Re: [PATCH 08/10] kexec: Disable at runtime if the kernel enforces module loading restrictions
On Mon, Aug 19, 2013 at 6:10 PM, Matthew Garrett matthew.garr...@nebula.com wrote:
> kexec permits the loading and execution of arbitrary code in ring 0, which is something that module signing enforcement is meant to prevent. It makes sense to disable kexec in this situation.

Any plans for signed kexec code?

Gr{oetje,eeting}s,

                        Geert

--
Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- ge...@linux-m68k.org

In personal conversations with technical people, I call myself a hacker. But
when I'm talking to journalists I just say programmer or something like that.
                                -- Linus Torvalds
--
To unsubscribe from this list: send the line "unsubscribe linux-efi" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
[PATCH 08/10] kexec: Disable at runtime if the kernel enforces module loading restrictions
kexec permits the loading and execution of arbitrary code in ring 0, which is something that module signing enforcement is meant to prevent. It makes sense to disable kexec in this situation.

Signed-off-by: Matthew Garrett matthew.garr...@nebula.com
---
 kernel/kexec.c | 4
 1 file changed, 4 insertions(+)

diff --git a/kernel/kexec.c b/kernel/kexec.c index 59f7b55..1a7690f 100644 --- a/kernel/kexec.c +++ b/kernel/kexec.c @@ -32,6 +32,7 @@ #include linux/vmalloc.h #include linux/swap.h #include linux/syscore_ops.h +#include linux/module.h #include asm/page.h #include asm/uaccess.h @@ -1645,6 +1646,9 @@ int kernel_kexec(void) goto Unlock; } + if (secure_modules()) + return -EPERM; + #ifdef CONFIG_KEXEC_JUMP if (kexec_image-preserve_context) { lock_system_sleep(); -- 1.8.3.1
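Review bot: in the second hunk (kernel_kexec(), after the `goto Unlock; }` context) the new check returns -EPERM directly, while the error exit immediately above it goes through the Unlock label; bailing out before that label skips whatever Unlock undoes, which in kernel_kexec() is the release of kexec_mutex taken at the top of the function, so the rejected caller would leave the mutex held and every later kexec attempt would fail with -EBUSY. Suggested change: replace `+ return -EPERM;` with `+ error = -EPERM;` followed by `+ goto Unlock;`. Separately, this check runs at execution time rather than when the image is loaded, so a caller under secure_modules() can still load an image via the kexec_load syscall and only learns of the refusal on the reboot path; the commit message should say whether that is intended or whether the load path should also be denied.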