Re: [PATCH v6 3/8] ima: based on policy require signed kexec kernel images

From: Kees Cook
Date: Sat Jul 14 2018 - 22:22:15 EST

Next message: Chao Yu: "Re: [PATCH v2 5/5] f2fs: fix to propagate error from __get_meta_page()"
Previous message: Kees Cook: "Re: [PATCH v6 2/8] kexec: add call to LSM hook in original kexec_load syscall"
In reply to: Mimi Zohar: "[PATCH v6 3/8] ima: based on policy require signed kexec kernel images"
Next in thread: Mimi Zohar: "[PATCH v6 5/8] ima: based on policy require signed firmware (sysfs fallback)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Fri, Jul 13, 2018 at 11:05 AM, Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx> wrote:
> The original kexec_load syscall can not verify file signatures, nor can
> the kexec image be measured. Based on policy, deny the kexec_load
> syscall.
>
> Signed-off-by: Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx>
> Cc: Eric Biederman <ebiederm@xxxxxxxxxxxx>
> Cc: Kees Cook <keescook@xxxxxxxxxxxx>

Reviewed-by: Kees Cook <keescook@xxxxxxxxxxxx>

-Kees

--
Kees Cook
Pixel Security

Next message: Chao Yu: "Re: [PATCH v2 5/5] f2fs: fix to propagate error from __get_meta_page()"
Previous message: Kees Cook: "Re: [PATCH v6 2/8] kexec: add call to LSM hook in original kexec_load syscall"
In reply to: Mimi Zohar: "[PATCH v6 3/8] ima: based on policy require signed kexec kernel images"
Next in thread: Mimi Zohar: "[PATCH v6 5/8] ima: based on policy require signed firmware (sysfs fallback)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]