[PATCH 03/27] Enforce module signatures if the kernel is locked down

[PATCH 00/27] security, efi: Add kernel lockdown · David Howells <dhowells@redhat.com> · 2017-10-19
[PATCH 01/27] Add the ability to lock down access to the running kernel image · David Howells <dhowells@redhat.com> · 2017-10-19
Re: [PATCH 01/27] Add the ability to lock down access to the running kernel image · James Morris <hidden> · 2017-10-20
[PATCH 02/27] Add a SysRq option to lift kernel lockdown · David Howells <dhowells@redhat.com> · 2017-10-19
Re: [PATCH 02/27] Add a SysRq option to lift kernel lockdown · Randy Dunlap <hidden> · 2017-10-19
Re: [PATCH 02/27] Add a SysRq option to lift kernel lockdown · David Howells <dhowells@redhat.com> · 2017-10-19
Re: [PATCH 02/27] Add a SysRq option to lift kernel lockdown · Thiago Jung Bauermann <hidden> · 2017-11-07
Re: [PATCH 02/27] Add a SysRq option to lift kernel lockdown · David Howells <dhowells@redhat.com> · 2017-11-07
[PATCH 03/27] Enforce module signatures if the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-10-19
Re: [PATCH 03/27] Enforce module signatures if the kernel is locked down · joeyli <jlee@suse.com> · 2017-10-20
Re: [PATCH 03/27] Enforce module signatures if the kernel is locked down · James Morris <hidden> · 2017-10-20
Re: [PATCH 03/27] Enforce module signatures if the kernel is locked down · Mimi Zohar <hidden> · 2017-10-27
Re: [PATCH 03/27] Enforce module signatures if the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-10-30
Re: [PATCH 03/27] Enforce module signatures if the kernel is locked down · Mimi Zohar <hidden> · 2017-10-30
Re: [PATCH 03/27] Enforce module signatures if the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-11-02
Re: [PATCH 03/27] Enforce module signatures if the kernel is locked down · Mimi Zohar <hidden> · 2017-11-02
Re: [PATCH 03/27] Enforce module signatures if the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-11-02
Re: [PATCH 03/27] Enforce module signatures if the kernel is locked down · Mimi Zohar <hidden> · 2017-11-02
Re: [PATCH 03/27] Enforce module signatures if the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-11-02
Re: [PATCH 03/27] Enforce module signatures if the kernel is locked down · Mimi Zohar <hidden> · 2017-11-02
[PATCH 04/27] Restrict /dev/mem and /dev/kmem when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-10-19
Re: [PATCH 04/27] Restrict /dev/mem and /dev/kmem when the kernel is locked down · joeyli <jlee@suse.com> · 2017-10-20
Re: [PATCH 04/27] Restrict /dev/mem and /dev/kmem when the kernel is locked down · James Morris <hidden> · 2017-10-20
Re: [PATCH 04/27] Restrict /dev/mem and /dev/kmem when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-10-23
Re: [PATCH 04/27] Restrict /dev/mem and /dev/kmem when the kernel is locked down · Ethan Zhao <hidden> · 2017-10-24
Re: [PATCH 04/27] Restrict /dev/mem and /dev/kmem when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-10-24
[PATCH 05/27] kexec: Disable at runtime if the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-10-19
Re: [PATCH 05/27] kexec: Disable at runtime if the kernel is locked down · joeyli <jlee@suse.com> · 2017-10-20
Re: [PATCH 05/27] kexec: Disable at runtime if the kernel is locked down · James Morris <hidden> · 2017-10-20
[PATCH 06/27] Copy secure_boot flag in boot params across kexec reboot · David Howells <dhowells@redhat.com> · 2017-10-19
Re: [PATCH 06/27] Copy secure_boot flag in boot params across kexec reboot · joeyli <jlee@suse.com> · 2017-10-20
[PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set · David Howells <dhowells@redhat.com> · 2017-10-19
Re: [PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set · James Morris <hidden> · 2017-10-20
Re: [PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set · Mimi Zohar <hidden> · 2017-10-23
Re: [PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set · joeyli <jlee@suse.com> · 2017-10-26
Re: [PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set · Mimi Zohar <hidden> · 2017-10-26
Re: [PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set · Mimi Zohar <hidden> · 2017-10-27
Re: [PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set · joeyli <jlee@suse.com> · 2017-10-28
Re: [PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set · Mimi Zohar <hidden> · 2017-10-29
Re: [PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set · Mimi Zohar <hidden> · 2017-10-28
Re: [PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set · David Howells <dhowells@redhat.com> · 2017-10-30
Re: [PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set · Mimi Zohar <hidden> · 2017-10-30
Re: [PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set · David Howells <dhowells@redhat.com> · 2017-10-26
Re: [PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set · Mimi Zohar <hidden> · 2017-10-26
Re: [PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set · David Howells <dhowells@redhat.com> · 2017-10-30
Re: [PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set · Mimi Zohar <hidden> · 2017-10-30
Re: [PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set · David Howells <dhowells@redhat.com> · 2017-11-02
Re: [PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set · David Howells <dhowells@redhat.com> · 2017-10-26
Re: [PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set · David Howells <dhowells@redhat.com> · 2017-11-02
[PATCH 08/27] hibernate: Disable when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-10-19
Re: [PATCH 08/27] hibernate: Disable when the kernel is locked down · joeyli <jlee@suse.com> · 2017-10-20
[PATCH 09/27] uswsusp: Disable when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-10-19
Re: [PATCH 09/27] uswsusp: Disable when the kernel is locked down · joeyli <jlee@suse.com> · 2017-10-20
Re: [PATCH 09/27] uswsusp: Disable when the kernel is locked down · James Morris <hidden> · 2017-10-20
[PATCH 10/27] PCI: Lock down BAR access when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-10-19
Re: [PATCH 10/27] PCI: Lock down BAR access when the kernel is locked down · joeyli <jlee@suse.com> · 2017-10-20
[PATCH 11/27] x86: Lock down IO port access when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-10-19
Re: [PATCH 11/27] x86: Lock down IO port access when the kernel is locked down · joeyli <jlee@suse.com> · 2017-10-20
[PATCH 12/27] x86/msr: Restrict MSR access when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-10-19
Re: [PATCH 12/27] x86/msr: Restrict MSR access when the kernel is locked down · joeyli <jlee@suse.com> · 2017-10-20
Re: [PATCH 12/27] x86/msr: Restrict MSR access when the kernel is locked down · Alan Cox <hidden> · 2017-10-20
Re: [PATCH 12/27] x86/msr: Restrict MSR access when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-10-20
Re: [PATCH 12/27] x86/msr: Restrict MSR access when the kernel is locked down · joeyli <jlee@suse.com> · 2017-10-21
Re: [PATCH 12/27] x86/msr: Restrict MSR access when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-10-23
Re: [PATCH 12/27] x86/msr: Restrict MSR access when the kernel is locked down · joeyli <jlee@suse.com> · 2017-10-25
[PATCH 13/27] asus-wmi: Restrict debugfs interface when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-10-19
Re: [PATCH 13/27] asus-wmi: Restrict debugfs interface when the kernel is locked down · joeyli <jlee@suse.com> · 2017-10-20
[PATCH 14/27] ACPI: Limit access to custom_method when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-10-19
Re: [PATCH 14/27] ACPI: Limit access to custom_method when the kernel is locked down · joeyli <jlee@suse.com> · 2017-10-20
[PATCH 15/27] acpi: Ignore acpi_rsdp kernel param when the kernel has been locked down · David Howells <dhowells@redhat.com> · 2017-10-19
Re: [PATCH 15/27] acpi: Ignore acpi_rsdp kernel param when the kernel has been locked down · joeyli <jlee@suse.com> · 2017-10-20
[PATCH 16/27] acpi: Disable ACPI table override if the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-10-19
Re: [PATCH 16/27] acpi: Disable ACPI table override if the kernel is locked down · joeyli <jlee@suse.com> · 2017-10-20
[PATCH 17/27] acpi: Disable APEI error injection if the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-10-19
Re: [PATCH 17/27] acpi: Disable APEI error injection if the kernel is locked down · joeyli <jlee@suse.com> · 2017-10-20
[PATCH 18/27] bpf: Restrict kernel image access functions when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-10-19
Re: [PATCH 18/27] bpf: Restrict kernel image access functions when the kernel is locked down · Alexei Starovoitov <hidden> · 2017-10-19
Re: [PATCH 18/27] bpf: Restrict kernel image access functions when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-10-19
Re: [PATCH 18/27] bpf: Restrict kernel image access functions when the kernel is locked down · Alexei Starovoitov <hidden> · 2017-10-19
Re: [PATCH 18/27] bpf: Restrict kernel image access functions when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-11-09
Re: [PATCH 18/27] bpf: Restrict kernel image access functions when the kernel is locked down · joeyli <jlee@suse.com> · 2017-10-20
Re: [PATCH 18/27] bpf: Restrict kernel image access functions when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-10-20
Re: [PATCH 18/27] bpf: Restrict kernel image access functions when the kernel is locked down · jlee@suse.com · 2017-10-20
Re: [PATCH 18/27] bpf: Restrict kernel image access functions when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-10-20
Re: [PATCH 18/27] bpf: Restrict kernel image access functions when the kernel is locked down · jlee@suse.com · 2017-10-20
Re: [PATCH 18/27] bpf: Restrict kernel image access functions when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-10-23
Re: [PATCH 18/27] bpf: Restrict kernel image access functions when the kernel is locked down · joeyli <jlee@suse.com> · 2017-10-25
[PATCH 19/27] scsi: Lock down the eata driver · David Howells <dhowells@redhat.com> · 2017-10-19
[PATCH 20/27] Prohibit PCMCIA CIS storage when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-10-19
[PATCH 21/27] Lock down TIOCSSERIAL · David Howells <dhowells@redhat.com> · 2017-10-19
[PATCH 22/27] Lock down module params that specify hardware parameters (eg. ioport) · David Howells <dhowells@redhat.com> · 2017-10-19
[PATCH 23/27] x86/mmiotrace: Lock down the testmmiotrace module · David Howells <dhowells@redhat.com> · 2017-10-19
[PATCH 24/27] debugfs: Disallow use of debugfs files when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-10-19
[PATCH 25/27] Lock down /proc/kcore · David Howells <dhowells@redhat.com> · 2017-10-19
Re: [PATCH 25/27] Lock down /proc/kcore · James Morris <hidden> · 2017-10-21
Re: [PATCH 25/27] Lock down /proc/kcore · David Howells <dhowells@redhat.com> · 2017-10-23
[PATCH 26/27] efi: Add an EFI_SECURE_BOOT flag to indicate secure boot mode · David Howells <dhowells@redhat.com> · 2017-10-19
Re: [PATCH 26/27] efi: Add an EFI_SECURE_BOOT flag to indicate secure boot mode · James Morris <hidden> · 2017-10-21
Re: [PATCH 26/27] efi: Add an EFI_SECURE_BOOT flag to indicate secure boot mode · David Howells <dhowells@redhat.com> · 2017-10-23
[PATCH 27/27] efi: Lock down the kernel if booted in secure boot mode · David Howells <dhowells@redhat.com> · 2017-10-19
Re: [PATCH 00/27] security, efi: Add kernel lockdown · David Howells <dhowells@redhat.com> · 2017-10-19
Re: [PATCH 00/27] security, efi: Add kernel lockdown · Mimi Zohar <hidden> · 2017-11-02
Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · David Howells <dhowells@redhat.com> · 2017-11-02
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · Mimi Zohar <hidden> · 2017-11-02
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · "Luis R. Rodriguez" <mcgrof@kernel.org> · 2017-11-07
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · AKASHI, Takahiro <hidden> · 2017-11-08
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · "Luis R. Rodriguez" <mcgrof@kernel.org> · 2017-11-08
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · AKASHI, Takahiro <hidden> · 2017-11-09
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · Mimi Zohar <hidden> · 2017-11-09
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · AKASHI, Takahiro <hidden> · 2017-11-09
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · Mimi Zohar <hidden> · 2017-11-10
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · Alan Cox <hidden> · 2017-11-11
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · Mimi Zohar <hidden> · 2017-11-13
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · "Luis R. Rodriguez" <mcgrof@kernel.org> · 2017-11-13
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · Alan Cox <hidden> · 2017-11-13
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · David Howells <dhowells@redhat.com> · 2017-11-13
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · Linus Torvalds <torvalds@linux-foundation.org> · 2017-11-13
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · Alan Cox <hidden> · 2017-11-14
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · Mimi Zohar <hidden> · 2017-11-14
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · Greg Kroah-Hartman <gregkh@linuxfoundation.org> · 2017-11-14
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · Mimi Zohar <hidden> · 2017-11-14
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · Linus Torvalds <torvalds@linux-foundation.org> · 2017-11-14
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · Matthew Garrett <hidden> · 2017-11-14
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · Linus Torvalds <torvalds@linux-foundation.org> · 2017-11-14
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · Matthew Garrett <hidden> · 2017-11-14
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · Linus Torvalds <torvalds@linux-foundation.org> · 2017-11-14
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · Matthew Garrett <hidden> · 2017-11-14
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · "Luis R. Rodriguez" <mcgrof@kernel.org> · 2017-11-14
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · Matthew Garrett <hidden> · 2017-11-14
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · James Bottomley <James.Bottomley@HansenPartnership.com> · 2017-11-14
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · Matthew Garrett <hidden> · 2017-11-14
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · James Bottomley <James.Bottomley@HansenPartnership.com> · 2017-11-14
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · Matthew Garrett <hidden> · 2017-11-14
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · Mimi Zohar <hidden> · 2017-11-15
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · "Luis R. Rodriguez" <mcgrof@kernel.org> · 2017-11-15
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · Mimi Zohar <hidden> · 2017-11-15
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · "Luis R. Rodriguez" <mcgrof@kernel.org> · 2017-11-15
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · Mimi Zohar <hidden> · 2017-11-16
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · "Luis R. Rodriguez" <mcgrof@kernel.org> · 2017-12-04
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · Alan Cox <hidden> · 2017-12-07
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · "Luis R. Rodriguez" <mcgrof@kernel.org> · 2017-11-10
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · Mimi Zohar <hidden> · 2017-11-10
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · "Luis R. Rodriguez" <mcgrof@kernel.org> · 2017-11-13
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · "Luis R. Rodriguez" <mcgrof@kernel.org> · 2017-11-13
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · Mimi Zohar <hidden> · 2017-11-08
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · "Luis R. Rodriguez" <mcgrof@kernel.org> · 2017-11-08

STALE3092d

Revisions (2)

2017-10-19 v1 current
2017-11-09 v1 [diff vs current]

From: dhowells@redhat.com (David Howells)
Date: 2017-10-19 14:51:02
Also in: linux-efi, lkml
Subsystem: the rest · Maintainer: Linus Torvalds

If the kernel is locked down, require that all modules have valid
signatures that we can verify.

Signed-off-by: David Howells <dhowells@redhat.com>
---

 kernel/module.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/kernel/module.c b/kernel/module.c
index de66ec825992..3d9a3270c179 100644
--- a/kernel/module.c
+++ b/kernel/module.c

@@ -2781,7 +2781,8 @@ static int module_sig_check(struct load_info *info, int flags)
 	}
 
 	/* Not having a signature is only an error if we're strict. */
-	if (err == -ENOKEY && !sig_enforce)
+	if (err == -ENOKEY && !sig_enforce &&
+	    !kernel_is_locked_down("Loading of unsigned modules"))
 		err = 0;
 
 	return err;

--

To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help