From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id E5936C4332F for ; Wed, 9 Feb 2022 06:44:40 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234401AbiBIGod (ORCPT ); Wed, 9 Feb 2022 01:44:33 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:35182 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234367AbiBIGoT (ORCPT ); Wed, 9 Feb 2022 01:44:19 -0500 Received: from mx1.molgen.mpg.de (mx3.molgen.mpg.de [141.14.17.11]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 6409EC0401C7; Tue, 8 Feb 2022 22:44:18 -0800 (PST) Received: from [192.168.0.2] (ip5f5aee30.dynamic.kabel-deutschland.de [95.90.238.48]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) (Authenticated sender: pmenzel) by mx.molgen.mpg.de (Postfix) with ESMTPSA id 441A661E64846; Wed, 9 Feb 2022 07:44:16 +0100 (CET) Message-ID: Date: Wed, 9 Feb 2022 07:44:15 +0100 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.5.1 Subject: Re: [PATCH v5 2/6] powerpc/kexec_file: Add KEXEC_SIG support. 
Content-Language: en-US To: Michal Suchanek , keyrings@vger.kernel.org, linux-crypto@vger.kernel.org, linux-integrity@vger.kernel.org Cc: kexec@lists.infradead.org, Philipp Rudo , Mimi Zohar , Nayna , Rob Herring , linux-s390@vger.kernel.org, Vasily Gorbik , Lakshmi Ramasubramanian , Heiko Carstens , Jessica Yu , linux-kernel@vger.kernel.org, David Howells , Christian Borntraeger , Luis Chamberlain , Paul Mackerras , Hari Bathini , Alexander Gordeev , linuxppc-dev@lists.ozlabs.org, Frank van der Linden , Thiago Jung Bauermann , Daniel Axtens , buendgen@de.ibm.com, Michael Ellerman , Benjamin Herrenschmidt , Christian Borntraeger , Herbert Xu , "David S. Miller" , Dmitry Kasatkin , James Morris , "Serge E. Hallyn" , Sven Schnelle , Baoquan He , linux-security-module@vger.kernel.org References: From: Paul Menzel In-Reply-To: Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org Dear Michal, Thank you for the patch. On 11.01.22 at 12:37, Michal Suchanek wrote: Could you please remove the dot/period at the end of the git commit message summary? > Copy the code from s390x > > Both powerpc and s390x use appended signature format (as opposed to EFI > based patforms using PE format). patforms → platforms How can this be tested? > Signed-off-by: Michal Suchanek > --- > v3: - Philipp Rudo : Update the commit message with > explanation why the s390 code is usable on powerpc. > - Include correct header for mod_check_sig > - Nayna : Mention additional IMA features > in kconfig text > --- > arch/powerpc/Kconfig | 16 ++++++++++++++++ > arch/powerpc/kexec/elf_64.c | 36 ++++++++++++++++++++++++++++++++++++ > 2 files changed, 52 insertions(+) > > diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig > index dea74d7717c0..1cde9b6c5987 100644 > --- a/arch/powerpc/Kconfig > +++ b/arch/powerpc/Kconfig
> @@ -560,6 +560,22 @@ config KEXEC_FILE > config ARCH_HAS_KEXEC_PURGATORY > def_bool KEXEC_FILE > > +config KEXEC_SIG > + bool "Verify kernel signature during kexec_file_load() syscall" > + depends on KEXEC_FILE && MODULE_SIG_FORMAT > + help > + This option makes kernel signature verification mandatory for > + the kexec_file_load() syscall. > + > + In addition to that option, you need to enable signature > + verification for the corresponding kernel image type being > + loaded in order for this to work. > + > + Note: on powerpc IMA_ARCH_POLICY also implements kexec'ed kernel > + verification. In addition IMA adds kernel hashes to the measurement > + list, extends IMA PCR in the TPM, and implements kernel image > + blacklist by hash. So, what is the takeaway for the user? IMA_ARCH_POLICY is preferred? What is the disadvantage, and two implementations(?) needed then? More overhead? > + > config RELOCATABLE > bool "Build a relocatable kernel" > depends on PPC64 || (FLATMEM && (44x || FSL_BOOKE)) > diff --git a/arch/powerpc/kexec/elf_64.c b/arch/powerpc/kexec/elf_64.c > index eeb258002d1e..98d1cb5135b4 100644 > --- a/arch/powerpc/kexec/elf_64.c > +++ b/arch/powerpc/kexec/elf_64.c > @@ -23,6 +23,7 @@ > #include > #include > #include > +#include > > static void *elf64_load(struct kimage *image, char *kernel_buf, > unsigned long kernel_len, char *initrd, 
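Review bot: the KEXEC_SIG help text in the Kconfig hunk says the option makes signature verification "mandatory for the kexec_file_load() syscall", yet nothing visible in this series shows what a missing or invalid signature leads to beyond elf64_verify_sig() returning an error code, and the closing Note on IMA_ARCH_POLICY leaves the reader with two verification mechanisms and no guidance on which to pick. Suggest the help text answer two questions explicitly: whether an image with no signature trailer is rejected or only logged when KEXEC_SIG alone is set, and whether KEXEC_SIG and IMA_ARCH_POLICY are alternatives or are meant to be enabled together on powerpc (the Note already lists what IMA adds, measurement list, TPM PCR extension and hash blacklist, so one sentence on when to enable this option instead of, or in addition to, IMA would resolve the question raised in the review).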
> @@ -151,7 +152,42 @@ static void *elf64_load(struct kimage *image, char *kernel_buf, > return ret ? ERR_PTR(ret) : NULL; > } > > +#ifdef CONFIG_KEXEC_SIG > +int elf64_verify_sig(const char *kernel, unsigned long kernel_len) > +{ > + const unsigned long marker_len = sizeof(MODULE_SIG_STRING) - 1; > + struct module_signature *ms; > + unsigned long sig_len; Use size_t to match the signature of `verify_pkcs7_signature()`? > + int ret; > + > + if (marker_len > kernel_len) > + return -EKEYREJECTED; > + > + if (memcmp(kernel + kernel_len - marker_len, MODULE_SIG_STRING, > + marker_len)) > + return -EKEYREJECTED; > + kernel_len -= marker_len; > + > + ms = (void *)kernel + kernel_len - sizeof(*ms); > + ret = mod_check_sig(ms, kernel_len, "kexec"); > + if (ret) > + return ret; > + > + sig_len = be32_to_cpu(ms->sig_len); > + kernel_len -= sizeof(*ms) + sig_len; > + > + return verify_pkcs7_signature(kernel, kernel_len, > + kernel + kernel_len, sig_len, > + VERIFY_USE_PLATFORM_KEYRING, > + VERIFYING_MODULE_SIGNATURE, > + NULL, NULL); > +} > +#endif /* CONFIG_KEXEC_SIG */ > + > const struct kexec_file_ops kexec_elf64_ops = { > .probe = kexec_elf_probe, > .load = elf64_load, > +#ifdef CONFIG_KEXEC_SIG > + .verify_sig = elf64_verify_sig, > +#endif > }; Kind regards, Paul
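Review bot: in elf64_verify_sig() the only length check is `marker_len > kernel_len`; after `kernel_len -= marker_len` the code computes `ms = (void *)kernel + kernel_len - sizeof(*ms)` and then dereferences it (passes it to mod_check_sig() and reads `ms->sig_len`) without first checking that at least `sizeof(*ms)` bytes remain, so an image consisting of little more than the marker would have `ms` pointing before the start of the buffer. Add `if (kernel_len < sizeof(*ms)) return -EKEYREJECTED;` before computing `ms`, or, if the probe step is relied on to guarantee a minimum image size larger than marker plus trailer, say so in a comment next to the check. Minor: unless a header declares it, `elf64_verify_sig` is only referenced through kexec_elf64_ops in this file and could be `static`.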