Message ID | 1567005240-12912-1-git-send-email-zohar@linux.ibm.com (mailing list archive) |
---|---|
State | Mainlined |
Commit | cbc0425d3dd370a6f0bf23589dc7b6955a53a9ce |
Series | [v1] sefltest/ima: support appended signatures (modsig) |

On 8/28/19 9:14 AM, Mimi Zohar wrote:
> In addition to the PE/COFF and IMA xattr signatures, the kexec kernel
> image can be signed with an appended signature, using the same
> scripts/sign-file tool that is used to sign kernel modules.
>
> This patch adds support for detecting a kernel image signed with an
> appended signature and updates the existing test messages
> appropriately.
>
> Reviewed-by: Petr Vorel <pvorel@suse.cz>
> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
> ---

Thanks Mimi. This commit log looks good. My Ack for the patch
to go through the IMA tree.

Acked-by: Shuah Khan <skhan@linuxfoundation.org>

thanks,
-- Shuah

On Wed, 2019-08-28 at 09:53 -0600, shuah wrote:
> On 8/28/19 9:14 AM, Mimi Zohar wrote:
> > In addition to the PE/COFF and IMA xattr signatures, the kexec kernel
> > image can be signed with an appended signature, using the same
> > scripts/sign-file tool that is used to sign kernel modules.
> >
> > This patch adds support for detecting a kernel image signed with an
> > appended signature and updates the existing test messages
> > appropriately.
> >
> > Reviewed-by: Petr Vorel <pvorel@suse.cz>
> > Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
> > ---
>
> Thanks Mimi. This commit log looks good. My Ack for the patch
> to go through the IMA tree.
>
> Acked-by: Shuah Khan <skhan@linuxfoundation.org>

Thanks!

Mimi

Hello Mimi,

Mimi Zohar <zohar@linux.ibm.com> writes:

> In addition to the PE/COFF and IMA xattr signatures, the kexec kernel
> image can be signed with an appended signature, using the same
> scripts/sign-file tool that is used to sign kernel modules.
>
> This patch adds support for detecting a kernel image signed with an
> appended signature and updates the existing test messages
> appropriately.
>
> Reviewed-by: Petr Vorel <pvorel@suse.cz>
> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>

Thanks for doing this!

Reviewed-by: Thiago Jung Bauermann <bauerman@linux.ibm.com>

On Wed, 2019-08-28 at 20:38 -0300, Thiago Jung Bauermann wrote:
> Hello Mimi,
>
> Mimi Zohar <zohar@linux.ibm.com> writes:
>
> > In addition to the PE/COFF and IMA xattr signatures, the kexec kernel
> > image can be signed with an appended signature, using the same
> > scripts/sign-file tool that is used to sign kernel modules.
> >
> > This patch adds support for detecting a kernel image signed with an
> > appended signature and updates the existing test messages
> > appropriately.
> >
> > Reviewed-by: Petr Vorel <pvorel@suse.cz>
> > Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
>
> Thanks for doing this!

You're welcome. This isn't in lieu of a proper regression test that
verifies the IMA measurement list template modsig and d-modsig data
fields. That still needs to be written.

thanks,

Mimi

diff --git a/tools/testing/selftests/kexec/test_kexec_file_load.sh b/tools/testing/selftests/kexec/test_kexec_file_load.sh index fa7c24e8eefb..2ff600388c30 100755 --- a/tools/testing/selftests/kexec/test_kexec_file_load.sh +++ b/tools/testing/selftests/kexec/test_kexec_file_load.sh @@ -37,11 +37,20 @@ is_ima_sig_required() # sequentially. As a result, a policy rule may be defined, but # might not necessarily be used. This test assumes if a policy # rule is specified, that is the intent. + + # First check for appended signature (modsig), then xattr if [ $ima_read_policy -eq 1 ]; then check_ima_policy "appraise" "func=KEXEC_KERNEL_CHECK" \ - "appraise_type=imasig" + "appraise_type=imasig|modsig" ret=$? - [ $ret -eq 1 ] && log_info "IMA signature required"; + if [ $ret -eq 1 ]; then + log_info "IMA or appended(modsig) signature required" + else + check_ima_policy "appraise" "func=KEXEC_KERNEL_CHECK" \ + "appraise_type=imasig" + ret=$? + [ $ret -eq 1 ] && log_info "IMA signature required"; + fi fi return $ret } @@ -84,6 +93,22 @@ check_for_imasig() return $ret } +# Return 1 for appended signature (modsig) found and 0 for not found. +check_for_modsig() +{ + local module_sig_string="~Module signature appended~" + local sig="$(tail --bytes $((${#module_sig_string} + 1)) $KERNEL_IMAGE)" + local ret=0 + + if [ "$sig" == "$module_sig_string" ]; then + ret=1 + log_info "kexec kernel image modsig signed" + else + log_info "kexec kernel image not modsig signed" + fi + return $ret +} + kexec_file_load_test() { local succeed_msg="kexec_file_load succeeded" @@ -98,7 +123,8 @@ kexec_file_load_test() # In secureboot mode with an architecture specific # policy, make sure either an IMA or PE signature exists. if [ $secureboot -eq 1 ] && [ $arch_policy -eq 1 ] && \ - [ $ima_signed -eq 0 ] && [ $pe_signed -eq 0 ]; then + [ $ima_signed -eq 0 ] && [ $pe_signed -eq 0 ] \ + && [ $ima_modsig -eq 0 ]; then log_fail "$succeed_msg (missing sig)" fi 
@@ -107,7 +133,8 @@ kexec_file_load_test() log_fail "$succeed_msg (missing PE sig)" fi - if [ $ima_sig_required -eq 1 ] && [ $ima_signed -eq 0 ]; then + if [ $ima_sig_required -eq 1 ] && [ $ima_signed -eq 0 ] \ + && [ $ima_modsig -eq 0 ]; then log_fail "$succeed_msg (missing IMA sig)" fi @@ -204,5 +231,8 @@ pe_signed=$? check_for_imasig ima_signed=$? +check_for_modsig +ima_modsig=$? + # Test loading the kernel image via kexec_file_load syscall kexec_file_load_test
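
Review bot: In the is_ima_sig_required() hunk, the new third argument "appraise_type=imasig|modsig" contains a `|`, and the hunk does not show how check_ima_policy matches its arguments. Add a short comment saying the string is the literal policy token and not an alternation, so a later change to the matcher (for example a switch to extended regular expressions) does not silently turn the first check into "imasig or modsig" and make the fallback branch unreachable.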
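
Review bot: In check_for_modsig(), the `+ 1` in `tail --bytes $((${#module_sig_string} + 1))` is undocumented. The comparison only succeeds if the extra byte is a trailing newline that the command substitution strips, so say that in a comment. `$KERNEL_IMAGE` is unquoted, so a path containing whitespace breaks the tail call, and because `local sig="$(...)"` combines declaration and assignment, a tail failure is hidden and reported as "not modsig signed". The function only looks for the marker string at the end of the file and does not parse or verify anything, so "modsig marker found" would describe the result more accurately than "modsig signed". `==` inside `[ ]` is a bashism; `=` is the portable form.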
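
Review bot: In the first kexec_file_load_test() hunk, the comment above the secureboot condition still reads "make sure either an IMA or PE signature exists" although the condition now also accepts `$ima_modsig`; update it to name the appended signature. The continuation style is also mixed: the earlier lines end in `&& \` while the added lines end in `\` and start the next line with `&&`. Pick one form for the whole condition.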
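
Review bot: In the `[ $ima_sig_required -eq 1 ] && [ $ima_signed -eq 0 ] && [ $ima_modsig -eq 0 ]` check, a modsig-only image is now accepted even when the matching policy rule was plain "appraise_type=imasig", because is_ima_sig_required() returns 1 for both the "imasig|modsig" rule and the "imasig" fallback. With an xattr-only rule and an image that carries just the appended marker, a successful kexec_file_load would no longer be reported as a failure. Have is_ima_sig_required() record which rule form matched and only let `$ima_modsig` satisfy the check in the "imasig|modsig" case. The log_fail text "(missing IMA sig)" should also mention the appended signature when that case applies.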