On Tue, May 1, 2018 at 1:15 PM Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx> wrote:

> a) Requiring two signatures was addressed by a patch titled "lockdown:
> fix coordination of kernel module signature verification" [1]

Ah, I'd missed that - thanks!

> There's been further discussions as to what should remain in the
> "lockdown" patch set. Based on the discussion here [2], it seems like
> "[PATCH 06/24] kexec_load: Disable at runtime if the kernel is locked
> down" will be removed.

> Instead of preventing the loading of a kernel image (kexec_load
> syscall) being dependent on the lockdown flag, it could be dependent
> on the kernel_read_file_id READING_KEXEC_IMAGE. A version of these
> patches was posted [3].

Hm. My concern is that distributions are going to ship IMA in a configuration that allows users to add their own keys at boot time (it's difficult to use it in a generic way otherwise), and that's going to allow kexecing of arbitrary images without requiring physical access. I think kexec_file_load() needs to be relying on non-IMA signatures.