Commit dca07861 authored by Coiby Xu's avatar Coiby Xu Committed by Zheng Zengkai
Browse files

ima: force signature verification when CONFIG_KEXEC_SIG is configured 

stable inclusion
from stable-v5.10.132
commit eb360267e1e972475023d06546e18365a222698c
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I5YS3T

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=eb360267e1e972475023d06546e18365a222698c



--------------------------------

[ Upstream commit af16df54 ]

Currently, an unsigned kernel could be kexec'ed when IMA arch specific
policy is configured unless lockdown is enabled. Enforce kernel
signature verification check in the kexec_file_load syscall when IMA
arch specific policy is configured.

Fixes: 99d5cadf ("kexec_file: split KEXEC_VERIFY_SIG into KEXEC_SIG and KEXEC_SIG_FORCE")
Reported-and-suggested-by: default avatarMimi Zohar <zohar@linux.ibm.com>
Signed-off-by: default avatarCoiby Xu <coxu@redhat.com>
Signed-off-by: default avatarMimi Zohar <zohar@linux.ibm.com>
Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
Signed-off-by: default avatarZheng Zengkai <zhengzengkai@huawei.com>
Acked-by: default avatarXie XiuQi <xiexiuqi@huawei.com>
parent 95497337
Show whitespace changes
Inline Side-by-side
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Please to comment