[PATCH V31 07/25] kexec_file: Restrict at runtime if the kernel is locked down
Matthew Garrett
mjg59 at google.com
Tue Jun 25 00:02:29 UTC 2019
On Mon, Jun 24, 2019 at 2:27 PM Mimi Zohar <zohar at linux.ibm.com> wrote:
> I agree with Dave. There should be a stub lockdown function to
> prevent enforcing lockdown when it isn't enabled.
Sorry, when what isn't enabled? If no LSMs are enforcing lockdown then
the check will return 0. The goal here is for distributions to be able
to ship a kernel that has CONFIG_KEXEC_SIG=y, CONFIG_KEXEC_SIG_FORCE=n
and at runtime be able to enforce a policy that requires signatures on
kexec payloads.
More information about the Linux-security-module-archive
mailing list