diff options
author | Matthew Garrett <matthewgarrett@google.com> | 2019-08-20 02:18:01 +0200 |
---|---|---|
committer | James Morris <jmorris@namei.org> | 2019-08-20 06:54:16 +0200 |
commit | 29d3c1c8dfe752c01b7115ecd5a3142b232a38e1 (patch) | |
tree | 9a42db9e64c08db645dcf9689344d4f718b4d518 /kernel | |
parent | lockdown: Lock down perf when in confidentiality mode (diff) | |
download | linux-29d3c1c8dfe752c01b7115ecd5a3142b232a38e1.tar.xz linux-29d3c1c8dfe752c01b7115ecd5a3142b232a38e1.zip |
kexec: Allow kexec_file() with appropriate IMA policy when locked down
Systems in lockdown mode should block the kexec of untrusted kernels.
For x86 and ARM we can ensure that a kernel is trustworthy by validating
a PE signature, but this isn't possible on other architectures. On those
platforms we can use IMA digital signatures instead. Add a function to
determine whether IMA has or will verify signatures for a given event type,
and if so permit kexec_file() even if the kernel is otherwise locked down.
This is restricted to cases where CONFIG_INTEGRITY_TRUSTED_KEYRING is set
in order to prevent an attacker from loading additional keys at runtime.
Signed-off-by: Matthew Garrett <mjg59@google.com>
Acked-by: Mimi Zohar <zohar@linux.ibm.com>
Cc: Dmitry Kasatkin <dmitry.kasatkin@gmail.com>
Cc: linux-integrity@vger.kernel.org
Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'kernel')
-rw-r--r-- | kernel/kexec_file.c | 10 |
1 files changed, 9 insertions, 1 deletions
diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c index 43109ef4d6bf..7f4a618fc8c1 100644 --- a/kernel/kexec_file.c +++ b/kernel/kexec_file.c @@ -208,7 +208,15 @@ kimage_validate_signature(struct kimage *image) return ret; } - return security_locked_down(LOCKDOWN_KEXEC); + /* If IMA is guaranteed to appraise a signature on the kexec + * image, permit it even if the kernel is otherwise locked + * down. + */ + if (!ima_appraise_signature(READING_KEXEC_IMAGE) && + security_locked_down(LOCKDOWN_KEXEC)) + return -EPERM; + + return 0; /* All other errors are fatal, including nomem, unparseable * signatures and signature check failures - even if signatures |