[PATCH] ima: Use KEXEC_SIG_FORCE for rejecting unsigned kexec images

Next message: Rakesh Kota: "Re: [PATCH] arm64: dts: qcom: monaco-pmics: Add PON power key and reset inputs"
Previous message: Andy Shevchenko: "Re: [PATCH v10 00/11] ADF41513/ADF41510 PLL frequency synthesizers"
Next in thread: Mimi Zohar: "Re: [PATCH] ima: Use KEXEC_SIG_FORCE for rejecting unsigned kexec images"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Chi Wang

Date: Wed Apr 15 2026 - 06:24:54 EST

From: Chi Wang <wangchi@xxxxxxxxxx>

Following the split of KEXEC_VERIFY_SIG into KEXEC_SIG and KEXEC_SIG_FORCE,
only KEXEC_SIG_FORCE indicates that unsigned kernel images must be rejected.
KEXEC_SIG alone enables signature verification but permits unsigned images,
so it should not trigger the IMA appraisal denial for kexec_load.

Update the condition in ima_load_data() to check for KEXEC_SIG_FORCE
instead of KEXEC_SIG.

Fixes: 99d5cadfde2b ("kexec_file: split KEXEC_VERIFY_SIG into KEXEC_SIG and KEXEC_SIG_FORCE")

Signed-off-by: Chi Wang <wangchi@xxxxxxxxxx>
---
security/integrity/ima/ima_main.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index 1d6229b156fb..ec70e78ab8cd 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -953,7 +953,7 @@ static int ima_load_data(enum kernel_load_data_id id, bool contents)

switch (id) {
case LOADING_KEXEC_IMAGE:
- if (IS_ENABLED(CONFIG_KEXEC_SIG)
+ if (IS_ENABLED(CONFIG_KEXEC_SIG_FORCE)
&& arch_ima_get_secureboot()) {
pr_err("impossible to appraise a kernel image without a file descriptor; try using kexec_file_load syscall.\n");
return -EACCES;
--
2.25.1