From: Coiby Xu <coxu@redhat.com>
To: kexec@lists.infradead.org
Cc: Matthew Garrett <mjg59@srcf.ucam.org>,
Jiri Bohac <jbohac@suse.cz>, David Howells <dhowells@redhat.com>,
Philipp Rudo <prudo@redhat.com>,
linux-s390@vger.kernel.org, Heiko Carstens <hca@linux.ibm.com>,
Vasily Gorbik <gor@linux.ibm.com>,
Alexander Gordeev <agordeev@linux.ibm.com>,
Christian Borntraeger <borntraeger@linux.ibm.com>,
Sven Schnelle <svens@linux.ibm.com>,
James Morris <jmorris@namei.org>,
Matthew Garrett <mjg59@google.com>,
linux-kernel@vger.kernel.org (open list)
Subject: [PATCH] lockdown: s390: kexec_file: don't skip signature verification when not secure IPLed
Date: Mon, 21 Nov 2022 15:27:15 +0800 [thread overview]
Message-ID: <20221121072715.836323-1-coxu@redhat.com> (raw)
Currently for s390, lockdown doesn't prevent unsigned kernel image from
being kexec'ed when secure IPL is disabled. Fix it by always verifying
the signature regardless secure IPL is enabled or not.
Fixes: 155bdd30af17 ("kexec_file: Restrict at runtime if the kernel is locked down")
Cc: Matthew Garrett <mjg59@srcf.ucam.org>
Cc: Jiri Bohac <jbohac@suse.cz>
Cc: David Howells <dhowells@redhat.com>
Cc: Philipp Rudo <prudo@redhat.com>
Cc: kexec@lists.infradead.org
Cc: linux-s390@vger.kernel.org
Signed-off-by: Coiby Xu <coxu@redhat.com>
---
arch/s390/kernel/machine_kexec_file.c | 4 ----
1 file changed, 4 deletions(-)
diff --git a/arch/s390/kernel/machine_kexec_file.c b/arch/s390/kernel/machine_kexec_file.c
index fc6d5f58debe..627685426ac2 100644
--- a/arch/s390/kernel/machine_kexec_file.c
+++ b/arch/s390/kernel/machine_kexec_file.c
@@ -33,10 +33,6 @@ int s390_verify_sig(const char *kernel, unsigned long kernel_len)
unsigned long sig_len;
int ret;
- /* Skip signature verification when not secure IPLed. */
- if (!ipl_secure_flag)
- return 0;
-
if (marker_len > kernel_len)
return -EKEYREJECTED;
--
2.38.1
next reply other threads:[~2022-11-21 7:29 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-11-21 7:27 Coiby Xu [this message]
2022-11-22 15:15 ` [PATCH] lockdown: s390: kexec_file: don't skip signature verification when not secure IPLed Vasily Gorbik
2022-11-23 0:52 ` Coiby Xu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20221121072715.836323-1-coxu@redhat.com \
--to=coxu@redhat.com \
--cc=agordeev@linux.ibm.com \
--cc=borntraeger@linux.ibm.com \
--cc=dhowells@redhat.com \
--cc=gor@linux.ibm.com \
--cc=hca@linux.ibm.com \
--cc=jbohac@suse.cz \
--cc=jmorris@namei.org \
--cc=kexec@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-s390@vger.kernel.org \
--cc=mjg59@google.com \
--cc=mjg59@srcf.ucam.org \
--cc=prudo@redhat.com \
--cc=svens@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox