[PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set
Dave Young
dyoung at redhat.com
Fri Apr 7 07:41:59 UTC 2017
On 04/07/17 at 08:07am, David Howells wrote:
> Dave Young <dyoung at redhat.com> wrote:
>
> > > > > + /* Don't permit images to be loaded into trusted kernels if we're not
> > > > > + * going to verify the signature on them
> > > > > + */
> > > > > + if (!IS_ENABLED(CONFIG_KEXEC_VERIFY_SIG) && kernel_is_locked_down())
> > > > > + return -EPERM;
> > > > > +
> > > > >
> > >
> > > IMA can be used to verify file signatures too, based on the LSM hooks
> > > in kernel_read_file_from_fd(). CONFIG_KEXEC_VERIFY_SIG should not be
> > > required.
> >
> > Mimi, I remember we talked somthing before about the two signature
> > verification. One can change IMA policy in initramfs userspace,
> > also there are kernel cmdline param to disable IMA, so it can break the
> > lockdown? Suppose kexec boot with ima disabled cmdline param and then
> > kexec reboot again..
>
> I guess I should lock down the parameter to disable IMA too.
That is one thing, user can change IMA policy in initramfs userspace,
I'm not sure if IMA enforce the signed policy now, if no it will be also
a problem.
Thanks
Dave
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
More information about the Linux-security-module-archive
mailing list