[Fedora 00/19] kernel: Enable Kdump with secureboot/secure modules
Vivek Goyal
vgoyal at redhat.com
Wed Sep 4 21:24:32 UTC 2013
Enabling secureboot or secure modules disables loading of the kexec kernel. This
also disables the kdump feature.
These kernel patches add infrastructure which should allow signing /sbin/kexec,
extend the trust chain to user space and allow loading the kernel securely.
I have put some details of the problems and solution here:
http://people.redhat.com/vgoyal/kdump-secureboot/kdump-secureboot-summary.txt
https://fedoraproject.org/wiki/Changes/Kdump_with_secureboot
There are other changes for kexec-tools and ima-evm-utils. Those will be
posted separately a little later.
Please review.
Thanks
Vivek
Vivek Goyal (19):
  system_keyring: Make keyring searchable for root
  mm: vm_brk(), align the length to page boundary
  integrity: Add a function to determine digital signature length
  ima: Allow adding more memory locking metadata after digital signature v2
  integrity: Allow digital signature verification with a given keyring ptr
  integrity-export-a-function-to-retrieve-hash-alog-from-digsig
  export-ima-function-to-verify-integrity
  mm: Define a task flag MMF_VM_LOCKED for memlocked tasks and don't allow munlock
  binfmt_elf: Elf executable signature verification
  ima: define functions to appraise memory buffer contents
  keyctl: Introduce a new operation KEYCTL_VERIFY_SIGNATURE
  ptrace: Do not allow ptrace() from unsigned process to signed one
  binfmt_elf: Do not mark process signed if binary has elf interpreter
  kexec: Allow only signed processes to call sys_kexec() in secureboot mode
  kexec: Export sysfs attributes for secureboot and secure modules to user space
  kexec: Remove the loading restrictions of secure_modules() now
  bootparam: Pass acpi_rsdp pointer in bootparam
  modsign_uefi: Do not load uefi certs in kdump kernel
  keys: Chagne default lookup method for key type asymmetric

arch/x86/include/uapi/asm/bootparam.h | 3 +-
arch/x86/kernel/acpi/boot.c | 5 +
crypto/asymmetric_keys/asymmetric_type.c | 1 +
drivers/acpi/osl.c | 10 ++
fs/Kconfig.binfmt | 13 +++
fs/binfmt_elf.c | 103 +++++++++++++++++-
include/linux/acpi.h | 1 +
include/linux/compat.h | 4 +-
include/linux/cred.h | 2 +
include/linux/ima.h | 27 +++++
include/linux/integrity.h | 19 ++++
include/linux/sched.h | 2 +
include/linux/syscalls.h | 3 +-
include/uapi/linux/keyctl.h | 16 +++
kernel/cred.c | 2 +
kernel/kexec.c | 32 ++++--
kernel/ksysfs.c | 20 ++++
kernel/modsign_uefi.c | 9 ++
kernel/system_keyring.c | 2 +-
mm/mlock.c | 6 ++
mm/mmap.c | 8 +-
security/commoncap.c | 11 ++
security/integrity/digsig.c | 180 +++++++++++++++++++++++++++++--
security/integrity/digsig_asymmetric.c | 18 +---
security/integrity/ima/ima_api.c | 51 +++++++++
security/integrity/ima/ima_appraise.c | 131 +++++++++++++++++++++-
security/integrity/integrity.h | 35 ++++--
security/keys/compat.c | 31 +++++-
security/keys/internal.h | 2 +
security/keys/keyctl.c | 83 +++++++++++++-
30 files changed, 779 insertions(+), 51 deletions(-)
--
1.8.3.1