From: "Lee, Chun-Yi" <joeyli.kernel@gmail.com>
To: linux-kernel@vger.kernel.org
Cc: linux-efi@vger.kernel.org, linux-pm@vger.kernel.org,
"Rafael J. Wysocki" <rjw@rjwysocki.net>,
Matthew Garrett <matthew.garrett@nebula.com>,
Len Brown <len.brown@intel.com>, Pavel Machek <pavel@ucw.cz>,
Josh Boyer <jwboyer@redhat.com>, Vojtech Pavlik <vojtech@suse.cz>,
Matt Fleming <matt.fleming@intel.com>,
Jiri Kosina <jkosina@suse.cz>, "H. Peter Anvin" <hpa@zytor.com>,
Ingo Molnar <mingo@redhat.com>, "Lee, Chun-Yi" <jlee@suse.com>
Subject: [PATCH v2 13/16] PM / hibernate: Add configuration to enforce signature verification
Date: Tue, 11 Aug 2015 14:16:33 +0800 [thread overview]
Message-ID: <1439273796-25359-14-git-send-email-jlee@suse.com> (raw)
In-Reply-To: <1439273796-25359-1-git-send-email-jlee@suse.com>
Like kernel module signature checking, there's both a config option and
a boot parameter which control whether we accept or fail with unsigned
hibernate image and image that are signed with an unknown key.
If hibernate signing is enabled, the kernel will be tainted if a snapshot
image is restored that is unsigned or has a signature for which we don't
have the key. When the enforce flag is enabled, then the hibernate
restoring process will be failed and boot as normal.
Reviewed-by: Jiri Kosina <jkosina@suse.com>
Tested-by: Jiri Kosina <jkosina@suse.com>
Signed-off-by: Lee, Chun-Yi <jlee@suse.com>
---
Documentation/kernel-parameters.txt | 5 +++++
arch/x86/power/hibernate_keys.c | 19 +++++++++++++++++--
include/linux/kernel.h | 1 +
include/linux/suspend.h | 3 +++
kernel/panic.c | 2 ++
kernel/power/Kconfig | 8 ++++++++
kernel/power/hibernate.c | 7 +++++++
kernel/power/snapshot.c | 6 +++++-
8 files changed, 48 insertions(+), 3 deletions(-)
diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt
index 1d6f045..86a6916 100644
--- a/Documentation/kernel-parameters.txt
+++ b/Documentation/kernel-parameters.txt
@@ -3318,6 +3318,11 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
noresume Don't check if there's a hibernation image
present during boot.
nocompress Don't compress/decompress hibernation images.
+ sigenforce When CONFIG_HIBERNATE_VERIFICATION is set, this
+ menas that snapshot image without (valid)
+ signature will fail to restore. Note that if
+ HIBERNATE_VERIFICATION_FORCE is set, that is
+ always true, so this option does nothing.
no Disable hibernation and resume.
retain_initrd [RAM] Keep initrd memory after extraction
diff --git a/arch/x86/power/hibernate_keys.c b/arch/x86/power/hibernate_keys.c
index 5e92101..51e808a 100644
--- a/arch/x86/power/hibernate_keys.c
+++ b/arch/x86/power/hibernate_keys.c
@@ -89,6 +89,7 @@ void fill_forward_info(void *forward_buff_page, int verify_ret)
memset(forward_buff_page, 0, PAGE_SIZE);
info = (struct forward_info *)forward_buff_page;
info->sig_verify_ret = verify_ret;
+ info->sig_enforce = sigenforce;
if (hibernation_keys && !hibernation_keys->hkey_status) {
info->hibernation_keys = *hibernation_keys;
@@ -106,10 +107,24 @@ void restore_sig_forward_info(void)
return;
}
- if (forward_buff->sig_verify_ret)
- pr_warn("PM: Signature verifying failed: %d\n",
+ sigenforce = forward_buff->sig_enforce;
+ if (sigenforce)
+ pr_info("PM: Enforce hibernate signature verifying\n");
+
+ if (forward_buff->sig_verify_ret) {
+ pr_warn("PM: Hibernate signature verifying failed: %d\n",
forward_buff->sig_verify_ret);
+ /* taint kernel */
+ if (!sigenforce) {
+ pr_warn("PM: System restored from unsafe snapshot - "
+ "tainting kernel\n");
+ add_taint(TAINT_UNSAFE_HIBERNATE, LOCKDEP_STILL_OK);
+ pr_info("%s\n", print_tainted());
+ }
+ } else
+ pr_info("PM: Signature verifying pass\n");
+
if (hibernation_keys) {
memset(hibernation_keys, 0, PAGE_SIZE);
*hibernation_keys = forward_buff->hibernation_keys;
diff --git a/include/linux/kernel.h b/include/linux/kernel.h
index 5582410..a620786 100644
--- a/include/linux/kernel.h
+++ b/include/linux/kernel.h
@@ -489,6 +489,7 @@ extern enum system_states {
#define TAINT_UNSIGNED_MODULE 13
#define TAINT_SOFTLOCKUP 14
#define TAINT_LIVEPATCH 15
+#define TAINT_UNSAFE_HIBERNATE 16
extern const char hex_asc[];
#define hex_asc_lo(x) hex_asc[((x) & 0x0f)]
diff --git a/include/linux/suspend.h b/include/linux/suspend.h
index aa88b3b..d318b72 100644
--- a/include/linux/suspend.h
+++ b/include/linux/suspend.h
@@ -335,6 +335,9 @@ struct platform_hibernation_ops {
#define HIBERNATION_HMAC "hmac(sha1)"
#define HIBERNATION_DIGEST_SIZE 20
+/* kernel/power/hibernate.c */
+extern int sigenforce;
+
/* kernel/power/snapshot.c */
extern void __register_nosave_region(unsigned long b, unsigned long e, int km);
static inline void __init register_nosave_region(unsigned long b, unsigned long e)
diff --git a/kernel/panic.c b/kernel/panic.c
index 04e91ff..a53da16 100644
--- a/kernel/panic.c
+++ b/kernel/panic.c
@@ -228,6 +228,7 @@ static const struct tnt tnts[] = {
{ TAINT_UNSIGNED_MODULE, 'E', ' ' },
{ TAINT_SOFTLOCKUP, 'L', ' ' },
{ TAINT_LIVEPATCH, 'K', ' ' },
+ { TAINT_UNSAFE_HIBERNATE, 'H', ' ' },
};
/**
@@ -249,6 +250,7 @@ static const struct tnt tnts[] = {
* 'E' - Unsigned module has been loaded.
* 'L' - A soft lockup has previously occurred.
* 'K' - Kernel has been live patched.
+ * 'H' - System restored from unsafe hibernate snapshot image.
*
* The string is overwritten by the next call to print_tainted().
*/
diff --git a/kernel/power/Kconfig b/kernel/power/Kconfig
index 8608b3b..f2a7e21 100644
--- a/kernel/power/Kconfig
+++ b/kernel/power/Kconfig
@@ -79,6 +79,14 @@ config HIBERNATE_VERIFICATION
relies on UEFI secure boot environment, EFI stub generates HMAC
key for hibernate verification.
+config HIBERNATE_VERIFICATION_FORCE
+ bool "Require hibernate snapshot image to be validly signed"
+ depends on HIBERNATE_VERIFICATION
+ help
+ Reject hibernate resuming from unsigned snapshot image or signed
+ snapshot image for which we don't have a key. Without this, such
+ snapshot image will simply taint the kernel when resuming.
+
config ARCH_SAVE_PAGE_KEYS
bool
diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c
index 640ca8a..2c2cc90 100644
--- a/kernel/power/hibernate.c
+++ b/kernel/power/hibernate.c
@@ -43,6 +43,11 @@ static char resume_file[256] = CONFIG_PM_STD_PARTITION;
dev_t swsusp_resume_device;
sector_t swsusp_resume_block;
__visible int in_suspend __nosavedata;
+#ifdef CONFIG_HIBERNATE_VERIFICATION_FORCE
+int sigenforce = 1;
+#else
+int sigenforce;
+#endif
enum {
HIBERNATION_INVALID,
@@ -1119,6 +1124,8 @@ static int __init hibernate_setup(char *str)
noresume = 1;
else if (!strncmp(str, "nocompress", 10))
nocompress = 1;
+ else if (!strncmp(str, "sigenforce", 10))
+ sigenforce = 1;
else if (!strncmp(str, "no", 2)) {
noresume = 1;
nohibernate = 1;
diff --git a/kernel/power/snapshot.c b/kernel/power/snapshot.c
index 3629249..486dd73 100644
--- a/kernel/power/snapshot.c
+++ b/kernel/power/snapshot.c
@@ -1469,7 +1469,11 @@ error_digest:
forward_ret:
if (ret)
pr_warn("PM: Signature verifying failed: %d\n", ret);
- snapshot_fill_sig_forward_info(ret);
+ /* forward check result when verifying pass or not enforce verifying */
+ if (!ret || !sigenforce) {
+ snapshot_fill_sig_forward_info(ret);
+ ret = 0;
+ }
return ret;
}
--
2.1.4
next prev parent reply other threads:[~2015-08-11 6:20 UTC|newest]
Thread overview: 43+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-08-11 6:16 [PATCH v2 00/16] Signature verification of hibernate snapshot Lee, Chun-Yi
2015-08-11 6:16 ` [PATCH v2 01/16] PM / hibernate: define HMAC algorithm and digest size of hibernation Lee, Chun-Yi
2015-08-11 6:16 ` [PATCH v2 02/16] x86/efi: Add get and set variable to EFI services pointer table Lee, Chun-Yi
2015-08-19 16:35 ` Matt Fleming
2015-08-11 6:16 ` [PATCH v2 03/16] x86/boot: Public getting random boot function Lee, Chun-Yi
2015-08-11 6:16 ` [PATCH v2 04/16] x86/efi: Generating random number in EFI stub Lee, Chun-Yi
2015-08-20 14:12 ` Matt Fleming
2015-08-27 4:06 ` joeyli
2015-08-11 6:16 ` [PATCH v2 05/16] x86/efi: Get entropy through EFI random number generator protocol Lee, Chun-Yi
2015-08-20 14:47 ` Matt Fleming
2015-08-27 4:51 ` joeyli
2015-08-20 20:26 ` Matt Fleming
2015-08-27 6:17 ` joeyli
2015-08-11 6:16 ` [PATCH v2 06/16] x86/efi: Generating random HMAC key for siging hibernate image Lee, Chun-Yi
2015-08-20 20:40 ` Matt Fleming
2015-08-27 9:04 ` joeyli
2015-09-09 12:15 ` Matt Fleming
2015-09-13 2:47 ` joeyli
2015-08-11 6:16 ` [PATCH v2 07/16] efi: Make efi_status_to_err() public Lee, Chun-Yi
2015-08-20 15:07 ` Matt Fleming
2015-08-27 9:06 ` joeyli
2015-08-11 6:16 ` [PATCH v2 08/16] x86/efi: Carrying hibernation key by setup data Lee, Chun-Yi
2015-08-15 17:07 ` Pavel Machek
2015-08-16 5:28 ` joeyli
2015-08-16 21:23 ` Jiri Kosina
2015-08-17 6:54 ` Nigel Cunningham
2015-08-21 12:40 ` Matt Fleming
2015-08-27 9:28 ` joeyli
2015-08-11 6:16 ` [PATCH v2 09/16] PM / hibernate: Reserve hibernation key and erase footprints Lee, Chun-Yi
2015-08-13 2:45 ` Chen, Yu C
2015-08-13 3:25 ` joeyli
2015-08-13 14:33 ` joeyli
2015-08-21 13:27 ` Matt Fleming
2015-08-27 10:21 ` joeyli
2015-09-09 12:24 ` Matt Fleming
2015-09-13 2:58 ` joeyli
2015-08-11 6:16 ` [PATCH v2 10/16] PM / hibernate: Generate and verify signature of hibernate snapshot Lee, Chun-Yi
2015-08-11 6:16 ` [PATCH v2 11/16] PM / hibernate: Avoid including hibernation key to hibernate image Lee, Chun-Yi
2015-08-11 6:16 ` [PATCH v2 12/16] PM / hibernate: Forward signature verifying result and key to image kernel Lee, Chun-Yi
2015-08-11 6:16 ` Lee, Chun-Yi [this message]
2015-08-11 6:16 ` [PATCH v2 14/16] PM / hibernate: Allow user trigger hibernation key re-generating Lee, Chun-Yi
2015-08-11 6:16 ` [PATCH v2 15/16] PM / hibernate: Bypass verification logic on legacy BIOS Lee, Chun-Yi
2015-08-11 6:16 ` [PATCH v2 16/16] PM / hibernate: Document signature verification of hibernate snapshot Lee, Chun-Yi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1439273796-25359-14-git-send-email-jlee@suse.com \
--to=joeyli.kernel@gmail.com \
--cc=hpa@zytor.com \
--cc=jkosina@suse.cz \
--cc=jlee@suse.com \
--cc=jwboyer@redhat.com \
--cc=len.brown@intel.com \
--cc=linux-efi@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-pm@vger.kernel.org \
--cc=matt.fleming@intel.com \
--cc=matthew.garrett@nebula.com \
--cc=mingo@redhat.com \
--cc=pavel@ucw.cz \
--cc=rjw@rjwysocki.net \
--cc=vojtech@suse.cz \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).