summaryrefslogtreecommitdiff
path: root/kernel/kexec_file.c
diff options
context:
space:
mode:
authorMatthew Garrett <matthewgarrett@google.com>2019-08-19 17:18:01 -0700
committerJames Morris <jmorris@namei.org>2019-08-19 21:54:16 -0700
commit29d3c1c8dfe752c01b7115ecd5a3142b232a38e1 (patch)
tree9a42db9e64c08db645dcf9689344d4f718b4d518 /kernel/kexec_file.c
parentb0c8fdc7fdb77586c3d1937050925b960743306e (diff)
downloadlwn-29d3c1c8dfe752c01b7115ecd5a3142b232a38e1.tar.gz
lwn-29d3c1c8dfe752c01b7115ecd5a3142b232a38e1.zip
kexec: Allow kexec_file() with appropriate IMA policy when locked down
Systems in lockdown mode should block the kexec of untrusted kernels. For x86 and ARM we can ensure that a kernel is trustworthy by validating a PE signature, but this isn't possible on other architectures. On those platforms we can use IMA digital signatures instead. Add a function to determine whether IMA has or will verify signatures for a given event type, and if so permit kexec_file() even if the kernel is otherwise locked down. This is restricted to cases where CONFIG_INTEGRITY_TRUSTED_KEYRING is set in order to prevent an attacker from loading additional keys at runtime. Signed-off-by: Matthew Garrett <mjg59@google.com> Acked-by: Mimi Zohar <zohar@linux.ibm.com> Cc: Dmitry Kasatkin <dmitry.kasatkin@gmail.com> Cc: linux-integrity@vger.kernel.org Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'kernel/kexec_file.c')
-rw-r--r--kernel/kexec_file.c10
1 files changed, 9 insertions, 1 deletions
diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
index 43109ef4d6bf..7f4a618fc8c1 100644
--- a/kernel/kexec_file.c
+++ b/kernel/kexec_file.c
@@ -208,7 +208,15 @@ kimage_validate_signature(struct kimage *image)
return ret;
}
- return security_locked_down(LOCKDOWN_KEXEC);
+ /* If IMA is guaranteed to appraise a signature on the kexec
+ * image, permit it even if the kernel is otherwise locked
+ * down.
+ */
+ if (!ima_appraise_signature(READING_KEXEC_IMAGE) &&
+ security_locked_down(LOCKDOWN_KEXEC))
+ return -EPERM;
+
+ return 0;
/* All other errors are fatal, including nomem, unparseable
* signatures and signature check failures - even if signatures