From: Simon Horman <horms@kernel.org>
To: Alejandro Hernandez <alhe@linux.microsoft.com>
Cc: kexec@lists.infradead.org
Subject: Re: [PATCH v2] kexec: restore functionality to preserve fd xattrs for uncompressed kernel images
Date: Wed, 27 May 2026 08:42:04 +0100
Message-ID: <20260527074204.GC51310@horms.kernel.org>
In-Reply-To: <20260526151714.4181388-1-alhe@linux.microsoft.com>

On Tue, May 26, 2026 at 03:17:14PM +0000, Alejandro Hernandez wrote:
> Since commit 714fa115, xattrs attached to a kernel image file (such as IMA
> signatures) are not being preserved; do_kexec_file_load() was modified to use
> memfd_create() which now passes an anonymous file descriptor to
> kexec_file_load(). This change eliminated the filesystem inode identity of the
> original kernel file, hence attributes are no longer visible to the kernel IMA
> appraisal handler during kexec_file_load, causing IMA policy enforcement to fail
> even for validly signed kernel images.
> 
> This patch attempts to restore such behavior, although it only does so for
> uncompressed kernel images. To do this, we first figure out if the image file is
> compressed or not and call each method accordingly.
> 
> Compressed images continue to use memfd and cannot carry forward the original fd
> security attributes, since their decompressed bytes do not match the signed
> artifact. Proper handling of compressed images with IMA would require either
> signing the decompressed artifact or kernel-side support for decompression
> within the kexec_file_load path.
> 
> Signed-off-by: Alejandro Hernandez Samaniego <alhe@linux.microsoft.com>

Thanks, applied.

- kexec: restore functionality to preserve fd xattrs for uncompressed kernel images
  https://git.kernel.org/pub/scm/utils/kernel/kexec/kexec-tools.git/commit/?id=f75be9241acc
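
An added illustration of the decision the quoted commit message describes, not code from the patch or from kexec-tools: classify an image by its leading magic bytes and report whether the original fd, with any security.ima xattr, could be handed to kexec_file_load() unchanged. The names classify_image, can_pass_original_fd and inspect_image are hypothetical, and the set of formats checked (gzip, xz, zstd) is an assumption.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/xattr.h>
#include <unistd.h>

enum img_kind { IMG_UNCOMPRESSED, IMG_GZIP, IMG_XZ, IMG_ZSTD };

/* Classify by leading magic bytes; the format list is an assumption. */
enum img_kind classify_image(const unsigned char *b, size_t n)
{
    static const unsigned char gz[] = { 0x1f, 0x8b };
    static const unsigned char xz[] = { 0xfd, '7', 'z', 'X', 'Z', 0x00 };
    static const unsigned char zs[] = { 0x28, 0xb5, 0x2f, 0xfd };
    if (n >= sizeof gz && !memcmp(b, gz, sizeof gz)) return IMG_GZIP;
    if (n >= sizeof xz && !memcmp(b, xz, sizeof xz)) return IMG_XZ;
    if (n >= sizeof zs && !memcmp(b, zs, sizeof zs)) return IMG_ZSTD;
    return IMG_UNCOMPRESSED;
}

/* Only uncompressed bytes match the signed artifact, so only then is the on-disk fd usable. */
int can_pass_original_fd(enum img_kind k) { return k == IMG_UNCOMPRESSED; }

struct fd_report { enum img_kind kind; int pass_original; int has_ima_xattr; };

/* Hypothetical helper: returns 0 on success, -1 if the file is unreadable. */
int inspect_image(const char *path, struct fd_report *r)
{
    unsigned char hdr[8];
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0) return -1;
    ssize_t n = pread(fd, hdr, sizeof hdr, 0);
    if (n < 0) { close(fd); return -1; }
    r->kind = classify_image(hdr, (size_t)n);
    r->pass_original = can_pass_original_fd(r->kind);
    /* Size-0 query returns the value length, or -1 when the xattr is absent. */
    r->has_ima_xattr = fgetxattr(fd, "security.ima", NULL, 0) > 0;
    close(fd);
    return 0;
}

int main(int argc, char **argv)
{
    struct fd_report r;
    if (argc < 2 || inspect_image(argv[1], &r) != 0) return 1;
    printf("kind=%d pass_original_fd=%d security.ima=%d\n", r.kind, r.pass_original, r.has_ima_xattr);
    return 0;
}
```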
