Message ID | 20221121072947.836672-1-coxu@redhat.com (mailing list archive) |
---|---|
State | New, archived |
Series | lockdown: kexec_file: prevent unsigned kernel image when KEXEC_SIG not enabled |
Hi Coiby,

On Mon, 2022-11-21 at 15:29 +0800, Coiby Xu wrote:
> A kernel builder may not enable KEXEC_SIG and some architectures like
> ppc64 simply don't have KEXEC_SIG. In these cases, unless both
> IMA_ARCH_POLICY and secure boot are also enabled, lockdown doesn't prevent
> an unsigned kernel image from being kexec'ed via the kexec_file_load
> syscall whereas it could prevent one via the kexec_load syscall. Mandate
> signature verification for those cases.
>
> Fixes: 155bdd30af17 ("kexec_file: Restrict at runtime if the kernel is locked down")
> Cc: Matthew Garrett <mjg59@srcf.ucam.org>
> Cc: Jiri Bohac <jbohac@suse.cz>
> Cc: David Howells <dhowells@redhat.com>
> Cc: kexec@lists.infradead.org
> Cc: linux-integrity@vger.kernel.org
> Signed-off-by: Coiby Xu <coxu@redhat.com>

Other than correcting the function name to mandate_signature_verification(),

Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
Hi Mimi,

On Mon, Nov 21, 2022 at 01:23:57PM -0500, Mimi Zohar wrote:
>Hi Coiby,
>
>On Mon, 2022-11-21 at 15:29 +0800, Coiby Xu wrote:
>> A kernel builder may not enable KEXEC_SIG and some architectures like
>> ppc64 simply don't have KEXEC_SIG. In these cases, unless both
>> IMA_ARCH_POLICY and secure boot are also enabled, lockdown doesn't prevent
>> an unsigned kernel image from being kexec'ed via the kexec_file_load
>> syscall whereas it could prevent one via the kexec_load syscall. Mandate
>> signature verification for those cases.
>>
>> Fixes: 155bdd30af17 ("kexec_file: Restrict at runtime if the kernel is locked down")
>> Cc: Matthew Garrett <mjg59@srcf.ucam.org>
>> Cc: Jiri Bohac <jbohac@suse.cz>
>> Cc: David Howells <dhowells@redhat.com>
>> Cc: kexec@lists.infradead.org
>> Cc: linux-integrity@vger.kernel.org
>> Signed-off-by: Coiby Xu <coxu@redhat.com>
>
>Other than correcting the function name to mandate_signature_verification(),

Applied to v2, thanks for correcting me! Btw, I realize I overwrote the
return code of kexec_image_verify_sig with
mandate_signature_verification's. v2 has fixed this issue as well.

>
>Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>

And thanks for the review!
On Tue, 2022-11-22 at 10:36 +0800, Coiby Xu wrote:
> Hi Mimi,
>
> On Mon, Nov 21, 2022 at 01:23:57PM -0500, Mimi Zohar wrote:
> >Hi Coiby,
> >
> >On Mon, 2022-11-21 at 15:29 +0800, Coiby Xu wrote:
> >> A kernel builder may not enable KEXEC_SIG and some architectures like
> >> ppc64 simply don't have KEXEC_SIG. In these cases, unless both
> >> IMA_ARCH_POLICY and secure boot are also enabled, lockdown doesn't prevent
> >> an unsigned kernel image from being kexec'ed via the kexec_file_load
> >> syscall whereas it could prevent one via the kexec_load syscall. Mandate
> >> signature verification for those cases.
> >>
> >> Fixes: 155bdd30af17 ("kexec_file: Restrict at runtime if the kernel is locked down")
> >> Cc: Matthew Garrett <mjg59@srcf.ucam.org>
> >> Cc: Jiri Bohac <jbohac@suse.cz>
> >> Cc: David Howells <dhowells@redhat.com>
> >> Cc: kexec@lists.infradead.org
> >> Cc: linux-integrity@vger.kernel.org
> >> Signed-off-by: Coiby Xu <coxu@redhat.com>
> >
> >Other than correcting the function name to mandate_signature_verification(),
>
> Applied to v2, thanks for correcting me! Btw, I realize I overwrote the
> return code of kexec_image_verify_sig with
> mandate_signature_verification's. v2 has fixed this issue as well.
>
> >
> >Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
>
> And thanks for the review!

You're welcome.

Without either IMA_ARCH or KEXEC_SIG enabled, the kexec selftest
test_kexec_file_load.sh properly failed with "kexec_file_load failed
[PASS]", but from the informational messages output, it isn't clear why
it failed. This should be corrected.
On Mon, Nov 28, 2022 at 12:16:08PM -0500, Mimi Zohar wrote:
>On Tue, 2022-11-22 at 10:36 +0800, Coiby Xu wrote:
>> Hi Mimi,
>>
>> On Mon, Nov 21, 2022 at 01:23:57PM -0500, Mimi Zohar wrote:
>> >Hi Coiby,
>> >
>> >On Mon, 2022-11-21 at 15:29 +0800, Coiby Xu wrote:
>> >> A kernel builder may not enable KEXEC_SIG and some architectures like
>> >> ppc64 simply don't have KEXEC_SIG. In these cases, unless both
>> >> IMA_ARCH_POLICY and secure boot are also enabled, lockdown doesn't prevent
>> >> an unsigned kernel image from being kexec'ed via the kexec_file_load
>> >> syscall whereas it could prevent one via the kexec_load syscall. Mandate
>> >> signature verification for those cases.
>> >>
>> >> Fixes: 155bdd30af17 ("kexec_file: Restrict at runtime if the kernel is locked down")
>> >> Cc: Matthew Garrett <mjg59@srcf.ucam.org>
>> >> Cc: Jiri Bohac <jbohac@suse.cz>
>> >> Cc: David Howells <dhowells@redhat.com>
>> >> Cc: kexec@lists.infradead.org
>> >> Cc: linux-integrity@vger.kernel.org
>> >> Signed-off-by: Coiby Xu <coxu@redhat.com>
>> >
>> >Other than correcting the function name to mandate_signature_verification(),
>>
>> Applied to v2, thanks for correcting me! Btw, I realize I overwrote the
>> return code of kexec_image_verify_sig with
>> mandate_signature_verification's. v2 has fixed this issue as well.
>>
>> >
>> >Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
>>
>> And thanks for the review!
>
>You're welcome.
>
>Without either IMA_ARCH or KEXEC_SIG enabled, the kexec selftest
>test_kexec_file_load.sh properly failed with "kexec_file_load failed
>[PASS]", but from the informational messages output, it isn't clear why
>it failed. This should be corrected.

Thanks for the suggestion! I've added some tests in v3 and now the
message is "# kexec_file_load failed (missing IMA sig) [PASS]".

>
>--
>thanks,
>
>Mimi
>
diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c index 45637511e0de..04d56b6e6459 100644 --- a/kernel/kexec_file.c +++ b/kernel/kexec_file.c @@ -125,6 +125,20 @@ void kimage_file_post_load_cleanup(struct kimage *image) image->image_loader_data = NULL; } +static int mandate_signatute_verification(void) +{ + /* + * If IMA is guaranteed to appraise a signature on the kexec + * image, permit it even if the kernel is otherwise locked + * down. + */ + if (!ima_appraise_signature(READING_KEXEC_IMAGE) && + security_locked_down(LOCKDOWN_KEXEC)) + return -EPERM; + + return 0; +} + #ifdef CONFIG_KEXEC_SIG #ifdef CONFIG_SIGNED_PE_FILE_VERIFICATION int kexec_kernel_verify_pe_sig(const char *kernel, unsigned long kernel_len) @@ -168,14 +182,9 @@ kimage_validate_signature(struct kimage *image) return ret; } - /* - * If IMA is guaranteed to appraise a signature on the kexec - * image, permit it even if the kernel is otherwise locked - * down. - */ - if (!ima_appraise_signature(READING_KEXEC_IMAGE) && - security_locked_down(LOCKDOWN_KEXEC)) - return -EPERM; + ret = mandate_signatute_verification(); + if (ret) + return ret; pr_debug("kernel signature verification failed (%d).\n", ret); } @@ -211,10 +220,12 @@ kimage_file_prepare_segments(struct kimage *image, int kernel_fd, int initrd_fd, #ifdef CONFIG_KEXEC_SIG ret = kimage_validate_signature(image); - +#else + ret = mandate_signatute_verification(); +#endif if (ret) goto out; -#endif + /* It is possible that there no initramfs is being loaded */ if (!(flags & KEXEC_FILE_NO_INITRAMFS)) { ret = kernel_read_file_from_fd(initrd_fd, 0, &image->initrd_buf,
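Review bot: the new helper introduced in the first hunk is misspelled as `mandate_signatute_verification` (and the typo is carried into both call sites in the later hunks); rename it to `mandate_signature_verification()`, as the review already asked. The helper itself keeps the original semantics, denying only when `!ima_appraise_signature(READING_KEXEC_IMAGE)` and `security_locked_down(LOCKDOWN_KEXEC)` both hold, and since it is defined outside the `#ifdef CONFIG_KEXEC_SIG` block it is reachable from both callers, so neither configuration produces an unused-function warning.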
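Review bot: in the kimage_validate_signature() hunk, `ret = mandate_signatute_verification();` overwrites the error code that kexec_image_verify_sig() returned, so on a kernel that is not locked down (helper returns 0) the following `pr_debug("kernel signature verification failed (%d).\n", ret);` logs 0 rather than the real verification failure. Keep `ret` untouched for the log line and test the helper directly, e.g. `if (mandate_signatute_verification()) return -EPERM;`, which also preserves the exact return value of the code being replaced; the author confirms this clobbering in the thread and says v2 fixes it.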
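Review bot: in the kimage_file_prepare_segments() hunk the new `#else` branch makes a locked-down kernel built without CONFIG_KEXEC_SIG fail kexec_file_load with -EPERM whenever IMA will not appraise the image, which is the intended closing of the gap, but nothing tells the user why the call failed; the thread already notes that test_kexec_file_load.sh only reports "kexec_file_load failed". Consider a pr_debug() on the `#else` path (the CONFIG_KEXEC_SIG path already logs) and updating the selftest so the reason is visible. Moving `if (ret) goto out;` out from under the `#ifdef` is correct here, since `ret` is now assigned in both branches.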
A kernel builder may not enable KEXEC_SIG and some architectures like
ppc64 simply don't have KEXEC_SIG. In these cases, unless both
IMA_ARCH_POLICY and secure boot are also enabled, lockdown doesn't prevent
an unsigned kernel image from being kexec'ed via the kexec_file_load
syscall whereas it could prevent one via the kexec_load syscall. Mandate
signature verification for those cases.

Fixes: 155bdd30af17 ("kexec_file: Restrict at runtime if the kernel is locked down")
Cc: Matthew Garrett <mjg59@srcf.ucam.org>
Cc: Jiri Bohac <jbohac@suse.cz>
Cc: David Howells <dhowells@redhat.com>
Cc: kexec@lists.infradead.org
Cc: linux-integrity@vger.kernel.org
Signed-off-by: Coiby Xu <coxu@redhat.com>
---
 kernel/kexec_file.c | 31 +++++++++++++++++++++----------
 1 file changed, 21 insertions(+), 10 deletions(-)
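The commit message above describes the combination that leaves kexec_file_load unguarded on a locked-down kernel: no KEXEC_SIG, and not both IMA_ARCH_POLICY and Secure Boot. The following script is an added example, not part of the patch or the kernel tree: it turns that description into a check a practitioner can run against a kernel config, the lockdown state and the Secure Boot flag. It assumes the config lives at /boot/config-$(uname -r) or /proc/config.gz, reads Secure Boot from the EFI variable at /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c (so it reports Secure Boot off on ppc64, which exposes it differently), and mirrors only the conditions the commit message states; the kernel's actual decision is ima_appraise_signature(READING_KEXEC_IMAGE), which also depends on the loaded IMA policy, so a GAP verdict means "verify on the box", not proof.

```shell
#!/bin/sh
# Added example (not from the patch or the kernel tree): classify whether a
# kernel build/runtime combination has the kexec_file_load gap described in
# the commit message: lockdown is active, KEXEC_SIG is not built in, and the
# IMA_ARCH_POLICY + Secure Boot combination that makes IMA appraise the kexec
# image is not present either.

# kexec_file_gap CONFIG_TEXT LOCKDOWN_TEXT SECUREBOOT
#   CONFIG_TEXT   text of the kernel config (/boot/config-$(uname -r))
#   LOCKDOWN_TEXT text of /sys/kernel/security/lockdown, e.g.
#                 "none [integrity] confidentiality" (active mode in brackets)
#   SECUREBOOT    1 if firmware Secure Boot is on, otherwise 0
# Prints the verdict and returns 0 only when the gap applies.
kexec_file_gap() {
    config=$1
    lockdown=$2
    secureboot=$3

    # "[none]" (or an unreadable file) means lockdown is not enforced,
    # so kexec_file_load is not restricted by lockdown in the first place.
    case "$lockdown" in
        *'[none]'*|'') echo no-lockdown; return 1 ;;
    esac

    # With KEXEC_SIG built in, kexec_file_load verifies the image itself.
    if printf '%s\n' "$config" | grep -qx 'CONFIG_KEXEC_SIG=y'; then
        echo kexec_sig; return 1
    fi

    # Without it, only IMA's arch policy (active when Secure Boot is on)
    # makes the kernel appraise a signature on the kexec image.
    if printf '%s\n' "$config" | grep -qx 'CONFIG_IMA_ARCH_POLICY=y' \
       && [ "$secureboot" = 1 ]; then
        echo ima-arch-policy; return 1
    fi

    echo GAP
    return 0
}

# live_check: run the classifier against this machine. Secure Boot is read
# from the EFI variable (4 attribute bytes followed by 1 data byte); ppc64
# exposes it elsewhere, so this wrapper reports 0 there (assumption).
live_check() {
    cfg=/boot/config-$(uname -r)
    if [ -r "$cfg" ]; then
        config=$(cat "$cfg")
    elif [ -r /proc/config.gz ]; then
        config=$(gzip -dc /proc/config.gz)
    else
        echo "kernel config not found" >&2
        return 2
    fi
    lockdown=$(cat /sys/kernel/security/lockdown 2>/dev/null)
    sb=0
    efivar=/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c
    if [ -r "$efivar" ] \
       && [ "$(od -An -tu1 -j4 -N1 "$efivar" | tr -d ' ')" = 1 ]; then
        sb=1
    fi
    kexec_file_gap "$config" "$lockdown" "$sb"
}

# Constructed sample inputs (not captured from any real machine) so the
# classifier can be exercised offline.
SAMPLE_CFG_NOSIG='CONFIG_KEXEC=y
CONFIG_KEXEC_FILE=y
# CONFIG_KEXEC_SIG is not set
CONFIG_IMA_ARCH_POLICY=y'
SAMPLE_LOCKDOWN='none [integrity] confidentiality'

if [ "${1:-}" = --live ]; then
    live_check
else
    # Same config with Secure Boot off: IMA_ARCH_POLICY alone does not help,
    # so this prints GAP.
    kexec_file_gap "$SAMPLE_CFG_NOSIG" "$SAMPLE_LOCKDOWN" 0
fi
```

Run it with `--live` on the target to classify the running kernel; without arguments it runs the constructed sample. On a kernel that carries this patch the GAP case is closed (kexec_file_load returns -EPERM), so the script is most useful for deciding which of your fleet's kernels still need it.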