• James Morris's avatar
    Merge branch 'next-integrity' of... · 5580b4a1
    James Morris authored
    Merge branch 'next-integrity' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity into next-integrity
    
    From Mimi:
    
    In Linux 4.19, a new LSM hook named security_kernel_load_data was
    upstreamed, allowing LSMs and IMA to prevent the kexec_load
    syscall.  Different signature verification methods exist for verifying
    the kexec'ed kernel image.  This pull request adds additional support
    in IMA to prevent loading unsigned kernel images via the kexec_load
    syscall, independently of the IMA policy rules, based on the runtime
    "secure boot" flag.  An initial IMA kselftest is included.
    
    In addition, this pull request defines a new, separate keyring named
    ".platform" for storing the preboot/firmware keys needed for verifying
    the kexec'ed kernel image's signature and includes the associated IMA
    kexec usage of the ".platform" keyring.
    
    (David Howell's and Josh Boyer's patches for reading the
    preboot/firmware keys, which were previously posted for a different
    use case scenario, are included here.)
    5580b4a1
ima_appraise.c 12 KB