On Tue, Sep 03, 2013 at 07:50:15PM -0400, Matthew Garrett wrote: > kexec permits the loading and execution of arbitrary code in ring 0, which > is something that module signing enforcement is meant to prevent. It makes > sense to disable kexec in this situation. > > Signed-off-by: Matthew Garrett <matthew.garrett@xxxxxxxxxx> Matthew, Disabling kexec will disable kdump, correct? Are there plans to enable kdump on a system where secure boot is enabled? thanks Jerry > --- > kernel/kexec.c | 8 ++++++++ > 1 file changed, 8 insertions(+) > > diff --git a/kernel/kexec.c b/kernel/kexec.c > index 59f7b55..3e2b63a 100644 > --- a/kernel/kexec.c > +++ b/kernel/kexec.c > @@ -32,6 +32,7 @@ > #include <linux/vmalloc.h> > #include <linux/swap.h> > #include <linux/syscore_ops.h> > +#include <linux/module.h> > > #include <asm/page.h> > #include <asm/uaccess.h> > @@ -943,6 +944,13 @@ SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments, > return -EPERM; > > /* > + * kexec can be used to circumvent module loading restrictions, so > + * prevent loading in that case > + */ > + if (secure_modules()) > + return -EPERM; > + > + /* > * Verify we have a legal set of flags > * This leaves us room for future extensions. > */ > -- > 1.8.3.1 > > -- > To unsubscribe from this list: send the line "unsubscribe linux-efi" in > the body of a message to majordomo@xxxxxxxxxxxxxxx > More majordomo info at http://vger.kernel.org/majordomo-info.html -- ---------------------------------------------------------------------------- Jerry Hoemann Software Engineer Hewlett-Packard/MODL 3404 E Harmony Rd. MS 57 phone: (970) 898-1022 Ft. Collins, CO 80528 FAX: (970) 898-XXXX email: jerry.hoemann@xxxxxx ---------------------------------------------------------------------------- -- To unsubscribe from this list: send the line "unsubscribe linux-efi" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
