kexec permits the loading and execution of arbitrary code in ring 0, which is something that module signing enforcement is meant to prevent. It makes sense to disable kexec in this situation. Signed-off-by: Matthew Garrett <matthew.garrett@xxxxxxxxxx> --- kernel/kexec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/kernel/kexec.c b/kernel/kexec.c index 59f7b55..1a7690f 100644 --- a/kernel/kexec.c +++ b/kernel/kexec.c @@ -32,6 +32,7 @@ #include <linux/vmalloc.h> #include <linux/swap.h> #include <linux/syscore_ops.h> +#include <linux/module.h> #include <asm/page.h> #include <asm/uaccess.h> @@ -1645,6 +1646,9 @@ int kernel_kexec(void) goto Unlock; } + if (secure_modules()) + return -EPERM; + #ifdef CONFIG_KEXEC_JUMP if (kexec_image->preserve_context) { lock_system_sleep(); -- 1.8.3.1 -- To unsubscribe from this list: send the line "unsubscribe linux-efi" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html