if (!capable(CAP_SYS_BOOT) || kexec_load_disabled)
return -EPERM;
+ /* Don't permit images to be loaded into trusted kernels if we're not
+ * going to verify the signature on them
+ */
+ if (!IS_ENABLED(CONFIG_KEXEC_VERIFY_SIG) &&
+ kernel_is_locked_down("kexec of unsigned images"))
+ return -EPERM;
+
/* Make sure we have a legal set of flags */
if (flags != (flags & KEXEC_FILE_FLAGS))
return -EINVAL;