[PATCH v2] kexec: restore functionality to preserve fd xattrs for uncompressed kernel images

Simon Horman horms at kernel.org
Wed May 27 00:42:04 PDT 2026


On Tue, May 26, 2026 at 03:17:14PM +0000, Alejandro Hernandez wrote:
> Since commit 714fa115, xattrs attached to a kernel image file (such as IMA
> signatures) are not being preserved: do_kexec_file_load() was modified to use
> memfd_create(), which now passes an anonymous file descriptor to
> kexec_file_load(). This change eliminated the filesystem inode identity of the
> original kernel file, hence attributes are no longer visible to the kernel IMA
> appraisal handler during kexec_file_load, causing IMA policy enforcement to fail
> even for validly signed kernel images.
> 
> This patch attempts to restore such behavior, although only for uncompressed
> kernel images. To do this, we first figure out whether the image file is
> compressed or not and call each method accordingly.
> 
> Compressed images continue to use memfd and cannot carry forward the original fd
> security attributes, since their decompressed bytes do not match the signed
> artifact. Proper handling of compressed images with IMA would require either
> signing the decompressed artifact or kernel-side support for decompression
> within the kexec_file_load path.
> 
> Signed-off-by: Alejandro Hernandez Samaniego <alhe at linux.microsoft.com>

Thanks, applied.

- kexec: restore functionality to preserve fd xattrs for uncompressed kernel images
  https://git.kernel.org/pub/scm/utils/kernel/kexec/kexec-tools.git/commit/?id=f75be9241acc
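The decision the commit message describes, as an added C example that is not kexec-tools' own code: classify the image by the container magic bytes of gzip, xz, zstd, lz4 and bzip2 (a constructed lookup table; the enum, function names and the "kexec-image" memfd name are assumptions), hand the original fd through when the file is uncompressed so xattrs such as security.ima remain visible to IMA appraisal, and otherwise fall back to a memfd, which carries no xattrs at all. Decompression itself is omitted; an empty memfd is enough to show the lost attribute.

```c
/* Added example, not kexec-tools code: choose between passing a kernel image's
 * original fd to kexec_file_load() (xattrs preserved) and the memfd path
 * (xattrs lost), based on whether the file is a compressed container. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>
#include <unistd.h>
#include <fcntl.h>
#ifdef __linux__
#include <sys/syscall.h>
#include <sys/xattr.h>
#endif

enum image_kind {
    IMAGE_UNCOMPRESSED = 0, IMAGE_GZIP, IMAGE_XZ, IMAGE_ZSTD, IMAGE_LZ4, IMAGE_BZIP2
};

/* Container magics from the public format specs (constructed table). Note that
 * an x86 bzImage is a self-extracting kernel, not a compressed container, so it
 * is correctly classified as uncompressed here. */
static const struct {
    enum image_kind kind;
    size_t len;
    unsigned char magic[6];
} magics[] = {
    { IMAGE_GZIP,  2, { 0x1f, 0x8b } },
    { IMAGE_XZ,    6, { 0xfd, '7', 'z', 'X', 'Z', 0x00 } },
    { IMAGE_ZSTD,  4, { 0x28, 0xb5, 0x2f, 0xfd } },
    { IMAGE_LZ4,   4, { 0x04, 0x22, 0x4d, 0x18 } },
    { IMAGE_BZIP2, 3, { 'B', 'Z', 'h' } },
};

/* Classify the first bytes of an image file; anything without a known
 * compression magic is treated as an uncompressed kernel image. */
enum image_kind classify_image(const unsigned char *buf, size_t len)
{
    for (size_t i = 0; i < sizeof magics / sizeof magics[0]; i++)
        if (len >= magics[i].len && memcmp(buf, magics[i].magic, magics[i].len) == 0)
            return magics[i].kind;
    return IMAGE_UNCOMPRESSED;
}

/* Returns 1 when the original fd can be passed straight to kexec_file_load(),
 * keeping the inode identity and its security.* xattrs; 0 when the image must
 * be decompressed into a memfd, where those xattrs are unavailable. */
int can_pass_original_fd(const unsigned char *buf, size_t len)
{
    return classify_image(buf, len) == IMAGE_UNCOMPRESSED;
}

#if defined(__linux__) && defined(SYS_memfd_create)
/* Demo: classify argv[1] and report whether the fd that would reach
 * kexec_file_load() still exposes a security.ima xattr. */
int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s <kernel-image>\n", argv[0]);
        return 2;
    }
    int fd = open(argv[1], O_RDONLY);
    if (fd < 0) { perror("open"); return 1; }

    unsigned char hdr[8];
    ssize_t n = read(fd, hdr, sizeof hdr);
    if (n < 0) { perror("read"); return 1; }

    enum image_kind kind = classify_image(hdr, (size_t)n);
    int load_fd = fd;
    if (kind != IMAGE_UNCOMPRESSED) {
        /* Compressed: decompressed bytes would go into this memfd (omitted). */
        load_fd = (int)syscall(SYS_memfd_create, "kexec-image", 0);
        if (load_fd < 0) { perror("memfd_create"); return 1; }
    }

    /* Size 0 asks only for the attribute length; -1 means no such xattr. */
    ssize_t sz = fgetxattr(load_fd, "security.ima", NULL, 0);
    printf("%s: %s; fd handed to kexec_file_load() %s a security.ima xattr\n",
           argv[1],
           kind == IMAGE_UNCOMPRESSED ? "uncompressed, original fd passed through"
                                      : "compressed, memfd path",
           sz >= 0 ? "carries" : "has no");
    return 0;
}
#endif
```

Run it against a signed, uncompressed image and the xattr is reported on the very fd the kernel would appraise; run it against the same image gzipped and the memfd shows none, which is the gap the commit message leaves open for compressed images.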
