From: Dave Young <dyoung@redhat.com>
To: Matthew Garrett <matthewgarrett@google.com>
Cc: jmorris@namei.org, Jiri Bohac <jbohac@suse.cz>,
linux-api@vger.kernel.org, kexec@lists.infradead.org,
linux-kernel@vger.kernel.org, Matthew Garrett <mjg59@google.com>,
dhowells@redhat.com, linux-security-module@vger.kernel.org,
luto@kernel.org
Subject: Re: [PATCH V31 06/25] kexec_file: split KEXEC_VERIFY_SIG into KEXEC_SIG and KEXEC_SIG_FORCE
Date: Fri, 21 Jun 2019 14:34:02 +0800 [thread overview]
Message-ID: <20190621063402.GA4528@localhost.localdomain> (raw)
In-Reply-To: <20190326182742.16950-7-matthewgarrett@google.com>
On 03/26/19 at 11:27am, Matthew Garrett wrote:
> From: Jiri Bohac <jbohac@suse.cz>
>
> This is a preparatory patch for kexec_file_load() lockdown. A locked down
> kernel needs to prevent unsigned kernel images from being loaded with
> kexec_file_load(). Currently, the only way to force the signature
> verification is compiling with KEXEC_VERIFY_SIG. This prevents loading
> usigned images even when the kernel is not locked down at runtime.
>
> This patch splits KEXEC_VERIFY_SIG into KEXEC_SIG and KEXEC_SIG_FORCE.
> Analogous to the MODULE_SIG and MODULE_SIG_FORCE for modules, KEXEC_SIG
> turns on the signature verification but allows unsigned images to be
> loaded. KEXEC_SIG_FORCE disallows images without a valid signature.
>
> [Modified by David Howells such that:
>
> (1) verify_pefile_signature() differentiates between no-signature and
> sig-didn't-match in its returned errors.
>
> (2) kexec fails with EKEYREJECTED and logs an appropriate message if
> signature checking is enforced and an signature is not found, uses
> unsupported crypto or has no matching key.
>
> (3) kexec fails with EKEYREJECTED if there is a signature for which we
> have a key, but signature doesn't match - even if in non-forcing mode.
>
> (4) kexec fails with EBADMSG or some other error if there is a signature
> which cannot be parsed - even if in non-forcing mode.
>
> (5) kexec fails with ELIBBAD if the PE file cannot be parsed to extract
> the signature - even if in non-forcing mode.
>
> ]
>
> Signed-off-by: Jiri Bohac <jbohac@suse.cz>
> Signed-off-by: David Howells <dhowells@redhat.com>
> Signed-off-by: Matthew Garrett <mjg59@google.com>
> Reviewed-by: Jiri Bohac <jbohac@suse.cz>
> cc: kexec@lists.infradead.org
> ---
> arch/x86/Kconfig | 20 ++++++++---
> crypto/asymmetric_keys/verify_pefile.c | 4 ++-
> include/linux/kexec.h | 4 +--
> kernel/kexec_file.c | 48 ++++++++++++++++++++++----
> 4 files changed, 61 insertions(+), 15 deletions(-)
>
> diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
> index 4b4a7f32b68e..735d04a4b18f 100644
> --- a/arch/x86/Kconfig
> +++ b/arch/x86/Kconfig
> @@ -2016,20 +2016,30 @@ config KEXEC_FILE
> config ARCH_HAS_KEXEC_PURGATORY
> def_bool KEXEC_FILE
>
> -config KEXEC_VERIFY_SIG
> +config KEXEC_SIG
> bool "Verify kernel signature during kexec_file_load() syscall"
> depends on KEXEC_FILE
> ---help---
> - This option makes kernel signature verification mandatory for
> - the kexec_file_load() syscall.
>
> - In addition to that option, you need to enable signature
> + This option makes the kexec_file_load() syscall check for a valid
> + signature of the kernel image. The image can still be loaded without
> + a valid signature unless you also enable KEXEC_SIG_FORCE, though if
> + there's a signature that we can check, then it must be valid.
> +
> + In addition to this option, you need to enable signature
> verification for the corresponding kernel image type being
> loaded in order for this to work.
>
> +config KEXEC_SIG_FORCE
> + bool "Require a valid signature in kexec_file_load() syscall"
> + depends on KEXEC_SIG
> + ---help---
> + This option makes kernel signature verification mandatory for
> + the kexec_file_load() syscall.
> +
> config KEXEC_BZIMAGE_VERIFY_SIG
> bool "Enable bzImage signature verification support"
> - depends on KEXEC_VERIFY_SIG
> + depends on KEXEC_SIG
> depends on SIGNED_PE_FILE_VERIFICATION
> select SYSTEM_TRUSTED_KEYRING
> ---help---
> diff --git a/crypto/asymmetric_keys/verify_pefile.c b/crypto/asymmetric_keys/verify_pefile.c
> index d178650fd524..4473cea1e877 100644
> --- a/crypto/asymmetric_keys/verify_pefile.c
> +++ b/crypto/asymmetric_keys/verify_pefile.c
> @@ -100,7 +100,7 @@ static int pefile_parse_binary(const void *pebuf, unsigned int pelen,
>
> if (!ddir->certs.virtual_address || !ddir->certs.size) {
> pr_debug("Unsigned PE binary\n");
> - return -EKEYREJECTED;
> + return -ENODATA;
> }
>
> chkaddr(ctx->header_size, ddir->certs.virtual_address,
> @@ -408,6 +408,8 @@ static int pefile_digest_pe(const void *pebuf, unsigned int pelen,
> * (*) 0 if at least one signature chain intersects with the keys in the trust
> * keyring, or:
> *
> + * (*) -ENODATA if there is no signature present.
> + *
> * (*) -ENOPKG if a suitable crypto module couldn't be found for a check on a
> * chain.
> *
> diff --git a/include/linux/kexec.h b/include/linux/kexec.h
> index b9b1bc5f9669..58b27c7bdc2b 100644
> --- a/include/linux/kexec.h
> +++ b/include/linux/kexec.h
> @@ -125,7 +125,7 @@ typedef void *(kexec_load_t)(struct kimage *image, char *kernel_buf,
> unsigned long cmdline_len);
> typedef int (kexec_cleanup_t)(void *loader_data);
>
> -#ifdef CONFIG_KEXEC_VERIFY_SIG
> +#ifdef CONFIG_KEXEC_SIG
> typedef int (kexec_verify_sig_t)(const char *kernel_buf,
> unsigned long kernel_len);
> #endif
> @@ -134,7 +134,7 @@ struct kexec_file_ops {
> kexec_probe_t *probe;
> kexec_load_t *load;
> kexec_cleanup_t *cleanup;
> -#ifdef CONFIG_KEXEC_VERIFY_SIG
> +#ifdef CONFIG_KEXEC_SIG
> kexec_verify_sig_t *verify_sig;
> #endif
> };
> diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
> index f1d0e00a3971..67f3a866eabe 100644
> --- a/kernel/kexec_file.c
> +++ b/kernel/kexec_file.c
> @@ -90,7 +90,7 @@ int __weak arch_kimage_file_post_load_cleanup(struct kimage *image)
> return kexec_image_post_load_cleanup_default(image);
> }
>
> -#ifdef CONFIG_KEXEC_VERIFY_SIG
> +#ifdef CONFIG_KEXEC_SIG
> static int kexec_image_verify_sig_default(struct kimage *image, void *buf,
> unsigned long buf_len)
> {
> @@ -188,7 +188,8 @@ kimage_file_prepare_segments(struct kimage *image, int kernel_fd, int initrd_fd,
> const char __user *cmdline_ptr,
> unsigned long cmdline_len, unsigned flags)
> {
> - int ret = 0;
> + const char *reason;
> + int ret;
> void *ldata;
> loff_t size;
>
> @@ -207,15 +208,48 @@ kimage_file_prepare_segments(struct kimage *image, int kernel_fd, int initrd_fd,
> if (ret)
> goto out;
>
> -#ifdef CONFIG_KEXEC_VERIFY_SIG
> +#ifdef CONFIG_KEXEC_SIG
> ret = arch_kexec_kernel_verify_sig(image, image->kernel_buf,
> image->kernel_buf_len);
> - if (ret) {
> - pr_debug("kernel signature verification failed.\n");
> +#else
> + ret = -ENODATA;
> +#endif
> +
> + switch (ret) {
> + case 0:
> + break;
> +
> + /* Certain verification errors are non-fatal if we're not
> + * checking errors, provided we aren't mandating that there
> + * must be a valid signature.
> + */
> + case -ENODATA:
> + reason = "kexec of unsigned image";
> + goto decide;
> + case -ENOPKG:
> + reason = "kexec of image with unsupported crypto";
> + goto decide;
> + case -ENOKEY:
> + reason = "kexec of image with unavailable key";
> + decide:
> + if (IS_ENABLED(CONFIG_KEXEC_SIG_FORCE)) {
> + pr_notice("%s rejected\n", reason);
> + ret = -EKEYREJECTED;
Force use -EKEYREJECTED is odd, why not just use original "ret"?
> + goto out;
> + }
> +
> + ret = 0;
> + break;
> +
> + /* All other errors are fatal, including nomem, unparseable
> + * signatures and signature check failures - even if signatures
> + * aren't required.
> + */
> + default:
> + pr_notice("kernel signature verification failed (%d).\n", ret);
> goto out;
> }
> - pr_debug("kernel signature verification successful.\n");
> -#endif
> +
> /* It is possible that there no initramfs is being loaded */
> if (!(flags & KEXEC_FILE_NO_INITRAMFS)) {
> ret = kernel_read_file_from_fd(initrd_fd, &image->initrd_buf,
> --
> 2.21.0.392.gf8f6787159e-goog
>
>
> _______________________________________________
> kexec mailing list
> kexec@lists.infradead.org
> http://lists.infradead.org/mailman/listinfo/kexec
Thanks
Dave
next prev parent reply other threads:[~2019-06-21 6:34 UTC|newest]
Thread overview: 58+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-03-26 18:27 [PATCH V31 00/25] Add support for kernel lockdown Matthew Garrett
2019-03-26 18:27 ` [PATCH V31 01/25] Add the ability to lock down access to the running kernel image Matthew Garrett
2019-03-26 18:27 ` [PATCH V31 02/25] Enforce module signatures if the kernel is locked down Matthew Garrett
2019-03-26 18:27 ` [PATCH V31 03/25] Restrict /dev/{mem,kmem,port} when " Matthew Garrett
2019-03-26 18:27 ` [PATCH V31 04/25] kexec_load: Disable at runtime if " Matthew Garrett
2019-03-26 18:27 ` [PATCH V31 05/25] Copy secure_boot flag in boot params across kexec reboot Matthew Garrett
2019-03-26 18:27 ` [PATCH V31 06/25] kexec_file: split KEXEC_VERIFY_SIG into KEXEC_SIG and KEXEC_SIG_FORCE Matthew Garrett
2019-06-21 6:34 ` Dave Young [this message]
2019-06-21 20:13 ` Matthew Garrett
2019-06-21 20:14 ` Matthew Garrett
2019-03-26 18:27 ` [PATCH V31 07/25] kexec_file: Restrict at runtime if the kernel is locked down Matthew Garrett
2019-06-21 6:43 ` Dave Young
2019-06-21 20:18 ` Matthew Garrett
2019-06-24 1:52 ` Dave Young
2019-06-24 21:06 ` Matthew Garrett
2019-06-24 21:27 ` Mimi Zohar
2019-06-25 0:02 ` Matthew Garrett
2019-06-25 1:46 ` Mimi Zohar
2019-06-25 2:51 ` Dave Young
2019-03-26 18:27 ` [PATCH V31 08/25] hibernate: Disable when " Matthew Garrett
2019-03-26 18:27 ` [PATCH V31 09/25] uswsusp: " Matthew Garrett
2019-03-26 18:27 ` [PATCH V31 10/25] PCI: Lock down BAR access " Matthew Garrett
2019-03-26 20:55 ` Andy Lutomirski
2019-03-26 21:19 ` Alex Williamson
2019-03-26 18:27 ` [PATCH V31 11/25] x86: Lock down IO port " Matthew Garrett
2019-03-26 20:56 ` Andy Lutomirski
2019-03-26 18:27 ` [PATCH V31 12/25] x86/msr: Restrict MSR " Matthew Garrett
2019-03-26 18:27 ` [PATCH V31 13/25] ACPI: Limit access to custom_method " Matthew Garrett
2019-03-26 18:27 ` [PATCH V31 14/25] acpi: Ignore acpi_rsdp kernel param when the kernel has been " Matthew Garrett
2019-03-26 18:27 ` [PATCH V31 15/25] acpi: Disable ACPI table override if the kernel is " Matthew Garrett
2019-03-26 18:27 ` [PATCH V31 16/25] Prohibit PCMCIA CIS storage when " Matthew Garrett
2019-03-26 18:27 ` [PATCH V31 17/25] Lock down TIOCSSERIAL Matthew Garrett
2019-03-26 18:27 ` [PATCH V31 18/25] Lock down module params that specify hardware parameters (eg. ioport) Matthew Garrett
2019-03-26 18:27 ` [PATCH V31 19/25] x86/mmiotrace: Lock down the testmmiotrace module Matthew Garrett
2019-03-27 15:57 ` Steven Rostedt
2019-03-27 16:55 ` Matthew Garrett
2019-03-26 18:27 ` [PATCH V31 20/25] Lock down /proc/kcore Matthew Garrett
2019-03-26 18:27 ` [PATCH V31 21/25] Lock down kprobes when in confidentiality mode Matthew Garrett
2019-03-26 18:27 ` [PATCH V31 22/25] bpf: Restrict bpf when kernel lockdown is " Matthew Garrett
2019-03-26 19:21 ` Andy Lutomirski
2019-03-26 18:27 ` [PATCH V31 23/25] Lock down perf when " Matthew Garrett
2019-03-26 18:27 ` [PATCH V31 24/25] lockdown: Print current->comm in restriction messages Matthew Garrett
2019-03-26 18:27 ` [PATCH V31 25/25] debugfs: Disable open() when kernel is locked down Matthew Garrett
2019-03-26 19:20 ` Andy Lutomirski
2019-03-26 19:21 ` Matthew Garrett
2019-03-27 0:30 ` Greg KH
2019-03-27 4:29 ` Andy Lutomirski
2019-03-27 5:06 ` Greg KH
2019-03-27 5:29 ` Andy Lutomirski
2019-03-27 5:33 ` Greg KH
2019-03-27 16:53 ` James Morris
2019-03-27 17:39 ` Andy Lutomirski
2019-03-27 17:42 ` Matthew Garrett
2019-03-27 18:29 ` Greg KH
2019-03-27 18:31 ` Greg KH
2019-03-27 0:31 ` Greg KH
2019-03-27 2:06 ` Matthew Garrett
2019-03-27 2:35 ` Greg KH
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190621063402.GA4528@localhost.localdomain \
--to=dyoung@redhat.com \
--cc=dhowells@redhat.com \
--cc=jbohac@suse.cz \
--cc=jmorris@namei.org \
--cc=kexec@lists.infradead.org \
--cc=linux-api@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=luto@kernel.org \
--cc=matthewgarrett@google.com \
--cc=mjg59@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).