[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <e1a3b460fe2d12afd897fc3c378fe86902f5bb57.camel@linux.ibm.com>
Date: Tue, 12 Jul 2022 07:40:43 -0400
From: Mimi Zohar <zohar@...ux.ibm.com>
To: Coiby Xu <coxu@...hat.com>, linux-integrity@...r.kernel.org
Cc: kexec@...ts.infradead.org, Baoquan He <bhe@...hat.com>,
Eric Biederman <ebiederm@...ssion.com>,
Dmitry Kasatkin <dmitry.kasatkin@...il.com>,
James Morris <jmorris@...ei.org>,
"Serge E. Hallyn" <serge@...lyn.com>,
David Howells <dhowells@...hat.com>,
Jiri Bohac <jbohac@...e.cz>,
Matthew Garrett <mjg59@...gle.com>,
open list <linux-kernel@...r.kernel.org>,
"open list:SECURITY SUBSYSTEM"
<linux-security-module@...r.kernel.org>
Subject: Re: [PATCH] ima: force signature verification when CONFIG_KEXEC_SIG
is configured
On Tue, 2022-07-12 at 17:33 +0800, Coiby Xu wrote:
> Currently, an unsigned kernel could be kexec'ed when IMA arch specific
> policy is configured unless lockdown is enabled. Enforce kernel
> signature verification check in the kexec_file_load syscall when IMA
> arch specific policy is configured.
>
> Fixes: 99d5cadfde2b ("kexec_file: split KEXEC_VERIFY_SIG into KEXEC_SIG and KEXEC_SIG_FORCE")
> Reported-by: Mimi Zohar <zohar@...ux.ibm.com>
> Suggested-by: Mimi Zohar <zohar@...ux.ibm.com>
> Signed-off-by: Coiby Xu <coxu@...hat.com>
Thanks, Coiby. This patch is now queued in next-integrity/next-
integrity-testing.
Mimi
Powered by blists - more mailing lists