Subject: Re: [PATCH v2] kexec: Do not verify the signature without the lockdown or mandatory signature
From: lijiang
To: Andrew Morton
Cc: linux-kernel@vger.kernel.org, kexec@lists.infradead.org, ebiederm@xmission.com, jbohac@suse.cz, jmorris@namei.org, mjg59@google.com, dyoung@redhat.com, bhe@redhat.com
Date: Thu, 18 Jun 2020 17:58:14 +0800
In-Reply-To: <20200617123731.0dbb039a053a2ef610af59fb@linux-foundation.org>
References: <20200602045952.27487-1-lijiang@redhat.com> <20200617123731.0dbb039a053a2ef610af59fb@linux-foundation.org>

On 2020-06-18 03:37, Andrew Morton wrote:
> On Tue, 2 Jun 2020 12:59:52 +0800 Lianbo Jiang wrote:
>
>> Signature verification is an important security feature, to protect
>> the system from being attacked with a kernel of unknown origin. Kexec
>> rebooting is a way to replace the running kernel, hence it needs to be
>> secured carefully.
>
> I'm finding this changelog quite hard to understand,
>

Thanks for your comment.

I will improve the patch log and try to make it easy to understand.

>> In the current code handling signature verification of the kexec kernel,
>> the logic is very twisted. It mixes signature verification, IMA signature
>> appraising and kexec lockdown.
>>
>> If there is no KEXEC_SIG_FORCE and the kexec kernel image doesn't have one of
>> signature, the supported crypto, and key, we don't think this is wrong,
>
> I think this is saying that in the absence of KEXEC_SIG_FORCE and if
> the signature/crypto/key are all incorrect, the kexec still succeeds,
> but it should not.
>

When KEXEC_SIG_FORCE is not enabled, even if the kexec kernel image doesn't
have the signature, or the key, etc., kexec should still be allowed to load,
unless kexec lockdown is executed.

>> unless kexec lockdown is executed. IMA is considered as another kind of
>> signature appraising method.
>>
>> If the kexec kernel image has signature/crypto/key, it has to go through the
>> signature verification and pass. Otherwise it's seen as a verification
>> failure, and won't be loaded.
>
> I don't know if this is describing the current situation or the
> post-patch situation.
>

This is the current situation, and we'd like to change it so that kexec allows
the kernel and initrd images to be loaded when there is no lockdown or
mandatory signature.

>> It seems a kexec kernel image with an unqualified signature is even worse than
>> those w/o signature at all, which sounds very unreasonable. E.g. if people
>> get an unsigned kernel to load, or a kernel signed with an expired key, which
>> one is more dangerous?
>>
>> So, here, let's simplify the logic to improve code readability. If
>> KEXEC_SIG_FORCE is enabled or kexec lockdown is enabled, signature verification
>> is mandated. Otherwise, we lift the bar for any kernel image.
>
> I think the whole thing needs a rewrite. Start out by fully describing
> the current situation. Then describe what is wrong with it, and why.
> Then describe the proposed change. Or something along these lines.
>
> The changelog should also make clear the end-user impact of the patch.
> In sufficient detail for others to decide which kernel version(s)
> should be patched. Your recommendations will also be valuable - which
> kernel version(s) do you think should be patched, and why?
>

Currently, the kernel will always verify the signature, even without lockdown or
a mandatory signature. This may prevent the kernel from loading the kernel and
initrd images via the kexec_file_load() syscall. However, we'd like to still
allow the images to be loaded in such a case rather than fail due to a signature
verification issue.

For example, at the stage of development and testing, a signing key is usually
used to test whether the signing procedure works as expected. Sometimes the
signing time may have expired, but the kernel with the old signing key is still
used to reproduce some problems in automatic tests, which always caused the
loading of images to fail.

Let's clean up the logic of the kernel code and allow the kernel and initrd
images to still be loaded without lockdown or a mandatory signature.

Hope this helps.

Thanks.
Lianbo
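The two decision rules the thread argues about, as an added stand-alone C model (not the kernel's code and not the patch under review): validate_before follows the pre-patch behaviour, where only a missing signature, unsupported crypto or unavailable key can be forgiven, while validate_after treats every verification failure alike and lets only KEXEC_SIG_FORCE or lockdown without IMA appraisal reject the image. The struct and function names, and the use of -EBADMSG to stand for a signature that is present but rejected, are assumptions made for this illustration.

```c
#include <errno.h>
#include <stdbool.h>

/* Policy inputs modelled after the thread: CONFIG_KEXEC_SIG_FORCE, IMA
 * appraisal of the kexec image, and kexec lockdown (field names hypothetical). */
struct kexec_policy {
	bool sig_force;      /* CONFIG_KEXEC_SIG_FORCE enabled */
	bool ima_appraises;  /* IMA guaranteed to appraise the kexec image */
	bool locked_down;    /* kernel locked down for kexec */
};

/* Pre-patch behaviour: verify_ret is the signature check result. Only
 * "no signature" (-ENODATA), "unsupported crypto" (-ENOPKG) and "no key"
 * (-ENOKEY) may be forgiven; any other failure is fatal regardless of policy. */
int validate_before(int verify_ret, const struct kexec_policy *p)
{
	switch (verify_ret) {
	case 0:
		return 0;
	case -ENODATA:
	case -ENOPKG:
	case -ENOKEY:
		if (p->sig_force)
			return verify_ret;
		if (!p->ima_appraises && p->locked_down)
			return -EPERM;
		return 0;
	default:
		return verify_ret; /* e.g. -EBADMSG: signature present but rejected */
	}
}

/* Post-patch behaviour: every failure is handled the same way, and only a
 * mandatory signature or lockdown without IMA appraisal makes it fatal. */
int validate_after(int verify_ret, const struct kexec_policy *p)
{
	if (verify_ret) {
		if (p->sig_force)
			return verify_ret;
		if (!p->ima_appraises && p->locked_down)
			return -EPERM;
	}
	return 0;
}
```

With a fully relaxed policy (no SIG_FORCE, no IMA, no lockdown), validate_before(-EBADMSG, &p) still returns -EBADMSG while validate_before(-ENODATA, &p) returns 0, which is the "signed with a bad key is treated worse than unsigned" asymmetry the changelog complains about; validate_after returns 0 for both.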