• Lianbo Jiang's avatar
    kexec: do not verify the signature without the lockdown or mandatory signature · fd7af71b
    Lianbo Jiang authored
    Signature verification is an important security feature, to protect
    system from being attacked with a kernel of unknown origin.  Kexec
    rebooting is a way to replace the running kernel, hence need be secured
    carefully.
    
    In the current code of handling signature verification of kexec kernel,
    the logic is very twisted.  It mixes signature verification, IMA
    signature appraising and kexec lockdown.
    
    If there is no KEXEC_SIG_FORCE, kexec kernel image doesn't have one of
    signature, the supported crypto, and key, we don't think this is wrong,
    Unless kexec lockdown is executed.  IMA is considered as another kind of
    signature appraising method.
    
    If kexec kernel image has signature/crypto/key, it has to go through the
    signature verification and pass.  Otherwise it's seen as verification
    failure, and won't be loaded.
    
    Seems kexec kernel image with an unqualified signature is even worse
    than those w/o signature at all, this sounds very unreasonable.  E.g.
    If people get a unsigned kernel to load, or a kernel signed with expired
    key, which one is more dangerous?
    
    So, here, let's simplify the logic to improve code readability.  If the
    KEXEC_SIG_FORCE enabled or kexec lockdown enabled, signature
    verification is mandated.  Otherwise, we lift the bar for any kernel
    image.
    
    Link: http://lkml.kernel.org/r/20200602045952.27487-1-lijiang@redhat.comSigned-off-by: default avatarLianbo Jiang <lijiang@redhat.com>
    Reviewed-by: default avatarJiri Bohac <jbohac@suse.cz>
    Acked-by: default avatarDave Young <dyoung@redhat.com>
    Acked-by: default avatarBaoquan He <bhe@redhat.com>
    Cc: James Morris <jmorris@namei.org>
    Cc: Matthew Garrett <mjg59@google.com>
    Cc: "Eric W. Biederman" <ebiederm@xmission.com>
    Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
    Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
    fd7af71b
kexec_file.c 32.6 KB