kexec: Disable at runtime if the kernel is locked down
kexec permits the loading and execution of arbitrary code in ring 0, which
is something that lock-down is meant to prevent. It makes sense to disable
kexec in this situation.
This does not affect kexec_file_load() which can check for a signature on the
image to be booted.
Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: Dave Young <dyoung@redhat.com>
Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
Reviewed-by: James Morris <james.l.morris@oracle.com>
cc: kexec@lists.infradead.org
[bwh: Adjust context to apply after commit
a210fd32a46b
"kexec: add call to LSM hook in original kexec_load syscall"]
Gbp-Pq: Topic features/all/lockdown
Gbp-Pq: Name 0006-kexec-Disable-at-runtime-if-the-kernel-is-locked-dow.patch
projects / linux.git / commit