leandrof/linux
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
b5ca117365
linux/security/integrity/ima
History
Nayna Jain b5ca117365 ima: prevent kexec_load syscall based on runtime secureboot flag 
When CONFIG_KEXEC_VERIFY_SIG is enabled, the kexec_file_load syscall
requires the kexec'd kernel image to be signed. Distros are concerned
about totally disabling the kexec_load syscall. As a compromise, the
kexec_load syscall will only be disabled when CONFIG_KEXEC_VERIFY_SIG
is configured and the system is booted with secureboot enabled.

This patch disables the kexec_load syscall only for systems booted with
secureboot enabled.

[zohar@linux.ibm.com: add missing mesage on kexec_load failure]
Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
Cc: David Howells <dhowells@redhat.com>
Cc: Eric Biederman <ebiederm@xmission.com>
Cc: Peter Jones <pjones@redhat.com>
Cc: Vivek Goyal <vgoyal@redhat.com>
Cc: Dave Young <dyoung@redhat.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
2018-12-11 07:10:33 -05:00
..
ima_api.c security/integrity: constify some read-only data 2018-10-10 12:56:15 -04:00
ima_appraise.c IMA: don't propagate opened through the entire thing 2018-07-12 10:04:19 -04:00
ima_crypto.c ima: open a new file instance if no read permissions 2018-10-10 15:18:00 -04:00
ima_fs.c ima: fix showing large 'violations' or 'runtime_measurements_count' 2018-10-10 12:56:16 -04:00
ima_init.c security/integrity: constify some read-only data 2018-10-10 12:56:15 -04:00
ima_kexec.c ima: Unify logging 2018-05-17 07:49:12 -04:00
ima_main.c ima: prevent kexec_load syscall based on runtime secureboot flag 2018-12-11 07:10:33 -05:00
ima_mok.c KEYS: Use structure to capture key restriction function and data 2017-04-04 14:10:10 -07:00
ima_policy.c ima: Differentiate auditing policy rules from "audit" actions 2018-07-18 07:27:22 -04:00
ima_queue.c ima: Get rid of ima_used_chip and use ima_tpm_chip != NULL instead 2018-07-28 17:03:11 +03:00
ima_template_lib.c ima: Unify logging 2018-05-17 07:49:12 -04:00
ima_template_lib.h ima: introduce ima_parse_buf() 2017-06-21 14:37:12 -04:00
ima_template.c security/integrity: constify some read-only data 2018-10-10 12:56:15 -04:00
ima.h security/integrity: constify some read-only data 2018-10-10 12:56:15 -04:00
Kconfig ima: Do not audit if CONFIG_INTEGRITY_AUDIT is not set 2018-07-18 07:27:22 -04:00
Makefile License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00