kernel/security/integrity/ima/ima_efi.c, branch linux-6.2.yHosts the 0x221E linux distro kernel.https://universe.0xinfinity.dev/distro/kernel/atom?h=linux-6.2.y2022-07-13T14:13:41Zima: force signature verification when CONFIG_KEXEC_SIG is configured2022-07-13T14:13:41ZCoiby Xucoxu@redhat.com2022-07-13T07:21:11Zurn:sha1:af16df54b89dee72df253abc5e7b5e8a6d16c11c
Currently, an unsigned kernel could be kexec'ed when IMA arch specific
policy is configured unless lockdown is enabled. Enforce kernel
signature verification check in the kexec_file_load syscall when IMA
arch specific policy is configured.
Fixes: 99d5cadfde2b ("kexec_file: split KEXEC_VERIFY_SIG into KEXEC_SIG and KEXEC_SIG_FORCE")
Reported-and-suggested-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Coiby Xu <coxu@redhat.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
ima: generalize x86/EFI arch glue for other EFI architectures2020-11-06T06:40:42ZChester Linclin@suse.com2020-10-30T06:08:39Zurn:sha1:25519d68344269f9dc58b5bc72f648248a1fafb9
Move the x86 IMA arch code into security/integrity/ima/ima_efi.c,
so that we will be able to wire it up for arm64 in a future patch.
Co-developed-by: Chester Lin <clin@suse.com>
Signed-off-by: Chester Lin <clin@suse.com>
Acked-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>