On Wed, 2018-06-13 at 14:33 +0800, Herbert Xu wrote:
> On Fri, Jun 08, 2018 at 02:57:42PM -0700, Matthew Garrett wrote:
> > When EVM attempts to appraise a file signed with a crypto algorithm the
> > kernel doesn't have support for, it will cause the kernel to trigger a
> > module load. If the EVM policy includes appraisal of kernel modules this
> > will in turn call back into EVM - since EVM is holding a lock until the
> > crypto initialisation is complete, this triggers a deadlock. Add a
> > CRYPTO_NOLOAD flag and skip module loading if it's set, and add that flag
> > in the EVM case in order to fail gracefully with an error message
> > instead of deadlocking.
> >
> > Signed-off-by: Matthew Garrett <mjg59@xxxxxxxxxx>
>
> Acked-by: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>

Thanks! This patch and "evm: Allow non-SHA1 digital signatures" are now queued in the next-integrity-queued branch.

Mimi
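
The re-entrancy described in the quoted commit message, as an added user-space model; it is not kernel code and not part of the patch. All function names, the `MODEL_NOLOAD` value and the "only sha1 is built in" setup are assumptions made for illustration, and the lock is a flag so the re-entrant acquire is reported instead of hanging.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MODEL_NOLOAD 0x1u        /* stands in for CRYPTO_NOLOAD; value is constructed */

static bool appraisal_lock_held; /* models the lock held during crypto initialisation */
static int  deadlocks_detected;  /* counts re-entrant attempts to take that lock */

static int appraise_file(const char *algo, unsigned int flags);

/* Hypothetical module loader: with module appraisal in the policy, the
 * module file is itself appraised before the algorithm becomes usable. */
static int load_module(const char *algo)
{
    (void)algo;
    return appraise_file("sha1", 0);
}

/* Hypothetical algorithm lookup: only "sha1" is built in (assumption). */
static int alloc_hash(const char *algo, unsigned int flags)
{
    if (strcmp(algo, "sha1") == 0)
        return 0;
    if (flags & MODEL_NOLOAD)
        return -ENOENT;          /* caller opted out: fail without loading a module */
    return load_module(algo);    /* unknown algorithm: trigger a module load */
}

static int appraise_file(const char *algo, unsigned int flags)
{
    if (appraisal_lock_held) {   /* a real non-recursive lock would block forever here */
        deadlocks_detected++;
        return -EDEADLK;
    }
    appraisal_lock_held = true;
    int rc = alloc_hash(algo, flags);
    appraisal_lock_held = false;
    return rc;
}

int main(void)
{
    printf("sha1:            %d\n", appraise_file("sha1", 0));
    printf("sha512, load:    %d\n", appraise_file("sha512", 0));
    printf("sha512, no-load: %d\n", appraise_file("sha512", MODEL_NOLOAD));
    printf("re-entrant lock attempts: %d\n", deadlocks_detected);
    return 0;
}
```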