]> git.baikalelectronics.ru Git - kernel.git/commit
projects / kernel.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 1aae991) | patch
ima: force signature verification when CONFIG_KEXEC_SIG is configured
authorCoiby Xu <coxu@redhat.com>
Wed, 13 Jul 2022 07:21:11 +0000 (15:21 +0800)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 21 Jul 2022 19:24:29 +0000 (21:24 +0200)
commitc9f07b59ac417b93b253315eca8ad00221a109d9
tree281e9dda1894a252498c58f7249633d14604a8fetree | snapshot
parent1aae991da0c7c2a82bce93f71070376a435b6e48commit | diff
ima: force signature verification when CONFIG_KEXEC_SIG is configured

[ Upstream commit d89dd852583f9e0737a5d11165451a9899db4a85 ]

Currently, an unsigned kernel could be kexec'ed when IMA arch specific
policy is configured unless lockdown is enabled. Enforce kernel
signature verification check in the kexec_file_load syscall when IMA
arch specific policy is configured.

Fixes: 547fba32d066 ("kexec_file: split KEXEC_VERIFY_SIG into KEXEC_SIG and KEXEC_SIG_FORCE")
Reported-and-suggested-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Coiby Xu <coxu@redhat.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
include/linux/kexec.h diff | blob | history
kernel/kexec_file.c diff | blob | history
security/integrity/ima/ima_efi.c diff | blob | history
Linux Kernel Source Tree.