Dave Young <dyoung at redhat.com> wrote: > > > > + /* Don't permit images to be loaded into trusted kernels if we're not > > > > + * going to verify the signature on them > > > > + */ > > > > + if (!IS_ENABLED(CONFIG_KEXEC_VERIFY_SIG) && kernel_is_locked_down()) > > > > + return -EPERM; > > > > + > > > > > > > > IMA can be used to verify file signatures too, based on the LSM hooks > > in ?kernel_read_file_from_fd(). ?CONFIG_KEXEC_VERIFY_SIG should not be > > required. > > Mimi, I remember we talked somthing before about the two signature > verification. One can change IMA policy in initramfs userspace, > also there are kernel cmdline param to disable IMA, so it can break the > lockdown? Suppose kexec boot with ima disabled cmdline param and then > kexec reboot again.. I guess I should lock down the parameter to disable IMA too. David
