diff options
| author |   Dave Young <dyoung@redhat.com> | 2019-08-19 17:17:43 -0700 |
|---|---|---|
| committer |   James Morris <jmorris@namei.org> | 2019-08-19 21:54:15 -0700 |
| commit | fef5dad9876034253d59acbf8c0c314f4d94cf87 (patch) | |
| tree | 1f17869cc8b60692044de992bb20644e3d7c2e21 /arch/x86/kernel/kexec-bzimage64.c | |
| parent | kexec_load: Disable at runtime if the kernel is locked down (diff) | |
| download | linux-dev-fef5dad9876034253d59acbf8c0c314f4d94cf87.tar.xz linux-dev-fef5dad9876034253d59acbf8c0c314f4d94cf87.zip | |
lockdown: Copy secure_boot flag in boot params across kexec reboot
Kexec reboot in case secure boot being enabled does not keep the secure
boot mode in new kernel, so later one can load unsigned kernel via legacy
kexec_load. In this state, the system is missing the protections provided
by secure boot.
Adding a patch to fix this by retain the secure_boot flag in original
kernel.
secure_boot flag in boot_params is set in EFI stub, but kexec bypasses the
stub. Fixing this issue by copying secure_boot flag across kexec reboot.
Signed-off-by: Dave Young <dyoung@redhat.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Matthew Garrett <mjg59@google.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
cc: kexec@lists.infradead.org
Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'arch/x86/kernel/kexec-bzimage64.c')
| -rw-r--r-- | arch/x86/kernel/kexec-bzimage64.c | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/arch/x86/kernel/kexec-bzimage64.c b/arch/x86/kernel/kexec-bzimage64.c index f03237e3f192..5d64a22f99ce 100644 --- a/arch/x86/kernel/kexec-bzimage64.c +++ b/arch/x86/kernel/kexec-bzimage64.c @@ -180,6 +180,7 @@ setup_efi_state(struct boot_params *params, unsigned long params_load_addr, if (efi_enabled(EFI_OLD_MEMMAP)) return 0; + params->secure_boot = boot_params.secure_boot; ei->efi_loader_signature = current_ei->efi_loader_signature; ei->efi_systab = current_ei->efi_systab; ei->efi_systab_hi = current_ei->efi_systab_hi; |