[PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set

[PATCH 00/27] security, efi: Add kernel lockdown · David Howells <dhowells@redhat.com> · 2017-10-19
[PATCH 01/27] Add the ability to lock down access to the running kernel image · David Howells <dhowells@redhat.com> · 2017-10-19
Re: [PATCH 01/27] Add the ability to lock down access to the running kernel image · James Morris <hidden> · 2017-10-20
[PATCH 02/27] Add a SysRq option to lift kernel lockdown · David Howells <dhowells@redhat.com> · 2017-10-19
Re: [PATCH 02/27] Add a SysRq option to lift kernel lockdown · Randy Dunlap <hidden> · 2017-10-19
Re: [PATCH 02/27] Add a SysRq option to lift kernel lockdown · David Howells <dhowells@redhat.com> · 2017-10-19
Re: [PATCH 02/27] Add a SysRq option to lift kernel lockdown · Thiago Jung Bauermann <hidden> · 2017-11-07
Re: [PATCH 02/27] Add a SysRq option to lift kernel lockdown · David Howells <dhowells@redhat.com> · 2017-11-07
[PATCH 03/27] Enforce module signatures if the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-10-19
Re: [PATCH 03/27] Enforce module signatures if the kernel is locked down · joeyli <jlee@suse.com> · 2017-10-20
Re: [PATCH 03/27] Enforce module signatures if the kernel is locked down · James Morris <hidden> · 2017-10-20
Re: [PATCH 03/27] Enforce module signatures if the kernel is locked down · Mimi Zohar <hidden> · 2017-10-27
Re: [PATCH 03/27] Enforce module signatures if the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-10-30
Re: [PATCH 03/27] Enforce module signatures if the kernel is locked down · Mimi Zohar <hidden> · 2017-10-30
Re: [PATCH 03/27] Enforce module signatures if the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-11-02
Re: [PATCH 03/27] Enforce module signatures if the kernel is locked down · Mimi Zohar <hidden> · 2017-11-02
Re: [PATCH 03/27] Enforce module signatures if the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-11-02
Re: [PATCH 03/27] Enforce module signatures if the kernel is locked down · Mimi Zohar <hidden> · 2017-11-02
Re: [PATCH 03/27] Enforce module signatures if the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-11-02
Re: [PATCH 03/27] Enforce module signatures if the kernel is locked down · Mimi Zohar <hidden> · 2017-11-02
[PATCH 04/27] Restrict /dev/mem and /dev/kmem when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-10-19
Re: [PATCH 04/27] Restrict /dev/mem and /dev/kmem when the kernel is locked down · joeyli <jlee@suse.com> · 2017-10-20
Re: [PATCH 04/27] Restrict /dev/mem and /dev/kmem when the kernel is locked down · James Morris <hidden> · 2017-10-20
Re: [PATCH 04/27] Restrict /dev/mem and /dev/kmem when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-10-23
Re: [PATCH 04/27] Restrict /dev/mem and /dev/kmem when the kernel is locked down · Ethan Zhao <hidden> · 2017-10-24
Re: [PATCH 04/27] Restrict /dev/mem and /dev/kmem when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-10-24
[PATCH 05/27] kexec: Disable at runtime if the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-10-19
Re: [PATCH 05/27] kexec: Disable at runtime if the kernel is locked down · joeyli <jlee@suse.com> · 2017-10-20
Re: [PATCH 05/27] kexec: Disable at runtime if the kernel is locked down · James Morris <hidden> · 2017-10-20
[PATCH 06/27] Copy secure_boot flag in boot params across kexec reboot · David Howells <dhowells@redhat.com> · 2017-10-19
Re: [PATCH 06/27] Copy secure_boot flag in boot params across kexec reboot · joeyli <jlee@suse.com> · 2017-10-20
[PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set · David Howells <dhowells@redhat.com> · 2017-10-19
Re: [PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set · James Morris <hidden> · 2017-10-20
Re: [PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set · Mimi Zohar <hidden> · 2017-10-23
Re: [PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set · joeyli <jlee@suse.com> · 2017-10-26
Re: [PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set · Mimi Zohar <hidden> · 2017-10-26
Re: [PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set · Mimi Zohar <hidden> · 2017-10-27
Re: [PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set · joeyli <jlee@suse.com> · 2017-10-28
Re: [PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set · Mimi Zohar <hidden> · 2017-10-29
Re: [PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set · Mimi Zohar <hidden> · 2017-10-28
Re: [PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set · David Howells <dhowells@redhat.com> · 2017-10-30
Re: [PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set · Mimi Zohar <hidden> · 2017-10-30
Re: [PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set · David Howells <dhowells@redhat.com> · 2017-10-26
Re: [PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set · Mimi Zohar <hidden> · 2017-10-26
Re: [PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set · David Howells <dhowells@redhat.com> · 2017-10-30
Re: [PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set · Mimi Zohar <hidden> · 2017-10-30
Re: [PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set · David Howells <dhowells@redhat.com> · 2017-11-02
Re: [PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set · David Howells <dhowells@redhat.com> · 2017-10-26
Re: [PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set · David Howells <dhowells@redhat.com> · 2017-11-02
[PATCH 08/27] hibernate: Disable when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-10-19
Re: [PATCH 08/27] hibernate: Disable when the kernel is locked down · joeyli <jlee@suse.com> · 2017-10-20
[PATCH 09/27] uswsusp: Disable when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-10-19
Re: [PATCH 09/27] uswsusp: Disable when the kernel is locked down · joeyli <jlee@suse.com> · 2017-10-20
Re: [PATCH 09/27] uswsusp: Disable when the kernel is locked down · James Morris <hidden> · 2017-10-20
[PATCH 10/27] PCI: Lock down BAR access when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-10-19
Re: [PATCH 10/27] PCI: Lock down BAR access when the kernel is locked down · joeyli <jlee@suse.com> · 2017-10-20
[PATCH 11/27] x86: Lock down IO port access when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-10-19
Re: [PATCH 11/27] x86: Lock down IO port access when the kernel is locked down · joeyli <jlee@suse.com> · 2017-10-20
[PATCH 12/27] x86/msr: Restrict MSR access when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-10-19
Re: [PATCH 12/27] x86/msr: Restrict MSR access when the kernel is locked down · joeyli <jlee@suse.com> · 2017-10-20
Re: [PATCH 12/27] x86/msr: Restrict MSR access when the kernel is locked down · Alan Cox <hidden> · 2017-10-20
Re: [PATCH 12/27] x86/msr: Restrict MSR access when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-10-20
Re: [PATCH 12/27] x86/msr: Restrict MSR access when the kernel is locked down · joeyli <jlee@suse.com> · 2017-10-21
Re: [PATCH 12/27] x86/msr: Restrict MSR access when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-10-23
Re: [PATCH 12/27] x86/msr: Restrict MSR access when the kernel is locked down · joeyli <jlee@suse.com> · 2017-10-25
[PATCH 13/27] asus-wmi: Restrict debugfs interface when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-10-19
Re: [PATCH 13/27] asus-wmi: Restrict debugfs interface when the kernel is locked down · joeyli <jlee@suse.com> · 2017-10-20
[PATCH 14/27] ACPI: Limit access to custom_method when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-10-19
Re: [PATCH 14/27] ACPI: Limit access to custom_method when the kernel is locked down · joeyli <jlee@suse.com> · 2017-10-20
[PATCH 15/27] acpi: Ignore acpi_rsdp kernel param when the kernel has been locked down · David Howells <dhowells@redhat.com> · 2017-10-19
Re: [PATCH 15/27] acpi: Ignore acpi_rsdp kernel param when the kernel has been locked down · joeyli <jlee@suse.com> · 2017-10-20
[PATCH 16/27] acpi: Disable ACPI table override if the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-10-19
Re: [PATCH 16/27] acpi: Disable ACPI table override if the kernel is locked down · joeyli <jlee@suse.com> · 2017-10-20
[PATCH 17/27] acpi: Disable APEI error injection if the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-10-19
Re: [PATCH 17/27] acpi: Disable APEI error injection if the kernel is locked down · joeyli <jlee@suse.com> · 2017-10-20
[PATCH 18/27] bpf: Restrict kernel image access functions when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-10-19
Re: [PATCH 18/27] bpf: Restrict kernel image access functions when the kernel is locked down · Alexei Starovoitov <hidden> · 2017-10-19
Re: [PATCH 18/27] bpf: Restrict kernel image access functions when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-10-19
Re: [PATCH 18/27] bpf: Restrict kernel image access functions when the kernel is locked down · Alexei Starovoitov <hidden> · 2017-10-19
Re: [PATCH 18/27] bpf: Restrict kernel image access functions when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-11-09
Re: [PATCH 18/27] bpf: Restrict kernel image access functions when the kernel is locked down · joeyli <jlee@suse.com> · 2017-10-20
Re: [PATCH 18/27] bpf: Restrict kernel image access functions when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-10-20
Re: [PATCH 18/27] bpf: Restrict kernel image access functions when the kernel is locked down · jlee@suse.com · 2017-10-20
Re: [PATCH 18/27] bpf: Restrict kernel image access functions when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-10-20
Re: [PATCH 18/27] bpf: Restrict kernel image access functions when the kernel is locked down · jlee@suse.com · 2017-10-20
Re: [PATCH 18/27] bpf: Restrict kernel image access functions when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-10-23
Re: [PATCH 18/27] bpf: Restrict kernel image access functions when the kernel is locked down · joeyli <jlee@suse.com> · 2017-10-25
[PATCH 19/27] scsi: Lock down the eata driver · David Howells <dhowells@redhat.com> · 2017-10-19
[PATCH 20/27] Prohibit PCMCIA CIS storage when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-10-19
[PATCH 21/27] Lock down TIOCSSERIAL · David Howells <dhowells@redhat.com> · 2017-10-19
[PATCH 22/27] Lock down module params that specify hardware parameters (eg. ioport) · David Howells <dhowells@redhat.com> · 2017-10-19
[PATCH 23/27] x86/mmiotrace: Lock down the testmmiotrace module · David Howells <dhowells@redhat.com> · 2017-10-19
[PATCH 24/27] debugfs: Disallow use of debugfs files when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-10-19
[PATCH 25/27] Lock down /proc/kcore · David Howells <dhowells@redhat.com> · 2017-10-19
Re: [PATCH 25/27] Lock down /proc/kcore · James Morris <hidden> · 2017-10-21
Re: [PATCH 25/27] Lock down /proc/kcore · David Howells <dhowells@redhat.com> · 2017-10-23
[PATCH 26/27] efi: Add an EFI_SECURE_BOOT flag to indicate secure boot mode · David Howells <dhowells@redhat.com> · 2017-10-19
Re: [PATCH 26/27] efi: Add an EFI_SECURE_BOOT flag to indicate secure boot mode · James Morris <hidden> · 2017-10-21
Re: [PATCH 26/27] efi: Add an EFI_SECURE_BOOT flag to indicate secure boot mode · David Howells <dhowells@redhat.com> · 2017-10-23
[PATCH 27/27] efi: Lock down the kernel if booted in secure boot mode · David Howells <dhowells@redhat.com> · 2017-10-19
Re: [PATCH 00/27] security, efi: Add kernel lockdown · David Howells <dhowells@redhat.com> · 2017-10-19
Re: [PATCH 00/27] security, efi: Add kernel lockdown · Mimi Zohar <hidden> · 2017-11-02
Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · David Howells <dhowells@redhat.com> · 2017-11-02
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · Mimi Zohar <hidden> · 2017-11-02
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · "Luis R. Rodriguez" <mcgrof@kernel.org> · 2017-11-07
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · AKASHI, Takahiro <hidden> · 2017-11-08
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · "Luis R. Rodriguez" <mcgrof@kernel.org> · 2017-11-08
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · AKASHI, Takahiro <hidden> · 2017-11-09
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · Mimi Zohar <hidden> · 2017-11-09
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · AKASHI, Takahiro <hidden> · 2017-11-09
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · Mimi Zohar <hidden> · 2017-11-10
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · Alan Cox <hidden> · 2017-11-11
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · Mimi Zohar <hidden> · 2017-11-13
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · "Luis R. Rodriguez" <mcgrof@kernel.org> · 2017-11-13
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · Alan Cox <hidden> · 2017-11-13
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · David Howells <dhowells@redhat.com> · 2017-11-13
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · Linus Torvalds <torvalds@linux-foundation.org> · 2017-11-13
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · Alan Cox <hidden> · 2017-11-14
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · Mimi Zohar <hidden> · 2017-11-14
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · Greg Kroah-Hartman <gregkh@linuxfoundation.org> · 2017-11-14
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · Mimi Zohar <hidden> · 2017-11-14
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · Linus Torvalds <torvalds@linux-foundation.org> · 2017-11-14
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · Matthew Garrett <hidden> · 2017-11-14
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · Linus Torvalds <torvalds@linux-foundation.org> · 2017-11-14
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · Matthew Garrett <hidden> · 2017-11-14
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · Linus Torvalds <torvalds@linux-foundation.org> · 2017-11-14
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · Matthew Garrett <hidden> · 2017-11-14
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · "Luis R. Rodriguez" <mcgrof@kernel.org> · 2017-11-14
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · Matthew Garrett <hidden> · 2017-11-14
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · James Bottomley <James.Bottomley@HansenPartnership.com> · 2017-11-14
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · Matthew Garrett <hidden> · 2017-11-14
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · James Bottomley <James.Bottomley@HansenPartnership.com> · 2017-11-14
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · Matthew Garrett <hidden> · 2017-11-14
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · Mimi Zohar <hidden> · 2017-11-15
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · "Luis R. Rodriguez" <mcgrof@kernel.org> · 2017-11-15
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · Mimi Zohar <hidden> · 2017-11-15
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · "Luis R. Rodriguez" <mcgrof@kernel.org> · 2017-11-15
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · Mimi Zohar <hidden> · 2017-11-16
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · "Luis R. Rodriguez" <mcgrof@kernel.org> · 2017-12-04
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · Alan Cox <hidden> · 2017-12-07
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · "Luis R. Rodriguez" <mcgrof@kernel.org> · 2017-11-10
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · Mimi Zohar <hidden> · 2017-11-10
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · "Luis R. Rodriguez" <mcgrof@kernel.org> · 2017-11-13
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · "Luis R. Rodriguez" <mcgrof@kernel.org> · 2017-11-13
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · Mimi Zohar <hidden> · 2017-11-08
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · "Luis R. Rodriguez" <mcgrof@kernel.org> · 2017-11-08

STALE3092d

From: dhowells@redhat.com (David Howells)
Date: 2017-10-19 14:51:33
Also in: linux-efi, lkml
Subsystem: kexec, the rest · Maintainers: Andrew Morton, Baoquan He, Mike Rapoport, Pasha Tatashin, Pratyush Yadav, Linus Torvalds

From: Chun-Yi Lee <redacted>

When KEXEC_VERIFY_SIG is not enabled, kernel should not loads image
through kexec_file systemcall if securelevel has been set.

This code was showed in Matthew's patch but not in git:
https://lkml.org/lkml/2015/3/13/778

Cc: Matthew Garrett <mjg59@srcf.ucam.org>
Signed-off-by: Chun-Yi Lee <jlee@suse.com>
Signed-off-by: David Howells <dhowells@redhat.com>
cc: kexec at lists.infradead.org
---

 kernel/kexec_file.c |    7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
index 9f48f4412297..ff6523f2dcc2 100644
--- a/kernel/kexec_file.c
+++ b/kernel/kexec_file.c

@@ -255,6 +255,13 @@ SYSCALL_DEFINE5(kexec_file_load, int, kernel_fd, int, initrd_fd,
 	if (!capable(CAP_SYS_BOOT) || kexec_load_disabled)
 		return -EPERM;
 
+	/* Don't permit images to be loaded into trusted kernels if we're not
+	 * going to verify the signature on them
+	 */
+	if (!IS_ENABLED(CONFIG_KEXEC_VERIFY_SIG) &&
+	    kernel_is_locked_down("kexec of unsigned images"))
+		return -EPERM;
+
 	/* Make sure we have a legal set of flags */
 	if (flags != (flags & KEXEC_FILE_FLAGS))
 		return -EINVAL;

--

To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help