On 06/21/19 at 01:18pm, Matthew Garrett wrote: > On Thu, Jun 20, 2019 at 11:43 PM Dave Young <dyoung@xxxxxxxxxx> wrote: > > > > On 03/26/19 at 11:27am, Matthew Garrett wrote: > > > From: Jiri Bohac <jbohac@xxxxxxx> > > > > > > When KEXEC_SIG is not enabled, kernel should not load images through > > > kexec_file systemcall if the kernel is locked down. > > > > > > [Modified by David Howells to fit with modifications to the previous patch > > > and to return -EPERM if the kernel is locked down for consistency with > > > other lockdowns. Modified by Matthew Garrett to remove the IMA > > > integration, which will be replaced by integrating with the IMA > > > architecture policy patches.] > > > > > > Signed-off-by: Jiri Bohac <jbohac@xxxxxxx> > > > Signed-off-by: David Howells <dhowells@xxxxxxxxxx> > > > Signed-off-by: Matthew Garrett <mjg59@xxxxxxxxxx> > > > Reviewed-by: Jiri Bohac <jbohac@xxxxxxx> > > > cc: kexec@xxxxxxxxxxxxxxxxxxx > > > --- > > > kernel/kexec_file.c | 6 ++++++ > > > 1 file changed, 6 insertions(+) > > > > > > diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c > > > index 67f3a866eabe..a1cc37c8b43b 100644 > > > --- a/kernel/kexec_file.c > > > +++ b/kernel/kexec_file.c > > > @@ -239,6 +239,12 @@ kimage_file_prepare_segments(struct kimage *image, int kernel_fd, int initrd_fd, > > > } > > > > > > ret = 0; > > > + > > > + if (kernel_is_locked_down(reason, LOCKDOWN_INTEGRITY)) { > > > + ret = -EPERM; > > > + goto out; > > > + } > > > + > > > > Checking here is late, it would be good to move the check to earlier > > code around below code: > > /* We only trust the superuser with rebooting the system. */ > > if (!capable(CAP_SYS_BOOT) || kexec_load_disabled) > > return -EPERM; > > I don't think so - we want it to be possible to load images if they > have a valid signature. I know it works like this way because of the previous patch. But from the patch log "When KEXEC_SIG is not enabled, kernel should not load images", it is simple to check it early for !IS_ENABLED(CONFIG_KEXEC_SIG) && kernel_is_locked_down(reason, LOCKDOWN_INTEGRITY) instead of depending on the late code to verify signature. In that way, easier to understand the logic, no? Thanks Dave