diff options
author | James Morris <james.morris@microsoft.com> | 2019-02-14 21:55:42 +0300 |
---|---|---|
committer | James Morris <james.morris@microsoft.com> | 2019-02-14 21:55:42 +0300 |
commit | 2e884fc9759d8816630d3c30694721a39b7396e0 (patch) | |
tree | 83c213634f69eec583f1d4ca7234e78ccf367435 /arch | |
parent | e7a44cfd639945a0dec749f896adc1d340c2a6aa (diff) | |
parent | e7fde070f39bc058c356cf366cb17ac2d643abb0 (diff) | |
download | linux-2e884fc9759d8816630d3c30694721a39b7396e0.tar.xz |
Merge branch 'next-integrity' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity into next-integrity
From: Mimi Zohar <zohar@linux.ibm.com>
Linux 5.0 introduced the platform keyring to allow verifying the IMA
kexec kernel image signature using the pre-boot keys. This pull
request similarly makes keys on the platform keyring accessible for
verifying the PE kernel image signature.*
Also included in this pull request is a new IMA hook that tags tmp
files, in policy, indicating the file hash needs to be calculated.
The remaining patches are cleanup.
*Upstream commit "993a110319a4 (x86/kexec: Fix a kexec_file_load()
failure)" is required for testing.
Diffstat (limited to 'arch')
-rw-r--r-- | arch/x86/kernel/kexec-bzimage64.c | 14 |
1 files changed, 11 insertions, 3 deletions
diff --git a/arch/x86/kernel/kexec-bzimage64.c b/arch/x86/kernel/kexec-bzimage64.c index 278cd07228dd..e1215a600064 100644 --- a/arch/x86/kernel/kexec-bzimage64.c +++ b/arch/x86/kernel/kexec-bzimage64.c @@ -531,9 +531,17 @@ static int bzImage64_cleanup(void *loader_data) #ifdef CONFIG_KEXEC_BZIMAGE_VERIFY_SIG static int bzImage64_verify_sig(const char *kernel, unsigned long kernel_len) { - return verify_pefile_signature(kernel, kernel_len, - VERIFY_USE_SECONDARY_KEYRING, - VERIFYING_KEXEC_PE_SIGNATURE); + int ret; + + ret = verify_pefile_signature(kernel, kernel_len, + VERIFY_USE_SECONDARY_KEYRING, + VERIFYING_KEXEC_PE_SIGNATURE); + if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING)) { + ret = verify_pefile_signature(kernel, kernel_len, + VERIFY_USE_PLATFORM_KEYRING, + VERIFYING_KEXEC_PE_SIGNATURE); + } + return ret; } #endif |