[PATCH v5 0/3] use more system keyrings to verify arm64 kdump kernel image signature

[PATCH v5 0/3] use more system keyrings to verify arm64 kdump kernel image signature

[Coiby Xu]

Currently, a problem faced by arm64 is if a kernel image is signed by a
MOK key, loading it via the kexec_file_load() system call would be
rejected with the error "Lockdown: kexec: kexec of unsigned images is
restricted; see man kernel_lockdown.7".

This patch set allows arm64 to use more system keyrings to verify kdump 
kernel image signature by making the existing code in x64 public.

v5:
 - improve commit message [Baoquan]

v4:
 - fix commit reference format issue and other checkpatch.pl warnings [Baoquan]

v3:
 - s/arch_kexec_kernel_verify_pe_sig/kexec_kernel_verify_pe_sig [Eric]
 - clean up arch_kexec_kernel_verify_sig [Eric]

v2:
 - only x86_64 and arm64 need to enable PE file signature check [Dave]

Coiby Xu (3):
  kexec: clean up arch_kexec_kernel_verify_sig
  kexec, KEYS: make the code in bzImage64_verify_sig generic
  arm64: kexec_file: use more system keyrings to verify kernel image
    signature

 arch/arm64/kernel/kexec_image.c   |  4 +--
 arch/x86/kernel/kexec-bzimage64.c | 13 +-------
 include/linux/kexec.h             |  7 +++--
 kernel/kexec_file.c               | 51 ++++++++++++++++++-------------
 4 files changed, 37 insertions(+), 38 deletions(-)

-- 
2.34.1


_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

[PATCH v5 0/3] use more system keyrings to verify arm64 kdump kernel image signature

[Coiby Xu]

Currently, a problem faced by arm64 is if a kernel image is signed by a
MOK key, loading it via the kexec_file_load() system call would be
rejected with the error "Lockdown: kexec: kexec of unsigned images is
restricted; see man kernel_lockdown.7".

This patch set allows arm64 to use more system keyrings to verify kdump 
kernel image signature by making the existing code in x64 public.

v5:
 - improve commit message [Baoquan]

v4:
 - fix commit reference format issue and other checkpatch.pl warnings [Baoquan]

v3:
 - s/arch_kexec_kernel_verify_pe_sig/kexec_kernel_verify_pe_sig [Eric]
 - clean up arch_kexec_kernel_verify_sig [Eric]

v2:
 - only x86_64 and arm64 need to enable PE file signature check [Dave]

Coiby Xu (3):
  kexec: clean up arch_kexec_kernel_verify_sig
  kexec, KEYS: make the code in bzImage64_verify_sig generic
  arm64: kexec_file: use more system keyrings to verify kernel image
    signature

 arch/arm64/kernel/kexec_image.c   |  4 +--
 arch/x86/kernel/kexec-bzimage64.c | 13 +-------
 include/linux/kexec.h             |  7 +++--
 kernel/kexec_file.c               | 51 ++++++++++++++++++-------------
 4 files changed, 37 insertions(+), 38 deletions(-)

-- 
2.34.1

[PATCH v5 1/3] kexec: clean up arch_kexec_kernel_verify_sig

[Coiby Xu]

Currently there is no arch-specific implementation of
arch_kexec_kernel_verify_sig. Even if we want to add an implementation
for an architecture in the future, we can simply use "(struct
kexec_file_ops*)->verify_sig". So clean it up.

Suggested-by: Eric W. Biederman <ebiederm@xmission.com>
Signed-off-by: Coiby Xu <coxu@redhat.com>
---
 include/linux/kexec.h |  4 ----
 kernel/kexec_file.c   | 34 +++++++++++++---------------------
 2 files changed, 13 insertions(+), 25 deletions(-)

diff --git a/include/linux/kexec.h b/include/linux/kexec.h
index 0c994ae37729..755fed183224 100644
--- a/include/linux/kexec.h
+++ b/include/linux/kexec.h
@@ -196,10 +196,6 @@ int arch_kexec_apply_relocations(struct purgatory_info *pi,
 				 const Elf_Shdr *relsec,
 				 const Elf_Shdr *symtab);
 int arch_kimage_file_post_load_cleanup(struct kimage *image);
-#ifdef CONFIG_KEXEC_SIG
-int arch_kexec_kernel_verify_sig(struct kimage *image, void *buf,
-				 unsigned long buf_len);
-#endif
 int arch_kexec_locate_mem_hole(struct kexec_buf *kbuf);
 
 extern int kexec_add_buffer(struct kexec_buf *kbuf);
diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
index 8347fc158d2b..3720435807eb 100644
--- a/kernel/kexec_file.c
+++ b/kernel/kexec_file.c
@@ -89,25 +89,6 @@ int __weak arch_kimage_file_post_load_cleanup(struct kimage *image)
 	return kexec_image_post_load_cleanup_default(image);
 }
 
-#ifdef CONFIG_KEXEC_SIG
-static int kexec_image_verify_sig_default(struct kimage *image, void *buf,
-					  unsigned long buf_len)
-{
-	if (!image->fops || !image->fops->verify_sig) {
-		pr_debug("kernel loader does not support signature verification.\n");
-		return -EKEYREJECTED;
-	}
-
-	return image->fops->verify_sig(buf, buf_len);
-}
-
-int __weak arch_kexec_kernel_verify_sig(struct kimage *image, void *buf,
-					unsigned long buf_len)
-{
-	return kexec_image_verify_sig_default(image, buf, buf_len);
-}
-#endif
-
 /*
  * arch_kexec_apply_relocations_add - apply relocations of type RELA
  * @pi:		Purgatory to be relocated.
@@ -184,13 +165,24 @@ void kimage_file_post_load_cleanup(struct kimage *image)
 }
 
 #ifdef CONFIG_KEXEC_SIG
+static int kexec_image_verify_sig(struct kimage *image, void *buf,
+		unsigned long buf_len)
+{
+	if (!image->fops || !image->fops->verify_sig) {
+		pr_debug("kernel loader does not support signature verification.\n");
+		return -EKEYREJECTED;
+	}
+
+	return image->fops->verify_sig(buf, buf_len);
+}
+
 static int
 kimage_validate_signature(struct kimage *image)
 {
 	int ret;
 
-	ret = arch_kexec_kernel_verify_sig(image, image->kernel_buf,
-					   image->kernel_buf_len);
+	ret = kexec_image_verify_sig(image, image->kernel_buf,
+			image->kernel_buf_len);
 	if (ret) {
 
 		if (IS_ENABLED(CONFIG_KEXEC_SIG_FORCE)) {
-- 
2.34.1

[PATCH v5 1/3] kexec: clean up arch_kexec_kernel_verify_sig

[Coiby Xu]

Currently there is no arch-specific implementation of
arch_kexec_kernel_verify_sig. Even if we want to add an implementation
for an architecture in the future, we can simply use "(struct
kexec_file_ops*)->verify_sig". So clean it up.

Suggested-by: Eric W. Biederman <ebiederm@xmission.com>
Signed-off-by: Coiby Xu <coxu@redhat.com>
---
 include/linux/kexec.h |  4 ----
 kernel/kexec_file.c   | 34 +++++++++++++---------------------
 2 files changed, 13 insertions(+), 25 deletions(-)

diff --git a/include/linux/kexec.h b/include/linux/kexec.h
index 0c994ae37729..755fed183224 100644
--- a/include/linux/kexec.h
+++ b/include/linux/kexec.h
@@ -196,10 +196,6 @@ int arch_kexec_apply_relocations(struct purgatory_info *pi,
 				 const Elf_Shdr *relsec,
 				 const Elf_Shdr *symtab);
 int arch_kimage_file_post_load_cleanup(struct kimage *image);
-#ifdef CONFIG_KEXEC_SIG
-int arch_kexec_kernel_verify_sig(struct kimage *image, void *buf,
-				 unsigned long buf_len);
-#endif
 int arch_kexec_locate_mem_hole(struct kexec_buf *kbuf);
 
 extern int kexec_add_buffer(struct kexec_buf *kbuf);
diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
index 8347fc158d2b..3720435807eb 100644
--- a/kernel/kexec_file.c
+++ b/kernel/kexec_file.c
@@ -89,25 +89,6 @@ int __weak arch_kimage_file_post_load_cleanup(struct kimage *image)
 	return kexec_image_post_load_cleanup_default(image);
 }
 
-#ifdef CONFIG_KEXEC_SIG
-static int kexec_image_verify_sig_default(struct kimage *image, void *buf,
-					  unsigned long buf_len)
-{
-	if (!image->fops || !image->fops->verify_sig) {
-		pr_debug("kernel loader does not support signature verification.\n");
-		return -EKEYREJECTED;
-	}
-
-	return image->fops->verify_sig(buf, buf_len);
-}
-
-int __weak arch_kexec_kernel_verify_sig(struct kimage *image, void *buf,
-					unsigned long buf_len)
-{
-	return kexec_image_verify_sig_default(image, buf, buf_len);
-}
-#endif
-
 /*
  * arch_kexec_apply_relocations_add - apply relocations of type RELA
  * @pi:		Purgatory to be relocated.
@@ -184,13 +165,24 @@ void kimage_file_post_load_cleanup(struct kimage *image)
 }
 
 #ifdef CONFIG_KEXEC_SIG
+static int kexec_image_verify_sig(struct kimage *image, void *buf,
+		unsigned long buf_len)
+{
+	if (!image->fops || !image->fops->verify_sig) {
+		pr_debug("kernel loader does not support signature verification.\n");
+		return -EKEYREJECTED;
+	}
+
+	return image->fops->verify_sig(buf, buf_len);
+}
+
 static int
 kimage_validate_signature(struct kimage *image)
 {
 	int ret;
 
-	ret = arch_kexec_kernel_verify_sig(image, image->kernel_buf,
-					   image->kernel_buf_len);
+	ret = kexec_image_verify_sig(image, image->kernel_buf,
+			image->kernel_buf_len);
 	if (ret) {
 
 		if (IS_ENABLED(CONFIG_KEXEC_SIG_FORCE)) {
-- 
2.34.1


_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

[PATCH v5 1/3] kexec: clean up arch_kexec_kernel_verify_sig

[Coiby Xu]

Currently there is no arch-specific implementation of
arch_kexec_kernel_verify_sig. Even if we want to add an implementation
for an architecture in the future, we can simply use "(struct
kexec_file_ops*)->verify_sig". So clean it up.

Suggested-by: Eric W. Biederman <ebiederm@xmission.com>
Signed-off-by: Coiby Xu <coxu@redhat.com>
---
 include/linux/kexec.h |  4 ----
 kernel/kexec_file.c   | 34 +++++++++++++---------------------
 2 files changed, 13 insertions(+), 25 deletions(-)

diff --git a/include/linux/kexec.h b/include/linux/kexec.h
index 0c994ae37729..755fed183224 100644
--- a/include/linux/kexec.h
+++ b/include/linux/kexec.h
@@ -196,10 +196,6 @@ int arch_kexec_apply_relocations(struct purgatory_info *pi,
 				 const Elf_Shdr *relsec,
 				 const Elf_Shdr *symtab);
 int arch_kimage_file_post_load_cleanup(struct kimage *image);
-#ifdef CONFIG_KEXEC_SIG
-int arch_kexec_kernel_verify_sig(struct kimage *image, void *buf,
-				 unsigned long buf_len);
-#endif
 int arch_kexec_locate_mem_hole(struct kexec_buf *kbuf);
 
 extern int kexec_add_buffer(struct kexec_buf *kbuf);
diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
index 8347fc158d2b..3720435807eb 100644
--- a/kernel/kexec_file.c
+++ b/kernel/kexec_file.c
@@ -89,25 +89,6 @@ int __weak arch_kimage_file_post_load_cleanup(struct kimage *image)
 	return kexec_image_post_load_cleanup_default(image);
 }
 
-#ifdef CONFIG_KEXEC_SIG
-static int kexec_image_verify_sig_default(struct kimage *image, void *buf,
-					  unsigned long buf_len)
-{
-	if (!image->fops || !image->fops->verify_sig) {
-		pr_debug("kernel loader does not support signature verification.\n");
-		return -EKEYREJECTED;
-	}
-
-	return image->fops->verify_sig(buf, buf_len);
-}
-
-int __weak arch_kexec_kernel_verify_sig(struct kimage *image, void *buf,
-					unsigned long buf_len)
-{
-	return kexec_image_verify_sig_default(image, buf, buf_len);
-}
-#endif
-
 /*
  * arch_kexec_apply_relocations_add - apply relocations of type RELA
  * @pi:		Purgatory to be relocated.
@@ -184,13 +165,24 @@ void kimage_file_post_load_cleanup(struct kimage *image)
 }
 
 #ifdef CONFIG_KEXEC_SIG
+static int kexec_image_verify_sig(struct kimage *image, void *buf,
+		unsigned long buf_len)
+{
+	if (!image->fops || !image->fops->verify_sig) {
+		pr_debug("kernel loader does not support signature verification.\n");
+		return -EKEYREJECTED;
+	}
+
+	return image->fops->verify_sig(buf, buf_len);
+}
+
 static int
 kimage_validate_signature(struct kimage *image)
 {
 	int ret;
 
-	ret = arch_kexec_kernel_verify_sig(image, image->kernel_buf,
-					   image->kernel_buf_len);
+	ret = kexec_image_verify_sig(image, image->kernel_buf,
+			image->kernel_buf_len);
 	if (ret) {
 
 		if (IS_ENABLED(CONFIG_KEXEC_SIG_FORCE)) {
-- 
2.34.1

[PATCH v5 2/3] kexec, KEYS: make the code in bzImage64_verify_sig generic

[Coiby Xu]

The code in bzImage64_verify_sig could make use of system keyrings
including .buitin_trusted_keys, .secondary_trusted_keys and .platform
keyring to verify signed kernel image as PE file. Make it generic so
both x86_64 and arm64 can use it.

Signed-off-by: Coiby Xu <coxu@redhat.com>
---
 arch/x86/kernel/kexec-bzimage64.c | 13 +------------
 include/linux/kexec.h             |  7 +++++++
 kernel/kexec_file.c               | 17 +++++++++++++++++
 3 files changed, 25 insertions(+), 12 deletions(-)

diff --git a/arch/x86/kernel/kexec-bzimage64.c b/arch/x86/kernel/kexec-bzimage64.c
index 170d0fd68b1f..f73aab3fde33 100644
--- a/arch/x86/kernel/kexec-bzimage64.c
+++ b/arch/x86/kernel/kexec-bzimage64.c
@@ -17,7 +17,6 @@
 #include <linux/kernel.h>
 #include <linux/mm.h>
 #include <linux/efi.h>
-#include <linux/verification.h>
 
 #include <asm/bootparam.h>
 #include <asm/setup.h>
@@ -531,17 +530,7 @@ static int bzImage64_cleanup(void *loader_data)
 #ifdef CONFIG_KEXEC_BZIMAGE_VERIFY_SIG
 static int bzImage64_verify_sig(const char *kernel, unsigned long kernel_len)
 {
-	int ret;
-
-	ret = verify_pefile_signature(kernel, kernel_len,
-				      VERIFY_USE_SECONDARY_KEYRING,
-				      VERIFYING_KEXEC_PE_SIGNATURE);
-	if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING)) {
-		ret = verify_pefile_signature(kernel, kernel_len,
-					      VERIFY_USE_PLATFORM_KEYRING,
-					      VERIFYING_KEXEC_PE_SIGNATURE);
-	}
-	return ret;
+	return kexec_kernel_verify_pe_sig(kernel, kernel_len);
 }
 #endif
 
diff --git a/include/linux/kexec.h b/include/linux/kexec.h
index 755fed183224..2fe39e946988 100644
--- a/include/linux/kexec.h
+++ b/include/linux/kexec.h
@@ -19,6 +19,7 @@
 #include <asm/io.h>
 
 #include <uapi/linux/kexec.h>
+#include <linux/verification.h>
 
 #ifdef CONFIG_KEXEC_CORE
 #include <linux/list.h>
@@ -196,6 +197,12 @@ int arch_kexec_apply_relocations(struct purgatory_info *pi,
 				 const Elf_Shdr *relsec,
 				 const Elf_Shdr *symtab);
 int arch_kimage_file_post_load_cleanup(struct kimage *image);
+#ifdef CONFIG_KEXEC_SIG
+#ifdef CONFIG_SIGNED_PE_FILE_VERIFICATION
+int kexec_kernel_verify_pe_sig(const char *kernel,
+				    unsigned long kernel_len);
+#endif
+#endif
 int arch_kexec_locate_mem_hole(struct kexec_buf *kbuf);
 
 extern int kexec_add_buffer(struct kexec_buf *kbuf);
diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
index 3720435807eb..754885b96aab 100644
--- a/kernel/kexec_file.c
+++ b/kernel/kexec_file.c
@@ -165,6 +165,23 @@ void kimage_file_post_load_cleanup(struct kimage *image)
 }
 
 #ifdef CONFIG_KEXEC_SIG
+#ifdef CONFIG_SIGNED_PE_FILE_VERIFICATION
+int kexec_kernel_verify_pe_sig(const char *kernel, unsigned long kernel_len)
+{
+	int ret;
+
+	ret = verify_pefile_signature(kernel, kernel_len,
+				      VERIFY_USE_SECONDARY_KEYRING,
+				      VERIFYING_KEXEC_PE_SIGNATURE);
+	if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING)) {
+		ret = verify_pefile_signature(kernel, kernel_len,
+					      VERIFY_USE_PLATFORM_KEYRING,
+					      VERIFYING_KEXEC_PE_SIGNATURE);
+	}
+	return ret;
+}
+#endif
+
 static int kexec_image_verify_sig(struct kimage *image, void *buf,
 		unsigned long buf_len)
 {
-- 
2.34.1

[PATCH v5 2/3] kexec, KEYS: make the code in bzImage64_verify_sig generic

[Coiby Xu]

The code in bzImage64_verify_sig could make use of system keyrings
including .buitin_trusted_keys, .secondary_trusted_keys and .platform
keyring to verify signed kernel image as PE file. Make it generic so
both x86_64 and arm64 can use it.

Signed-off-by: Coiby Xu <coxu@redhat.com>
---
 arch/x86/kernel/kexec-bzimage64.c | 13 +------------
 include/linux/kexec.h             |  7 +++++++
 kernel/kexec_file.c               | 17 +++++++++++++++++
 3 files changed, 25 insertions(+), 12 deletions(-)

diff --git a/arch/x86/kernel/kexec-bzimage64.c b/arch/x86/kernel/kexec-bzimage64.c
index 170d0fd68b1f..f73aab3fde33 100644
--- a/arch/x86/kernel/kexec-bzimage64.c
+++ b/arch/x86/kernel/kexec-bzimage64.c
@@ -17,7 +17,6 @@
 #include <linux/kernel.h>
 #include <linux/mm.h>
 #include <linux/efi.h>
-#include <linux/verification.h>
 
 #include <asm/bootparam.h>
 #include <asm/setup.h>
@@ -531,17 +530,7 @@ static int bzImage64_cleanup(void *loader_data)
 #ifdef CONFIG_KEXEC_BZIMAGE_VERIFY_SIG
 static int bzImage64_verify_sig(const char *kernel, unsigned long kernel_len)
 {
-	int ret;
-
-	ret = verify_pefile_signature(kernel, kernel_len,
-				      VERIFY_USE_SECONDARY_KEYRING,
-				      VERIFYING_KEXEC_PE_SIGNATURE);
-	if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING)) {
-		ret = verify_pefile_signature(kernel, kernel_len,
-					      VERIFY_USE_PLATFORM_KEYRING,
-					      VERIFYING_KEXEC_PE_SIGNATURE);
-	}
-	return ret;
+	return kexec_kernel_verify_pe_sig(kernel, kernel_len);
 }
 #endif
 
diff --git a/include/linux/kexec.h b/include/linux/kexec.h
index 755fed183224..2fe39e946988 100644
--- a/include/linux/kexec.h
+++ b/include/linux/kexec.h
@@ -19,6 +19,7 @@
 #include <asm/io.h>
 
 #include <uapi/linux/kexec.h>
+#include <linux/verification.h>
 
 #ifdef CONFIG_KEXEC_CORE
 #include <linux/list.h>
@@ -196,6 +197,12 @@ int arch_kexec_apply_relocations(struct purgatory_info *pi,
 				 const Elf_Shdr *relsec,
 				 const Elf_Shdr *symtab);
 int arch_kimage_file_post_load_cleanup(struct kimage *image);
+#ifdef CONFIG_KEXEC_SIG
+#ifdef CONFIG_SIGNED_PE_FILE_VERIFICATION
+int kexec_kernel_verify_pe_sig(const char *kernel,
+				    unsigned long kernel_len);
+#endif
+#endif
 int arch_kexec_locate_mem_hole(struct kexec_buf *kbuf);
 
 extern int kexec_add_buffer(struct kexec_buf *kbuf);
diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
index 3720435807eb..754885b96aab 100644
--- a/kernel/kexec_file.c
+++ b/kernel/kexec_file.c
@@ -165,6 +165,23 @@ void kimage_file_post_load_cleanup(struct kimage *image)
 }
 
 #ifdef CONFIG_KEXEC_SIG
+#ifdef CONFIG_SIGNED_PE_FILE_VERIFICATION
+int kexec_kernel_verify_pe_sig(const char *kernel, unsigned long kernel_len)
+{
+	int ret;
+
+	ret = verify_pefile_signature(kernel, kernel_len,
+				      VERIFY_USE_SECONDARY_KEYRING,
+				      VERIFYING_KEXEC_PE_SIGNATURE);
+	if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING)) {
+		ret = verify_pefile_signature(kernel, kernel_len,
+					      VERIFY_USE_PLATFORM_KEYRING,
+					      VERIFYING_KEXEC_PE_SIGNATURE);
+	}
+	return ret;
+}
+#endif
+
 static int kexec_image_verify_sig(struct kimage *image, void *buf,
 		unsigned long buf_len)
 {
-- 
2.34.1


_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

[PATCH v5 2/3] kexec, KEYS: make the code in bzImage64_verify_sig generic

[Coiby Xu]

The code in bzImage64_verify_sig could make use of system keyrings
including .buitin_trusted_keys, .secondary_trusted_keys and .platform
keyring to verify signed kernel image as PE file. Make it generic so
both x86_64 and arm64 can use it.

Signed-off-by: Coiby Xu <coxu@redhat.com>
---
 arch/x86/kernel/kexec-bzimage64.c | 13 +------------
 include/linux/kexec.h             |  7 +++++++
 kernel/kexec_file.c               | 17 +++++++++++++++++
 3 files changed, 25 insertions(+), 12 deletions(-)

diff --git a/arch/x86/kernel/kexec-bzimage64.c b/arch/x86/kernel/kexec-bzimage64.c
index 170d0fd68b1f..f73aab3fde33 100644
--- a/arch/x86/kernel/kexec-bzimage64.c
+++ b/arch/x86/kernel/kexec-bzimage64.c
@@ -17,7 +17,6 @@
 #include <linux/kernel.h>
 #include <linux/mm.h>
 #include <linux/efi.h>
-#include <linux/verification.h>
 
 #include <asm/bootparam.h>
 #include <asm/setup.h>
@@ -531,17 +530,7 @@ static int bzImage64_cleanup(void *loader_data)
 #ifdef CONFIG_KEXEC_BZIMAGE_VERIFY_SIG
 static int bzImage64_verify_sig(const char *kernel, unsigned long kernel_len)
 {
-	int ret;
-
-	ret = verify_pefile_signature(kernel, kernel_len,
-				      VERIFY_USE_SECONDARY_KEYRING,
-				      VERIFYING_KEXEC_PE_SIGNATURE);
-	if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING)) {
-		ret = verify_pefile_signature(kernel, kernel_len,
-					      VERIFY_USE_PLATFORM_KEYRING,
-					      VERIFYING_KEXEC_PE_SIGNATURE);
-	}
-	return ret;
+	return kexec_kernel_verify_pe_sig(kernel, kernel_len);
 }
 #endif
 
diff --git a/include/linux/kexec.h b/include/linux/kexec.h
index 755fed183224..2fe39e946988 100644
--- a/include/linux/kexec.h
+++ b/include/linux/kexec.h
@@ -19,6 +19,7 @@
 #include <asm/io.h>
 
 #include <uapi/linux/kexec.h>
+#include <linux/verification.h>
 
 #ifdef CONFIG_KEXEC_CORE
 #include <linux/list.h>
@@ -196,6 +197,12 @@ int arch_kexec_apply_relocations(struct purgatory_info *pi,
 				 const Elf_Shdr *relsec,
 				 const Elf_Shdr *symtab);
 int arch_kimage_file_post_load_cleanup(struct kimage *image);
+#ifdef CONFIG_KEXEC_SIG
+#ifdef CONFIG_SIGNED_PE_FILE_VERIFICATION
+int kexec_kernel_verify_pe_sig(const char *kernel,
+				    unsigned long kernel_len);
+#endif
+#endif
 int arch_kexec_locate_mem_hole(struct kexec_buf *kbuf);
 
 extern int kexec_add_buffer(struct kexec_buf *kbuf);
diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
index 3720435807eb..754885b96aab 100644
--- a/kernel/kexec_file.c
+++ b/kernel/kexec_file.c
@@ -165,6 +165,23 @@ void kimage_file_post_load_cleanup(struct kimage *image)
 }
 
 #ifdef CONFIG_KEXEC_SIG
+#ifdef CONFIG_SIGNED_PE_FILE_VERIFICATION
+int kexec_kernel_verify_pe_sig(const char *kernel, unsigned long kernel_len)
+{
+	int ret;
+
+	ret = verify_pefile_signature(kernel, kernel_len,
+				      VERIFY_USE_SECONDARY_KEYRING,
+				      VERIFYING_KEXEC_PE_SIGNATURE);
+	if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING)) {
+		ret = verify_pefile_signature(kernel, kernel_len,
+					      VERIFY_USE_PLATFORM_KEYRING,
+					      VERIFYING_KEXEC_PE_SIGNATURE);
+	}
+	return ret;
+}
+#endif
+
 static int kexec_image_verify_sig(struct kimage *image, void *buf,
 		unsigned long buf_len)
 {
-- 
2.34.1

[PATCH v5 3/3] arm64: kexec_file: use more system keyrings to verify kernel image signature

[Coiby Xu]

Currently, a problem faced by arm64 is if a kernel image is signed by a
MOK key, loading it via the kexec_file_load() system call would be
rejected with the error "Lockdown: kexec: kexec of unsigned images is
restricted; see man kernel_lockdown.7".

This patch allows to verify arm64 kernel image signature using not only
.builtin_trusted_keys but also .platform and .secondary_trusted_key
keyring.

Acked-by: Will Deacon <will@kernel.org>
Signed-off-by: Coiby Xu <coxu@redhat.com>
---
 arch/arm64/kernel/kexec_image.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/arch/arm64/kernel/kexec_image.c b/arch/arm64/kernel/kexec_image.c
index 9ec34690e255..51af1c22d6da 100644
--- a/arch/arm64/kernel/kexec_image.c
+++ b/arch/arm64/kernel/kexec_image.c
@@ -14,7 +14,6 @@
 #include <linux/kexec.h>
 #include <linux/pe.h>
 #include <linux/string.h>
-#include <linux/verification.h>
 #include <asm/byteorder.h>
 #include <asm/cpufeature.h>
 #include <asm/image.h>
@@ -133,8 +132,7 @@ static void *image_load(struct kimage *image,
 #ifdef CONFIG_KEXEC_IMAGE_VERIFY_SIG
 static int image_verify_sig(const char *kernel, unsigned long kernel_len)
 {
-	return verify_pefile_signature(kernel, kernel_len, NULL,
-				       VERIFYING_KEXEC_PE_SIGNATURE);
+	return kexec_kernel_verify_pe_sig(kernel, kernel_len);
 }
 #endif
 
-- 
2.34.1

[PATCH v5 3/3] arm64: kexec_file: use more system keyrings to verify kernel image signature

[Coiby Xu]

Currently, a problem faced by arm64 is if a kernel image is signed by a
MOK key, loading it via the kexec_file_load() system call would be
rejected with the error "Lockdown: kexec: kexec of unsigned images is
restricted; see man kernel_lockdown.7".

This patch allows to verify arm64 kernel image signature using not only
.builtin_trusted_keys but also .platform and .secondary_trusted_key
keyring.

Acked-by: Will Deacon <will@kernel.org>
Signed-off-by: Coiby Xu <coxu@redhat.com>
---
 arch/arm64/kernel/kexec_image.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/arch/arm64/kernel/kexec_image.c b/arch/arm64/kernel/kexec_image.c
index 9ec34690e255..51af1c22d6da 100644
--- a/arch/arm64/kernel/kexec_image.c
+++ b/arch/arm64/kernel/kexec_image.c
@@ -14,7 +14,6 @@
 #include <linux/kexec.h>
 #include <linux/pe.h>
 #include <linux/string.h>
-#include <linux/verification.h>
 #include <asm/byteorder.h>
 #include <asm/cpufeature.h>
 #include <asm/image.h>
@@ -133,8 +132,7 @@ static void *image_load(struct kimage *image,
 #ifdef CONFIG_KEXEC_IMAGE_VERIFY_SIG
 static int image_verify_sig(const char *kernel, unsigned long kernel_len)
 {
-	return verify_pefile_signature(kernel, kernel_len, NULL,
-				       VERIFYING_KEXEC_PE_SIGNATURE);
+	return kexec_kernel_verify_pe_sig(kernel, kernel_len);
 }
 #endif
 
-- 
2.34.1


_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

[PATCH v5 3/3] arm64: kexec_file: use more system keyrings to verify kernel image signature

[Coiby Xu]

Currently, a problem faced by arm64 is if a kernel image is signed by a
MOK key, loading it via the kexec_file_load() system call would be
rejected with the error "Lockdown: kexec: kexec of unsigned images is
restricted; see man kernel_lockdown.7".

This patch allows to verify arm64 kernel image signature using not only
.builtin_trusted_keys but also .platform and .secondary_trusted_key
keyring.

Acked-by: Will Deacon <will@kernel.org>
Signed-off-by: Coiby Xu <coxu@redhat.com>
---
 arch/arm64/kernel/kexec_image.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/arch/arm64/kernel/kexec_image.c b/arch/arm64/kernel/kexec_image.c
index 9ec34690e255..51af1c22d6da 100644
--- a/arch/arm64/kernel/kexec_image.c
+++ b/arch/arm64/kernel/kexec_image.c
@@ -14,7 +14,6 @@
 #include <linux/kexec.h>
 #include <linux/pe.h>
 #include <linux/string.h>
-#include <linux/verification.h>
 #include <asm/byteorder.h>
 #include <asm/cpufeature.h>
 #include <asm/image.h>
@@ -133,8 +132,7 @@ static void *image_load(struct kimage *image,
 #ifdef CONFIG_KEXEC_IMAGE_VERIFY_SIG
 static int image_verify_sig(const char *kernel, unsigned long kernel_len)
 {
-	return verify_pefile_signature(kernel, kernel_len, NULL,
-				       VERIFYING_KEXEC_PE_SIGNATURE);
+	return kexec_kernel_verify_pe_sig(kernel, kernel_len);
 }
 #endif
 
-- 
2.34.1

Re: [PATCH v5 0/3] use more system keyrings to verify arm64 kdump kernel image signature

[Baoquan He]

Hi Coiby,

On 04/01/22 at 09:31am, Coiby Xu wrote:
> Currently, a problem faced by arm64 is if a kernel image is signed by a
> MOK key, loading it via the kexec_file_load() system call would be
> rejected with the error "Lockdown: kexec: kexec of unsigned images is
> restricted; see man kernel_lockdown.7".
> 
> This patch set allows arm64 to use more system keyrings to verify kdump 
> kernel image signature by making the existing code in x64 public.

Thanks for updating. It would be great to tell why the problem is
met, then allow arm64 to use more system keyrings can solve it.

Meanwhile, I noticed Michal also posted a patchset to address the same
issue, while he tries to make it work on s390 too. Could you check and
consider if these two patches can be integrated?

[PATCH 0/4] Unifrom keyring support across architectures and functions
https://lore.kernel.org/lkml/cover.1644953683.git.msuchanek@suse.de/

Thanks
Baoquan

> 
> v5:
>  - improve commit message [Baoquan]
> 
> v4:
>  - fix commit reference format issue and other checkpatch.pl warnings [Baoquan]
> 
> v3:
>  - s/arch_kexec_kernel_verify_pe_sig/kexec_kernel_verify_pe_sig [Eric]
>  - clean up arch_kexec_kernel_verify_sig [Eric]
> 
> v2:
>  - only x86_64 and arm64 need to enable PE file signature check [Dave]
> 
> Coiby Xu (3):
>   kexec: clean up arch_kexec_kernel_verify_sig
>   kexec, KEYS: make the code in bzImage64_verify_sig generic
>   arm64: kexec_file: use more system keyrings to verify kernel image
>     signature
> 
>  arch/arm64/kernel/kexec_image.c   |  4 +--
>  arch/x86/kernel/kexec-bzimage64.c | 13 +-------
>  include/linux/kexec.h             |  7 +++--
>  kernel/kexec_file.c               | 51 ++++++++++++++++++-------------
>  4 files changed, 37 insertions(+), 38 deletions(-)
> 
> -- 
> 2.34.1
> 


_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

[PATCH v5 0/3] use more system keyrings to verify arm64 kdump kernel image signature

[Baoquan He]

Hi Coiby,

On 04/01/22 at 09:31am, Coiby Xu wrote:
> Currently, a problem faced by arm64 is if a kernel image is signed by a
> MOK key, loading it via the kexec_file_load() system call would be
> rejected with the error "Lockdown: kexec: kexec of unsigned images is
> restricted; see man kernel_lockdown.7".
> 
> This patch set allows arm64 to use more system keyrings to verify kdump 
> kernel image signature by making the existing code in x64 public.

Thanks for updating. It would be great to tell why the problem is
met, then allow arm64 to use more system keyrings can solve it.

Meanwhile, I noticed Michal also posted a patchset to address the same
issue, while he tries to make it work on s390 too. Could you check and
consider if these two patches can be integrated?

[PATCH 0/4] Unifrom keyring support across architectures and functions
https://lore.kernel.org/lkml/cover.1644953683.git.msuchanek at suse.de/

Thanks
Baoquan

> 
> v5:
>  - improve commit message [Baoquan]
> 
> v4:
>  - fix commit reference format issue and other checkpatch.pl warnings [Baoquan]
> 
> v3:
>  - s/arch_kexec_kernel_verify_pe_sig/kexec_kernel_verify_pe_sig [Eric]
>  - clean up arch_kexec_kernel_verify_sig [Eric]
> 
> v2:
>  - only x86_64 and arm64 need to enable PE file signature check [Dave]
> 
> Coiby Xu (3):
>   kexec: clean up arch_kexec_kernel_verify_sig
>   kexec, KEYS: make the code in bzImage64_verify_sig generic
>   arm64: kexec_file: use more system keyrings to verify kernel image
>     signature
> 
>  arch/arm64/kernel/kexec_image.c   |  4 +--
>  arch/x86/kernel/kexec-bzimage64.c | 13 +-------
>  include/linux/kexec.h             |  7 +++--
>  kernel/kexec_file.c               | 51 ++++++++++++++++++-------------
>  4 files changed, 37 insertions(+), 38 deletions(-)
> 
> -- 
> 2.34.1
> 

Re: [PATCH v5 0/3] use more system keyrings to verify arm64 kdump kernel image signature

[Michal Suchánek]

On Fri, Apr 08, 2022 at 03:17:19PM +0800, Baoquan He wrote:
> Hi Coiby,
> 
> On 04/01/22 at 09:31am, Coiby Xu wrote:
> > Currently, a problem faced by arm64 is if a kernel image is signed by a
> > MOK key, loading it via the kexec_file_load() system call would be
> > rejected with the error "Lockdown: kexec: kexec of unsigned images is
> > restricted; see man kernel_lockdown.7".
> > 
> > This patch set allows arm64 to use more system keyrings to verify kdump 
> > kernel image signature by making the existing code in x64 public.
> 
> Thanks for updating. It would be great to tell why the problem is
> met, then allow arm64 to use more system keyrings can solve it.

The reason is that MOK keys are (if anywhere) linked to the secondary
keyring, and only primary keyring is used on arm64.

Thanks

Michal

> 
> Meanwhile, I noticed Michal also posted a patchset to address the same
> issue, while he tries to make it work on s390 too. Could you check and
> consider if these two patches can be integrated?
> 
> [PATCH 0/4] Unifrom keyring support across architectures and functions
> https://lore.kernel.org/lkml/cover.1644953683.git.msuchanek@suse.de/
> 
> Thanks
> Baoquan
> 
> > 
> > v5:
> >  - improve commit message [Baoquan]
> > 
> > v4:
> >  - fix commit reference format issue and other checkpatch.pl warnings [Baoquan]
> > 
> > v3:
> >  - s/arch_kexec_kernel_verify_pe_sig/kexec_kernel_verify_pe_sig [Eric]
> >  - clean up arch_kexec_kernel_verify_sig [Eric]
> > 
> > v2:
> >  - only x86_64 and arm64 need to enable PE file signature check [Dave]
> > 
> > Coiby Xu (3):
> >   kexec: clean up arch_kexec_kernel_verify_sig
> >   kexec, KEYS: make the code in bzImage64_verify_sig generic
> >   arm64: kexec_file: use more system keyrings to verify kernel image
> >     signature
> > 
> >  arch/arm64/kernel/kexec_image.c   |  4 +--
> >  arch/x86/kernel/kexec-bzimage64.c | 13 +-------
> >  include/linux/kexec.h             |  7 +++--
> >  kernel/kexec_file.c               | 51 ++++++++++++++++++-------------
> >  4 files changed, 37 insertions(+), 38 deletions(-)
> > 
> > -- 
> > 2.34.1
> > 
> 

_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

[PATCH v5 0/3] use more system keyrings to verify arm64 kdump kernel image signature

[Michal =?unknown-8bit?q?Such=C3=A1nek?=]

On Fri, Apr 08, 2022 at 03:17:19PM +0800, Baoquan He wrote:
> Hi Coiby,
> 
> On 04/01/22 at 09:31am, Coiby Xu wrote:
> > Currently, a problem faced by arm64 is if a kernel image is signed by a
> > MOK key, loading it via the kexec_file_load() system call would be
> > rejected with the error "Lockdown: kexec: kexec of unsigned images is
> > restricted; see man kernel_lockdown.7".
> > 
> > This patch set allows arm64 to use more system keyrings to verify kdump 
> > kernel image signature by making the existing code in x64 public.
> 
> Thanks for updating. It would be great to tell why the problem is
> met, then allow arm64 to use more system keyrings can solve it.

The reason is that MOK keys are (if anywhere) linked to the secondary
keyring, and only primary keyring is used on arm64.

Thanks

Michal

> 
> Meanwhile, I noticed Michal also posted a patchset to address the same
> issue, while he tries to make it work on s390 too. Could you check and
> consider if these two patches can be integrated?
> 
> [PATCH 0/4] Unifrom keyring support across architectures and functions
> https://lore.kernel.org/lkml/cover.1644953683.git.msuchanek at suse.de/
> 
> Thanks
> Baoquan
> 
> > 
> > v5:
> >  - improve commit message [Baoquan]
> > 
> > v4:
> >  - fix commit reference format issue and other checkpatch.pl warnings [Baoquan]
> > 
> > v3:
> >  - s/arch_kexec_kernel_verify_pe_sig/kexec_kernel_verify_pe_sig [Eric]
> >  - clean up arch_kexec_kernel_verify_sig [Eric]
> > 
> > v2:
> >  - only x86_64 and arm64 need to enable PE file signature check [Dave]
> > 
> > Coiby Xu (3):
> >   kexec: clean up arch_kexec_kernel_verify_sig
> >   kexec, KEYS: make the code in bzImage64_verify_sig generic
> >   arm64: kexec_file: use more system keyrings to verify kernel image
> >     signature
> > 
> >  arch/arm64/kernel/kexec_image.c   |  4 +--
> >  arch/x86/kernel/kexec-bzimage64.c | 13 +-------
> >  include/linux/kexec.h             |  7 +++--
> >  kernel/kexec_file.c               | 51 ++++++++++++++++++-------------
> >  4 files changed, 37 insertions(+), 38 deletions(-)
> > 
> > -- 
> > 2.34.1
> > 
> 

Re: [PATCH v5 0/3] use more system keyrings to verify arm64 kdump kernel image signature

[Baoquan He]

On 04/08/22 at 10:59am, Michal Suchánek wrote:
> On Fri, Apr 08, 2022 at 03:17:19PM +0800, Baoquan He wrote:
> > Hi Coiby,
> > 
> > On 04/01/22 at 09:31am, Coiby Xu wrote:
> > > Currently, a problem faced by arm64 is if a kernel image is signed by a
> > > MOK key, loading it via the kexec_file_load() system call would be
> > > rejected with the error "Lockdown: kexec: kexec of unsigned images is
> > > restricted; see man kernel_lockdown.7".
> > > 
> > > This patch set allows arm64 to use more system keyrings to verify kdump 
> > > kernel image signature by making the existing code in x64 public.
> > 
> > Thanks for updating. It would be great to tell why the problem is
> > met, then allow arm64 to use more system keyrings can solve it.
> 
> The reason is that MOK keys are (if anywhere) linked to the secondary
> keyring, and only primary keyring is used on arm64.

Thanks for explaining. This is valuable information and should
be put into log for better understanding when reviewing or
reading code later.


_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

[PATCH v5 0/3] use more system keyrings to verify arm64 kdump kernel image signature

[Baoquan He]

On 04/08/22 at 10:59am, Michal Such?nek wrote:
> On Fri, Apr 08, 2022 at 03:17:19PM +0800, Baoquan He wrote:
> > Hi Coiby,
> > 
> > On 04/01/22 at 09:31am, Coiby Xu wrote:
> > > Currently, a problem faced by arm64 is if a kernel image is signed by a
> > > MOK key, loading it via the kexec_file_load() system call would be
> > > rejected with the error "Lockdown: kexec: kexec of unsigned images is
> > > restricted; see man kernel_lockdown.7".
> > > 
> > > This patch set allows arm64 to use more system keyrings to verify kdump 
> > > kernel image signature by making the existing code in x64 public.
> > 
> > Thanks for updating. It would be great to tell why the problem is
> > met, then allow arm64 to use more system keyrings can solve it.
> 
> The reason is that MOK keys are (if anywhere) linked to the secondary
> keyring, and only primary keyring is used on arm64.

Thanks for explaining. This is valuable information and should
be put into log for better understanding when reviewing or
reading code later.

Re: [PATCH v5 0/3] use more system keyrings to verify arm64 kdump kernel image signature

[Coiby Xu]

On Mon, Apr 11, 2022 at 09:13:32AM +0800, Baoquan He wrote:
>On 04/08/22 at 10:59am, Michal Suchánek wrote:
>> On Fri, Apr 08, 2022 at 03:17:19PM +0800, Baoquan He wrote:
>> > Hi Coiby,
>> >
>> > On 04/01/22 at 09:31am, Coiby Xu wrote:
>> > > Currently, a problem faced by arm64 is if a kernel image is signed by a
>> > > MOK key, loading it via the kexec_file_load() system call would be
>> > > rejected with the error "Lockdown: kexec: kexec of unsigned images is
>> > > restricted; see man kernel_lockdown.7".
>> > >
>> > > This patch set allows arm64 to use more system keyrings to verify kdump
>> > > kernel image signature by making the existing code in x64 public.
>> >
>> > Thanks for updating. It would be great to tell why the problem is
>> > met, then allow arm64 to use more system keyrings can solve it.
>>
>> The reason is that MOK keys are (if anywhere) linked to the secondary
                                                                ^^^^^^^^^
                                                                platform?
>> keyring, and only primary keyring is used on arm64.

Thanks Michal for providing the info! Btw, I think you made a typo
because MOK keys are linked to the platform keyring, right?

>
>Thanks for explaining. This is valuable information and should
>be put into log for better understanding when reviewing or
>reading code later.

Thanks for the reminder! I'll include this info in the commit message.

>

-- 
Best regards,
Coiby


_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

[PATCH v5 0/3] use more system keyrings to verify arm64 kdump kernel image signature

[Coiby Xu]

On Mon, Apr 11, 2022 at 09:13:32AM +0800, Baoquan He wrote:
>On 04/08/22 at 10:59am, Michal Such?nek wrote:
>> On Fri, Apr 08, 2022 at 03:17:19PM +0800, Baoquan He wrote:
>> > Hi Coiby,
>> >
>> > On 04/01/22 at 09:31am, Coiby Xu wrote:
>> > > Currently, a problem faced by arm64 is if a kernel image is signed by a
>> > > MOK key, loading it via the kexec_file_load() system call would be
>> > > rejected with the error "Lockdown: kexec: kexec of unsigned images is
>> > > restricted; see man kernel_lockdown.7".
>> > >
>> > > This patch set allows arm64 to use more system keyrings to verify kdump
>> > > kernel image signature by making the existing code in x64 public.
>> >
>> > Thanks for updating. It would be great to tell why the problem is
>> > met, then allow arm64 to use more system keyrings can solve it.
>>
>> The reason is that MOK keys are (if anywhere) linked to the secondary
                                                                ^^^^^^^^^
                                                                platform?
>> keyring, and only primary keyring is used on arm64.

Thanks Michal for providing the info! Btw, I think you made a typo
because MOK keys are linked to the platform keyring, right?

>
>Thanks for explaining. This is valuable information and should
>be put into log for better understanding when reviewing or
>reading code later.

Thanks for the reminder! I'll include this info in the commit message.

>

-- 
Best regards,
Coiby

Re: [PATCH v5 0/3] use more system keyrings to verify arm64 kdump kernel image signature

[Michal Suchánek]

On Mon, Apr 11, 2022 at 09:52:18AM +0800, Coiby Xu wrote:
> On Mon, Apr 11, 2022 at 09:13:32AM +0800, Baoquan He wrote:
> > On 04/08/22 at 10:59am, Michal Suchánek wrote:
> > > On Fri, Apr 08, 2022 at 03:17:19PM +0800, Baoquan He wrote:
> > > > Hi Coiby,
> > > >
> > > > On 04/01/22 at 09:31am, Coiby Xu wrote:
> > > > > Currently, a problem faced by arm64 is if a kernel image is signed by a
> > > > > MOK key, loading it via the kexec_file_load() system call would be
> > > > > rejected with the error "Lockdown: kexec: kexec of unsigned images is
> > > > > restricted; see man kernel_lockdown.7".
> > > > >
> > > > > This patch set allows arm64 to use more system keyrings to verify kdump
> > > > > kernel image signature by making the existing code in x64 public.
> > > >
> > > > Thanks for updating. It would be great to tell why the problem is
> > > > met, then allow arm64 to use more system keyrings can solve it.
> > > 
> > > The reason is that MOK keys are (if anywhere) linked to the secondary
>                                                                ^^^^^^^^^
>                                                                platform?
> > > keyring, and only primary keyring is used on arm64.
> 
> Thanks Michal for providing the info! Btw, I think you made a typo
> because MOK keys are linked to the platform keyring, right?

No, I mean secondary, through this patchset:
https://lore.kernel.org/lkml/YhKP12KEmyqyS8rj@iki.fi/

Apparently support for importing the MOK keys into the platform keyring
also exists but I am not sure if this is upstream or downstream feature.

At any rate the MOK keys are not included in the primary keyring which
is the only keyring currently in use for kexec on arm64.

Thanks

Michal

_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

[PATCH v5 0/3] use more system keyrings to verify arm64 kdump kernel image signature

[Michal =?unknown-8bit?q?Such=C3=A1nek?=]

On Mon, Apr 11, 2022 at 09:52:18AM +0800, Coiby Xu wrote:
> On Mon, Apr 11, 2022 at 09:13:32AM +0800, Baoquan He wrote:
> > On 04/08/22 at 10:59am, Michal Such?nek wrote:
> > > On Fri, Apr 08, 2022 at 03:17:19PM +0800, Baoquan He wrote:
> > > > Hi Coiby,
> > > >
> > > > On 04/01/22 at 09:31am, Coiby Xu wrote:
> > > > > Currently, a problem faced by arm64 is if a kernel image is signed by a
> > > > > MOK key, loading it via the kexec_file_load() system call would be
> > > > > rejected with the error "Lockdown: kexec: kexec of unsigned images is
> > > > > restricted; see man kernel_lockdown.7".
> > > > >
> > > > > This patch set allows arm64 to use more system keyrings to verify kdump
> > > > > kernel image signature by making the existing code in x64 public.
> > > >
> > > > Thanks for updating. It would be great to tell why the problem is
> > > > met, then allow arm64 to use more system keyrings can solve it.
> > > 
> > > The reason is that MOK keys are (if anywhere) linked to the secondary
>                                                                ^^^^^^^^^
>                                                                platform?
> > > keyring, and only primary keyring is used on arm64.
> 
> Thanks Michal for providing the info! Btw, I think you made a typo
> because MOK keys are linked to the platform keyring, right?

No, I mean secondary, through this patchset:
https://lore.kernel.org/lkml/YhKP12KEmyqyS8rj at iki.fi/

Apparently support for importing the MOK keys into the platform keyring
also exists but I am not sure if this is upstream or downstream feature.

At any rate the MOK keys are not included in the primary keyring which
is the only keyring currently in use for kexec on arm64.

Thanks

Michal

Re: [PATCH v5 2/3] kexec, KEYS: make the code in bzImage64_verify_sig generic

[Michal Suchánek]

On Fri, Apr 01, 2022 at 09:31:17AM +0800, Coiby Xu wrote:
> The code in bzImage64_verify_sig could make use of system keyrings
s/could make/makes/
> including .buitin_trusted_keys, .secondary_trusted_keys and .platform
> keyring to verify signed kernel image as PE file. Make it generic so
> both x86_64 and arm64 can use it.
> 
> Signed-off-by: Coiby Xu <coxu@redhat.com>
> ---
>  arch/x86/kernel/kexec-bzimage64.c | 13 +------------
>  include/linux/kexec.h             |  7 +++++++
>  kernel/kexec_file.c               | 17 +++++++++++++++++
>  3 files changed, 25 insertions(+), 12 deletions(-)
> 
> diff --git a/arch/x86/kernel/kexec-bzimage64.c b/arch/x86/kernel/kexec-bzimage64.c
> index 170d0fd68b1f..f73aab3fde33 100644
> --- a/arch/x86/kernel/kexec-bzimage64.c
> +++ b/arch/x86/kernel/kexec-bzimage64.c
> @@ -17,7 +17,6 @@
>  #include <linux/kernel.h>
>  #include <linux/mm.h>
>  #include <linux/efi.h>
> -#include <linux/verification.h>
>  
>  #include <asm/bootparam.h>
>  #include <asm/setup.h>
> @@ -531,17 +530,7 @@ static int bzImage64_cleanup(void *loader_data)
>  #ifdef CONFIG_KEXEC_BZIMAGE_VERIFY_SIG
>  static int bzImage64_verify_sig(const char *kernel, unsigned long kernel_len)
>  {
> -	int ret;
> -
> -	ret = verify_pefile_signature(kernel, kernel_len,
> -				      VERIFY_USE_SECONDARY_KEYRING,
> -				      VERIFYING_KEXEC_PE_SIGNATURE);
> -	if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING)) {
> -		ret = verify_pefile_signature(kernel, kernel_len,
> -					      VERIFY_USE_PLATFORM_KEYRING,
> -					      VERIFYING_KEXEC_PE_SIGNATURE);
> -	}
> -	return ret;
> +	return kexec_kernel_verify_pe_sig(kernel, kernel_len);
>  }

Maybe you can completely eliminate bzImage64_verify_sig and directly
assign kexec_kernel_verify_pe_sig to the fops?

Other than that

Reviewed-by: Michal Suchanek <msuchanek@suse.de>

>  #endif
>  
> diff --git a/include/linux/kexec.h b/include/linux/kexec.h
> index 755fed183224..2fe39e946988 100644
> --- a/include/linux/kexec.h
> +++ b/include/linux/kexec.h
> @@ -19,6 +19,7 @@
>  #include <asm/io.h>
>  
>  #include <uapi/linux/kexec.h>
> +#include <linux/verification.h>
>  
>  #ifdef CONFIG_KEXEC_CORE
>  #include <linux/list.h>
> @@ -196,6 +197,12 @@ int arch_kexec_apply_relocations(struct purgatory_info *pi,
>  				 const Elf_Shdr *relsec,
>  				 const Elf_Shdr *symtab);
>  int arch_kimage_file_post_load_cleanup(struct kimage *image);
> +#ifdef CONFIG_KEXEC_SIG
> +#ifdef CONFIG_SIGNED_PE_FILE_VERIFICATION
> +int kexec_kernel_verify_pe_sig(const char *kernel,
> +				    unsigned long kernel_len);
> +#endif
> +#endif
>  int arch_kexec_locate_mem_hole(struct kexec_buf *kbuf);
>  
>  extern int kexec_add_buffer(struct kexec_buf *kbuf);
> diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
> index 3720435807eb..754885b96aab 100644
> --- a/kernel/kexec_file.c
> +++ b/kernel/kexec_file.c
> @@ -165,6 +165,23 @@ void kimage_file_post_load_cleanup(struct kimage *image)
>  }
>  
>  #ifdef CONFIG_KEXEC_SIG
> +#ifdef CONFIG_SIGNED_PE_FILE_VERIFICATION
> +int kexec_kernel_verify_pe_sig(const char *kernel, unsigned long kernel_len)
> +{
> +	int ret;
> +
> +	ret = verify_pefile_signature(kernel, kernel_len,
> +				      VERIFY_USE_SECONDARY_KEYRING,
> +				      VERIFYING_KEXEC_PE_SIGNATURE);
> +	if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING)) {
> +		ret = verify_pefile_signature(kernel, kernel_len,
> +					      VERIFY_USE_PLATFORM_KEYRING,
> +					      VERIFYING_KEXEC_PE_SIGNATURE);
> +	}
> +	return ret;
> +}
> +#endif
> +
>  static int kexec_image_verify_sig(struct kimage *image, void *buf,
>  		unsigned long buf_len)
>  {
> -- 
> 2.34.1
> 

Re: [PATCH v5 2/3] kexec, KEYS: make the code in bzImage64_verify_sig generic

[Michal Suchánek]

On Fri, Apr 01, 2022 at 09:31:17AM +0800, Coiby Xu wrote:
> The code in bzImage64_verify_sig could make use of system keyrings
s/could make/makes/
> including .buitin_trusted_keys, .secondary_trusted_keys and .platform
> keyring to verify signed kernel image as PE file. Make it generic so
> both x86_64 and arm64 can use it.
> 
> Signed-off-by: Coiby Xu <coxu@redhat.com>
> ---
>  arch/x86/kernel/kexec-bzimage64.c | 13 +------------
>  include/linux/kexec.h             |  7 +++++++
>  kernel/kexec_file.c               | 17 +++++++++++++++++
>  3 files changed, 25 insertions(+), 12 deletions(-)
> 
> diff --git a/arch/x86/kernel/kexec-bzimage64.c b/arch/x86/kernel/kexec-bzimage64.c
> index 170d0fd68b1f..f73aab3fde33 100644
> --- a/arch/x86/kernel/kexec-bzimage64.c
> +++ b/arch/x86/kernel/kexec-bzimage64.c
> @@ -17,7 +17,6 @@
>  #include <linux/kernel.h>
>  #include <linux/mm.h>
>  #include <linux/efi.h>
> -#include <linux/verification.h>
>  
>  #include <asm/bootparam.h>
>  #include <asm/setup.h>
> @@ -531,17 +530,7 @@ static int bzImage64_cleanup(void *loader_data)
>  #ifdef CONFIG_KEXEC_BZIMAGE_VERIFY_SIG
>  static int bzImage64_verify_sig(const char *kernel, unsigned long kernel_len)
>  {
> -	int ret;
> -
> -	ret = verify_pefile_signature(kernel, kernel_len,
> -				      VERIFY_USE_SECONDARY_KEYRING,
> -				      VERIFYING_KEXEC_PE_SIGNATURE);
> -	if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING)) {
> -		ret = verify_pefile_signature(kernel, kernel_len,
> -					      VERIFY_USE_PLATFORM_KEYRING,
> -					      VERIFYING_KEXEC_PE_SIGNATURE);
> -	}
> -	return ret;
> +	return kexec_kernel_verify_pe_sig(kernel, kernel_len);
>  }

Maybe you can completely eliminate bzImage64_verify_sig and directly
assign kexec_kernel_verify_pe_sig to the fops?

Other than that

Reviewed-by: Michal Suchanek <msuchanek@suse.de>

>  #endif
>  
> diff --git a/include/linux/kexec.h b/include/linux/kexec.h
> index 755fed183224..2fe39e946988 100644
> --- a/include/linux/kexec.h
> +++ b/include/linux/kexec.h
> @@ -19,6 +19,7 @@
>  #include <asm/io.h>
>  
>  #include <uapi/linux/kexec.h>
> +#include <linux/verification.h>
>  
>  #ifdef CONFIG_KEXEC_CORE
>  #include <linux/list.h>
> @@ -196,6 +197,12 @@ int arch_kexec_apply_relocations(struct purgatory_info *pi,
>  				 const Elf_Shdr *relsec,
>  				 const Elf_Shdr *symtab);
>  int arch_kimage_file_post_load_cleanup(struct kimage *image);
> +#ifdef CONFIG_KEXEC_SIG
> +#ifdef CONFIG_SIGNED_PE_FILE_VERIFICATION
> +int kexec_kernel_verify_pe_sig(const char *kernel,
> +				    unsigned long kernel_len);
> +#endif
> +#endif
>  int arch_kexec_locate_mem_hole(struct kexec_buf *kbuf);
>  
>  extern int kexec_add_buffer(struct kexec_buf *kbuf);
> diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
> index 3720435807eb..754885b96aab 100644
> --- a/kernel/kexec_file.c
> +++ b/kernel/kexec_file.c
> @@ -165,6 +165,23 @@ void kimage_file_post_load_cleanup(struct kimage *image)
>  }
>  
>  #ifdef CONFIG_KEXEC_SIG
> +#ifdef CONFIG_SIGNED_PE_FILE_VERIFICATION
> +int kexec_kernel_verify_pe_sig(const char *kernel, unsigned long kernel_len)
> +{
> +	int ret;
> +
> +	ret = verify_pefile_signature(kernel, kernel_len,
> +				      VERIFY_USE_SECONDARY_KEYRING,
> +				      VERIFYING_KEXEC_PE_SIGNATURE);
> +	if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING)) {
> +		ret = verify_pefile_signature(kernel, kernel_len,
> +					      VERIFY_USE_PLATFORM_KEYRING,
> +					      VERIFYING_KEXEC_PE_SIGNATURE);
> +	}
> +	return ret;
> +}
> +#endif
> +
>  static int kexec_image_verify_sig(struct kimage *image, void *buf,
>  		unsigned long buf_len)
>  {
> -- 
> 2.34.1
> 

_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

[PATCH v5 2/3] kexec, KEYS: make the code in bzImage64_verify_sig generic

[Michal =?unknown-8bit?q?Such=C3=A1nek?=]

On Fri, Apr 01, 2022 at 09:31:17AM +0800, Coiby Xu wrote:
> The code in bzImage64_verify_sig could make use of system keyrings
s/could make/makes/
> including .buitin_trusted_keys, .secondary_trusted_keys and .platform
> keyring to verify signed kernel image as PE file. Make it generic so
> both x86_64 and arm64 can use it.
> 
> Signed-off-by: Coiby Xu <coxu@redhat.com>
> ---
>  arch/x86/kernel/kexec-bzimage64.c | 13 +------------
>  include/linux/kexec.h             |  7 +++++++
>  kernel/kexec_file.c               | 17 +++++++++++++++++
>  3 files changed, 25 insertions(+), 12 deletions(-)
> 
> diff --git a/arch/x86/kernel/kexec-bzimage64.c b/arch/x86/kernel/kexec-bzimage64.c
> index 170d0fd68b1f..f73aab3fde33 100644
> --- a/arch/x86/kernel/kexec-bzimage64.c
> +++ b/arch/x86/kernel/kexec-bzimage64.c
> @@ -17,7 +17,6 @@
>  #include <linux/kernel.h>
>  #include <linux/mm.h>
>  #include <linux/efi.h>
> -#include <linux/verification.h>
>  
>  #include <asm/bootparam.h>
>  #include <asm/setup.h>
> @@ -531,17 +530,7 @@ static int bzImage64_cleanup(void *loader_data)
>  #ifdef CONFIG_KEXEC_BZIMAGE_VERIFY_SIG
>  static int bzImage64_verify_sig(const char *kernel, unsigned long kernel_len)
>  {
> -	int ret;
> -
> -	ret = verify_pefile_signature(kernel, kernel_len,
> -				      VERIFY_USE_SECONDARY_KEYRING,
> -				      VERIFYING_KEXEC_PE_SIGNATURE);
> -	if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING)) {
> -		ret = verify_pefile_signature(kernel, kernel_len,
> -					      VERIFY_USE_PLATFORM_KEYRING,
> -					      VERIFYING_KEXEC_PE_SIGNATURE);
> -	}
> -	return ret;
> +	return kexec_kernel_verify_pe_sig(kernel, kernel_len);
>  }

Maybe you can completely eliminate bzImage64_verify_sig and directly
assign kexec_kernel_verify_pe_sig to the fops?

Other than that

Reviewed-by: Michal Suchanek <msuchanek@suse.de>

>  #endif
>  
> diff --git a/include/linux/kexec.h b/include/linux/kexec.h
> index 755fed183224..2fe39e946988 100644
> --- a/include/linux/kexec.h
> +++ b/include/linux/kexec.h
> @@ -19,6 +19,7 @@
>  #include <asm/io.h>
>  
>  #include <uapi/linux/kexec.h>
> +#include <linux/verification.h>
>  
>  #ifdef CONFIG_KEXEC_CORE
>  #include <linux/list.h>
> @@ -196,6 +197,12 @@ int arch_kexec_apply_relocations(struct purgatory_info *pi,
>  				 const Elf_Shdr *relsec,
>  				 const Elf_Shdr *symtab);
>  int arch_kimage_file_post_load_cleanup(struct kimage *image);
> +#ifdef CONFIG_KEXEC_SIG
> +#ifdef CONFIG_SIGNED_PE_FILE_VERIFICATION
> +int kexec_kernel_verify_pe_sig(const char *kernel,
> +				    unsigned long kernel_len);
> +#endif
> +#endif
>  int arch_kexec_locate_mem_hole(struct kexec_buf *kbuf);
>  
>  extern int kexec_add_buffer(struct kexec_buf *kbuf);
> diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
> index 3720435807eb..754885b96aab 100644
> --- a/kernel/kexec_file.c
> +++ b/kernel/kexec_file.c
> @@ -165,6 +165,23 @@ void kimage_file_post_load_cleanup(struct kimage *image)
>  }
>  
>  #ifdef CONFIG_KEXEC_SIG
> +#ifdef CONFIG_SIGNED_PE_FILE_VERIFICATION
> +int kexec_kernel_verify_pe_sig(const char *kernel, unsigned long kernel_len)
> +{
> +	int ret;
> +
> +	ret = verify_pefile_signature(kernel, kernel_len,
> +				      VERIFY_USE_SECONDARY_KEYRING,
> +				      VERIFYING_KEXEC_PE_SIGNATURE);
> +	if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING)) {
> +		ret = verify_pefile_signature(kernel, kernel_len,
> +					      VERIFY_USE_PLATFORM_KEYRING,
> +					      VERIFYING_KEXEC_PE_SIGNATURE);
> +	}
> +	return ret;
> +}
> +#endif
> +
>  static int kexec_image_verify_sig(struct kimage *image, void *buf,
>  		unsigned long buf_len)
>  {
> -- 
> 2.34.1
> 

Re: [PATCH v5 3/3] arm64: kexec_file: use more system keyrings to verify kernel image signature

[Michal Suchánek]

On Fri, Apr 01, 2022 at 09:31:18AM +0800, Coiby Xu wrote:
> Currently, a problem faced by arm64 is if a kernel image is signed by a
> MOK key, loading it via the kexec_file_load() system call would be
> rejected with the error "Lockdown: kexec: kexec of unsigned images is
> restricted; see man kernel_lockdown.7".

This is because image_verify_sig uses only the primary keyring that
contains only kernel built-in keys to verify the kexec image.

> This patch allows to verify arm64 kernel image signature using not only
> .builtin_trusted_keys but also .platform and .secondary_trusted_key
> keyring.
> 
> Acked-by: Will Deacon <will@kernel.org>
> Signed-off-by: Coiby Xu <coxu@redhat.com>
> ---
>  arch/arm64/kernel/kexec_image.c | 4 +---
>  1 file changed, 1 insertion(+), 3 deletions(-)
> 
> diff --git a/arch/arm64/kernel/kexec_image.c b/arch/arm64/kernel/kexec_image.c
> index 9ec34690e255..51af1c22d6da 100644
> --- a/arch/arm64/kernel/kexec_image.c
> +++ b/arch/arm64/kernel/kexec_image.c
> @@ -14,7 +14,6 @@
>  #include <linux/kexec.h>
>  #include <linux/pe.h>
>  #include <linux/string.h>
> -#include <linux/verification.h>
>  #include <asm/byteorder.h>
>  #include <asm/cpufeature.h>
>  #include <asm/image.h>
> @@ -133,8 +132,7 @@ static void *image_load(struct kimage *image,
>  #ifdef CONFIG_KEXEC_IMAGE_VERIFY_SIG
>  static int image_verify_sig(const char *kernel, unsigned long kernel_len)
>  {
> -	return verify_pefile_signature(kernel, kernel_len, NULL,
> -				       VERIFYING_KEXEC_PE_SIGNATURE);
> +	return kexec_kernel_verify_pe_sig(kernel, kernel_len);
>  }
>  #endif

You can eliminate image_verify_sig here aswell and directly assign
kexec_kernel_verify_pe_sig to fops.

Thanks

Michal

Re: [PATCH v5 3/3] arm64: kexec_file: use more system keyrings to verify kernel image signature

[Michal Suchánek]

On Fri, Apr 01, 2022 at 09:31:18AM +0800, Coiby Xu wrote:
> Currently, a problem faced by arm64 is if a kernel image is signed by a
> MOK key, loading it via the kexec_file_load() system call would be
> rejected with the error "Lockdown: kexec: kexec of unsigned images is
> restricted; see man kernel_lockdown.7".

This is because image_verify_sig uses only the primary keyring that
contains only kernel built-in keys to verify the kexec image.

> This patch allows to verify arm64 kernel image signature using not only
> .builtin_trusted_keys but also .platform and .secondary_trusted_key
> keyring.
> 
> Acked-by: Will Deacon <will@kernel.org>
> Signed-off-by: Coiby Xu <coxu@redhat.com>
> ---
>  arch/arm64/kernel/kexec_image.c | 4 +---
>  1 file changed, 1 insertion(+), 3 deletions(-)
> 
> diff --git a/arch/arm64/kernel/kexec_image.c b/arch/arm64/kernel/kexec_image.c
> index 9ec34690e255..51af1c22d6da 100644
> --- a/arch/arm64/kernel/kexec_image.c
> +++ b/arch/arm64/kernel/kexec_image.c
> @@ -14,7 +14,6 @@
>  #include <linux/kexec.h>
>  #include <linux/pe.h>
>  #include <linux/string.h>
> -#include <linux/verification.h>
>  #include <asm/byteorder.h>
>  #include <asm/cpufeature.h>
>  #include <asm/image.h>
> @@ -133,8 +132,7 @@ static void *image_load(struct kimage *image,
>  #ifdef CONFIG_KEXEC_IMAGE_VERIFY_SIG
>  static int image_verify_sig(const char *kernel, unsigned long kernel_len)
>  {
> -	return verify_pefile_signature(kernel, kernel_len, NULL,
> -				       VERIFYING_KEXEC_PE_SIGNATURE);
> +	return kexec_kernel_verify_pe_sig(kernel, kernel_len);
>  }
>  #endif

You can eliminate image_verify_sig here aswell and directly assign
kexec_kernel_verify_pe_sig to fops.

Thanks

Michal

_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

[PATCH v5 3/3] arm64: kexec_file: use more system keyrings to verify kernel image signature

[Michal =?unknown-8bit?q?Such=C3=A1nek?=]

On Fri, Apr 01, 2022 at 09:31:18AM +0800, Coiby Xu wrote:
> Currently, a problem faced by arm64 is if a kernel image is signed by a
> MOK key, loading it via the kexec_file_load() system call would be
> rejected with the error "Lockdown: kexec: kexec of unsigned images is
> restricted; see man kernel_lockdown.7".

This is because image_verify_sig uses only the primary keyring that
contains only kernel built-in keys to verify the kexec image.

> This patch allows to verify arm64 kernel image signature using not only
> .builtin_trusted_keys but also .platform and .secondary_trusted_key
> keyring.
> 
> Acked-by: Will Deacon <will@kernel.org>
> Signed-off-by: Coiby Xu <coxu@redhat.com>
> ---
>  arch/arm64/kernel/kexec_image.c | 4 +---
>  1 file changed, 1 insertion(+), 3 deletions(-)
> 
> diff --git a/arch/arm64/kernel/kexec_image.c b/arch/arm64/kernel/kexec_image.c
> index 9ec34690e255..51af1c22d6da 100644
> --- a/arch/arm64/kernel/kexec_image.c
> +++ b/arch/arm64/kernel/kexec_image.c
> @@ -14,7 +14,6 @@
>  #include <linux/kexec.h>
>  #include <linux/pe.h>
>  #include <linux/string.h>
> -#include <linux/verification.h>
>  #include <asm/byteorder.h>
>  #include <asm/cpufeature.h>
>  #include <asm/image.h>
> @@ -133,8 +132,7 @@ static void *image_load(struct kimage *image,
>  #ifdef CONFIG_KEXEC_IMAGE_VERIFY_SIG
>  static int image_verify_sig(const char *kernel, unsigned long kernel_len)
>  {
> -	return verify_pefile_signature(kernel, kernel_len, NULL,
> -				       VERIFYING_KEXEC_PE_SIGNATURE);
> +	return kexec_kernel_verify_pe_sig(kernel, kernel_len);
>  }
>  #endif

You can eliminate image_verify_sig here aswell and directly assign
kexec_kernel_verify_pe_sig to fops.

Thanks

Michal

Re: [PATCH v5 1/3] kexec: clean up arch_kexec_kernel_verify_sig

[Michal Suchánek]

On Fri, Apr 01, 2022 at 09:31:16AM +0800, Coiby Xu wrote:
> Currently there is no arch-specific implementation of
> arch_kexec_kernel_verify_sig. Even if we want to add an implementation
> for an architecture in the future, we can simply use "(struct
> kexec_file_ops*)->verify_sig". So clean it up.
Reviewed-by: Michal Suchanek <msuchanek@suse.de>
> 
> Suggested-by: Eric W. Biederman <ebiederm@xmission.com>
> Signed-off-by: Coiby Xu <coxu@redhat.com>
> ---
>  include/linux/kexec.h |  4 ----
>  kernel/kexec_file.c   | 34 +++++++++++++---------------------
>  2 files changed, 13 insertions(+), 25 deletions(-)
> 
> diff --git a/include/linux/kexec.h b/include/linux/kexec.h
> index 0c994ae37729..755fed183224 100644
> --- a/include/linux/kexec.h
> +++ b/include/linux/kexec.h
> @@ -196,10 +196,6 @@ int arch_kexec_apply_relocations(struct purgatory_info *pi,
>  				 const Elf_Shdr *relsec,
>  				 const Elf_Shdr *symtab);
>  int arch_kimage_file_post_load_cleanup(struct kimage *image);
> -#ifdef CONFIG_KEXEC_SIG
> -int arch_kexec_kernel_verify_sig(struct kimage *image, void *buf,
> -				 unsigned long buf_len);
> -#endif
>  int arch_kexec_locate_mem_hole(struct kexec_buf *kbuf);
>  
>  extern int kexec_add_buffer(struct kexec_buf *kbuf);
> diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
> index 8347fc158d2b..3720435807eb 100644
> --- a/kernel/kexec_file.c
> +++ b/kernel/kexec_file.c
> @@ -89,25 +89,6 @@ int __weak arch_kimage_file_post_load_cleanup(struct kimage *image)
>  	return kexec_image_post_load_cleanup_default(image);
>  }
>  
> -#ifdef CONFIG_KEXEC_SIG
> -static int kexec_image_verify_sig_default(struct kimage *image, void *buf,
> -					  unsigned long buf_len)
> -{
> -	if (!image->fops || !image->fops->verify_sig) {
> -		pr_debug("kernel loader does not support signature verification.\n");
> -		return -EKEYREJECTED;
> -	}
> -
> -	return image->fops->verify_sig(buf, buf_len);
> -}
> -
> -int __weak arch_kexec_kernel_verify_sig(struct kimage *image, void *buf,
> -					unsigned long buf_len)
> -{
> -	return kexec_image_verify_sig_default(image, buf, buf_len);
> -}
> -#endif
> -
>  /*
>   * arch_kexec_apply_relocations_add - apply relocations of type RELA
>   * @pi:		Purgatory to be relocated.
> @@ -184,13 +165,24 @@ void kimage_file_post_load_cleanup(struct kimage *image)
>  }
>  
>  #ifdef CONFIG_KEXEC_SIG
> +static int kexec_image_verify_sig(struct kimage *image, void *buf,
> +		unsigned long buf_len)
> +{
> +	if (!image->fops || !image->fops->verify_sig) {
> +		pr_debug("kernel loader does not support signature verification.\n");
> +		return -EKEYREJECTED;
> +	}
> +
> +	return image->fops->verify_sig(buf, buf_len);
> +}
> +
>  static int
>  kimage_validate_signature(struct kimage *image)
>  {
>  	int ret;
>  
> -	ret = arch_kexec_kernel_verify_sig(image, image->kernel_buf,
> -					   image->kernel_buf_len);
> +	ret = kexec_image_verify_sig(image, image->kernel_buf,
> +			image->kernel_buf_len);
>  	if (ret) {
>  
>  		if (IS_ENABLED(CONFIG_KEXEC_SIG_FORCE)) {
> -- 
> 2.34.1
> 

Re: [PATCH v5 1/3] kexec: clean up arch_kexec_kernel_verify_sig

[Michal Suchánek]

On Fri, Apr 01, 2022 at 09:31:16AM +0800, Coiby Xu wrote:
> Currently there is no arch-specific implementation of
> arch_kexec_kernel_verify_sig. Even if we want to add an implementation
> for an architecture in the future, we can simply use "(struct
> kexec_file_ops*)->verify_sig". So clean it up.
Reviewed-by: Michal Suchanek <msuchanek@suse.de>
> 
> Suggested-by: Eric W. Biederman <ebiederm@xmission.com>
> Signed-off-by: Coiby Xu <coxu@redhat.com>
> ---
>  include/linux/kexec.h |  4 ----
>  kernel/kexec_file.c   | 34 +++++++++++++---------------------
>  2 files changed, 13 insertions(+), 25 deletions(-)
> 
> diff --git a/include/linux/kexec.h b/include/linux/kexec.h
> index 0c994ae37729..755fed183224 100644
> --- a/include/linux/kexec.h
> +++ b/include/linux/kexec.h
> @@ -196,10 +196,6 @@ int arch_kexec_apply_relocations(struct purgatory_info *pi,
>  				 const Elf_Shdr *relsec,
>  				 const Elf_Shdr *symtab);
>  int arch_kimage_file_post_load_cleanup(struct kimage *image);
> -#ifdef CONFIG_KEXEC_SIG
> -int arch_kexec_kernel_verify_sig(struct kimage *image, void *buf,
> -				 unsigned long buf_len);
> -#endif
>  int arch_kexec_locate_mem_hole(struct kexec_buf *kbuf);
>  
>  extern int kexec_add_buffer(struct kexec_buf *kbuf);
> diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
> index 8347fc158d2b..3720435807eb 100644
> --- a/kernel/kexec_file.c
> +++ b/kernel/kexec_file.c
> @@ -89,25 +89,6 @@ int __weak arch_kimage_file_post_load_cleanup(struct kimage *image)
>  	return kexec_image_post_load_cleanup_default(image);
>  }
>  
> -#ifdef CONFIG_KEXEC_SIG
> -static int kexec_image_verify_sig_default(struct kimage *image, void *buf,
> -					  unsigned long buf_len)
> -{
> -	if (!image->fops || !image->fops->verify_sig) {
> -		pr_debug("kernel loader does not support signature verification.\n");
> -		return -EKEYREJECTED;
> -	}
> -
> -	return image->fops->verify_sig(buf, buf_len);
> -}
> -
> -int __weak arch_kexec_kernel_verify_sig(struct kimage *image, void *buf,
> -					unsigned long buf_len)
> -{
> -	return kexec_image_verify_sig_default(image, buf, buf_len);
> -}
> -#endif
> -
>  /*
>   * arch_kexec_apply_relocations_add - apply relocations of type RELA
>   * @pi:		Purgatory to be relocated.
> @@ -184,13 +165,24 @@ void kimage_file_post_load_cleanup(struct kimage *image)
>  }
>  
>  #ifdef CONFIG_KEXEC_SIG
> +static int kexec_image_verify_sig(struct kimage *image, void *buf,
> +		unsigned long buf_len)
> +{
> +	if (!image->fops || !image->fops->verify_sig) {
> +		pr_debug("kernel loader does not support signature verification.\n");
> +		return -EKEYREJECTED;
> +	}
> +
> +	return image->fops->verify_sig(buf, buf_len);
> +}
> +
>  static int
>  kimage_validate_signature(struct kimage *image)
>  {
>  	int ret;
>  
> -	ret = arch_kexec_kernel_verify_sig(image, image->kernel_buf,
> -					   image->kernel_buf_len);
> +	ret = kexec_image_verify_sig(image, image->kernel_buf,
> +			image->kernel_buf_len);
>  	if (ret) {
>  
>  		if (IS_ENABLED(CONFIG_KEXEC_SIG_FORCE)) {
> -- 
> 2.34.1
> 

_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

[PATCH v5 1/3] kexec: clean up arch_kexec_kernel_verify_sig

[Michal =?unknown-8bit?q?Such=C3=A1nek?=]

On Fri, Apr 01, 2022 at 09:31:16AM +0800, Coiby Xu wrote:
> Currently there is no arch-specific implementation of
> arch_kexec_kernel_verify_sig. Even if we want to add an implementation
> for an architecture in the future, we can simply use "(struct
> kexec_file_ops*)->verify_sig". So clean it up.
Reviewed-by: Michal Suchanek <msuchanek@suse.de>
> 
> Suggested-by: Eric W. Biederman <ebiederm@xmission.com>
> Signed-off-by: Coiby Xu <coxu@redhat.com>
> ---
>  include/linux/kexec.h |  4 ----
>  kernel/kexec_file.c   | 34 +++++++++++++---------------------
>  2 files changed, 13 insertions(+), 25 deletions(-)
> 
> diff --git a/include/linux/kexec.h b/include/linux/kexec.h
> index 0c994ae37729..755fed183224 100644
> --- a/include/linux/kexec.h
> +++ b/include/linux/kexec.h
> @@ -196,10 +196,6 @@ int arch_kexec_apply_relocations(struct purgatory_info *pi,
>  				 const Elf_Shdr *relsec,
>  				 const Elf_Shdr *symtab);
>  int arch_kimage_file_post_load_cleanup(struct kimage *image);
> -#ifdef CONFIG_KEXEC_SIG
> -int arch_kexec_kernel_verify_sig(struct kimage *image, void *buf,
> -				 unsigned long buf_len);
> -#endif
>  int arch_kexec_locate_mem_hole(struct kexec_buf *kbuf);
>  
>  extern int kexec_add_buffer(struct kexec_buf *kbuf);
> diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
> index 8347fc158d2b..3720435807eb 100644
> --- a/kernel/kexec_file.c
> +++ b/kernel/kexec_file.c
> @@ -89,25 +89,6 @@ int __weak arch_kimage_file_post_load_cleanup(struct kimage *image)
>  	return kexec_image_post_load_cleanup_default(image);
>  }
>  
> -#ifdef CONFIG_KEXEC_SIG
> -static int kexec_image_verify_sig_default(struct kimage *image, void *buf,
> -					  unsigned long buf_len)
> -{
> -	if (!image->fops || !image->fops->verify_sig) {
> -		pr_debug("kernel loader does not support signature verification.\n");
> -		return -EKEYREJECTED;
> -	}
> -
> -	return image->fops->verify_sig(buf, buf_len);
> -}
> -
> -int __weak arch_kexec_kernel_verify_sig(struct kimage *image, void *buf,
> -					unsigned long buf_len)
> -{
> -	return kexec_image_verify_sig_default(image, buf, buf_len);
> -}
> -#endif
> -
>  /*
>   * arch_kexec_apply_relocations_add - apply relocations of type RELA
>   * @pi:		Purgatory to be relocated.
> @@ -184,13 +165,24 @@ void kimage_file_post_load_cleanup(struct kimage *image)
>  }
>  
>  #ifdef CONFIG_KEXEC_SIG
> +static int kexec_image_verify_sig(struct kimage *image, void *buf,
> +		unsigned long buf_len)
> +{
> +	if (!image->fops || !image->fops->verify_sig) {
> +		pr_debug("kernel loader does not support signature verification.\n");
> +		return -EKEYREJECTED;
> +	}
> +
> +	return image->fops->verify_sig(buf, buf_len);
> +}
> +
>  static int
>  kimage_validate_signature(struct kimage *image)
>  {
>  	int ret;
>  
> -	ret = arch_kexec_kernel_verify_sig(image, image->kernel_buf,
> -					   image->kernel_buf_len);
> +	ret = kexec_image_verify_sig(image, image->kernel_buf,
> +			image->kernel_buf_len);
>  	if (ret) {
>  
>  		if (IS_ENABLED(CONFIG_KEXEC_SIG_FORCE)) {
> -- 
> 2.34.1
> 

Re: [PATCH v5 0/3] use more system keyrings to verify arm64 kdump kernel image signature

[Coiby Xu]

On Mon, Apr 11, 2022 at 10:43:06AM +0200, Michal Suchánek wrote:
>On Mon, Apr 11, 2022 at 09:52:18AM +0800, Coiby Xu wrote:
>> On Mon, Apr 11, 2022 at 09:13:32AM +0800, Baoquan He wrote:
>> > On 04/08/22 at 10:59am, Michal Suchánek wrote:
>> > > On Fri, Apr 08, 2022 at 03:17:19PM +0800, Baoquan He wrote:
>> > > > Hi Coiby,
>> > > >
>> > > > On 04/01/22 at 09:31am, Coiby Xu wrote:
>> > > > > Currently, a problem faced by arm64 is if a kernel image is signed by a
>> > > > > MOK key, loading it via the kexec_file_load() system call would be
>> > > > > rejected with the error "Lockdown: kexec: kexec of unsigned images is
>> > > > > restricted; see man kernel_lockdown.7".
>> > > > >
>> > > > > This patch set allows arm64 to use more system keyrings to verify kdump
>> > > > > kernel image signature by making the existing code in x64 public.
>> > > >
>> > > > Thanks for updating. It would be great to tell why the problem is
>> > > > met, then allow arm64 to use more system keyrings can solve it.
>> > >
>> > > The reason is that MOK keys are (if anywhere) linked to the secondary
>>                                                                ^^^^^^^^^
>>                                                                platform?
>> > > keyring, and only primary keyring is used on arm64.
>>
>> Thanks Michal for providing the info! Btw, I think you made a typo
>> because MOK keys are linked to the platform keyring, right?
>
>No, I mean secondary, through this patchset:
>https://lore.kernel.org/lkml/YhKP12KEmyqyS8rj@iki.fi/

Thanks for the info! This provides another approach to verify kernel
image's signature via the secondary keyring once the end-use chooses to
trust MOK keys by setting MokListTrustedRT.

>
>Apparently support for importing the MOK keys into the platform keyring
>also exists but I am not sure if this is upstream or downstream feature.

This is actually an upstream feature,

commit 15ea0e1e3e185040bed6119f815096f2e4326242
Author: Josh Boyer <jwboyer@fedoraproject.org>
Date:   Thu Dec 13 01:37:56 2018 +0530

     efi: Import certificates from UEFI Secure Boot
     
     Secure Boot stores a list of allowed certificates in the 'db' variable.
     This patch imports those certificates into the platform keyring. The shim
     UEFI bootloader has a similar certificate list stored in the 'MokListRT'
     variable. We import those as well.
     
     Secure Boot also maintains a list of disallowed certificates in the 'dbx'
     variable. We load those certificates into the system blacklist keyring
     and forbid any kernel signed with those from loading.
     
     [zohar@linux.ibm.com: dropped Josh's original patch description]
     Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
     Signed-off-by: David Howells <dhowells@redhat.com>
     Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
     Acked-by: Serge Hallyn <serge@hallyn.com>
     Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>

>
>At any rate the MOK keys are not included in the primary keyring which
>is the only keyring currently in use for kexec on arm64.

Good summary, thanks!

>
>Thanks
>
>Michal
>

-- 
Best regards,
Coiby


_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

[PATCH v5 0/3] use more system keyrings to verify arm64 kdump kernel image signature

[Coiby Xu]

On Mon, Apr 11, 2022 at 10:43:06AM +0200, Michal Such?nek wrote:
>On Mon, Apr 11, 2022 at 09:52:18AM +0800, Coiby Xu wrote:
>> On Mon, Apr 11, 2022 at 09:13:32AM +0800, Baoquan He wrote:
>> > On 04/08/22 at 10:59am, Michal Such?nek wrote:
>> > > On Fri, Apr 08, 2022 at 03:17:19PM +0800, Baoquan He wrote:
>> > > > Hi Coiby,
>> > > >
>> > > > On 04/01/22 at 09:31am, Coiby Xu wrote:
>> > > > > Currently, a problem faced by arm64 is if a kernel image is signed by a
>> > > > > MOK key, loading it via the kexec_file_load() system call would be
>> > > > > rejected with the error "Lockdown: kexec: kexec of unsigned images is
>> > > > > restricted; see man kernel_lockdown.7".
>> > > > >
>> > > > > This patch set allows arm64 to use more system keyrings to verify kdump
>> > > > > kernel image signature by making the existing code in x64 public.
>> > > >
>> > > > Thanks for updating. It would be great to tell why the problem is
>> > > > met, then allow arm64 to use more system keyrings can solve it.
>> > >
>> > > The reason is that MOK keys are (if anywhere) linked to the secondary
>>                                                                ^^^^^^^^^
>>                                                                platform?
>> > > keyring, and only primary keyring is used on arm64.
>>
>> Thanks Michal for providing the info! Btw, I think you made a typo
>> because MOK keys are linked to the platform keyring, right?
>
>No, I mean secondary, through this patchset:
>https://lore.kernel.org/lkml/YhKP12KEmyqyS8rj at iki.fi/

Thanks for the info! This provides another approach to verify kernel
image's signature via the secondary keyring once the end-use chooses to
trust MOK keys by setting MokListTrustedRT.

>
>Apparently support for importing the MOK keys into the platform keyring
>also exists but I am not sure if this is upstream or downstream feature.

This is actually an upstream feature,

commit 15ea0e1e3e185040bed6119f815096f2e4326242
Author: Josh Boyer <jwboyer@fedoraproject.org>
Date:   Thu Dec 13 01:37:56 2018 +0530

     efi: Import certificates from UEFI Secure Boot
     
     Secure Boot stores a list of allowed certificates in the 'db' variable.
     This patch imports those certificates into the platform keyring. The shim
     UEFI bootloader has a similar certificate list stored in the 'MokListRT'
     variable. We import those as well.
     
     Secure Boot also maintains a list of disallowed certificates in the 'dbx'
     variable. We load those certificates into the system blacklist keyring
     and forbid any kernel signed with those from loading.
     
     [zohar at linux.ibm.com: dropped Josh's original patch description]
     Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
     Signed-off-by: David Howells <dhowells@redhat.com>
     Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
     Acked-by: Serge Hallyn <serge@hallyn.com>
     Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>

>
>At any rate the MOK keys are not included in the primary keyring which
>is the only keyring currently in use for kexec on arm64.

Good summary, thanks!

>
>Thanks
>
>Michal
>

-- 
Best regards,
Coiby

Re: [PATCH v5 3/3] arm64: kexec_file: use more system keyrings to verify kernel image signature

[Coiby Xu]

On Mon, Apr 11, 2022 at 10:59:38AM +0200, Michal Suchánek wrote:
>On Fri, Apr 01, 2022 at 09:31:18AM +0800, Coiby Xu wrote:
>> Currently, a problem faced by arm64 is if a kernel image is signed by a
>> MOK key, loading it via the kexec_file_load() system call would be
>> rejected with the error "Lockdown: kexec: kexec of unsigned images is
>> restricted; see man kernel_lockdown.7".
>
>This is because image_verify_sig uses only the primary keyring that
>contains only kernel built-in keys to verify the kexec image.
>
>> This patch allows to verify arm64 kernel image signature using not only
>> .builtin_trusted_keys but also .platform and .secondary_trusted_key
>> keyring.
>>
>> Acked-by: Will Deacon <will@kernel.org>
>> Signed-off-by: Coiby Xu <coxu@redhat.com>
>> ---
>>  arch/arm64/kernel/kexec_image.c | 4 +---
>>  1 file changed, 1 insertion(+), 3 deletions(-)
>>
>> diff --git a/arch/arm64/kernel/kexec_image.c b/arch/arm64/kernel/kexec_image.c
>> index 9ec34690e255..51af1c22d6da 100644
>> --- a/arch/arm64/kernel/kexec_image.c
>> +++ b/arch/arm64/kernel/kexec_image.c
>> @@ -14,7 +14,6 @@
>>  #include <linux/kexec.h>
>>  #include <linux/pe.h>
>>  #include <linux/string.h>
>> -#include <linux/verification.h>
>>  #include <asm/byteorder.h>
>>  #include <asm/cpufeature.h>
>>  #include <asm/image.h>
>> @@ -133,8 +132,7 @@ static void *image_load(struct kimage *image,
>>  #ifdef CONFIG_KEXEC_IMAGE_VERIFY_SIG
>>  static int image_verify_sig(const char *kernel, unsigned long kernel_len)
>>  {
>> -	return verify_pefile_signature(kernel, kernel_len, NULL,
>> -				       VERIFYING_KEXEC_PE_SIGNATURE);
>> +	return kexec_kernel_verify_pe_sig(kernel, kernel_len);
>>  }
>>  #endif
>
>You can eliminate image_verify_sig here aswell and directly assign
>kexec_kernel_verify_pe_sig to fops.

Good suggestions, thanks!

>
>Thanks
>
>Michal
>

-- 
Best regards,
Coiby

Re: [PATCH v5 3/3] arm64: kexec_file: use more system keyrings to verify kernel image signature

[Coiby Xu]

On Mon, Apr 11, 2022 at 10:59:38AM +0200, Michal Suchánek wrote:
>On Fri, Apr 01, 2022 at 09:31:18AM +0800, Coiby Xu wrote:
>> Currently, a problem faced by arm64 is if a kernel image is signed by a
>> MOK key, loading it via the kexec_file_load() system call would be
>> rejected with the error "Lockdown: kexec: kexec of unsigned images is
>> restricted; see man kernel_lockdown.7".
>
>This is because image_verify_sig uses only the primary keyring that
>contains only kernel built-in keys to verify the kexec image.
>
>> This patch allows to verify arm64 kernel image signature using not only
>> .builtin_trusted_keys but also .platform and .secondary_trusted_key
>> keyring.
>>
>> Acked-by: Will Deacon <will@kernel.org>
>> Signed-off-by: Coiby Xu <coxu@redhat.com>
>> ---
>>  arch/arm64/kernel/kexec_image.c | 4 +---
>>  1 file changed, 1 insertion(+), 3 deletions(-)
>>
>> diff --git a/arch/arm64/kernel/kexec_image.c b/arch/arm64/kernel/kexec_image.c
>> index 9ec34690e255..51af1c22d6da 100644
>> --- a/arch/arm64/kernel/kexec_image.c
>> +++ b/arch/arm64/kernel/kexec_image.c
>> @@ -14,7 +14,6 @@
>>  #include <linux/kexec.h>
>>  #include <linux/pe.h>
>>  #include <linux/string.h>
>> -#include <linux/verification.h>
>>  #include <asm/byteorder.h>
>>  #include <asm/cpufeature.h>
>>  #include <asm/image.h>
>> @@ -133,8 +132,7 @@ static void *image_load(struct kimage *image,
>>  #ifdef CONFIG_KEXEC_IMAGE_VERIFY_SIG
>>  static int image_verify_sig(const char *kernel, unsigned long kernel_len)
>>  {
>> -	return verify_pefile_signature(kernel, kernel_len, NULL,
>> -				       VERIFYING_KEXEC_PE_SIGNATURE);
>> +	return kexec_kernel_verify_pe_sig(kernel, kernel_len);
>>  }
>>  #endif
>
>You can eliminate image_verify_sig here aswell and directly assign
>kexec_kernel_verify_pe_sig to fops.

Good suggestions, thanks!

>
>Thanks
>
>Michal
>

-- 
Best regards,
Coiby


_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

[PATCH v5 3/3] arm64: kexec_file: use more system keyrings to verify kernel image signature

[Coiby Xu]

On Mon, Apr 11, 2022 at 10:59:38AM +0200, Michal Such?nek wrote:
>On Fri, Apr 01, 2022 at 09:31:18AM +0800, Coiby Xu wrote:
>> Currently, a problem faced by arm64 is if a kernel image is signed by a
>> MOK key, loading it via the kexec_file_load() system call would be
>> rejected with the error "Lockdown: kexec: kexec of unsigned images is
>> restricted; see man kernel_lockdown.7".
>
>This is because image_verify_sig uses only the primary keyring that
>contains only kernel built-in keys to verify the kexec image.
>
>> This patch allows to verify arm64 kernel image signature using not only
>> .builtin_trusted_keys but also .platform and .secondary_trusted_key
>> keyring.
>>
>> Acked-by: Will Deacon <will@kernel.org>
>> Signed-off-by: Coiby Xu <coxu@redhat.com>
>> ---
>>  arch/arm64/kernel/kexec_image.c | 4 +---
>>  1 file changed, 1 insertion(+), 3 deletions(-)
>>
>> diff --git a/arch/arm64/kernel/kexec_image.c b/arch/arm64/kernel/kexec_image.c
>> index 9ec34690e255..51af1c22d6da 100644
>> --- a/arch/arm64/kernel/kexec_image.c
>> +++ b/arch/arm64/kernel/kexec_image.c
>> @@ -14,7 +14,6 @@
>>  #include <linux/kexec.h>
>>  #include <linux/pe.h>
>>  #include <linux/string.h>
>> -#include <linux/verification.h>
>>  #include <asm/byteorder.h>
>>  #include <asm/cpufeature.h>
>>  #include <asm/image.h>
>> @@ -133,8 +132,7 @@ static void *image_load(struct kimage *image,
>>  #ifdef CONFIG_KEXEC_IMAGE_VERIFY_SIG
>>  static int image_verify_sig(const char *kernel, unsigned long kernel_len)
>>  {
>> -	return verify_pefile_signature(kernel, kernel_len, NULL,
>> -				       VERIFYING_KEXEC_PE_SIGNATURE);
>> +	return kexec_kernel_verify_pe_sig(kernel, kernel_len);
>>  }
>>  #endif
>
>You can eliminate image_verify_sig here aswell and directly assign
>kexec_kernel_verify_pe_sig to fops.

Good suggestions, thanks!

>
>Thanks
>
>Michal
>

-- 
Best regards,
Coiby

Re: [PATCH v5 2/3] kexec, KEYS: make the code in bzImage64_verify_sig generic

[Coiby Xu]

On Mon, Apr 11, 2022 at 10:54:11AM +0200, Michal Suchánek wrote:
>On Fri, Apr 01, 2022 at 09:31:17AM +0800, Coiby Xu wrote:
>> The code in bzImage64_verify_sig could make use of system keyrings
>s/could make/makes/
>> including .buitin_trusted_keys, .secondary_trusted_keys and .platform
>> keyring to verify signed kernel image as PE file. Make it generic so
>> both x86_64 and arm64 can use it.
>>
>> Signed-off-by: Coiby Xu <coxu@redhat.com>
>> ---
>>  arch/x86/kernel/kexec-bzimage64.c | 13 +------------
>>  include/linux/kexec.h             |  7 +++++++
>>  kernel/kexec_file.c               | 17 +++++++++++++++++
>>  3 files changed, 25 insertions(+), 12 deletions(-)
>>
>> diff --git a/arch/x86/kernel/kexec-bzimage64.c b/arch/x86/kernel/kexec-bzimage64.c
>> index 170d0fd68b1f..f73aab3fde33 100644
>> --- a/arch/x86/kernel/kexec-bzimage64.c
>> +++ b/arch/x86/kernel/kexec-bzimage64.c
>> @@ -17,7 +17,6 @@
>>  #include <linux/kernel.h>
>>  #include <linux/mm.h>
>>  #include <linux/efi.h>
>> -#include <linux/verification.h>
>>
>>  #include <asm/bootparam.h>
>>  #include <asm/setup.h>
>> @@ -531,17 +530,7 @@ static int bzImage64_cleanup(void *loader_data)
>>  #ifdef CONFIG_KEXEC_BZIMAGE_VERIFY_SIG
>>  static int bzImage64_verify_sig(const char *kernel, unsigned long kernel_len)
>>  {
>> -	int ret;
>> -
>> -	ret = verify_pefile_signature(kernel, kernel_len,
>> -				      VERIFY_USE_SECONDARY_KEYRING,
>> -				      VERIFYING_KEXEC_PE_SIGNATURE);
>> -	if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING)) {
>> -		ret = verify_pefile_signature(kernel, kernel_len,
>> -					      VERIFY_USE_PLATFORM_KEYRING,
>> -					      VERIFYING_KEXEC_PE_SIGNATURE);
>> -	}
>> -	return ret;
>> +	return kexec_kernel_verify_pe_sig(kernel, kernel_len);
>>  }
>
>Maybe you can completely eliminate bzImage64_verify_sig and directly
>assign kexec_kernel_verify_pe_sig to the fops?
>
>Other than that
>
>Reviewed-by: Michal Suchanek <msuchanek@suse.de>

Applied, thanks for the suggestion and reviewing the patch!

>

>>  #endif
>>
>> diff --git a/include/linux/kexec.h b/include/linux/kexec.h
>> index 755fed183224..2fe39e946988 100644
>> --- a/include/linux/kexec.h
>> +++ b/include/linux/kexec.h
>> @@ -19,6 +19,7 @@
>>  #include <asm/io.h>
>>
>>  #include <uapi/linux/kexec.h>
>> +#include <linux/verification.h>
>>
>>  #ifdef CONFIG_KEXEC_CORE
>>  #include <linux/list.h>
>> @@ -196,6 +197,12 @@ int arch_kexec_apply_relocations(struct purgatory_info *pi,
>>  				 const Elf_Shdr *relsec,
>>  				 const Elf_Shdr *symtab);
>>  int arch_kimage_file_post_load_cleanup(struct kimage *image);
>> +#ifdef CONFIG_KEXEC_SIG
>> +#ifdef CONFIG_SIGNED_PE_FILE_VERIFICATION
>> +int kexec_kernel_verify_pe_sig(const char *kernel,
>> +				    unsigned long kernel_len);
>> +#endif
>> +#endif
>>  int arch_kexec_locate_mem_hole(struct kexec_buf *kbuf);
>>
>>  extern int kexec_add_buffer(struct kexec_buf *kbuf);
>> diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
>> index 3720435807eb..754885b96aab 100644
>> --- a/kernel/kexec_file.c
>> +++ b/kernel/kexec_file.c
>> @@ -165,6 +165,23 @@ void kimage_file_post_load_cleanup(struct kimage *image)
>>  }
>>
>>  #ifdef CONFIG_KEXEC_SIG
>> +#ifdef CONFIG_SIGNED_PE_FILE_VERIFICATION
>> +int kexec_kernel_verify_pe_sig(const char *kernel, unsigned long kernel_len)
>> +{
>> +	int ret;
>> +
>> +	ret = verify_pefile_signature(kernel, kernel_len,
>> +				      VERIFY_USE_SECONDARY_KEYRING,
>> +				      VERIFYING_KEXEC_PE_SIGNATURE);
>> +	if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING)) {
>> +		ret = verify_pefile_signature(kernel, kernel_len,
>> +					      VERIFY_USE_PLATFORM_KEYRING,
>> +					      VERIFYING_KEXEC_PE_SIGNATURE);
>> +	}
>> +	return ret;
>> +}
>> +#endif
>> +
>>  static int kexec_image_verify_sig(struct kimage *image, void *buf,
>>  		unsigned long buf_len)
>>  {
>> --
>> 2.34.1
>>
>

-- 
Best regards,
Coiby

Re: [PATCH v5 2/3] kexec, KEYS: make the code in bzImage64_verify_sig generic

[Coiby Xu]

On Mon, Apr 11, 2022 at 10:54:11AM +0200, Michal Suchánek wrote:
>On Fri, Apr 01, 2022 at 09:31:17AM +0800, Coiby Xu wrote:
>> The code in bzImage64_verify_sig could make use of system keyrings
>s/could make/makes/
>> including .buitin_trusted_keys, .secondary_trusted_keys and .platform
>> keyring to verify signed kernel image as PE file. Make it generic so
>> both x86_64 and arm64 can use it.
>>
>> Signed-off-by: Coiby Xu <coxu@redhat.com>
>> ---
>>  arch/x86/kernel/kexec-bzimage64.c | 13 +------------
>>  include/linux/kexec.h             |  7 +++++++
>>  kernel/kexec_file.c               | 17 +++++++++++++++++
>>  3 files changed, 25 insertions(+), 12 deletions(-)
>>
>> diff --git a/arch/x86/kernel/kexec-bzimage64.c b/arch/x86/kernel/kexec-bzimage64.c
>> index 170d0fd68b1f..f73aab3fde33 100644
>> --- a/arch/x86/kernel/kexec-bzimage64.c
>> +++ b/arch/x86/kernel/kexec-bzimage64.c
>> @@ -17,7 +17,6 @@
>>  #include <linux/kernel.h>
>>  #include <linux/mm.h>
>>  #include <linux/efi.h>
>> -#include <linux/verification.h>
>>
>>  #include <asm/bootparam.h>
>>  #include <asm/setup.h>
>> @@ -531,17 +530,7 @@ static int bzImage64_cleanup(void *loader_data)
>>  #ifdef CONFIG_KEXEC_BZIMAGE_VERIFY_SIG
>>  static int bzImage64_verify_sig(const char *kernel, unsigned long kernel_len)
>>  {
>> -	int ret;
>> -
>> -	ret = verify_pefile_signature(kernel, kernel_len,
>> -				      VERIFY_USE_SECONDARY_KEYRING,
>> -				      VERIFYING_KEXEC_PE_SIGNATURE);
>> -	if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING)) {
>> -		ret = verify_pefile_signature(kernel, kernel_len,
>> -					      VERIFY_USE_PLATFORM_KEYRING,
>> -					      VERIFYING_KEXEC_PE_SIGNATURE);
>> -	}
>> -	return ret;
>> +	return kexec_kernel_verify_pe_sig(kernel, kernel_len);
>>  }
>
>Maybe you can completely eliminate bzImage64_verify_sig and directly
>assign kexec_kernel_verify_pe_sig to the fops?
>
>Other than that
>
>Reviewed-by: Michal Suchanek <msuchanek@suse.de>

Applied, thanks for the suggestion and reviewing the patch!

>

>>  #endif
>>
>> diff --git a/include/linux/kexec.h b/include/linux/kexec.h
>> index 755fed183224..2fe39e946988 100644
>> --- a/include/linux/kexec.h
>> +++ b/include/linux/kexec.h
>> @@ -19,6 +19,7 @@
>>  #include <asm/io.h>
>>
>>  #include <uapi/linux/kexec.h>
>> +#include <linux/verification.h>
>>
>>  #ifdef CONFIG_KEXEC_CORE
>>  #include <linux/list.h>
>> @@ -196,6 +197,12 @@ int arch_kexec_apply_relocations(struct purgatory_info *pi,
>>  				 const Elf_Shdr *relsec,
>>  				 const Elf_Shdr *symtab);
>>  int arch_kimage_file_post_load_cleanup(struct kimage *image);
>> +#ifdef CONFIG_KEXEC_SIG
>> +#ifdef CONFIG_SIGNED_PE_FILE_VERIFICATION
>> +int kexec_kernel_verify_pe_sig(const char *kernel,
>> +				    unsigned long kernel_len);
>> +#endif
>> +#endif
>>  int arch_kexec_locate_mem_hole(struct kexec_buf *kbuf);
>>
>>  extern int kexec_add_buffer(struct kexec_buf *kbuf);
>> diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
>> index 3720435807eb..754885b96aab 100644
>> --- a/kernel/kexec_file.c
>> +++ b/kernel/kexec_file.c
>> @@ -165,6 +165,23 @@ void kimage_file_post_load_cleanup(struct kimage *image)
>>  }
>>
>>  #ifdef CONFIG_KEXEC_SIG
>> +#ifdef CONFIG_SIGNED_PE_FILE_VERIFICATION
>> +int kexec_kernel_verify_pe_sig(const char *kernel, unsigned long kernel_len)
>> +{
>> +	int ret;
>> +
>> +	ret = verify_pefile_signature(kernel, kernel_len,
>> +				      VERIFY_USE_SECONDARY_KEYRING,
>> +				      VERIFYING_KEXEC_PE_SIGNATURE);
>> +	if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING)) {
>> +		ret = verify_pefile_signature(kernel, kernel_len,
>> +					      VERIFY_USE_PLATFORM_KEYRING,
>> +					      VERIFYING_KEXEC_PE_SIGNATURE);
>> +	}
>> +	return ret;
>> +}
>> +#endif
>> +
>>  static int kexec_image_verify_sig(struct kimage *image, void *buf,
>>  		unsigned long buf_len)
>>  {
>> --
>> 2.34.1
>>
>

-- 
Best regards,
Coiby


_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

[PATCH v5 2/3] kexec, KEYS: make the code in bzImage64_verify_sig generic

[Coiby Xu]

On Mon, Apr 11, 2022 at 10:54:11AM +0200, Michal Such?nek wrote:
>On Fri, Apr 01, 2022 at 09:31:17AM +0800, Coiby Xu wrote:
>> The code in bzImage64_verify_sig could make use of system keyrings
>s/could make/makes/
>> including .buitin_trusted_keys, .secondary_trusted_keys and .platform
>> keyring to verify signed kernel image as PE file. Make it generic so
>> both x86_64 and arm64 can use it.
>>
>> Signed-off-by: Coiby Xu <coxu@redhat.com>
>> ---
>>  arch/x86/kernel/kexec-bzimage64.c | 13 +------------
>>  include/linux/kexec.h             |  7 +++++++
>>  kernel/kexec_file.c               | 17 +++++++++++++++++
>>  3 files changed, 25 insertions(+), 12 deletions(-)
>>
>> diff --git a/arch/x86/kernel/kexec-bzimage64.c b/arch/x86/kernel/kexec-bzimage64.c
>> index 170d0fd68b1f..f73aab3fde33 100644
>> --- a/arch/x86/kernel/kexec-bzimage64.c
>> +++ b/arch/x86/kernel/kexec-bzimage64.c
>> @@ -17,7 +17,6 @@
>>  #include <linux/kernel.h>
>>  #include <linux/mm.h>
>>  #include <linux/efi.h>
>> -#include <linux/verification.h>
>>
>>  #include <asm/bootparam.h>
>>  #include <asm/setup.h>
>> @@ -531,17 +530,7 @@ static int bzImage64_cleanup(void *loader_data)
>>  #ifdef CONFIG_KEXEC_BZIMAGE_VERIFY_SIG
>>  static int bzImage64_verify_sig(const char *kernel, unsigned long kernel_len)
>>  {
>> -	int ret;
>> -
>> -	ret = verify_pefile_signature(kernel, kernel_len,
>> -				      VERIFY_USE_SECONDARY_KEYRING,
>> -				      VERIFYING_KEXEC_PE_SIGNATURE);
>> -	if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING)) {
>> -		ret = verify_pefile_signature(kernel, kernel_len,
>> -					      VERIFY_USE_PLATFORM_KEYRING,
>> -					      VERIFYING_KEXEC_PE_SIGNATURE);
>> -	}
>> -	return ret;
>> +	return kexec_kernel_verify_pe_sig(kernel, kernel_len);
>>  }
>
>Maybe you can completely eliminate bzImage64_verify_sig and directly
>assign kexec_kernel_verify_pe_sig to the fops?
>
>Other than that
>
>Reviewed-by: Michal Suchanek <msuchanek@suse.de>

Applied, thanks for the suggestion and reviewing the patch!

>

>>  #endif
>>
>> diff --git a/include/linux/kexec.h b/include/linux/kexec.h
>> index 755fed183224..2fe39e946988 100644
>> --- a/include/linux/kexec.h
>> +++ b/include/linux/kexec.h
>> @@ -19,6 +19,7 @@
>>  #include <asm/io.h>
>>
>>  #include <uapi/linux/kexec.h>
>> +#include <linux/verification.h>
>>
>>  #ifdef CONFIG_KEXEC_CORE
>>  #include <linux/list.h>
>> @@ -196,6 +197,12 @@ int arch_kexec_apply_relocations(struct purgatory_info *pi,
>>  				 const Elf_Shdr *relsec,
>>  				 const Elf_Shdr *symtab);
>>  int arch_kimage_file_post_load_cleanup(struct kimage *image);
>> +#ifdef CONFIG_KEXEC_SIG
>> +#ifdef CONFIG_SIGNED_PE_FILE_VERIFICATION
>> +int kexec_kernel_verify_pe_sig(const char *kernel,
>> +				    unsigned long kernel_len);
>> +#endif
>> +#endif
>>  int arch_kexec_locate_mem_hole(struct kexec_buf *kbuf);
>>
>>  extern int kexec_add_buffer(struct kexec_buf *kbuf);
>> diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
>> index 3720435807eb..754885b96aab 100644
>> --- a/kernel/kexec_file.c
>> +++ b/kernel/kexec_file.c
>> @@ -165,6 +165,23 @@ void kimage_file_post_load_cleanup(struct kimage *image)
>>  }
>>
>>  #ifdef CONFIG_KEXEC_SIG
>> +#ifdef CONFIG_SIGNED_PE_FILE_VERIFICATION
>> +int kexec_kernel_verify_pe_sig(const char *kernel, unsigned long kernel_len)
>> +{
>> +	int ret;
>> +
>> +	ret = verify_pefile_signature(kernel, kernel_len,
>> +				      VERIFY_USE_SECONDARY_KEYRING,
>> +				      VERIFYING_KEXEC_PE_SIGNATURE);
>> +	if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING)) {
>> +		ret = verify_pefile_signature(kernel, kernel_len,
>> +					      VERIFY_USE_PLATFORM_KEYRING,
>> +					      VERIFYING_KEXEC_PE_SIGNATURE);
>> +	}
>> +	return ret;
>> +}
>> +#endif
>> +
>>  static int kexec_image_verify_sig(struct kimage *image, void *buf,
>>  		unsigned long buf_len)
>>  {
>> --
>> 2.34.1
>>
>

-- 
Best regards,
Coiby