
evm: Don't enable fix mode when secure boot is enabled

Similar to IMA fix mode, forbid EVM fix mode when secure boot is
enabled.

Reported-and-suggested-by: Mimi Zohar <zohar@linux.ibm.com>
Suggested-by: Roberto Sassu <roberto.sassu@huawei.com>
Signed-off-by: Coiby Xu <coxu@redhat.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>

authored by

Coiby Xu and committed by
Mimi Zohar
cf75c863 31a6a07e

+19 -9
+19 -9
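--- a/security/integrity/evm/evm_main.c
+++ b/security/integrity/evm/evm_main.c
@@ -72,17 +72,25 @@
 
 LIST_HEAD(evm_config_xattrnames);
 
-static int evm_fixmode __ro_after_init;
-static int __init evm_set_fixmode(char *str)
-{
-	if (strncmp(str, "fix", 3) == 0)
-		evm_fixmode = 1;
-	else
-		pr_err("invalid \"%s\" mode", str);
+static char *evm_cmdline __initdata;
+core_param(evm, evm_cmdline, charp, 0);
 
-	return 1;
+static int evm_fixmode __ro_after_init;
+static void __init evm_set_fixmode(void)
+{
+	if (!evm_cmdline)
+		return;
+
+	if (strncmp(evm_cmdline, "fix", 3) == 0) {
+		if (arch_get_secureboot()) {
+			pr_info("Secure boot enabled: ignoring evm=fix");
+			return;
+		}
+		evm_fixmode = 1;
+	} else {
+		pr_err("invalid \"%s\" mode", evm_cmdline);
+	}
 }
-__setup("evm=", evm_set_fixmode);
 
 static void __init evm_init_config(void)
 {
@@ -1126,6 +1118,8 @@
 	struct list_head *pos, *q;
 
 	evm_init_config();
+
+	evm_set_fixmode();
 
 	error = integrity_init_keyring(INTEGRITY_KEYRING_EVM);
 	if (error)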
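Review bot: The mode check in the rewritten evm_set_fixmode() still compares only a three-byte prefix, so any value starting with "fix" (evm=fixme, evm=fixed) enables fix mode; since the body is being rewritten anyway, `if (strcmp(evm_cmdline, "fix") == 0) {` would make the accepted value exact and reject anything else through the existing pr_err path. The new pr_info and the carried-over pr_err both lack the trailing newline the kernel logging helpers expect, e.g. `pr_info("Secure boot enabled: ignoring evm=fix\n");`. A short comment above evm_set_fixmode() should record why parsing moved from __setup() to a core_param plus an explicit call from the init routine in the second hunk — presumably so arch_get_secureboot() is consulted at a point where the platform's secure-boot state can actually be read rather than during early command-line parsing; please confirm the real reason and state it, since a later reader may otherwise "simplify" it back to __setup(). That comment is also the natural place to say that secure boot deliberately ignores evm=fix, mirroring the IMA behaviour the description refers to, so the ordering of the check before `evm_fixmode = 1` is understood as intentional.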