| Message ID | 20221230065850.897967-2-coxu@redhat.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | [v3,1/2] lockdown: kexec_file: prevent unsigned kernel image when KEXEC_SIG not enabled | expand |
Hi Coiby, On Fri, 2022-12-30 at 14:58 +0800, Coiby Xu wrote: > When lockdown is enabled, kexec_load syscall should always fail. > > For kexec_file_load, when lockdown is enabled, it should > - fail of missing PE signature when KEXEC_SIG is enabled > - fail of missing IMA signature when KEXEC_SIG is disabled Appended kernel image signatures are supported, but differently on powerpc and s390. For s390, KEXEC_SIG is enabled. For completeness the above statements should reflect appended signatures. > > Before this patch, test_kexec_load.sh fails (false positive) and > test_kexec_file_load.sh fails without a reason when lockdown enabled and > KEXEC_SIG disabled, > > # kexec_load failed [FAIL] > not ok 1 selftests: kexec: test_kexec_load.sh # exit=1 > # kexec_file_load failed [PASS] > ok 2 selftests: kexec: test_kexec_file_load.sh > > After this patch, test_kexec_load.sh succeeds and > test_kexec_file_load.sh fails with the correct reason when lockdown > enabled and KEXEC_SIG disabled, > > # kexec_load failed [PASS] > ok 1 selftests: kexec: test_kexec_load.sh > # kexec_file_load failed (missing IMA sig) [PASS] > ok 2 selftests: kexec: test_kexec_file_load.sh > > Cc: kexec@lists.infradead.org > Cc: linux-integrity@vger.kernel.org > Suggested-by: Mimi Zohar <zohar@linux.ibm.com> > Signed-off-by: Coiby Xu <coxu@redhat.com> > --- > .../selftests/kexec/kexec_common_lib.sh | 16 +++++++++++ > .../selftests/kexec/test_kexec_file_load.sh | 27 +++++++++++++++++++ > .../selftests/kexec/test_kexec_load.sh | 12 ++++++--- > 3 files changed, 52 insertions(+), 3 deletions(-) > > diff --git a/tools/testing/selftests/kexec/kexec_common_lib.sh b/tools/testing/selftests/kexec/kexec_common_lib.sh > index 641ef05863b2..06c298b46788 100755 > --- a/tools/testing/selftests/kexec/kexec_common_lib.sh > +++ b/tools/testing/selftests/kexec/kexec_common_lib.sh > @@ -110,6 +110,22 @@ get_secureboot_mode() > return $secureboot_mode; > } > > +is_lockdown_enabled() > +{ > + local ret=0 > + > + if [ -f /sys/kernel/security/lockdown ] \ > + && ! grep -qs "\[none\]" /sys/kernel/security/lockdown; then > + ret=1 > + fi > + > + if [ $ret -eq 0 ]; then > + log_info "lockdown not enabled" > + fi > + > + return $ret > +} > + > require_root_privileges() > { > if [ $(id -ru) -ne 0 ]; then > diff --git a/tools/testing/selftests/kexec/test_kexec_file_load.sh b/tools/testing/selftests/kexec/test_kexec_file_load.sh > index c9ccb3c93d72..790f96938083 100755 > --- a/tools/testing/selftests/kexec/test_kexec_file_load.sh > +++ b/tools/testing/selftests/kexec/test_kexec_file_load.sh > @@ -139,6 +139,16 @@ kexec_file_load_test() > log_fail "$succeed_msg (missing IMA sig)" > fi > > + if [ $lockdown -eq 1 ] && [ $kexec_sig_enabled -eq 1 ] \ > + && [ $pe_signed -eq 0 ]; then > + log_fail "$succeed_msg (missing PE sig)" > + fi CONFIG_KEXEC_SIG being enabled does not require signature verification to be enforced. When the CONFIG_IMA_ARCH_POLICY is enabled, IMA requires kexec signature verification. Also on s390, CONFIG_KEXEC_SIG verifies an appended signature, not a PE signature. Instead of the "missing PE sig" message, perhaps indicate lockdown requires kexec signature verification. > + > + if [ $lockdown -eq 1 ] && [ $kexec_sig_enabled -eq 0 ] && [ $ima_signed -eq 0 ] \ > + && [ $ima_modsig -eq 0 ]; then > + log_fail "$succeed_msg (missing IMA sig)" > + fi > + Similarly, only if IMA is enabled and requires the kexec signature verficiation should this message be emitted. Perhaps a single generic lockdown message would be sufficient for both. > if [ $pe_sig_required -eq 0 ] && [ $ima_appraise -eq 1 ] \ > && [ $ima_sig_required -eq 0 ] && [ $ima_signed -eq 0 ] \ > && [ $ima_read_policy -eq 0 ]; then > @@ -181,6 +191,16 @@ kexec_file_load_test() > log_pass "$failed_msg (possibly missing IMA sig)" > fi > > + if [ $lockdown -eq 1 ] && [ $kexec_sig_enabled -eq 1 ] \ > + && [ $pe_signed -eq 0 ]; then > + log_pass "$failed_msg (missing PE sig)" > + fi > + > + if [ $lockdown -eq 1 ] && [ $kexec_sig_enabled -eq 0 ] \ > + && [ $ima_signed -eq 0 ] && [ $ima_modsig -eq 0 ]; then > + log_pass "$failed_msg (missing IMA sig)" > + fi > + Similar comments as above.
diff --git a/tools/testing/selftests/kexec/kexec_common_lib.sh b/tools/testing/selftests/kexec/kexec_common_lib.sh index 641ef05863b2..06c298b46788 100755 --- a/tools/testing/selftests/kexec/kexec_common_lib.sh +++ b/tools/testing/selftests/kexec/kexec_common_lib.sh @@ -110,6 +110,22 @@ get_secureboot_mode() return $secureboot_mode; } +is_lockdown_enabled() +{ + local ret=0 + + if [ -f /sys/kernel/security/lockdown ] \ + && ! grep -qs "\[none\]" /sys/kernel/security/lockdown; then + ret=1 + fi + + if [ $ret -eq 0 ]; then + log_info "lockdown not enabled" + fi + + return $ret +} + require_root_privileges() { if [ $(id -ru) -ne 0 ]; then diff --git a/tools/testing/selftests/kexec/test_kexec_file_load.sh b/tools/testing/selftests/kexec/test_kexec_file_load.sh index c9ccb3c93d72..790f96938083 100755 --- a/tools/testing/selftests/kexec/test_kexec_file_load.sh +++ b/tools/testing/selftests/kexec/test_kexec_file_load.sh @@ -139,6 +139,16 @@ kexec_file_load_test() log_fail "$succeed_msg (missing IMA sig)" fi + if [ $lockdown -eq 1 ] && [ $kexec_sig_enabled -eq 1 ] \ + && [ $pe_signed -eq 0 ]; then + log_fail "$succeed_msg (missing PE sig)" + fi + + if [ $lockdown -eq 1 ] && [ $kexec_sig_enabled -eq 0 ] && [ $ima_signed -eq 0 ] \ + && [ $ima_modsig -eq 0 ]; then + log_fail "$succeed_msg (missing IMA sig)" + fi + if [ $pe_sig_required -eq 0 ] && [ $ima_appraise -eq 1 ] \ && [ $ima_sig_required -eq 0 ] && [ $ima_signed -eq 0 ] \ && [ $ima_read_policy -eq 0 ]; then @@ -181,6 +191,16 @@ kexec_file_load_test() log_pass "$failed_msg (possibly missing IMA sig)" fi + if [ $lockdown -eq 1 ] && [ $kexec_sig_enabled -eq 1 ] \ + && [ $pe_signed -eq 0 ]; then + log_pass "$failed_msg (missing PE sig)" + fi + + if [ $lockdown -eq 1 ] && [ $kexec_sig_enabled -eq 0 ] \ + && [ $ima_signed -eq 0 ] && [ $ima_modsig -eq 0 ]; then + log_pass "$failed_msg (missing IMA sig)" + fi + log_pass "$failed_msg" return 0 } @@ -215,6 +235,10 @@ kconfig_enabled "CONFIG_KEXEC_SIG_FORCE=y" \ "kexec signed kernel image required" kexec_sig_required=$? +kconfig_enabled "CONFIG_KEXEC_SIG=y" \ + "KEXEC_SIG enabled" +kexec_sig_enabled=$? + kconfig_enabled "CONFIG_KEXEC_BZIMAGE_VERIFY_SIG=y" \ "PE signed kernel image required" pe_sig_required=$? @@ -225,6 +249,9 @@ ima_sig_required=$? get_secureboot_mode secureboot=$? +is_lockdown_enabled +lockdown=$? + # Are there pe and ima signatures if [ "$(get_arch)" == 'ppc64le' ]; then pe_signed=0 diff --git a/tools/testing/selftests/kexec/test_kexec_load.sh b/tools/testing/selftests/kexec/test_kexec_load.sh index 49c6aa929137..0542887866c0 100755 --- a/tools/testing/selftests/kexec/test_kexec_load.sh +++ b/tools/testing/selftests/kexec/test_kexec_load.sh @@ -28,18 +28,24 @@ arch_policy=$? get_secureboot_mode secureboot=$? -# kexec_load should fail in secure boot mode and CONFIG_IMA_ARCH_POLICY enabled +is_lockdown_enabled +lockdown=$? + +# kexec_load should fail in either +# a) secure boot mode and CONFIG_IMA_ARCH_POLICY enabled +# or +# b) lockdown enabled kexec --load $KERNEL_IMAGE > /dev/null 2>&1 if [ $? -eq 0 ]; then kexec --unload - if [ $secureboot -eq 1 ] && [ $arch_policy -eq 1 ]; then + if [ $secureboot -eq 1 -a $arch_policy -eq 1 ] || [ $lockdown -eq 1 ]; then log_fail "kexec_load succeeded" elif [ $ima_appraise -eq 0 -o $arch_policy -eq 0 ]; then log_info "Either IMA or the IMA arch policy is not enabled" fi log_pass "kexec_load succeeded" else - if [ $secureboot -eq 1 ] && [ $arch_policy -eq 1 ] ; then + if [ $secureboot -eq 1 -a $arch_policy -eq 1 ] || [ $lockdown -eq 1 ]; then log_pass "kexec_load failed" else log_fail "kexec_load failed"
When lockdown is enabled, kexec_load syscall should always fail. For kexec_file_load, when lockdown is enabled, it should - fail of missing PE signature when KEXEC_SIG is enabled - fail of missing IMA signature when KEXEC_SIG is disabled Before this patch, test_kexec_load.sh fails (false positive) and test_kexec_file_load.sh fails without a reason when lockdown enabled and KEXEC_SIG disabled, # kexec_load failed [FAIL] not ok 1 selftests: kexec: test_kexec_load.sh # exit=1 # kexec_file_load failed [PASS] ok 2 selftests: kexec: test_kexec_file_load.sh After this patch, test_kexec_load.sh succeeds and test_kexec_file_load.sh fails with the correct reason when lockdown enabled and KEXEC_SIG disabled, # kexec_load failed [PASS] ok 1 selftests: kexec: test_kexec_load.sh # kexec_file_load failed (missing IMA sig) [PASS] ok 2 selftests: kexec: test_kexec_file_load.sh Cc: kexec@lists.infradead.org Cc: linux-integrity@vger.kernel.org Suggested-by: Mimi Zohar <zohar@linux.ibm.com> Signed-off-by: Coiby Xu <coxu@redhat.com> --- .../selftests/kexec/kexec_common_lib.sh | 16 +++++++++++ .../selftests/kexec/test_kexec_file_load.sh | 27 +++++++++++++++++++ .../selftests/kexec/test_kexec_load.sh | 12 ++++++--- 3 files changed, 52 insertions(+), 3 deletions(-)