From patchwork Thu Aug 22 11:01:54 2013 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Chun-Yi Lee X-Patchwork-Id: 2848189 Return-Path: X-Original-To: patchwork-linux-pm@patchwork.kernel.org Delivered-To: patchwork-parsemail@patchwork2.web.kernel.org Received: from mail.kernel.org (mail.kernel.org [198.145.19.201]) by patchwork2.web.kernel.org (Postfix) with ESMTP id B7286BF546 for ; Thu, 22 Aug 2013 11:06:27 +0000 (UTC) Received: from mail.kernel.org (localhost [127.0.0.1]) by mail.kernel.org (Postfix) with ESMTP id 3BC692061B for ; Thu, 22 Aug 2013 11:06:26 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 4A92120617 for ; Thu, 22 Aug 2013 11:06:24 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753887Ab3HVLGO (ORCPT ); Thu, 22 Aug 2013 07:06:14 -0400 Received: from mail-pb0-f45.google.com ([209.85.160.45]:42027 "EHLO mail-pb0-f45.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753859Ab3HVLGL (ORCPT ); Thu, 22 Aug 2013 07:06:11 -0400 Received: by mail-pb0-f45.google.com with SMTP id mc17so1620540pbc.4 for ; Thu, 22 Aug 2013 04:06:10 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=wQWxs+9xDJv5mM/l/2F8D2AVI6EDvYCKJ2qH895o9d4=; b=VrgS3cvGqj1aV8VZiKRg7L+BbulaJ7yPFsMv1SxWdnJ6YJP6UFfxfsV2KnTj6Z/cZs 9g8hfDzOl+axi3W6NQZ5e4fHz3KVXFqb062PQor4HB/Ho07KD5dTuxRs4Iuj1aESiX1m Up++jeSvlBXg/Aoq8i5jKu7I8TTkN2qo/W5Td2GNUu8+LuazAnOcOGjMRQ9qaPQr6Kid Kk2HJzIwofzBg0GGj8+0eMxZmiUm7UGPVH5mAjOUqc2YTlcgMdxMkJX03JNr6EAwbWJB D46awDMmUEVd05JVO8O88pk7xOZIOPtrN4xwmLqStQ/SCp/V0qWb9Kn7AKdevyQZsswk 6Ebg== X-Received: by 10.68.216.33 with SMTP id on1mr4809252pbc.107.1377169570744; Thu, 22 Aug 2013 04:06:10 -0700 (PDT) Received: from localhost.localdomain ([130.57.30.250]) by mx.google.com with ESMTPSA id ht5sm14182603pbb.29.1969.12.31.16.00.00 (version=TLSv1 cipher=RC4-SHA bits=128/128); Thu, 22 Aug 2013 04:06:09 -0700 (PDT) From: "Lee, Chun-Yi" To: linux-kernel@vger.kernel.org Cc: linux-security-module@vger.kernel.org, linux-efi@vger.kernel.org, linux-pm@vger.kernel.org, linux-crypto@vger.kernel.org, opensuse-kernel@opensuse.org, David Howells , "Rafael J. Wysocki" , Matthew Garrett , Len Brown , Pavel Machek , Josh Boyer , Vojtech Pavlik , Matt Fleming , James Bottomley , Greg KH , JKosina@suse.com, Rusty Russell , Herbert Xu , "David S. Miller" , "H. Peter Anvin" , Michal Marek , Gary Lin , Vivek Goyal , "Lee, Chun-Yi" Subject: [PATCH 15/18] Hibernate: adapt to UEFI secure boot with signature check Date: Thu, 22 Aug 2013 19:01:54 +0800 Message-Id: <1377169317-5959-16-git-send-email-jlee@suse.com> X-Mailer: git-send-email 1.6.0.2 In-Reply-To: <1377169317-5959-1-git-send-email-jlee@suse.com> References: <1377169317-5959-1-git-send-email-jlee@suse.com> Sender: linux-pm-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-pm@vger.kernel.org X-Spam-Status: No, score=-9.6 required=5.0 tests=BAYES_00, DKIM_ADSP_CUSTOM_MED, DKIM_SIGNED, FREEMAIL_FROM, RCVD_IN_DNSWL_HI, RP_MATCHES_RCVD, T_DKIM_INVALID, UNPARSEABLE_RELAY autolearn=unavailable version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP In current solution, the snapshot signature check used the RSA key-pair that are generated by bootloader(e.g. shim) and pass the key-pair to kernel through EFI variables. I choice to binding the snapshot signature check mechanism with UEFI secure boot for provide stronger protection of hibernate. Current behavior is following: + UEFI Secure Boot ON, Kernel found key-pair from shim: Will do the S4 signature check. + UEFI Secure Boot ON, Kernel didn't find key-pair from shim: Will lock down S4 function. + UEFI Secure Boot OFF Will NOT do the S4 signature check. Ignore any keys from bootloader. v2: Replace sign_key_data_loaded() by skey_data_available() to check sign key data is available for hibernate. Reviewed-by: Jiri Kosina Signed-off-by: Lee, Chun-Yi --- kernel/power/hibernate.c | 36 +++++++++++++++++- kernel/power/main.c | 11 +++++- kernel/power/snapshot.c | 95 ++++++++++++++++++++++++++-------------------- kernel/power/swap.c | 4 +- kernel/power/user.c | 11 +++++ 5 files changed, 112 insertions(+), 45 deletions(-) diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c index c545b15..0f19f3d 100644 --- a/kernel/power/hibernate.c +++ b/kernel/power/hibernate.c @@ -29,6 +29,7 @@ #include #include #include +#include #include "power.h" @@ -632,7 +633,14 @@ static void power_down(void) int hibernate(void) { int error; - int skey_error; + +#ifdef CONFIG_SNAPSHOT_VERIFICATION + if (!capable(CAP_COMPROMISE_KERNEL) && !skey_data_available()) { +#else + if (!capable(CAP_COMPROMISE_KERNEL)) { +#endif + return -EPERM; + } lock_system_sleep(); /* The snapshot device should not be opened while we're running */ @@ -799,6 +807,15 @@ static int software_resume(void) if (error) goto Unlock; +#ifdef CONFIG_SNAPSHOT_VERIFICATION + if (!capable(CAP_COMPROMISE_KERNEL) && !wkey_data_available()) { +#else + if (!capable(CAP_COMPROMISE_KERNEL)) { +#endif + mutex_unlock(&pm_mutex); + return -EPERM; + } + /* The snapshot device should not be opened while we're running */ if (!atomic_add_unless(&snapshot_device_available, -1, 0)) { error = -EBUSY; @@ -892,6 +909,15 @@ static ssize_t disk_show(struct kobject *kobj, struct kobj_attribute *attr, int i; char *start = buf; +#ifdef CONFIG_SNAPSHOT_VERIFICATION + if (efi_enabled(EFI_SECURE_BOOT) && !skey_data_available()) { +#else + if (efi_enabled(EFI_SECURE_BOOT)) { +#endif + buf += sprintf(buf, "[%s]\n", "disabled"); + return buf-start; + } + for (i = HIBERNATION_FIRST; i <= HIBERNATION_MAX; i++) { if (!hibernation_modes[i]) continue; @@ -926,6 +952,14 @@ static ssize_t disk_store(struct kobject *kobj, struct kobj_attribute *attr, char *p; int mode = HIBERNATION_INVALID; +#ifdef CONFIG_SNAPSHOT_VERIFICATION + if (!capable(CAP_COMPROMISE_KERNEL) && !skey_data_available()) { +#else + if (!capable(CAP_COMPROMISE_KERNEL)) { +#endif + return -EPERM; + } + p = memchr(buf, '\n', n); len = p ? p - buf : n; diff --git a/kernel/power/main.c b/kernel/power/main.c index 1d1bf63..47bf300 100644 --- a/kernel/power/main.c +++ b/kernel/power/main.c @@ -15,6 +15,7 @@ #include #include #include +#include #include "power.h" @@ -301,7 +302,15 @@ static ssize_t state_show(struct kobject *kobj, struct kobj_attribute *attr, } #endif #ifdef CONFIG_HIBERNATION - s += sprintf(s, "%s\n", "disk"); + if (!efi_enabled(EFI_SECURE_BOOT)) { + s += sprintf(s, "%s\n", "disk"); +#ifdef CONFIG_SNAPSHOT_VERIFICATION + } else if (skey_data_available()) { + s += sprintf(s, "%s\n", "disk"); +#endif + } else { + s += sprintf(s, "\n"); + } #else if (s != buf) /* convert the last space to a newline */ diff --git a/kernel/power/snapshot.c b/kernel/power/snapshot.c index cf3d69c..36c7157 100644 --- a/kernel/power/snapshot.c +++ b/kernel/power/snapshot.c @@ -860,7 +860,8 @@ static struct page *saveable_highmem_page(struct zone *zone, unsigned long pfn) BUG_ON(!PageHighMem(page)); - if (swsusp_page_is_sign_key(page)) + if (!capable(CAP_COMPROMISE_KERNEL) && + swsusp_page_is_sign_key(page)) return NULL; if (swsusp_page_is_forbidden(page) || swsusp_page_is_free(page) || @@ -925,7 +926,8 @@ static struct page *saveable_page(struct zone *zone, unsigned long pfn) BUG_ON(PageHighMem(page)); - if (swsusp_page_is_sign_key(page)) + if (!capable(CAP_COMPROMISE_KERNEL) && + swsusp_page_is_sign_key(page)) return NULL; if (swsusp_page_is_forbidden(page) || swsusp_page_is_free(page)) @@ -1056,35 +1058,37 @@ copy_data_pages(struct memory_bitmap *copy_bm, struct memory_bitmap *orig_bm) #ifdef CONFIG_SNAPSHOT_VERIFICATION struct page *d_page; void *hash_buffer = NULL; - struct crypto_shash *tfm; - struct shash_desc *desc; - u8 *digest; + struct crypto_shash *tfm = NULL; + struct shash_desc *desc = NULL; + u8 *digest = NULL; size_t digest_size, desc_size; struct key *s4_sign_key; struct public_key_signature *pks; int ret; ret = -ENOMEM; - tfm = crypto_alloc_shash(SNAPSHOT_HASH, 0, 0); - if (IS_ERR(tfm)) { - pr_err("IS_ERR(tfm): %ld", PTR_ERR(tfm)); - return PTR_ERR(tfm); - } + if (!capable(CAP_COMPROMISE_KERNEL)) { + tfm = crypto_alloc_shash(SNAPSHOT_HASH, 0, 0); + if (IS_ERR(tfm)) { + pr_err("IS_ERR(tfm): %ld", PTR_ERR(tfm)); + return PTR_ERR(tfm); + } - desc_size = crypto_shash_descsize(tfm) + sizeof(*desc); - digest_size = crypto_shash_digestsize(tfm); - digest = kzalloc(digest_size + desc_size, GFP_KERNEL); - if (!digest) { - pr_err("digest allocate fail"); - ret = -ENOMEM; - goto error_digest; + desc_size = crypto_shash_descsize(tfm) + sizeof(*desc); + digest_size = crypto_shash_digestsize(tfm); + digest = kzalloc(digest_size + desc_size, GFP_KERNEL); + if (!digest) { + pr_err("digest allocate fail"); + ret = -ENOMEM; + goto error_digest; + } + desc = (void *) digest + digest_size; + desc->tfm = tfm; + desc->flags = CRYPTO_TFM_REQ_MAY_SLEEP; + ret = crypto_shash_init(desc); + if (ret < 0) + goto error_shash; } - desc = (void *) digest + digest_size; - desc->tfm = tfm; - desc->flags = CRYPTO_TFM_REQ_MAY_SLEEP; - ret = crypto_shash_init(desc); - if (ret < 0) - goto error_shash; #endif /* CONFIG_SNAPSHOT_VERIFICATION */ for_each_populated_zone(zone) { @@ -1106,24 +1110,29 @@ copy_data_pages(struct memory_bitmap *copy_bm, struct memory_bitmap *orig_bm) copy_data_page(dst_pfn, pfn); #ifdef CONFIG_SNAPSHOT_VERIFICATION - /* Generate digest */ - d_page = pfn_to_page(dst_pfn); - if (PageHighMem(d_page)) { - void *kaddr; - kaddr = kmap_atomic(d_page); - copy_page(buffer, kaddr); - kunmap_atomic(kaddr); - hash_buffer = buffer; - } else { - hash_buffer = page_address(d_page); + if (!capable(CAP_COMPROMISE_KERNEL)) { + /* Generate digest */ + d_page = pfn_to_page(dst_pfn); + if (PageHighMem(d_page)) { + void *kaddr; + kaddr = kmap_atomic(d_page); + copy_page(buffer, kaddr); + kunmap_atomic(kaddr); + hash_buffer = buffer; + } else { + hash_buffer = page_address(d_page); + } + ret = crypto_shash_update(desc, hash_buffer, PAGE_SIZE); + if (ret) + goto error_shash; } - ret = crypto_shash_update(desc, hash_buffer, PAGE_SIZE); - if (ret) - goto error_shash; #endif } #ifdef CONFIG_SNAPSHOT_VERIFICATION + if (capable(CAP_COMPROMISE_KERNEL)) + goto skip_sign; + crypto_shash_final(desc, digest); if (ret) goto error_shash; @@ -1153,6 +1162,8 @@ copy_data_pages(struct memory_bitmap *copy_bm, struct memory_bitmap *orig_bm) kfree(pks); kfree(digest); crypto_free_shash(tfm); + +skip_sign: #endif /* CONFIG_SNAPSHOT_VERIFICATION */ return 0; @@ -2382,9 +2393,11 @@ int snapshot_write_next(struct snapshot_handle *handle) /* Allocate void * array to keep buffer point for generate hash, * h_buf will freed in snapshot_image_verify(). */ - h_buf = kmalloc(sizeof(void *) * nr_copy_pages, GFP_KERNEL); - if (!h_buf) - pr_err("Allocate hash buffer fail!"); + if (!capable(CAP_COMPROMISE_KERNEL)) { + h_buf = kmalloc(sizeof(void *) * nr_copy_pages, GFP_KERNEL); + if (!h_buf) + pr_err("Allocate hash buffer fail!"); + } #endif error = memory_bm_create(©_bm, GFP_ATOMIC, PG_ANY); @@ -2414,7 +2427,7 @@ int snapshot_write_next(struct snapshot_handle *handle) if (IS_ERR(handle->buffer)) return PTR_ERR(handle->buffer); #ifdef CONFIG_SNAPSHOT_VERIFICATION - if (h_buf) + if (!capable(CAP_COMPROMISE_KERNEL) && h_buf) *h_buf = handle->buffer; #endif } @@ -2428,7 +2441,7 @@ int snapshot_write_next(struct snapshot_handle *handle) if (handle->buffer != buffer) handle->sync_read = 0; #ifdef CONFIG_SNAPSHOT_VERIFICATION - if (h_buf) + if (!capable(CAP_COMPROMISE_KERNEL) && h_buf) *(h_buf + (handle->cur - nr_meta_pages - 1)) = handle->buffer; /* Keep the buffer of sign key in snapshot */ if (pfn == skey_data_buf_pfn) diff --git a/kernel/power/swap.c b/kernel/power/swap.c index b5f8ce1..40225d7 100644 --- a/kernel/power/swap.c +++ b/kernel/power/swap.c @@ -1005,7 +1005,7 @@ static int load_image(struct swap_map_handle *handle, if (!snapshot_image_loaded(snapshot)) ret = -ENODATA; #ifdef CONFIG_SNAPSHOT_VERIFICATION - else { + else if (!capable(CAP_COMPROMISE_KERNEL)) { ret = snapshot_image_verify(); if (ret) pr_info("PM: snapshot signature check FAIL: %d\n", ret); @@ -1370,7 +1370,7 @@ out_finish: } } #ifdef CONFIG_SNAPSHOT_VERIFICATION - if (!ret) { + if (!ret && !capable(CAP_COMPROMISE_KERNEL)) { ret = snapshot_image_verify(); if (ret) pr_info("PM: snapshot signature check FAIL: %d\n", ret); diff --git a/kernel/power/user.c b/kernel/power/user.c index 27b21ee..690f148 100644 --- a/kernel/power/user.c +++ b/kernel/power/user.c @@ -48,6 +48,14 @@ static int snapshot_open(struct inode *inode, struct file *filp) struct snapshot_data *data; int error; +#ifdef CONFIG_SNAPSHOT_VERIFICATION + if (!capable(CAP_COMPROMISE_KERNEL) && !wkey_data_available()) { +#else + if (!capable(CAP_COMPROMISE_KERNEL)) { +#endif + return -EPERM; + } + lock_system_sleep(); if (!atomic_add_unless(&snapshot_device_available, -1, 0)) { @@ -255,6 +263,8 @@ static long snapshot_ioctl(struct file *filp, unsigned int cmd, break; } #ifdef CONFIG_SNAPSHOT_VERIFICATION + if (capable(CAP_COMPROMISE_KERNEL)) + goto skip_verify; if (!snapshot_image_verify()) { pr_info("PM: snapshot signature check SUCCESS!\n"); snapshot_fill_s4_skey(); @@ -263,6 +273,7 @@ static long snapshot_ioctl(struct file *filp, unsigned int cmd, error = -EPERM; break; } +skip_verify: #endif error = hibernation_restore(data->platform_support); break;