linux-kernel.vger.kernel.org archive mirror
* [PATCH] lockdown: allow kexec_file of unsigned images when not under lockdown
@ 2018-11-01 22:53 Thadeu Lima de Souza Cascardo
  2018-11-02  6:47 ` kbuild test robot
  0 siblings, 1 reply; 2+ messages in thread
From: Thadeu Lima de Souza Cascardo @ 2018-11-01 22:53 UTC
  To: David Howells; +Cc: linux-kernel, kexec, Thadeu Lima de Souza Cascardo

If CONFIG_KEXEC_VERIFY_SIG is enabled, kexec -s with an unsigned image will
fail, requiring an image signed with a trusted key. However, that same
kernel will allow kexec to load and boot a kernel if kexec_file_load is
not used.

Now, lockdown brings a solution to this inconsistency. However, as it is,
it will still prevent an unsigned image from being loaded with kexec -s when
the system is not under lockdown, while still allowing kexec to work.

At the same time, with lockdown, kexec_file_load would still work when
CONFIG_KEXEC_VERIFY_SIG is disabled.

Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
---
 kernel/kexec_file.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
index 35cf0ad29718..b64f32fda9ca 100644
--- a/kernel/kexec_file.c
+++ b/kernel/kexec_file.c
@@ -211,10 +211,17 @@ kimage_file_prepare_segments(struct kimage *image, int kernel_fd, int initrd_fd,
 					   image->kernel_buf_len);
 	if (ret) {
 		pr_debug("kernel signature verification failed.\n");
-		goto out;
+	} else {
+		pr_debug("kernel signature verification successful.\n");
 	}
-	pr_debug("kernel signature verification successful.\n");
+#elif
+	ret = -EPERM;
 #endif
+	if (ret && kernel_is_locked_down("kexec of unsigned images"))
+		goto out;
+	else
+		ret = 0;
+
 	/* It is possible that there no initramfs is being loaded */
 	if (!(flags & KEXEC_FILE_NO_INITRAMFS)) {
 		ret = kernel_read_file_from_fd(initrd_fd, &image->initrd_buf,
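
Review bot: The added `#elif` has no condition; the branch for kernels built without CONFIG_KEXEC_VERIFY_SIG needs `#else`, otherwise the `ret = -EPERM;` fallback is not a well-formed preprocessor branch. Separately, in the new `if (ret && kernel_is_locked_down(...)) goto out; else ret = 0;`, every non-zero return from arch_kexec_kernel_verify_sig() is cleared when the kernel is not locked down, so an image whose signature fails verification is accepted the same way as an image with no signature, and only the pr_debug line records it. Consider clearing ret only for the error that means no signature is present, or logging above pr_debug level when a verification failure is ignored, and drop the `else` after the `goto`. The commit message should also name the tree or series that provides kernel_is_locked_down(), since this patch adds no include or declaration for it.
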
-- 
2.19.1


* Re: [PATCH] lockdown: allow kexec_file of unsigned images when not under lockdown
  2018-11-01 22:53 [PATCH] lockdown: allow kexec_file of unsigned images when not under lockdown Thadeu Lima de Souza Cascardo
@ 2018-11-02  6:47 ` kbuild test robot
  0 siblings, 0 replies; 2+ messages in thread
From: kbuild test robot @ 2018-11-02  6:47 UTC
  To: Thadeu Lima de Souza Cascardo
  Cc: kbuild-all, David Howells, linux-kernel, kexec,
	Thadeu Lima de Souza Cascardo

Hi Thadeu,

I love your patch! Yet something to improve:

[auto build test ERROR on linus/master]
[also build test ERROR on v4.19 next-20181102]
[if your patch is applied to the wrong git tree, please drop us a note to help improve the system]

url:    https://github.com/0day-ci/linux/commits/Thadeu-Lima-de-Souza-Cascardo/lockdown-allow-kexec_file-of-unsigned-images-when-not-under-lockdown/20181102-123838
config: x86_64-randconfig-x002-201843 (attached as .config)
compiler: gcc-7 (Debian 7.3.0-1) 7.3.0
reproduce:
        # save the attached .config to linux build tree
        make ARCH=x86_64 

All error/warnings (new ones prefixed by >>):

   In file included from include/asm-generic/bug.h:5:0,
                    from arch/x86/include/asm/bug.h:47,
                    from include/linux/bug.h:5,
                    from include/linux/mmdebug.h:5,
                    from include/linux/mm.h:9,
                    from kernel/kexec_file.c:15:
   kernel/kexec_file.c: In function 'kimage_file_prepare_segments':
>> kernel/kexec_file.c:222:13: error: implicit declaration of function 'kernel_is_locked_down'; did you mean 'kernel_sigaction'? [-Werror=implicit-function-declaration]
     if (ret && kernel_is_locked_down("kexec of unsigned images"))
                ^
   include/linux/compiler.h:58:30: note: in definition of macro '__trace_if'
     if (__builtin_constant_p(!!(cond)) ? !!(cond) :   \
                                 ^~~~
>> kernel/kexec_file.c:222:2: note: in expansion of macro 'if'
     if (ret && kernel_is_locked_down("kexec of unsigned images"))
     ^~
   cc1: some warnings being treated as errors

vim +222 kernel/kexec_file.c

   182	
   183	/*
   184	 * In file mode list of segments is prepared by kernel. Copy relevant
   185	 * data from user space, do error checking, prepare segment list
   186	 */
   187	static int
   188	kimage_file_prepare_segments(struct kimage *image, int kernel_fd, int initrd_fd,
   189				     const char __user *cmdline_ptr,
   190				     unsigned long cmdline_len, unsigned flags)
   191	{
   192		int ret = 0;
   193		void *ldata;
   194		loff_t size;
   195	
   196		ret = kernel_read_file_from_fd(kernel_fd, &image->kernel_buf,
   197					       &size, INT_MAX, READING_KEXEC_IMAGE);
   198		if (ret)
   199			return ret;
   200		image->kernel_buf_len = size;
   201	
   202		/* IMA needs to pass the measurement list to the next kernel. */
   203		ima_add_kexec_buffer(image);
   204	
   205		/* Call arch image probe handlers */
   206		ret = arch_kexec_kernel_image_probe(image, image->kernel_buf,
   207						    image->kernel_buf_len);
   208		if (ret)
   209			goto out;
   210	
   211	#ifdef CONFIG_KEXEC_VERIFY_SIG
   212		ret = arch_kexec_kernel_verify_sig(image, image->kernel_buf,
   213						   image->kernel_buf_len);
   214		if (ret) {
   215			pr_debug("kernel signature verification failed.\n");
   216		} else {
   217			pr_debug("kernel signature verification successful.\n");
   218		}
   219	#elif
   220		ret = -EPERM;
   221	#endif
 > 222		if (ret && kernel_is_locked_down("kexec of unsigned images"))
   223			goto out;
   224		else
   225			ret = 0;
   226	
   227		/* It is possible that there no initramfs is being loaded */
   228		if (!(flags & KEXEC_FILE_NO_INITRAMFS)) {
   229			ret = kernel_read_file_from_fd(initrd_fd, &image->initrd_buf,
   230						       &size, INT_MAX,
   231						       READING_KEXEC_INITRAMFS);
   232			if (ret)
   233				goto out;
   234			image->initrd_buf_len = size;
   235		}
   236	
   237		if (cmdline_len) {
   238			image->cmdline_buf = memdup_user(cmdline_ptr, cmdline_len);
   239			if (IS_ERR(image->cmdline_buf)) {
   240				ret = PTR_ERR(image->cmdline_buf);
   241				image->cmdline_buf = NULL;
   242				goto out;
   243			}
   244	
   245			image->cmdline_buf_len = cmdline_len;
   246	
   247			/* command line should be a string with last byte null */
   248			if (image->cmdline_buf[cmdline_len - 1] != '\0') {
   249				ret = -EINVAL;
   250				goto out;
   251			}
   252		}
   253	
   254		/* Call arch image load handlers */
   255		ldata = arch_kexec_kernel_image_load(image);
   256	
   257		if (IS_ERR(ldata)) {
   258			ret = PTR_ERR(ldata);
   259			goto out;
   260		}
   261	
   262		image->image_loader_data = ldata;
   263	out:
   264		/* In case of error, free up all allocated memory in this function */
   265		if (ret)
   266			kimage_file_post_load_cleanup(image);
   267		return ret;
   268	}
   269	

---
0-DAY kernel test infrastructure                Open Source Technology Center
https://lists.01.org/pipermail/kbuild-all                   Intel Corporation

[-- Attachment #2: .config.gz --]
[-- Type: application/gzip, Size: 33603 bytes --]
