Re: [PATCH 08/30] kexec_file: Restrict at runtime if the kernel is locked down
From: David Howells
Date: Wed Jan 17 2018 - 11:17:43 EST
Jiri Bohac <jbohac@xxxxxxx> wrote:
> > Having said that, I do see your point, I think. We should still let through
> > validly signed images, even if signatures aren't mandatory in lockdown mode.
>
> yes, to be clear, the problem I'm trying to fix is:
> - without CONFIG_KEXEC_VERIFY_SIG kexec in a locked down kernel
> will not work at all -> every distro that wants to support
> secureboot will need to enable CONFIG_KEXEC_VERIFY_SIG;
>
> - once CONFIG_KEXEC_VERIFY_SIG is enabled, kexec images need to
> be signed even if secureboot is not used
>
> The problem is that CONFIG_KEXEC_VERIFY_SIG enables both the
> implementation and the enforcement of the signature checking.
Yep. I understand that.
> What I'm proposing are new config options that allow a kernel to
> be compiled in such a way that:
> - kexec works even without signatures if secureboot is off
> - kexec works with secureboot but requires signed images
Agreed to both of those. I also agree with making it possible to
configurationally require signatures, which your first patch does.
> The semantics should be the same as with signed modules, because
> requiring kexec signatures when you can load unsigned modules is
> futile. But with your original patchset, that's exactly what
> distro kernels will be doing when booted with secureboot off,
> MODULE_SIG_FORCE=n and KEXEC_VERIFY_SIG=y.
I should fix that.
David