.cz \
    --to=jbohac@suse.cz \
    --cc=linux-security-module@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).