[PATCH] lockdown: allow kexec_file of unsigned images when not under lockdown
From: Thadeu Lima de Souza Cascardo
Date: Thu Nov 01 2018 - 18:53:34 EST

If CONFIG_KEXEC_VERIFY_SIG is enabled, kexec -s with an unsigned image will
fail, requiring an image signed with a trusted key. However, that same
kernel will allow kexec to load and boot a kernel, if kexec_file_load is
not used.

Now, lockdown brings a solution to this inconsistency. However, as it is,
it will still prevent an unsigned image from being loaded with kexec -s when
the system is not under lockdown, while still allowing kexec to work.

At the same time, with lockdown, kexec_file_load would still work when
CONFIG_KEXEC_VERIFY_SIG is disabled.

Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@xxxxxxxxxxxxx>
---
kernel/kexec_file.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
index 35cf0ad29718..b64f32fda9ca 100644
--- a/kernel/kexec_file.c
+++ b/kernel/kexec_file.c
@@ -211,10 +211,17 @@ kimage_file_prepare_segments(struct kimage *image, int kernel_fd, int initrd_fd,
image->kernel_buf_len);
if (ret) {
pr_debug("kernel signature verification failed.\n");
- goto out;
+ } else {
+ pr_debug("kernel signature verification successful.\n");
}
- pr_debug("kernel signature verification successful.\n");
+#elif
+ ret = -EPERM;
#endif
+ if (ret && kernel_is_locked_down("kexec of unsigned images"))
+ goto out;
+ else
+ ret = 0;
+
/* It is possible that there no initramfs is being loaded */
if (!(flags & KEXEC_FILE_NO_INITRAMFS)) {
ret = kernel_read_file_from_fd(initrd_fd, &image->initrd_buf,
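Review bot: the bare `#elif` ahead of `ret = -EPERM;` has no expression, which is not valid preprocessor syntax and will fail as soon as that branch is evaluated; `#else` looks like what was intended. Separately, the new `else ret = 0;` after the `kernel_is_locked_down("kexec of unsigned images")` check clears every non-zero `ret` when the system is not locked down, so any error returned by the verification call is discarded, not only the "image is unsigned" case. If only unsigned images are meant to pass, check for that specific error before resetting `ret`, and consider raising the failure message above `pr_debug` so that loading an unverified image outside lockdown leaves a trace in the log.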
--
2.19.1