Message ID | 8b30a3c6a4e845eb77f276298424811897efdebf.1637862358.git.msuchanek@suse.de (mailing list archive) |
---|---|
State | Not Applicable |
Delegated to: | Herbert Xu |
Headers | show |
Series | KEXEC_SIG with appended signature | expand |
Hello, On Wed, Dec 08, 2021 at 08:51:47PM -0500, Nayna wrote: > > On 11/25/21 13:02, Michal Suchanek wrote: > > Copy the code from s390x > > > > Signed-off-by: Michal Suchanek<msuchanek@suse.de> > > --- > > arch/powerpc/Kconfig | 11 +++++++++++ > > arch/powerpc/kexec/elf_64.c | 36 ++++++++++++++++++++++++++++++++++++ > > 2 files changed, 47 insertions(+) > > > > diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig > > index ac0c515552fd..ecc1227a77f1 100644 > > --- a/arch/powerpc/Kconfig > > +++ b/arch/powerpc/Kconfig > > @@ -561,6 +561,17 @@ config KEXEC_FILE > > config ARCH_HAS_KEXEC_PURGATORY > > def_bool KEXEC_FILE > > > > +config KEXEC_SIG > > + bool "Verify kernel signature during kexec_file_load() syscall" > > + depends on KEXEC_FILE && MODULE_SIG_FORMAT > > After manually applying the patch, the build is failing with the following > error: > > build failed with error "arch/powerpc/kexec/elf_64.o: In function > `elf64_verify_sig': > /root/kernel/linus/linux/arch/powerpc/kexec/elf_64.c:160: undefined > reference to `verify_appended_signature'" This patch does not add call to verify_appended_signature. Maybe you applied the following patch as well? Thanks Michal
On 12/9/21 04:21, Michal Suchánek wrote: > Hello, Hi, > On Wed, Dec 08, 2021 at 08:51:47PM -0500, Nayna wrote: >> On 11/25/21 13:02, Michal Suchanek wrote: >>> Copy the code from s390x >>> >>> Signed-off-by: Michal Suchanek<msuchanek@suse.de> >>> --- >>> arch/powerpc/Kconfig | 11 +++++++++++ >>> arch/powerpc/kexec/elf_64.c | 36 ++++++++++++++++++++++++++++++++++++ >>> 2 files changed, 47 insertions(+) >>> >>> diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig >>> index ac0c515552fd..ecc1227a77f1 100644 >>> --- a/arch/powerpc/Kconfig >>> +++ b/arch/powerpc/Kconfig >>> @@ -561,6 +561,17 @@ config KEXEC_FILE >>> config ARCH_HAS_KEXEC_PURGATORY >>> def_bool KEXEC_FILE >>> >>> +config KEXEC_SIG >>> + bool "Verify kernel signature during kexec_file_load() syscall" >>> + depends on KEXEC_FILE && MODULE_SIG_FORMAT >> After manually applying the patch, the build is failing with the following >> error: >> >> build failed with error "arch/powerpc/kexec/elf_64.o: In function >> `elf64_verify_sig': >> /root/kernel/linus/linux/arch/powerpc/kexec/elf_64.c:160: undefined >> reference to `verify_appended_signature'" > This patch does not add call to verify_appended_signature. > > Maybe you applied the following patch as well? Yes, I tried build after applying all the patches. Thanks & Regards, - Nayna
On 11/25/21 13:02, Michal Suchanek wrote: > Copy the code from s390x > > Signed-off-by: Michal Suchanek <msuchanek@suse.de> > --- > arch/powerpc/Kconfig | 11 +++++++++++ > arch/powerpc/kexec/elf_64.c | 36 ++++++++++++++++++++++++++++++++++++ > 2 files changed, 47 insertions(+) > > diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig > index ac0c515552fd..ecc1227a77f1 100644 > --- a/arch/powerpc/Kconfig > +++ b/arch/powerpc/Kconfig > @@ -561,6 +561,17 @@ config KEXEC_FILE > config ARCH_HAS_KEXEC_PURGATORY > def_bool KEXEC_FILE > > +config KEXEC_SIG > + bool "Verify kernel signature during kexec_file_load() syscall" > + depends on KEXEC_FILE && MODULE_SIG_FORMAT > + help > + This option makes kernel signature verification mandatory for > + the kexec_file_load() syscall. > + Resending my last response as looks like it didn't go through mailing list because of some wrong formatting. My apologies to those who are receiving it twice. Since powerpc also supports IMA_ARCH_POLICY for kernel image signature verification, please include the following: "An alternative implementation for the powerpc arch is IMA_ARCH_POLICY. It verifies the appended kernel image signature and additionally includes both the signed and unsigned file hashes in the IMA measurement list, extends the IMA PCR in the TPM, and prevents blacklisted binary kernel images from being kexec'd." Thanks & Regards, - Nayna
Hello, On Sun, Dec 12, 2021 at 07:46:53PM -0500, Nayna wrote: > > On 11/25/21 13:02, Michal Suchanek wrote: > > Copy the code from s390x > > > > Signed-off-by: Michal Suchanek <msuchanek@suse.de> > > --- > > arch/powerpc/Kconfig | 11 +++++++++++ > > arch/powerpc/kexec/elf_64.c | 36 ++++++++++++++++++++++++++++++++++++ > > 2 files changed, 47 insertions(+) > > > > diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig > > index ac0c515552fd..ecc1227a77f1 100644 > > --- a/arch/powerpc/Kconfig > > +++ b/arch/powerpc/Kconfig > > @@ -561,6 +561,17 @@ config KEXEC_FILE > > config ARCH_HAS_KEXEC_PURGATORY > > def_bool KEXEC_FILE > > > > +config KEXEC_SIG > > + bool "Verify kernel signature during kexec_file_load() syscall" > > + depends on KEXEC_FILE && MODULE_SIG_FORMAT > > + help > > + This option makes kernel signature verification mandatory for > > + the kexec_file_load() syscall. > > + > > Resending my last response as looks like it didn't go through mailing list > because of some wrong formatting. My apologies to those who are receiving it > twice. > > Since powerpc also supports IMA_ARCH_POLICY for kernel image signature > verification, please include the following: > > "An alternative implementation for the powerpc arch is IMA_ARCH_POLICY. It > verifies the appended kernel image signature and additionally includes both > the signed and unsigned file hashes in the IMA measurement list, extends the > IMA PCR in the TPM, and prevents blacklisted binary kernel images from being > kexec'd." It also does blacklist based on the file hash? There is a downstream patch that adds the support for the module signatures, and when the code is reused for KEXEC_SIG the blacklist also applies to it. Which kind of shows that people really want to use the IMA features but with no support on some major architectures it's not going to work. Thanks Michal
diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig index ac0c515552fd..ecc1227a77f1 100644 --- a/arch/powerpc/Kconfig +++ b/arch/powerpc/Kconfig @@ -561,6 +561,17 @@ config KEXEC_FILE config ARCH_HAS_KEXEC_PURGATORY def_bool KEXEC_FILE +config KEXEC_SIG + bool "Verify kernel signature during kexec_file_load() syscall" + depends on KEXEC_FILE && MODULE_SIG_FORMAT + help + This option makes kernel signature verification mandatory for + the kexec_file_load() syscall. + + In addition to that option, you need to enable signature + verification for the corresponding kernel image type being + loaded in order for this to work. + config PPC64_BUILD_ELF_V2_ABI bool diff --git a/arch/powerpc/kexec/elf_64.c b/arch/powerpc/kexec/elf_64.c index eeb258002d1e..25dc1071feec 100644 --- a/arch/powerpc/kexec/elf_64.c +++ b/arch/powerpc/kexec/elf_64.c @@ -23,6 +23,7 @@ #include <linux/of_fdt.h> #include <linux/slab.h> #include <linux/types.h> +#include <linux/verification.h> static void *elf64_load(struct kimage *image, char *kernel_buf, unsigned long kernel_len, char *initrd, @@ -151,7 +152,42 @@ static void *elf64_load(struct kimage *image, char *kernel_buf, return ret ? ERR_PTR(ret) : NULL; } +#ifdef CONFIG_KEXEC_SIG +int elf64_verify_sig(const char *kernel, unsigned long kernel_len) +{ + const unsigned long marker_len = sizeof(MODULE_SIG_STRING) - 1; + struct module_signature *ms; + unsigned long sig_len; + int ret; + + if (marker_len > kernel_len) + return -EKEYREJECTED; + + if (memcmp(kernel + kernel_len - marker_len, MODULE_SIG_STRING, + marker_len)) + return -EKEYREJECTED; + kernel_len -= marker_len; + + ms = (void *)kernel + kernel_len - sizeof(*ms); + ret = mod_check_sig(ms, kernel_len, "kexec"); + if (ret) + return ret; + + sig_len = be32_to_cpu(ms->sig_len); + kernel_len -= sizeof(*ms) + sig_len; + + return verify_pkcs7_signature(kernel, kernel_len, + kernel + kernel_len, sig_len, + VERIFY_USE_PLATFORM_KEYRING, + VERIFYING_MODULE_SIGNATURE, + NULL, NULL); +} +#endif /* CONFIG_KEXEC_SIG */ + const struct kexec_file_ops kexec_elf64_ops = { .probe = kexec_elf_probe, .load = elf64_load, +#ifdef CONFIG_KEXEC_SIG + .verify_sig = elf64_verify_sig, +#endif };
Copy the code from s390x Signed-off-by: Michal Suchanek <msuchanek@suse.de> --- arch/powerpc/Kconfig | 11 +++++++++++ arch/powerpc/kexec/elf_64.c | 36 ++++++++++++++++++++++++++++++++++++ 2 files changed, 47 insertions(+)