From patchwork Fri Dec 30 06:58:49 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Coiby Xu X-Patchwork-Id: 13084140 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id A7A77C3DA7C for ; Fri, 30 Dec 2022 06:59:46 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234534AbiL3G7o (ORCPT ); Fri, 30 Dec 2022 01:59:44 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:45672 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229490AbiL3G7n (ORCPT ); Fri, 30 Dec 2022 01:59:43 -0500 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 8D28E13F05 for ; Thu, 29 Dec 2022 22:58:58 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1672383537; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=i6xNXZW5xcHpX8ctqGmuNcrSYwUwnLYg5NtdNPmfezg=; b=Iuj+Sh3UsyujM+7Jx8nm6hp8RFolqpvJ0KEPh6acHr/OsVyZsAYTV5DbBv641UeUgWzTEG xjsS7d+WESLIlLUPFLfdwy0DBcZotK8icE6nQ/cOVAZGS/VxuTxQzeCacjW2TpdN4A6eDc XQ9kqbTzOUmrCMlQ9Vrs4YAQCtxVuIU= Received: from mail-pj1-f72.google.com (mail-pj1-f72.google.com [209.85.216.72]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_128_GCM_SHA256) id us-mta-274-Pn1QvsbiOWKPnV2Ukul8bQ-1; Fri, 30 Dec 2022 01:58:55 -0500 X-MC-Unique: Pn1QvsbiOWKPnV2Ukul8bQ-1 Received: by mail-pj1-f72.google.com with SMTP id il11-20020a17090b164b00b00219a4366109so15092118pjb.0 for ; Thu, 29 Dec 2022 22:58:55 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=i6xNXZW5xcHpX8ctqGmuNcrSYwUwnLYg5NtdNPmfezg=; b=anRFN/EPf+dWyVYc7hufqSQ5K9verQKVk0S0Wsm6wbyKFQlYzF1msMfkuu5TzRfy1w gc4mUUhTHM7ENqVBvfDHK0C+bJ4Osm7RWT4QSb7w9UXehHb5HbbUejFjg/6uffPzm6LU pLtO9vzN8qU3d6GWdtXoBXQhINqb5iIRyWShCF8838rCuoNO0AMqdI+pk3NkkMwfVkjA d1tNkFtrPwOzZo65m7MkyF7bgf+YDvC+N61EaaL9o9VXgql+fT4zIzIGYgUF2iroSUS7 t0Iltm/ZPfRVNZbnCfytMGIedT9E4teHKquNJuMNm9xzb8Vz4hedU0+7r6gc4zY7fa9O fCug== X-Gm-Message-State: AFqh2kr96gMKu6ikJW+JebAkXQESFzhZPIHAIll8C1dfG6VXFcTWfsoZ n/qi3viOfQhDMGEgXv1gV/84VBXpHNDxWuTqiyKEKIcR6KiGG/8g6JrMlEf9JBm4MUcMLGp+4g1 aU/7EipDp+XL4d6pgDyINRGF4EOk4 X-Received: by 2002:a05:6a20:1586:b0:9d:efc0:67 with SMTP id h6-20020a056a20158600b0009defc00067mr47397758pzj.15.1672383534930; Thu, 29 Dec 2022 22:58:54 -0800 (PST) X-Google-Smtp-Source: AMrXdXuS31o499EJ+P0QkGmvXR/8sEY71NzOuPxCXXw9OvVKvODqQywZozPkjeIXEo35ZNQmiVJihw== X-Received: by 2002:a05:6a20:1586:b0:9d:efc0:67 with SMTP id h6-20020a056a20158600b0009defc00067mr47397736pzj.15.1672383534644; Thu, 29 Dec 2022 22:58:54 -0800 (PST) Received: from localhost ([240e:478:10:2273:12cf:a540:d79b:db49]) by smtp.gmail.com with ESMTPSA id s5-20020aa78bc5000000b00581e0b5ad8dsm1614157pfd.107.2022.12.29.22.58.53 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 29 Dec 2022 22:58:54 -0800 (PST) From: Coiby Xu To: kexec@lists.infradead.org Cc: Mimi Zohar , Matthew Garrett , Jiri Bohac , David Howells , linux-integrity@vger.kernel.org, Eric Biederman , Matthew Garrett , James Morris , linux-kernel@vger.kernel.org (open list) Subject: [PATCH v3 1/2] lockdown: kexec_file: prevent unsigned kernel image when KEXEC_SIG not enabled Date: Fri, 30 Dec 2022 14:58:49 +0800 Message-Id: <20221230065850.897967-1-coxu@redhat.com> X-Mailer: git-send-email 2.38.1 MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-integrity@vger.kernel.org A kernel builder may not enable KEXEC_SIG and some architectures like ppc64 simply don't have KEXEC_SIG. In these cases, unless both IMA_ARCH_POLICY and secure boot also enabled, lockdown doesn't prevent unsigned kernel image from being kexec'ed via the kexec_file_load syscall whereas it could prevent one via the kexec_load syscall. Mandate signature verification for those cases. Fixes: 155bdd30af17 ("kexec_file: Restrict at runtime if the kernel is locked down") Cc: Matthew Garrett Cc: Jiri Bohac Cc: David Howells Cc: kexec@lists.infradead.org Cc: linux-integrity@vger.kernel.org Signed-off-by: Coiby Xu Reviewed-by: Mimi Zohar --- v3 - add lockdown tests to explain why kexec_file_load failed [Mimi] v2 - collect reviewed-by tag from Mimi - s/mandate_signatute_verification/mandate_signature_verification [Mimi] - return the status of kexec_image_verify_sig correctly when signature verification is not mandated --- kernel/kexec_file.c | 26 +++++++++++++++++--------- 1 file changed, 17 insertions(+), 9 deletions(-) diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c index dd5983010b7b..2c1054ab21ef 100644 --- a/kernel/kexec_file.c +++ b/kernel/kexec_file.c @@ -125,6 +125,17 @@ void kimage_file_post_load_cleanup(struct kimage *image) image->image_loader_data = NULL; } +static bool mandate_signature_verification(void) +{ + /* + * If IMA is guaranteed to appraise a signature on the kexec + * image, permit it even if the kernel is otherwise locked + * down. + */ + return !ima_appraise_signature(READING_KEXEC_IMAGE) && + security_locked_down(LOCKDOWN_KEXEC); +} + #ifdef CONFIG_KEXEC_SIG #ifdef CONFIG_SIGNED_PE_FILE_VERIFICATION int kexec_kernel_verify_pe_sig(const char *kernel, unsigned long kernel_len) @@ -168,13 +179,7 @@ kimage_validate_signature(struct kimage *image) return ret; } - /* - * If IMA is guaranteed to appraise a signature on the kexec - * image, permit it even if the kernel is otherwise locked - * down. - */ - if (!ima_appraise_signature(READING_KEXEC_IMAGE) && - security_locked_down(LOCKDOWN_KEXEC)) + if (mandate_signature_verification()) return -EPERM; pr_debug("kernel signature verification failed (%d).\n", ret); @@ -211,10 +216,13 @@ kimage_file_prepare_segments(struct kimage *image, int kernel_fd, int initrd_fd, #ifdef CONFIG_KEXEC_SIG ret = kimage_validate_signature(image); - +#else + if (mandate_signature_verification()) + ret = -EPERM; +#endif if (ret) goto out; -#endif + /* It is possible that there no initramfs is being loaded */ if (!(flags & KEXEC_FILE_NO_INITRAMFS)) { ret = kernel_read_file_from_fd(initrd_fd, 0, &image->initrd_buf, From patchwork Fri Dec 30 06:58:50 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Coiby Xu X-Patchwork-Id: 13084141 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 6DA27C3DA7C for ; Fri, 30 Dec 2022 06:59:53 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234532AbiL3G7w (ORCPT ); Fri, 30 Dec 2022 01:59:52 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:45696 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234535AbiL3G7u (ORCPT ); Fri, 30 Dec 2022 01:59:50 -0500 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 2C331186B6 for ; Thu, 29 Dec 2022 22:59:06 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1672383545; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=xfQVFUk68QjEj99AgM4T7hbGZN2TqICY24ExGXMOCJA=; b=GQECBKse+bT1pUacWyCC9ozCpAzHW1gPY3ccHCaonEAO7HDN8hzYjU+lfySnJjbYe4sXMg dr7TJ6b3e3WlKyjUAhOt9BwxTUr/mPenaNgkm/nU7avMyK8F9u7XmOtAEgVPvlW+zy1kYC bdwc5dtanA3l7QY0HrRZgrvoPjHdsBc= Received: from mail-pg1-f197.google.com (mail-pg1-f197.google.com [209.85.215.197]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_128_GCM_SHA256) id us-mta-394-p2nU2F15M7GE8OrIyGG8eQ-1; Fri, 30 Dec 2022 01:59:01 -0500 X-MC-Unique: p2nU2F15M7GE8OrIyGG8eQ-1 Received: by mail-pg1-f197.google.com with SMTP id r126-20020a632b84000000b004393806c06eso9964758pgr.4 for ; Thu, 29 Dec 2022 22:59:01 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=xfQVFUk68QjEj99AgM4T7hbGZN2TqICY24ExGXMOCJA=; b=X6Lzx+pSA51z8HHFvEWJ9r7ZN0Dd4Z1D1TOX2pWl3b/MhktSCg15EI2YgnCzaZE27w +UrTjuWg5r69iqdE3iHGO8Hfix1DVO9DlOcoQBKPhZfd701VkEPc85C9ap/gQSiL4FDe gBf0QNKjt4ZDE1h6wVrGEu8bUCMrTLLRwSqQOHNP2WqAaPg6QwO4TFFPv9ZuD+7ExgVc FwMthLDqwjF/v/gAT9xz0cOCOSJsC97xJ8s2JOxaZoYSxK4N3+h55DGZIAsOG3Ui+Elv Mn2n6XrakyHBRfW+e/HMkcJWwSQKeGxgPaQG/hVDDjdGDJddQKGjH9O3VdM+C3hVge/W DOOw== X-Gm-Message-State: AFqh2kod3aIMm/wtk5wgYRchXxoucA/qJ/VVaWwcOSQS7K5+B0lqpBvk Wxt+/vAU23306hLnrZRkcsyv2vr3pGj/DPMUiqiTLquTmEEe6PoshTugnb2JfEUNx86Ywo34f0Q yQ0xorYl7RBsTZLhPd9nnQO3eqlIU X-Received: by 2002:a17:902:d3d3:b0:192:8f38:7492 with SMTP id w19-20020a170902d3d300b001928f387492mr10901742plb.13.1672383539827; Thu, 29 Dec 2022 22:58:59 -0800 (PST) X-Google-Smtp-Source: AMrXdXvgQSu4eJrF7t9Ee8jFtrdmW2Mfrqq37xxbhi3CqTIuwlP91hv2uCBIjFGbYTi7mF+inP0IYw== X-Received: by 2002:a17:902:d3d3:b0:192:8f38:7492 with SMTP id w19-20020a170902d3d300b001928f387492mr10901731plb.13.1672383539523; Thu, 29 Dec 2022 22:58:59 -0800 (PST) Received: from localhost ([240e:478:10:2273:12cf:a540:d79b:db49]) by smtp.gmail.com with ESMTPSA id ij6-20020a170902ab4600b00176e6f553efsm14012757plb.84.2022.12.29.22.58.57 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 29 Dec 2022 22:58:59 -0800 (PST) From: Coiby Xu To: kexec@lists.infradead.org Cc: Mimi Zohar , linux-integrity@vger.kernel.org, Shuah Khan , linux-kselftest@vger.kernel.org (open list:KERNEL SELFTEST FRAMEWORK), linux-kernel@vger.kernel.org (open list) Subject: [PATCH v3 2/2] selftests/kexec: enable lockdown tests Date: Fri, 30 Dec 2022 14:58:50 +0800 Message-Id: <20221230065850.897967-2-coxu@redhat.com> X-Mailer: git-send-email 2.38.1 In-Reply-To: <20221230065850.897967-1-coxu@redhat.com> References: <20221230065850.897967-1-coxu@redhat.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-integrity@vger.kernel.org When lockdown is enabled, kexec_load syscall should always fail. For kexec_file_load, when lockdown is enabled, it should - fail of missing PE signature when KEXEC_SIG is enabled - fail of missing IMA signature when KEXEC_SIG is disabled Before this patch, test_kexec_load.sh fails (false positive) and test_kexec_file_load.sh fails without a reason when lockdown enabled and KEXEC_SIG disabled, # kexec_load failed [FAIL] not ok 1 selftests: kexec: test_kexec_load.sh # exit=1 # kexec_file_load failed [PASS] ok 2 selftests: kexec: test_kexec_file_load.sh After this patch, test_kexec_load.sh succeeds and test_kexec_file_load.sh fails with the correct reason when lockdown enabled and KEXEC_SIG disabled, # kexec_load failed [PASS] ok 1 selftests: kexec: test_kexec_load.sh # kexec_file_load failed (missing IMA sig) [PASS] ok 2 selftests: kexec: test_kexec_file_load.sh Cc: kexec@lists.infradead.org Cc: linux-integrity@vger.kernel.org Suggested-by: Mimi Zohar Signed-off-by: Coiby Xu --- .../selftests/kexec/kexec_common_lib.sh | 16 +++++++++++ .../selftests/kexec/test_kexec_file_load.sh | 27 +++++++++++++++++++ .../selftests/kexec/test_kexec_load.sh | 12 ++++++--- 3 files changed, 52 insertions(+), 3 deletions(-) diff --git a/tools/testing/selftests/kexec/kexec_common_lib.sh b/tools/testing/selftests/kexec/kexec_common_lib.sh index 641ef05863b2..06c298b46788 100755 --- a/tools/testing/selftests/kexec/kexec_common_lib.sh +++ b/tools/testing/selftests/kexec/kexec_common_lib.sh @@ -110,6 +110,22 @@ get_secureboot_mode() return $secureboot_mode; } +is_lockdown_enabled() +{ + local ret=0 + + if [ -f /sys/kernel/security/lockdown ] \ + && ! grep -qs "\[none\]" /sys/kernel/security/lockdown; then + ret=1 + fi + + if [ $ret -eq 0 ]; then + log_info "lockdown not enabled" + fi + + return $ret +} + require_root_privileges() { if [ $(id -ru) -ne 0 ]; then diff --git a/tools/testing/selftests/kexec/test_kexec_file_load.sh b/tools/testing/selftests/kexec/test_kexec_file_load.sh index c9ccb3c93d72..790f96938083 100755 --- a/tools/testing/selftests/kexec/test_kexec_file_load.sh +++ b/tools/testing/selftests/kexec/test_kexec_file_load.sh @@ -139,6 +139,16 @@ kexec_file_load_test() log_fail "$succeed_msg (missing IMA sig)" fi + if [ $lockdown -eq 1 ] && [ $kexec_sig_enabled -eq 1 ] \ + && [ $pe_signed -eq 0 ]; then + log_fail "$succeed_msg (missing PE sig)" + fi + + if [ $lockdown -eq 1 ] && [ $kexec_sig_enabled -eq 0 ] && [ $ima_signed -eq 0 ] \ + && [ $ima_modsig -eq 0 ]; then + log_fail "$succeed_msg (missing IMA sig)" + fi + if [ $pe_sig_required -eq 0 ] && [ $ima_appraise -eq 1 ] \ && [ $ima_sig_required -eq 0 ] && [ $ima_signed -eq 0 ] \ && [ $ima_read_policy -eq 0 ]; then @@ -181,6 +191,16 @@ kexec_file_load_test() log_pass "$failed_msg (possibly missing IMA sig)" fi + if [ $lockdown -eq 1 ] && [ $kexec_sig_enabled -eq 1 ] \ + && [ $pe_signed -eq 0 ]; then + log_pass "$failed_msg (missing PE sig)" + fi + + if [ $lockdown -eq 1 ] && [ $kexec_sig_enabled -eq 0 ] \ + && [ $ima_signed -eq 0 ] && [ $ima_modsig -eq 0 ]; then + log_pass "$failed_msg (missing IMA sig)" + fi + log_pass "$failed_msg" return 0 } @@ -215,6 +235,10 @@ kconfig_enabled "CONFIG_KEXEC_SIG_FORCE=y" \ "kexec signed kernel image required" kexec_sig_required=$? +kconfig_enabled "CONFIG_KEXEC_SIG=y" \ + "KEXEC_SIG enabled" +kexec_sig_enabled=$? + kconfig_enabled "CONFIG_KEXEC_BZIMAGE_VERIFY_SIG=y" \ "PE signed kernel image required" pe_sig_required=$? @@ -225,6 +249,9 @@ ima_sig_required=$? get_secureboot_mode secureboot=$? +is_lockdown_enabled +lockdown=$? + # Are there pe and ima signatures if [ "$(get_arch)" == 'ppc64le' ]; then pe_signed=0 diff --git a/tools/testing/selftests/kexec/test_kexec_load.sh b/tools/testing/selftests/kexec/test_kexec_load.sh index 49c6aa929137..0542887866c0 100755 --- a/tools/testing/selftests/kexec/test_kexec_load.sh +++ b/tools/testing/selftests/kexec/test_kexec_load.sh @@ -28,18 +28,24 @@ arch_policy=$? get_secureboot_mode secureboot=$? -# kexec_load should fail in secure boot mode and CONFIG_IMA_ARCH_POLICY enabled +is_lockdown_enabled +lockdown=$? + +# kexec_load should fail in either +# a) secure boot mode and CONFIG_IMA_ARCH_POLICY enabled +# or +# b) lockdown enabled kexec --load $KERNEL_IMAGE > /dev/null 2>&1 if [ $? -eq 0 ]; then kexec --unload - if [ $secureboot -eq 1 ] && [ $arch_policy -eq 1 ]; then + if [ $secureboot -eq 1 -a $arch_policy -eq 1 ] || [ $lockdown -eq 1 ]; then log_fail "kexec_load succeeded" elif [ $ima_appraise -eq 0 -o $arch_policy -eq 0 ]; then log_info "Either IMA or the IMA arch policy is not enabled" fi log_pass "kexec_load succeeded" else - if [ $secureboot -eq 1 ] && [ $arch_policy -eq 1 ] ; then + if [ $secureboot -eq 1 -a $arch_policy -eq 1 ] || [ $lockdown -eq 1 ]; then log_pass "kexec_load failed" else log_fail "kexec_load failed"