Re: [PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set

From: David Howells
Date: Thu Oct 26 2017 - 11:02:32 EST

Next message: Theodore Ts'o: "Re: [PATCH RFC] random: fix syzkaller fuzzer test int overflow"
Previous message: Nick Sarnie: "Re: [PATCH] KVM: SVM: obey guest PAT"
In reply to: Mimi Zohar: "Re: [PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set"
Next in thread: Mimi Zohar: "Re: [PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

joeyli <jlee@xxxxxxxx> wrote:

> + if (!IS_ENABLED(CONFIG_KEXEC_VERIFY_SIG) &&
> + !is_ima_appraise_enabled() &&
> + kernel_is_locked_down("kexec of unsigned images"))

This doesn't seem right. It seems that you can then kexec unsigned images
into a locked-down kernel if IMA appraise is enabled.

I think the commit message needs expansion as to why it's okay. Can you also
do it as an additional patch rather than altering the original IMA-less patch
7?

David

Next message: Theodore Ts'o: "Re: [PATCH RFC] random: fix syzkaller fuzzer test int overflow"
Previous message: Nick Sarnie: "Re: [PATCH] KVM: SVM: obey guest PAT"
In reply to: Mimi Zohar: "Re: [PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set"
Next in thread: Mimi Zohar: "Re: [PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]