[Fedora 00/19] kernel: Enable Kdump with secureboot/secure modules

Wed Sep 4 21:24:32 UTC 2013

Enabling secureboot or secure modules disable loading kexec kernel. This
also disables kdump feature.

These kernel patches add infrastructure which should allow signing /sbin/kexec
and extend trust chain to user space and allowing loading kernel securly.

I have put some details of problems and solution here.

http://people.redhat.com/vgoyal/kdump-secureboot/kdump-secureboot-summary.txt
https://fedoraproject.org/wiki/Changes/Kdump_with_secureboot

There are other changes for kexec-tools and ima-evm-utils. Those will be
posted separately little later.

Please review.

Thanks
Vivek

Vivek Goyal (19):
  system_keyring: Make keyring searchable for root
  mm: vm_brk(), align the length to page boundary
  integrity: Add a function to determine digital signature length
  ima: Allow adding more memory locking metadata after digital signature
    v2
  integrity: Allow digital signature verification with a given keyring
    ptr
  integrity-export-a-function-to-retrieve-hash-alog-from-digsig
  export-ima-function-to-verify-integrity
  mm: Define a task flag MMF_VM_LOCKED for memlocked tasks and don't
    allow munlock
  binfmt_elf: Elf executable signature verification
  ima: define functions to appraise memory buffer contents
  keyctl: Introduce a new operation KEYCTL_VERIFY_SIGNATURE
  ptrace: Do not allow ptrace() from unsigned process to signed one
  binfmt_elf: Do not mark process signed if binary has elf interpreter
  kexec: Allow only signed processes to call sys_kexec() in secureboot
    mode
  kexec: Export sysfs attributes for secureboot and secure modules to
    user space
  kexec: Remove the loading restrictions of secure_modules() now
  bootparam: Pass acpi_rsdp pointer in bootparam
  modsign_uefi: Do not load uefi certs in kdump kernel
  keys: Chagne default lookup method for key type asymmetric

 arch/x86/include/uapi/asm/bootparam.h    |   3 +-
 arch/x86/kernel/acpi/boot.c              |   5 +
 crypto/asymmetric_keys/asymmetric_type.c |   1 +
 drivers/acpi/osl.c                       |  10 ++
 fs/Kconfig.binfmt                        |  13 +++
 fs/binfmt_elf.c                          | 103 +++++++++++++++++-
 include/linux/acpi.h                     |   1 +
 include/linux/compat.h                   |   4 +-
 include/linux/cred.h                     |   2 +
 include/linux/ima.h                      |  27 +++++
 include/linux/integrity.h                |  19 ++++
 include/linux/sched.h                    |   2 +
 include/linux/syscalls.h                 |   3 +-
 include/uapi/linux/keyctl.h              |  16 +++
 kernel/cred.c                            |   2 +
 kernel/kexec.c                           |  32 ++++--
 kernel/ksysfs.c                          |  20 ++++
 kernel/modsign_uefi.c                    |   9 ++
 kernel/system_keyring.c                  |   2 +-
 mm/mlock.c                               |   6 ++
 mm/mmap.c                                |   8 +-
 security/commoncap.c                     |  11 ++
 security/integrity/digsig.c              | 180 +++++++++++++++++++++++++++++--
 security/integrity/digsig_asymmetric.c   |  18 +---
 security/integrity/ima/ima_api.c         |  51 +++++++++
 security/integrity/ima/ima_appraise.c    | 131 +++++++++++++++++++++-
 security/integrity/integrity.h           |  35 ++++--
 security/keys/compat.c                   |  31 +++++-
 security/keys/internal.h                 |   2 +
 security/keys/keyctl.c                   |  83 +++++++++++++-
 30 files changed, 779 insertions(+), 51 deletions(-)

-- 
1.8.3.1