Subject: Re: [PATCH v2] kexec: Do not verify the signature without the lockdown or mandatory signature
From: lijiang
To: linux-kernel@vger.kernel.org, akpm@linux-foundation.org, ebiederm@xmission.com
Cc: kexec@lists.infradead.org, ebiederm@xmission.com, jbohac@suse.cz, jmorris@namei.org, mjg59@google.com, dyoung@redhat.com, bhe@redhat.com
Date: Wed, 10 Jun 2020 16:21:40 +0800
Message-ID: <49d2af1c-bcbf-41d8-071c-93cce024b47b@redhat.com>
In-Reply-To: <20200602045952.27487-1-lijiang@redhat.com>
References: <20200602045952.27487-1-lijiang@redhat.com>
X-Mailing-List: linux-kernel@vger.kernel.org

I just noticed that I forgot to add Eric Biederman to the cc list, so sorry for this.

Thanks.
Lianbo

On 2020-06-02 12:59, Lianbo Jiang wrote:
> Signature verification is an important security feature, to protect the
> system from being attacked with a kernel of unknown origin. Kexec
> rebooting is a way to replace the running kernel, hence it needs to be
> secured carefully.
>
> In the current code handling signature verification of the kexec kernel,
> the logic is very twisted. It mixes signature verification, IMA signature
> appraising and kexec lockdown.
>
> If there is no KEXEC_SIG_FORCE and the kexec kernel image doesn't have one
> of: a signature, the supported crypto, or the key, we don't think this is
> wrong, unless kexec lockdown is in effect. IMA is considered another kind
> of signature appraising method.
>
> If the kexec kernel image has signature/crypto/key, it has to go through
> the signature verification and pass. Otherwise it's seen as a verification
> failure, and won't be loaded.
>
> It seems a kexec kernel image with an unqualified signature is even worse
> than one w/o a signature at all; this sounds very unreasonable. E.g.
> If people get an unsigned kernel to load, or a kernel signed with an
> expired key, which one is more dangerous?
>
> So, here, let's simplify the logic to improve code readability. If
> KEXEC_SIG_FORCE is enabled or kexec lockdown is enabled, signature
> verification is mandated. Otherwise, we lift the bar for any kernel image.
>
> Signed-off-by: Lianbo Jiang <lijiang@redhat.com>
> ---
> Changes since v1:
> [1] Modify the log level (suggested by Jiri Bohac)
>
>  kernel/kexec_file.c | 34 ++++++----------------------------
>  1 file changed, 6 insertions(+), 28 deletions(-)
>
> diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
> index faa74d5f6941..fae496958a68 100644
> --- a/kernel/kexec_file.c
> +++ b/kernel/kexec_file.c
> @@ -181,34 +181,19 @@ void kimage_file_post_load_cleanup(struct kimage *image) > static int > kimage_validate_signature(struct kimage *image) > { > - const char *reason; > int ret; > > ret = arch_kexec_kernel_verify_sig(image, image->kernel_buf, > image->kernel_buf_len); > - switch (ret) { > - case 0: > - break; > + if (ret) { > > - /* Certain verification errors are non-fatal if we're not > - * checking errors, provided we aren't mandating that there > - * must be a valid signature. > - */ > - case -ENODATA: > - reason = "kexec of unsigned image"; > - goto decide; > - case -ENOPKG: > - reason = "kexec of image with unsupported crypto"; > - goto decide; > - case -ENOKEY: > - reason = "kexec of image with unavailable key"; > - decide: > if (IS_ENABLED(CONFIG_KEXEC_SIG_FORCE)) { > - pr_notice("%s rejected\n", reason); > + pr_notice("Enforced kernel signature verification failed (%d).\n", ret); > return ret; > } > > - /* If IMA is guaranteed to appraise a signature on the kexec > + /* > + * If IMA is guaranteed to appraise a signature on the kexec > * image, permit it even if the kernel is otherwise locked > * down. > */
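Review bot: replacing the `switch (ret)` with `+ if (ret) {` drops the distinction the deleted comment drew between the three soft results (-ENODATA, -ENOPKG, -ENOKEY: unsigned image, unsupported crypto, missing key) and every other return value of arch_kexec_kernel_verify_sig(). With CONFIG_KEXEC_SIG_FORCE disabled, a signature that is present but fails to verify, an unparseable signature, and even -ENOMEM raised inside the verifier now all take the same path as an unsigned image and, absent lockdown, the image is loaded. The commit message argues the first case deliberately; it says nothing about turning an allocation failure into a successful load, so either keep `if (ret == -ENOMEM) return ret;` ahead of the policy decision or replace the removed comment with one stating that every verification result is advisory unless SIG_FORCE or lockdown applies. Minor: the new `pr_notice("Enforced kernel signature verification failed (%d).\n", ret);` prints only the errno where the old message carried a reason string; "(%d)" alone is harder for an operator to act on than "kexec of unsigned image rejected".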
> @@ -216,17 +201,10 @@ kimage_validate_signature(struct kimage *image) > security_locked_down(LOCKDOWN_KEXEC)) > return -EPERM; > > - return 0; > - > - /* All other errors are fatal, including nomem, unparseable > - * signatures and signature check failures - even if signatures > - * aren't required. > - */ > - default: > - pr_notice("kernel signature verification failed (%d).\n", ret); > + pr_debug("kernel signature verification failed (%d).\n", ret); > } > > - return ret; > + return 0; > } > #endif > >
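Review bot: with `- return ret;` becoming `+ return 0;`, the only rejection left outside SIG_FORCE is the lockdown branch `security_locked_down(LOCKDOWN_KEXEC)) return -EPERM;`, and the comment in the previous hunk says that branch is skipped whenever IMA is guaranteed to appraise the image. On a locked-down kernel that relies on IMA, a signature check failure (the case the deleted comment called fatal "even if signatures aren't required") therefore now ends in `return 0`, where it previously returned the verifier's error. That is a wider exemption than the lockdown/IMA comment was written for: it covers a corrupt or rejected signature, not just an absent one, and the commit message should state why IMA appraisal alone is considered sufficient in that case. Also, `+ pr_debug("kernel signature verification failed (%d).\n", ret);` is emitted immediately before the function reports success; the text should say the failure is being ignored (and arguably stay at pr_notice, since a signed-but-unverifiable image being loaded is exactly what someone reviewing logs wants to see), otherwise the log reads as if the load had been refused.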
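The policy change the commit message describes (verification mandatory only under KEXEC_SIG_FORCE or lockdown, advisory otherwise) is easiest to see as a decision table. What follows is an added example written for this page, not code from the patch, the kernel tree or the mailing list: a userspace C model of kimage_validate_signature() before and after the patch, transcribed from the '-' and '+' lines quoted above, which enumerates the (verifier result, configuration) rows whose verdict flips from reject to accept. Assumptions: the four kernel inputs (the arch_kexec_kernel_verify_sig() result, CONFIG_KEXEC_SIG_FORCE, the IMA appraisal predicate whose name does not appear in the quoted hunks, and security_locked_down(LOCKDOWN_KEXEC)) are modelled as plain function parameters; -EKEYREJECTED, -EBADMSG and -ENOMEM are chosen here as representative "other" results and are not named in the hunks; the errno fallback defines are for hosts whose errno.h lacks the Linux-only codes.

```c
/*
 * Added example: userspace model of the kexec signature policy before and
 * after the patch. Not kernel code. The kernel inputs are plain parameters
 * here (assumption), and the IMA predicate is a bool because its real name
 * is not visible in the quoted hunks.
 */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Linux-only errno codes; fallback values for hosts whose errno.h lacks them. */
#ifndef ENOPKG
#define ENOPKG 65
#endif
#ifndef ENOKEY
#define ENOKEY 126
#endif
#ifndef EKEYREJECTED
#define EKEYREJECTED 129
#endif

/*
 * Verdict of the pre-patch code, transcribed from the '-' lines: only the
 * three soft errors reach the SIG_FORCE / lockdown decision; anything else
 * is fatal even when signatures are not required.
 */
int validate_before(int ret, bool sig_force, bool ima_appraises, bool locked_down)
{
	switch (ret) {
	case 0:
		return 0;
	case -ENODATA:	/* unsigned image */
	case -ENOPKG:	/* unsupported crypto */
	case -ENOKEY:	/* key not available */
		if (sig_force)
			return ret;
		if (!ima_appraises && locked_down)
			return -EPERM;
		return 0;
	default:	/* e.g. -EKEYREJECTED, -EBADMSG, -ENOMEM */
		return ret;
	}
}

/*
 * Verdict of the post-patch code, transcribed from the '+' lines: every
 * non-zero result takes the same path and the function ends with return 0.
 */
int validate_after(int ret, bool sig_force, bool ima_appraises, bool locked_down)
{
	if (ret) {
		if (sig_force)
			return ret;
		if (!ima_appraises && locked_down)
			return -EPERM;
		/* pr_debug() only; the failure is not propagated */
	}
	return 0;
}

/*
 * Walk every (result, configuration) row, print the rows where a rejection
 * becomes an accepted load, and return how many there are.
 */
int count_newly_accepted(void)
{
	/* Representative verifier results; only the first four appear in the hunks. */
	static const int results[] = {
		0, -ENODATA, -ENOPKG, -ENOKEY, -EKEYREJECTED, -EBADMSG, -ENOMEM
	};
	int flipped = 0;

	for (size_t i = 0; i < sizeof(results) / sizeof(results[0]); i++) {
		for (int cfg = 0; cfg < 8; cfg++) {
			bool sig_force = cfg & 1;
			bool ima = cfg & 2;
			bool lockdown = cfg & 4;
			int before = validate_before(results[i], sig_force, ima, lockdown);
			int after = validate_after(results[i], sig_force, ima, lockdown);

			if (before != 0 && after == 0) {
				flipped++;
				printf("ret=%d sig_force=%d ima=%d lockdown=%d: %d -> 0 (accepted)\n",
				       results[i], sig_force, ima, lockdown, before);
			}
		}
	}
	return flipped;
}

int main(void)
{
	printf("rows newly accepted by the patch: %d\n", count_newly_accepted());
	return 0;
}
```

Running it prints nine rows, all with sig_force=0 and not the (ima=0, lockdown=1) combination: the three non-soft results for which the old switch returned the verifier's error and the new code returns 0. The soft results behave identically before and after. The remaining three rows for the non-soft results (no IMA, lockdown on) still reject, but with -EPERM instead of the verifier's own code, which matters when matching a failed load against the errno an operator sees.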