From: Matthew Garrett <matthew.garrett@xxxxxxxxxx> kexec permits the loading and execution of arbitrary code in ring 0, which is something that lock-down is meant to prevent. It makes sense to disable kexec in this situation. This does not affect kexec_file_load() which can check for a signature on the image to be booted. Signed-off-by: Matthew Garrett <matthew.garrett@xxxxxxxxxx> Signed-off-by: David Howells <dhowells@xxxxxxxxxx> --- kernel/kexec.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/kernel/kexec.c b/kernel/kexec.c index 980936a90ee6..c6aa4620d1bf 100644 --- a/kernel/kexec.c +++ b/kernel/kexec.c @@ -12,6 +12,7 @@ #include <linux/mm.h> #include <linux/file.h> #include <linux/kexec.h> +#include <linux/security.h> #include <linux/mutex.h> #include <linux/list.h> #include <linux/syscalls.h> @@ -194,6 +195,13 @@ SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments, return -EPERM; /* + * kexec can be used to circumvent module loading restrictions, so + * prevent loading in that case + */ + if (kernel_is_locked_down()) + return -EPERM; + + /* * Verify we have a legal set of flags * This leaves us room for future extensions. */ -- To unsubscribe from this list: send the line "unsubscribe linux-efi" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
