[PATCH v2] kexec: add sysctl to disable kexec

Kees Cook keescook at chromium.org
Wed Dec 11 16:13:32 EST 2013


On Wed, Dec 11, 2013 at 9:52 AM, Eric W. Biederman
<ebiederm at xmission.com> wrote:
> Kees Cook <keescook at chromium.org> writes:
>
>> For general-purpose (i.e. distro) kernel builds it makes sense to build with
>> CONFIG_KEXEC to allow end users to choose what kind of things they want to do
>> with kexec. However, in the face of trying to lock down a system with such
>> a kernel, there needs to be a way to disable kexec (much like module loading
>> can be disabled). Without this, it is too easy for the root user to modify
>> kernel memory even when CONFIG_STRICT_DEVMEM and modules_disabled are
>> set.
>
> So let me get this straight.  You object to what happens in sys_reboot
> so you patch sys_kexec_load?

Yes; it's the entry point for loading the image used for crashes and
LINUX_REBOOT_CMD_KEXEC.

> You give someone the privilege to boot whatever they want and yet you
> don't want to support them booting whatever they want?
>
> I'm sorry my brain is hurting trying to understand the logic of this
> patch.

I'm not trying to claim this fixes all attack vectors from a root
user. That is exceedingly hard. :) However, kexec gives the root user
a trivial (and undetectable) way to modify the running kernel.
Providing an option to block sys_kexec_load for systems that will
never use it (or will use it once at startup) is valuable in several
situations. There's no reason to make an attacker's job easier, and
this doesn't get in any one else's way.

-Kees

-- 
Kees Cook
Chrome OS Security



More information about the kexec mailing list