From: Vivek Goyal <vgoyal@redhat.com>
To: linux-kernel@vger.kernel.org
Cc: ebiederm@xmission.com, hpa@zytor.com, mjg59@srcf.ucam.org,
greg@kroah.com, bp@alien8.de, dyoung@redhat.com,
chaowang@redhat.com, bhe@redhat.com, akpm@linux-foundation.org,
dhowells@redhat.com, pjones@redhat.com,
Vivek Goyal <vgoyal@redhat.com>
Subject: [RFC PATCH 0/9] kexec: Verify signature of PE signed bzImage
Date: Thu, 3 Jul 2014 17:07:12 -0400 [thread overview]
Message-ID: <1404421641-12691-1-git-send-email-vgoyal@redhat.com> (raw)
Hi,
This patch series enables signature verification of signed PE bzimage. This
patches series needs two more patch series before it.
First one is kexec_file_load() syscall support posted here.
https://lkml.org/lkml/2014/6/26/497
This patch seris is also available in -mm tree now.
Second one is PKCS7 signature parsing and verification support. These
patches are available in David Howells's modsign tree in pkcs7 branch.
https://git.kernel.org/cgit/linux/kernel/git/dhowells/linux-modsign.git/log/?h=pkcs7
This patch series is based on David Howells's work of PE file parsing
and PKCS7 signature verificaiton. Now PKCS7 signature part is available
in his tree. So I have taken PE file parsing patches, changed them a
bit and posting these here.
Now kexec bzImage loader calls into pefile parser and passes the PE
signed bzImage for signature verification.
Two new config options have been intorduced. First one is
CONFIG_KEXEC_VERIFY_SIG. This option enforces that kernel has to be
validly signed otherwise kernel load will fail. If this option is not
set, no signature verification will be done. Only exception will be
when secureboot is enabled. In that case signature verification should
be automatically enforced when secureboot is enabled. But that will
happen when secureboot patches are merged.
Second config option is CONFIG_KEXEC_BZIMAGE_VERIFY_SIG. This option
enables signature verification support on bzImage. If this option is
not set and previous one is set, kernel image loading will fail because
kernel does not have support to verify signature of bzImage.
I tested these patches with both "pesign" and "sbsign" signed bzImages.
I used signing_key.priv key and signing_key.x509 cert for signing as
generated during kernel build process (if module signing is enabled).
Used following method to sign bzImage.
pesign
======
- Convert DER format cert to PEM format cert
openssl x509 -in signing_key.x509 -inform DER -out signing_key.x509.PEM -outform PEM
- Generate a .p12 file from existing cert and private key file
openssl pkcs12 -export -out kernel-key.p12 -inkey signing_key.priv -in signing_key.x509.PEM
- Import .p12 file into pesign db
pk12util -i /tmp/kernel-key.p12 -d /etc/pki/pesign
- Sign bzImage
pesign -i /boot/vmlinuz-3.16.0-rc3+ -o /boot/vmlinuz-3.16.0-rc3+.signed.pesign -c "Glacier signing key - Magrathea" -s
sbsign
======
sbsign --key signing_key.priv --cert signing_key.x509.PEM --output /boot/vmlinuz-3.16.0-rc3+.signed.sbsign /boot/vmlinuz-3.16.0-rc3+
Please review. Any feedback is welcome.
Thanks
Vivek
Vivek Goyal (9):
pkcs7: Forward declare struct key in pkcs7.h
Provide PE binary definitions
pefile: Parse a PE binary and verify signature
pefile: Strip the wrapper off of the cert data block
pefile: Parse the presumed PKCS#7 content of the certificate blob
pefile: Parse the "Microsoft individual code signing" data blob
pefile: Digest the PE binary and compare to the PKCS#7 data
PEFILE: Validate PKCS#7 trust chain
kexec: Verify the signature of signed PE bzImage
arch/x86/Kconfig | 31 +++
arch/x86/kernel/Makefile | 7 +
arch/x86/kernel/kexec-bzimage64.c | 11 +
arch/x86/kernel/machine_kexec_64.c | 11 +
arch/x86/kernel/mscode.asn1 | 28 +++
arch/x86/kernel/mscode_parser.c | 126 +++++++++++
arch/x86/kernel/pefile_parser.c | 437 ++++++++++++++++++++++++++++++++++++
arch/x86/kernel/pefile_parser.h | 36 +++
include/crypto/pkcs7.h | 1 +
include/linux/kexec.h | 3 +
include/linux/oid_registry.h | 7 +-
include/linux/pe.h | 448 +++++++++++++++++++++++++++++++++++++
kernel/kexec.c | 15 ++
13 files changed, 1160 insertions(+), 1 deletion(-)
create mode 100644 arch/x86/kernel/mscode.asn1
create mode 100644 arch/x86/kernel/mscode_parser.c
create mode 100644 arch/x86/kernel/pefile_parser.c
create mode 100644 arch/x86/kernel/pefile_parser.h
create mode 100644 include/linux/pe.h
--
1.9.0
next reply other threads:[~2014-07-03 21:08 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-07-03 21:07 Vivek Goyal [this message]
2014-07-03 21:07 ` [PATCH 1/9] pkcs7: Forward declare struct key in pkcs7.h Vivek Goyal
2014-07-03 21:07 ` [PATCH 2/9] Provide PE binary definitions Vivek Goyal
2014-07-04 19:12 ` Anca Emanuel
2014-07-04 19:14 ` H. Peter Anvin
2014-07-04 19:16 ` Matthew Garrett
2014-07-03 21:07 ` [PATCH 3/9] pefile: Parse a PE binary and verify signature Vivek Goyal
2014-07-03 21:07 ` [PATCH 4/9] pefile: Strip the wrapper off of the cert data block Vivek Goyal
2014-07-03 21:07 ` [PATCH 5/9] pefile: Parse the presumed PKCS#7 content of the certificate blob Vivek Goyal
2014-07-03 21:07 ` [PATCH 6/9] pefile: Parse the "Microsoft individual code signing" data blob Vivek Goyal
2014-07-03 21:07 ` [PATCH 7/9] pefile: Digest the PE binary and compare to the PKCS#7 data Vivek Goyal
2014-07-03 21:07 ` [PATCH 8/9] PEFILE: Validate PKCS#7 trust chain Vivek Goyal
2014-07-03 21:07 ` [PATCH 9/9] kexec: Verify the signature of signed PE bzImage Vivek Goyal
2014-07-04 14:51 ` [RFC PATCH 0/9] kexec: Verify signature of PE signed bzImage Borislav Petkov
2014-07-05 3:01 ` Vivek Goyal
2014-07-08 15:54 ` Borislav Petkov
2014-07-08 16:07 ` Vivek Goyal
2014-07-08 16:12 ` Borislav Petkov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1404421641-12691-1-git-send-email-vgoyal@redhat.com \
--to=vgoyal@redhat.com \
--cc=akpm@linux-foundation.org \
--cc=bhe@redhat.com \
--cc=bp@alien8.de \
--cc=chaowang@redhat.com \
--cc=dhowells@redhat.com \
--cc=dyoung@redhat.com \
--cc=ebiederm@xmission.com \
--cc=greg@kroah.com \
--cc=hpa@zytor.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mjg59@srcf.ucam.org \
--cc=pjones@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.