Message ID | 20230217201435.39784-3-rharwood@redhat.com (mailing list archive) |
---|---|
State | New |
Series | Fix kexec of pesigned images | expand |
Robbie Harwood <rharwood@redhat.com> wrote: > These particular errors can be encountered while trying to kexec when > secureboot lockdown is in place. Without this change, even with a > signed debug build, one still needs to reboot the machine to add the > appropriate dyndbg parameters (since lockdown blocks debugfs). > > Accordingly, upgrade all pr_debug() before fatal error into pr_info(). I wonder if they should then be pr_warn() instead. > Signed-off-by: Robbie Harwood <rharwood@redhat.com> Acked-by: David Howells <dhowells@redhat.com>
On Fri, Feb 17, 2023 at 03:14:35PM -0500, Robbie Harwood wrote: > These particular errors can be encountered while trying to kexec when > secureboot lockdown is in place. Without this change, even with a > signed debug build, one still needs to reboot the machine to add the > appropriate dyndbg parameters (since lockdown blocks debugfs). > > Accordingly, upgrade all pr_debug() before fatal error into pr_info(). > > Signed-off-by: Robbie Harwood <rharwood@redhat.com> Eessentially this changes configuration to hard coded implementation. No gain IMHO. If you are ready to patch the kernel you could live with boot time dyndbg parameters. > --- > crypto/asymmetric_keys/pkcs7_verify.c | 10 +++++----- > crypto/asymmetric_keys/verify_pefile.c | 24 ++++++++++++------------ > 2 files changed, 17 insertions(+), 17 deletions(-) > > diff --git a/crypto/asymmetric_keys/pkcs7_verify.c b/crypto/asymmetric_keys/pkcs7_verify.c > index f6321c785714..da425d142720 100644 > --- a/crypto/asymmetric_keys/pkcs7_verify.c > +++ b/crypto/asymmetric_keys/pkcs7_verify.c > @@ -79,16 +79,16 @@ static int pkcs7_digest(struct pkcs7_message *pkcs7, > } > > if (sinfo->msgdigest_len != sig->digest_size) { > - pr_debug("Sig %u: Invalid digest size (%u)\n", > - sinfo->index, sinfo->msgdigest_len); > + pr_info("Sig %u: Invalid digest size (%u)\n", > + sinfo->index, sinfo->msgdigest_len); > ret = -EBADMSG; > goto error; > } > > if (memcmp(sig->digest, sinfo->msgdigest, > sinfo->msgdigest_len) != 0) { > - pr_debug("Sig %u: Message digest doesn't match\n", > - sinfo->index); > + pr_info("Sig %u: Message digest doesn't match\n", > + sinfo->index); > ret = -EKEYREJECTED; > goto error; > } > @@ -478,7 +478,7 @@ int pkcs7_supply_detached_data(struct pkcs7_message *pkcs7, > const void *data, size_t datalen) > { > if (pkcs7->data) { > - pr_debug("Data already supplied\n"); > + pr_info("Data already supplied\n"); > return -EINVAL; > } > pkcs7->data = data; 
> diff --git a/crypto/asymmetric_keys/verify_pefile.c b/crypto/asymmetric_keys/verify_pefile.c > index fe1bb374239d..c30e6610db26 100644 > --- a/crypto/asymmetric_keys/verify_pefile.c > +++ b/crypto/asymmetric_keys/verify_pefile.c > @@ -74,7 +74,7 @@ static int pefile_parse_binary(const void *pebuf, unsigned int pelen, > break; > > default: > - pr_debug("Unknown PEOPT magic = %04hx\n", pe32->magic); > + pr_info("Unknown PEOPT magic = %04hx\n", pe32->magic); > return -ELIBBAD; > } > > @@ -95,7 +95,7 @@ static int pefile_parse_binary(const void *pebuf, unsigned int pelen, > ctx->certs_size = ddir->certs.size; > > if (!ddir->certs.virtual_address || !ddir->certs.size) { > - pr_debug("Unsigned PE binary\n"); > + pr_info("Unsigned PE binary\n"); > return -ENODATA; > } > > @@ -127,7 +127,7 @@ static int pefile_strip_sig_wrapper(const void *pebuf, > unsigned len; > > if (ctx->sig_len < sizeof(wrapper)) { > - pr_debug("Signature wrapper too short\n"); > + pr_info("Signature wrapper too short\n"); > return -ELIBBAD; > } > > @@ -142,16 +142,16 @@ static int pefile_strip_sig_wrapper(const void *pebuf, > * rounded up since 0.110. > */ > if (wrapper.length > ctx->sig_len) { > - pr_debug("Signature wrapper bigger than sig len (%x > %x)\n", > - ctx->sig_len, wrapper.length); > + pr_info("Signature wrapper bigger than sig len (%x > %x)\n", > + ctx->sig_len, wrapper.length); > return -ELIBBAD; > } > if (wrapper.revision != WIN_CERT_REVISION_2_0) { > - pr_debug("Signature is not revision 2.0\n"); > + pr_info("Signature is not revision 2.0\n"); > return -ENOTSUPP; > } > if (wrapper.cert_type != WIN_CERT_TYPE_PKCS_SIGNED_DATA) { > - pr_debug("Signature certificate type is not PKCS\n"); > + pr_info("Signature certificate type is not PKCS\n"); > return -ENOTSUPP; > } 
> > @@ -164,7 +164,7 @@ static int pefile_strip_sig_wrapper(const void *pebuf, > ctx->sig_offset += sizeof(wrapper); > ctx->sig_len -= sizeof(wrapper); > if (ctx->sig_len < 4) { > - pr_debug("Signature data missing\n"); > + pr_info("Signature data missing\n"); > return -EKEYREJECTED; > } > > @@ -198,7 +198,7 @@ static int pefile_strip_sig_wrapper(const void *pebuf, > return 0; > } > not_pkcs7: > - pr_debug("Signature data not PKCS#7\n"); > + pr_info("Signature data not PKCS#7\n"); > return -ELIBBAD; > } > > @@ -341,8 +341,8 @@ static int pefile_digest_pe(const void *pebuf, unsigned int pelen, > digest_size = crypto_shash_digestsize(tfm); > > if (digest_size != ctx->digest_len) { > - pr_debug("Digest size mismatch (%zx != %x)\n", > - digest_size, ctx->digest_len); > + pr_info("Digest size mismatch (%zx != %x)\n", > + digest_size, ctx->digest_len); > ret = -EBADMSG; > goto error_no_desc; > } > @@ -373,7 +373,7 @@ static int pefile_digest_pe(const void *pebuf, unsigned int pelen, > * PKCS#7 certificate. > */ > if (memcmp(digest, ctx->digest, ctx->digest_len) != 0) { > - pr_debug("Digest mismatch\n"); > + pr_info("Digest mismatch\n"); > ret = -EKEYREJECTED; > } else { > pr_debug("The digests match!\n"); > -- > 2.39.1 > BR, Jarkko
diff --git a/crypto/asymmetric_keys/pkcs7_verify.c b/crypto/asymmetric_keys/pkcs7_verify.c
index f6321c785714..da425d142720 100644
--- a/crypto/asymmetric_keys/pkcs7_verify.c
+++ b/crypto/asymmetric_keys/pkcs7_verify.c
@@ -79,16 +79,16 @@ static int pkcs7_digest(struct pkcs7_message *pkcs7,
 }

 if (sinfo->msgdigest_len != sig->digest_size) {
- pr_debug("Sig %u: Invalid digest size (%u)\n",
- sinfo->index, sinfo->msgdigest_len);
+ pr_info("Sig %u: Invalid digest size (%u)\n",
+ sinfo->index, sinfo->msgdigest_len);
 ret = -EBADMSG;
 goto error;
 }

 if (memcmp(sig->digest, sinfo->msgdigest,
 sinfo->msgdigest_len) != 0) {
- pr_debug("Sig %u: Message digest doesn't match\n",
- sinfo->index);
+ pr_info("Sig %u: Message digest doesn't match\n",
+ sinfo->index);
 ret = -EKEYREJECTED;
 goto error;
 }
@@ -478,7 +478,7 @@ int pkcs7_supply_detached_data(struct pkcs7_message *pkcs7,
 const void *data, size_t datalen)
 {
 if (pkcs7->data) {
- pr_debug("Data already supplied\n");
+ pr_info("Data already supplied\n");
 return -EINVAL;
 }
 pkcs7->data = data;
diff --git a/crypto/asymmetric_keys/verify_pefile.c b/crypto/asymmetric_keys/verify_pefile.c
index fe1bb374239d..c30e6610db26 100644
--- a/crypto/asymmetric_keys/verify_pefile.c
+++ b/crypto/asymmetric_keys/verify_pefile.c
@@ -74,7 +74,7 @@ static int pefile_parse_binary(const void *pebuf, unsigned int pelen,
 break;

 default:
- pr_debug("Unknown PEOPT magic = %04hx\n", pe32->magic);
+ pr_info("Unknown PEOPT magic = %04hx\n", pe32->magic);
 return -ELIBBAD;
 }

@@ -95,7 +95,7 @@ static int pefile_parse_binary(const void *pebuf, unsigned int pelen,
 ctx->certs_size = ddir->certs.size;

 if (!ddir->certs.virtual_address || !ddir->certs.size) {
- pr_debug("Unsigned PE binary\n");
+ pr_info("Unsigned PE binary\n");
 return -ENODATA;
 }
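Review bot: The two pr_info() calls added in pkcs7_digest() are emitted unconditionally whenever a supplied PKCS#7 message carries a wrong-sized or mismatching digest, so a caller that can submit signed data repeatedly can fill the kernel log and push out other records. Which callers reach this path, and with what privilege, is not visible in the hunk and should be confirmed; if any of them is cheap to invoke, a rate-limited form such as `pr_info_ratelimited("Sig %u: Message digest doesn't match\n", sinfo->index);` keeps the diagnostic without that risk. The same applies to the converted messages in pkcs7_supply_detached_data(), pefile_parse_binary(), pefile_strip_sig_wrapper() and pefile_digest_pe(). pkcs7_digest() starts and ends outside the hunk.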
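Review bot: The `Unsigned PE binary` message in the second pefile_parse_binary() hunk now prints at info level on the `-ENODATA` path, which reports an absent signature rather than a malformed one. If a caller treats -ENODATA as acceptable when signature enforcement is off (not visible here), every load of an unsigned image would log a line that is not tied to a failure. It may be better to leave this one as `pr_debug("Unsigned PE binary\n");` or to log from the caller that decides the outcome. pefile_parse_binary() continues outside the hunk.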
@@ -127,7 +127,7 @@ static int pefile_strip_sig_wrapper(const void *pebuf,
 unsigned len;

 if (ctx->sig_len < sizeof(wrapper)) {
- pr_debug("Signature wrapper too short\n");
+ pr_info("Signature wrapper too short\n");
 return -ELIBBAD;
 }

@@ -142,16 +142,16 @@ static int pefile_strip_sig_wrapper(const void *pebuf,
 * rounded up since 0.110.
 */
 if (wrapper.length > ctx->sig_len) {
- pr_debug("Signature wrapper bigger than sig len (%x > %x)\n",
- ctx->sig_len, wrapper.length);
+ pr_info("Signature wrapper bigger than sig len (%x > %x)\n",
+ ctx->sig_len, wrapper.length);
 return -ELIBBAD;
 }
 if (wrapper.revision != WIN_CERT_REVISION_2_0) {
- pr_debug("Signature is not revision 2.0\n");
+ pr_info("Signature is not revision 2.0\n");
 return -ENOTSUPP;
 }
 if (wrapper.cert_type != WIN_CERT_TYPE_PKCS_SIGNED_DATA) {
- pr_debug("Signature certificate type is not PKCS\n");
+ pr_info("Signature certificate type is not PKCS\n");
 return -ENOTSUPP;
 }

@@ -164,7 +164,7 @@ static int pefile_strip_sig_wrapper(const void *pebuf,
 ctx->sig_offset += sizeof(wrapper);
 ctx->sig_len -= sizeof(wrapper);
 if (ctx->sig_len < 4) {
- pr_debug("Signature data missing\n");
+ pr_info("Signature data missing\n");
 return -EKEYREJECTED;
 }

@@ -198,7 +198,7 @@ static int pefile_strip_sig_wrapper(const void *pebuf,
 return 0;
 }
 not_pkcs7:
- pr_debug("Signature data not PKCS#7\n");
+ pr_info("Signature data not PKCS#7\n");
 return -ELIBBAD;
 }

@@ -341,8 +341,8 @@ static int pefile_digest_pe(const void *pebuf, unsigned int pelen,
 digest_size = crypto_shash_digestsize(tfm);

 if (digest_size != ctx->digest_len) {
- pr_debug("Digest size mismatch (%zx != %x)\n",
- digest_size, ctx->digest_len);
+ pr_info("Digest size mismatch (%zx != %x)\n",
+ digest_size, ctx->digest_len);
 ret = -EBADMSG;
 goto error_no_desc;
 }
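Review bot: In the `wrapper.length > ctx->sig_len` check of pefile_strip_sig_wrapper(), the message format is `(%x > %x)` but the arguments are passed as `ctx->sig_len, wrapper.length`, so the printed comparison is the reverse of the condition that failed. That mattered little while the line was hidden behind pr_debug(), but at info level it is what someone diagnosing a rejected image under lockdown will read. Swap the arguments so the second line of the call becomes `wrapper.length, ctx->sig_len);`. The function starts and ends outside the hunk.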
@@ -373,7 +373,7 @@ static int pefile_digest_pe(const void *pebuf, unsigned int pelen,
 * PKCS#7 certificate.
 */
 if (memcmp(digest, ctx->digest, ctx->digest_len) != 0) {
- pr_debug("Digest mismatch\n");
+ pr_info("Digest mismatch\n");
 ret = -EKEYREJECTED;
 } else {
 pr_debug("The digests match!\n");
These particular errors can be encountered while trying to kexec when secureboot lockdown is in place. Without this change, even with a signed debug build, one still needs to reboot the machine to add the appropriate dyndbg parameters (since lockdown blocks debugfs). Accordingly, upgrade all pr_debug() before fatal error into pr_info(). Signed-off-by: Robbie Harwood <rharwood@redhat.com> --- crypto/asymmetric_keys/pkcs7_verify.c | 10 +++++----- crypto/asymmetric_keys/verify_pefile.c | 24 ++++++++++++------------ 2 files changed, 17 insertions(+), 17 deletions(-)