[PATCH 08/30] kexec_file: Restrict at runtime if the kernel is locked down
David Howells
dhowells at redhat.com
Thu Jan 11 12:43:20 UTC 2018
Jiri Bohac <jbohac at suse.cz> wrote:
> I don't like the idea that the lockdown (which is a runtime
> thing) requires a compile time option (KEXEC_VERIFY_SIG) that
> forces the verification even when the kernel is then not locked
> down at runtime.
It doesn't. The EPERM only triggers if:
(1) File signatures aren't mandatory (ie. CONFIG_KEXEC_VERIFY_SIG) is not
set, and
(2) you're not using IMA appraisal to validate the file contents, and
(3) lockdown mode is enabled.
If file signatures are mandatory or IMA appraisal is in use, then the lockdown
state doesn't need to be checked.
David
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
More information about the Linux-security-module-archive
mailing list