linux-kernel.vger.kernel.org archive mirror
* [PATCH v2] lockdown: allow kexec_file of unsigned images when not under lockdown
@ 2018-11-05 17:55 Thadeu Lima de Souza Cascardo
  2018-11-07  3:41 ` kbuild test robot
  0 siblings, 1 reply; 2+ messages in thread
From: Thadeu Lima de Souza Cascardo @ 2018-11-05 17:55 UTC (permalink / raw)
  To: David Howells; +Cc: linux-kernel, kexec, Thadeu Lima de Souza Cascardo

If CONFIG_KEXEC_VERIFY_SIG is enabled, kexec -s with an unsigned image will
fail, requiring an image signed with a trusted key. However, that same
kernel will allow kexec to load and boot a kernel, if kexec_file_load is
not used.

Now, lockdown brings a solution to this inconsistency. However, as it is,
it will still prevent an unsigned image from being loaded with kexec -s when the
system is not under lockdown, while still allowing kexec to work.

At the same time, with lockdown, kexec_file_load would still work when
CONFIG_KEXEC_VERIFY_SIG is disabled.

Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
---

v2:
fixed build failure, s/#elif/#else/

---
 kernel/kexec_file.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
index e5bcd94c1efb..b1f0373014c1 100644
--- a/kernel/kexec_file.c
+++ b/kernel/kexec_file.c
@@ -140,10 +140,17 @@ kimage_file_prepare_segments(struct kimage *image, int kernel_fd, int initrd_fd,
 					   image->kernel_buf_len);
 	if (ret) {
 		pr_debug("kernel signature verification failed.\n");
-		goto out;
+	} else {
+		pr_debug("kernel signature verification successful.\n");
 	}
-	pr_debug("kernel signature verification successful.\n");
+#else
+	ret = -EPERM;
 #endif
+	if (ret && kernel_is_locked_down("kexec of unsigned images"))
+		goto out;
+	else
+		ret = 0;
+
 	/* It is possible that there no initramfs is being loaded */
 	if (!(flags & KEXEC_FILE_NO_INITRAMFS)) {
 		ret = kernel_read_file_from_fd(initrd_fd, &image->initrd_buf,
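Review bot: At the new "if (ret && kernel_is_locked_down(...))" check, the "else ret = 0;" branch discards every error returned by arch_kexec_kernel_verify_sig() whenever the kernel is not locked down, so an image whose signature fails verification is accepted exactly like an image with no signature, and the only trace left is a pr_debug. Consider reporting the failure at a more visible level than pr_debug on this path, and add a comment that the -EPERM assigned under #else is only a marker for "not verified" that is cleared again a few lines later. The hunk also calls kernel_is_locked_down() without adding an include, so the changelog should say which tree or series this applies on top of. Finally, the "else" after "goto out;" is redundant; a plain "ret = 0;" following the if reads more clearly.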
-- 
2.19.1



* Re: [PATCH v2] lockdown: allow kexec_file of unsigned images when not under lockdown
  2018-11-05 17:55 [PATCH v2] lockdown: allow kexec_file of unsigned images when not under lockdown Thadeu Lima de Souza Cascardo
@ 2018-11-07  3:41 ` kbuild test robot
  0 siblings, 0 replies; 2+ messages in thread
From: kbuild test robot @ 2018-11-07  3:41 UTC (permalink / raw)
  To: Thadeu Lima de Souza Cascardo
  Cc: kbuild-all, David Howells, linux-kernel, kexec,
	Thadeu Lima de Souza Cascardo


Hi Thadeu,

I love your patch! Yet something to improve:

[auto build test ERROR on linus/master]
[also build test ERROR on v4.20-rc1 next-20181106]
[if your patch is applied to the wrong git tree, please drop us a note to help improve the system]

url:    https://github.com/0day-ci/linux/commits/Thadeu-Lima-de-Souza-Cascardo/lockdown-allow-kexec_file-of-unsigned-images-when-not-under-lockdown/20181106-081252
config: x86_64-fedora-25 (attached as .config)
compiler: gcc-7 (Debian 7.3.0-1) 7.3.0
reproduce:
        # save the attached .config to linux build tree
        make ARCH=x86_64 

All errors (new ones prefixed by >>):

   kernel/kexec_file.c: In function 'kimage_file_prepare_segments':
>> kernel/kexec_file.c:220:13: error: implicit declaration of function 'kernel_is_locked_down'; did you mean 'kernel_sigaction'? [-Werror=implicit-function-declaration]
     if (ret && kernel_is_locked_down("kexec of unsigned images"))
                ^~~~~~~~~~~~~~~~~~~~~
                kernel_sigaction
   cc1: some warnings being treated as errors

vim +220 kernel/kexec_file.c

   180	
   181	/*
   182	 * In file mode list of segments is prepared by kernel. Copy relevant
   183	 * data from user space, do error checking, prepare segment list
   184	 */
   185	static int
   186	kimage_file_prepare_segments(struct kimage *image, int kernel_fd, int initrd_fd,
   187				     const char __user *cmdline_ptr,
   188				     unsigned long cmdline_len, unsigned flags)
   189	{
   190		int ret = 0;
   191		void *ldata;
   192		loff_t size;
   193	
   194		ret = kernel_read_file_from_fd(kernel_fd, &image->kernel_buf,
   195					       &size, INT_MAX, READING_KEXEC_IMAGE);
   196		if (ret)
   197			return ret;
   198		image->kernel_buf_len = size;
   199	
   200		/* IMA needs to pass the measurement list to the next kernel. */
   201		ima_add_kexec_buffer(image);
   202	
   203		/* Call arch image probe handlers */
   204		ret = arch_kexec_kernel_image_probe(image, image->kernel_buf,
   205						    image->kernel_buf_len);
   206		if (ret)
   207			goto out;
   208	
   209	#ifdef CONFIG_KEXEC_VERIFY_SIG
   210		ret = arch_kexec_kernel_verify_sig(image, image->kernel_buf,
   211						   image->kernel_buf_len);
   212		if (ret) {
   213			pr_debug("kernel signature verification failed.\n");
   214		} else {
   215			pr_debug("kernel signature verification successful.\n");
   216		}
   217	#else
   218		ret = -EPERM;
   219	#endif
 > 220		if (ret && kernel_is_locked_down("kexec of unsigned images"))
   221			goto out;
   222		else
   223			ret = 0;
   224	
   225		/* It is possible that there no initramfs is being loaded */
   226		if (!(flags & KEXEC_FILE_NO_INITRAMFS)) {
   227			ret = kernel_read_file_from_fd(initrd_fd, &image->initrd_buf,
   228						       &size, INT_MAX,
   229						       READING_KEXEC_INITRAMFS);
   230			if (ret)
   231				goto out;
   232			image->initrd_buf_len = size;
   233		}
   234	
   235		if (cmdline_len) {
   236			image->cmdline_buf = memdup_user(cmdline_ptr, cmdline_len);
   237			if (IS_ERR(image->cmdline_buf)) {
   238				ret = PTR_ERR(image->cmdline_buf);
   239				image->cmdline_buf = NULL;
   240				goto out;
   241			}
   242	
   243			image->cmdline_buf_len = cmdline_len;
   244	
   245			/* command line should be a string with last byte null */
   246			if (image->cmdline_buf[cmdline_len - 1] != '\0') {
   247				ret = -EINVAL;
   248				goto out;
   249			}
   250		}
   251	
   252		/* Call arch image load handlers */
   253		ldata = arch_kexec_kernel_image_load(image);
   254	
   255		if (IS_ERR(ldata)) {
   256			ret = PTR_ERR(ldata);
   257			goto out;
   258		}
   259	
   260		image->image_loader_data = ldata;
   261	out:
   262		/* In case of error, free up all allocated memory in this function */
   263		if (ret)
   264			kimage_file_post_load_cleanup(image);
   265		return ret;
   266	}
   267	

---
0-DAY kernel test infrastructure                Open Source Technology Center
https://lists.01.org/pipermail/kbuild-all                   Intel Corporation
