[PATCH V34 09/29] kexec_file: Restrict at runtime if the kernel is locked down
James Morris
jmorris at namei.org
Thu Jun 27 04:59:09 UTC 2019
On Fri, 21 Jun 2019, Matthew Garrett wrote:
> From: Jiri Bohac <jbohac at suse.cz>
>
> When KEXEC_SIG is not enabled, kernel should not load images through
> kexec_file systemcall if the kernel is locked down.
This is not a criticism of the patch but a related issue which I haven't
seen discussed (apologies if it has).
If signed code is loaded into ring 0, verified by the kernel, then
executed, you still lose your secure/trusted/verified boot state. If the
currently running kernel has been runtime-compromised, any signature
verification performed by the kernel cannot be trusted.
This problem is out of scope for the lockdown threat model (which
naturally cannot include a compromised kernel), but folk should be aware
that signature-verified kexec does not provide equivalent assurance to a
full reboot on a secure-boot system.
Potential mitigations here include runtime integrity verification of the
kernel via a separate security monitor (hypervisor, SMM, TEE etc.) or some
kind of platform support for kexec verification.
--
James Morris
<jmorris at namei.org>
More information about the Linux-security-module-archive
mailing list