ima: prevent kexec_load syscall based on runtime secureboot flag - linux.git

diff options

author	Nayna Jain <nayna@linux.ibm.com>	2018-10-09 23:00:34 +0530
committer	Mimi Zohar <zohar@linux.ibm.com>	2018-12-11 07:10:33 -0500
commit	b5ca117365d960fe5e4fe272bcc8142c28769383 (patch)
tree	6e306a5c52ad13271a2d947c9a41922f1ddf709d /tools/perf/scripts/python/exported-sql-viewer.py
parent	0914ade209c452cff6a29b1c0ae6fff3167fa1d0 (diff)

ima: prevent kexec_load syscall based on runtime secureboot flag

When CONFIG_KEXEC_VERIFY_SIG is enabled, the kexec_file_load syscall requires the kexec'd kernel image to be signed. Distros are concerned about totally disabling the kexec_load syscall. As a compromise, the kexec_load syscall will only be disabled when CONFIG_KEXEC_VERIFY_SIG is configured and the system is booted with secureboot enabled. This patch disables the kexec_load syscall only for systems booted with secureboot enabled. [zohar@linux.ibm.com: add missing mesage on kexec_load failure] Signed-off-by: Nayna Jain <nayna@linux.ibm.com> Cc: David Howells <dhowells@redhat.com> Cc: Eric Biederman <ebiederm@xmission.com> Cc: Peter Jones <pjones@redhat.com> Cc: Vivek Goyal <vgoyal@redhat.com> Cc: Dave Young <dyoung@redhat.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>

Diffstat (limited to 'tools/perf/scripts/python/exported-sql-viewer.py')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: