diff options
| author | Linus Torvalds <torvalds@linux-foundation.org> | 2022-01-11 13:11:10 -0800 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2022-01-11 13:11:10 -0800 |
| commit | 84bfcc0b6994057905cf98d2c5cedef48b3322b5 (patch) | |
| tree | 8e2d4095dc6ee28bf08ec6d7e2c15fa2f9db850c /security | |
| parent | 5d7e52237c59e37a25da854196fc70e9b09704d9 (diff) | |
| parent | 65e38e32a959dbbb0bf5cf1ae699789f81759be6 (diff) | |
Merge tag 'integrity-v5.17' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity
Pull integrity subsystem updates from Mimi Zohar:
"The few changes are all kexec related:
- The MOK keys are loaded onto the .platform keyring in order to
verify the kexec kernel image signature.
However, the MOK keys should only be trusted when secure boot is
enabled. Before loading the MOK keys onto the .platform keyring,
make sure the system is booted in secure boot mode.
- When carrying the IMA measurement list across kexec, limit dumping
the measurement list to when dynamic debug or CONFIG_DEBUG is
enabled.
- kselftest: add kexec_file_load selftest support for PowerNV and
other cleanup"
* tag 'integrity-v5.17' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity:
selftests/kexec: Enable secureboot tests for PowerPC
ima: silence measurement list hexdump during kexec
selftests/kexec: update searching for the Kconfig
selftest/kexec: fix "ignored null byte in input" warning
integrity: Do not load MOK and MOKx when secure boot be disabled
ima: Fix undefined arch_ima_get_secureboot() and co
Diffstat (limited to 'security')
| -rw-r--r-- | security/integrity/ima/ima_kexec.c | 6 | ||||
| -rw-r--r-- | security/integrity/platform_certs/load_uefi.c | 5 |
2 files changed, 8 insertions, 3 deletions
diff --git a/security/integrity/ima/ima_kexec.c b/security/integrity/ima/ima_kexec.c index f799cc278a9a..13753136f03f 100644 --- a/security/integrity/ima/ima_kexec.c +++ b/security/integrity/ima/ima_kexec.c @@ -61,9 +61,9 @@ static int ima_dump_measurement_list(unsigned long *buffer_size, void **buffer, } memcpy(file.buf, &khdr, sizeof(khdr)); - print_hex_dump(KERN_DEBUG, "ima dump: ", DUMP_PREFIX_NONE, - 16, 1, file.buf, - file.count < 100 ? file.count : 100, true); + print_hex_dump_debug("ima dump: ", DUMP_PREFIX_NONE, 16, 1, + file.buf, file.count < 100 ? file.count : 100, + true); *buffer_size = file.count; *buffer = file.buf; diff --git a/security/integrity/platform_certs/load_uefi.c b/security/integrity/platform_certs/load_uefi.c index f290f78c3f30..08b6d12f99b4 100644 --- a/security/integrity/platform_certs/load_uefi.c +++ b/security/integrity/platform_certs/load_uefi.c @@ -6,6 +6,7 @@ #include <linux/err.h> #include <linux/efi.h> #include <linux/slab.h> +#include <linux/ima.h> #include <keys/asymmetric-type.h> #include <keys/system_keyring.h> #include "../integrity.h" @@ -176,6 +177,10 @@ static int __init load_uefi_certs(void) kfree(dbx); } + /* the MOK/MOKx can not be trusted when secure boot is disabled */ + if (!arch_ima_get_secureboot()) + return 0; + mokx = get_cert_list(L"MokListXRT", &mok_var, &mokxsize, &status); if (!mokx) { if (status == EFI_NOT_FOUND) |