From patchwork Wed Jun 22 22:37:32 2016
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Mehmet Kayaalp
X-Patchwork-Id: 9193895
From: Mehmet Kayaalp
To: David Howells, linux-kernel@vger.kernel.org,
    linux-security-module@vger.kernel.org,
    linux-ima-devel@lists.sourceforge.net, keyrings@vger.kernel.org
Cc: Mimi Zohar, George Wilson, Stefan Berger, Mehmet Kayaalp
Subject: [PATCH 2/3 v2] KEYS: Insert incompressible bytes to vmlinux to reserve space in bzImage
Date: Wed, 22 Jun 2016 18:37:32 -0400
X-Mailer: git-send-email 2.7.4
In-Reply-To: <1466635053-30512-1-git-send-email-mkayaalp@linux.vnet.ibm.com>
References: <1466635053-30512-1-git-send-email-mkayaalp@linux.vnet.ibm.com>
Message-Id: <1466635053-30512-3-git-send-email-mkayaalp@linux.vnet.ibm.com>

Call insert-sys-cert script with null file to ensure that random bytes
are inserted to the space reserved with CONFIG_SYSTEM_EXTRA_CERTIFICATE,
before compressing the vmlinux. This results in an uncompressed reserved
area inside the bzImage as well, so that it can be replaced with an
actual certificate later (after the bzImage is distributed).

Cross compilation is not supported yet.

Signed-off-by: Mehmet Kayaalp
Tested-by: Stefan Berger
Acked-by: Mimi Zohar
---
 arch/x86/boot/compressed/Makefile | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/arch/x86/boot/compressed/Makefile b/arch/x86/boot/compressed/Makefile
index f135688..5b15e56 100644
--- a/arch/x86/boot/compressed/Makefile +++ b/arch/x86/boot/compressed/Makefile @@ -88,8 +88,16 @@ vmlinux-objs-$(CONFIG_EFI_MIXED) += $(obj)/efi_thunk_$(BITS).o $(obj)/vmlinux: $(vmlinux-objs-y) FORCE $(call if_changed,ld) +quiet_cmd_inscert = INSCERT /dev/null to $< + cmd_inscert = scripts/insert-sys-cert -b $< -c /dev/null > /dev/null + OBJCOPYFLAGS_vmlinux.bin := -R .comment -S $(obj)/vmlinux.bin: vmlinux FORCE +ifndef CROSS_COMPILE +ifeq ("$(CONFIG_SYSTEM_EXTRA_CERTIFICATE)", "y") + $(call if_changed,inscert) +endif +endif $(call if_changed,objcopy) targets += $(patsubst $(obj)/%,%,$(vmlinux-objs-y)) vmlinux.bin.all vmlinux.relocs
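
Review bot: The recipe for $(obj)/vmlinux.bin now invokes if_changed twice, "$(call if_changed,inscert)" followed by "$(call if_changed,objcopy)". if_changed saves the executed command for the target in one .cmd file, so the second call overwrites what the first recorded and the change detection for the two steps interferes; kbuild expects it to be used once per target. Consider giving the insertion step its own target, or combining both steps in a single cmd_ definition. Two related points on the same lines: cmd_inscert rewrites the prerequisite "$<" (vmlinux) in place rather than the rule's own target, a side effect that deserves a comment in the Makefile; and under "ifndef CROSS_COMPILE" a cross build with CONFIG_SYSTEM_EXTRA_CERTIFICATE=y skips the step silently, so the bzImage ships without the uncompressed reserved area the commit message describes and nothing tells the builder. A build-time warning or a Kconfig restriction would make that case visible. As a style point, "ifeq ($(CONFIG_SYSTEM_EXTRA_CERTIFICATE),y)" without the quotes matches the usual kbuild form.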