From: Vivek Goyal <vgoyal@redhat.com>
To: Kees Cook <keescook@chromium.org>
Cc: Matthew Garrett <mjg59@srcf.ucam.org>, Greg KH <greg@kroah.com>,
kexec@lists.infradead.org, LKML <linux-kernel@vger.kernel.org>,
Peter Jones <pjones@redhat.com>, Torsten Duwe <duwe@lst.de>,
"Eric W. Biederman" <ebiederm@xmission.com>,
"H. Peter Anvin" <hpa@zytor.com>
Subject: Re: [PATCH 4/6] kexec: A new system call, kexec_file_load, for in kernel kexec
Date: Thu, 2 Jan 2014 15:39:12 -0500 [thread overview]
Message-ID: <20140102203912.GB22822@redhat.com> (raw)
In-Reply-To: <CAGXu5jKJ88J-++nvkPVvghkXbN+_mB=T1siSDF7yoXQ-d-ONxg@mail.gmail.com>
On Fri, Dec 20, 2013 at 03:20:16PM -0800, Kees Cook wrote:
> On Fri, Dec 20, 2013 at 3:11 PM, Eric W. Biederman
> <ebiederm@xmission.com> wrote:
> > Vivek Goyal <vgoyal@redhat.com> writes:
> >
> >> On Thu, Dec 19, 2013 at 01:54:39PM +0100, Torsten Duwe wrote:
> >>> On Tue, Nov 26, 2013 at 09:27:59AM -0500, Vivek Goyal wrote:
> >
> >>> IMO it's up to user land to search lists of certificates, and present
> >>> only the final chain of trust to the kernel for checking.
> >>>
> >>> ELF is the preferred format for most sane OSes and firmware, and a detached
> >>> signature would probably be simplest to check. If we have the choice,
> >>> without restrictions from braindead boot loaders, ELF should be first.
> >>> And if the pesigning isn't usable and another sig is needed anyway,
> >>> why not apply that to vmlinux(.gz) ?
> >>
> >> I have yet to look deeper into it that if we can sign elf images and
> >> just use elf loader. And can use space extract the elf image out of
> >> a bzImage and pass it to kernel.
> >>
> >> Even if it is doable, one disadvantage seemed to be that extracted
> >> elf images will have to be written to a file so thta it's file descriptor
> >> can be passed to kernel. And that assumed writable root and we chrome
> >> folks seems to have setups where root is not writable.
> >
> > In that case the chrome folks would simply have to use an ELF format
> > kernel and not a bzImage.
>
> If we're doing fd origin verification (not signatures), can't we
> continue to use a regular bzImage?
If secureboot is enabled, it enforces module signature verification. I
think similar will happen for kexec too. How would kernel know that on
a secureboot platform fd original verification will happen and it is
sufficient.
I personally want to support bzImage as well (apart from ELF) because
distributions has been shipping bzImage for a long time and I don't
want to enforce a change there because of secureboot. It is not necessary.
Right now I am thinking more about storing detached bzImage signatures
and passing those signatures to kexec system call.
Thanks
Vivek
_______________________________________________
kexec mailing list
kexec@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/kexec
WARNING: multiple messages have this Message-ID (diff)
From: Vivek Goyal <vgoyal@redhat.com>
To: Kees Cook <keescook@chromium.org>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>,
Torsten Duwe <duwe@lst.de>, Matthew Garrett <mjg59@srcf.ucam.org>,
Greg KH <greg@kroah.com>, LKML <linux-kernel@vger.kernel.org>,
kexec@lists.infradead.org, "H. Peter Anvin" <hpa@zytor.com>,
Peter Jones <pjones@redhat.com>
Subject: Re: [PATCH 4/6] kexec: A new system call, kexec_file_load, for in kernel kexec
Date: Thu, 2 Jan 2014 15:39:12 -0500 [thread overview]
Message-ID: <20140102203912.GB22822@redhat.com> (raw)
In-Reply-To: <CAGXu5jKJ88J-++nvkPVvghkXbN+_mB=T1siSDF7yoXQ-d-ONxg@mail.gmail.com>
On Fri, Dec 20, 2013 at 03:20:16PM -0800, Kees Cook wrote:
> On Fri, Dec 20, 2013 at 3:11 PM, Eric W. Biederman
> <ebiederm@xmission.com> wrote:
> > Vivek Goyal <vgoyal@redhat.com> writes:
> >
> >> On Thu, Dec 19, 2013 at 01:54:39PM +0100, Torsten Duwe wrote:
> >>> On Tue, Nov 26, 2013 at 09:27:59AM -0500, Vivek Goyal wrote:
> >
> >>> IMO it's up to user land to search lists of certificates, and present
> >>> only the final chain of trust to the kernel for checking.
> >>>
> >>> ELF is the preferred format for most sane OSes and firmware, and a detached
> >>> signature would probably be simplest to check. If we have the choice,
> >>> without restrictions from braindead boot loaders, ELF should be first.
> >>> And if the pesigning isn't usable and another sig is needed anyway,
> >>> why not apply that to vmlinux(.gz) ?
> >>
> >> I have yet to look deeper into it that if we can sign elf images and
> >> just use elf loader. And can use space extract the elf image out of
> >> a bzImage and pass it to kernel.
> >>
> >> Even if it is doable, one disadvantage seemed to be that extracted
> >> elf images will have to be written to a file so thta it's file descriptor
> >> can be passed to kernel. And that assumed writable root and we chrome
> >> folks seems to have setups where root is not writable.
> >
> > In that case the chrome folks would simply have to use an ELF format
> > kernel and not a bzImage.
>
> If we're doing fd origin verification (not signatures), can't we
> continue to use a regular bzImage?
If secureboot is enabled, it enforces module signature verification. I
think similar will happen for kexec too. How would kernel know that on
a secureboot platform fd original verification will happen and it is
sufficient.
I personally want to support bzImage as well (apart from ELF) because
distributions has been shipping bzImage for a long time and I don't
want to enforce a change there because of secureboot. It is not necessary.
Right now I am thinking more about storing detached bzImage signatures
and passing those signatures to kexec system call.
Thanks
Vivek
next prev parent reply other threads:[~2014-01-02 20:39 UTC|newest]
Thread overview: 180+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-11-20 17:50 [PATCH 0/6] kexec: A new system call to allow in kernel loading Vivek Goyal
2013-11-20 17:50 ` Vivek Goyal
2013-11-20 17:50 ` [PATCH 1/6] kexec: Export vmcoreinfo note size properly Vivek Goyal
2013-11-20 17:50 ` Vivek Goyal
2013-11-21 18:59 ` Greg KH
2013-11-21 18:59 ` Greg KH
2013-11-21 19:08 ` Vivek Goyal
2013-11-21 19:08 ` Vivek Goyal
2013-11-20 17:50 ` [PATCH 2/6] kexec: Move segment verification code in a separate function Vivek Goyal
2013-11-20 17:50 ` Vivek Goyal
2013-11-20 17:50 ` [PATCH 3/6] resource: Provide new functions to walk through resources Vivek Goyal
2013-11-20 17:50 ` Vivek Goyal
2013-11-20 17:50 ` [PATCH 4/6] kexec: A new system call, kexec_file_load, for in kernel kexec Vivek Goyal
2013-11-20 17:50 ` Vivek Goyal
2013-11-21 19:03 ` Greg KH
2013-11-21 19:03 ` Greg KH
2013-11-21 19:06 ` Matthew Garrett
2013-11-21 19:06 ` Matthew Garrett
2013-11-21 19:13 ` Vivek Goyal
2013-11-21 19:13 ` Vivek Goyal
2013-11-21 19:19 ` Matthew Garrett
2013-11-21 19:19 ` Matthew Garrett
2013-11-21 19:24 ` Vivek Goyal
2013-11-21 19:24 ` Vivek Goyal
2013-11-22 18:57 ` Vivek Goyal
2013-11-22 18:57 ` Vivek Goyal
2013-11-23 3:39 ` Eric W. Biederman
2013-11-23 3:39 ` Eric W. Biederman
2013-11-25 16:39 ` Vivek Goyal
2013-11-25 16:39 ` Vivek Goyal
2013-11-26 12:23 ` Eric W. Biederman
2013-11-26 12:23 ` Eric W. Biederman
2013-11-26 14:27 ` Vivek Goyal
2013-11-26 14:27 ` Vivek Goyal
2013-12-19 12:54 ` Torsten Duwe
2013-12-19 12:54 ` Torsten Duwe
2013-12-20 14:19 ` Vivek Goyal
2013-12-20 14:19 ` Vivek Goyal
2013-12-20 23:11 ` Eric W. Biederman
2013-12-20 23:11 ` Eric W. Biederman
2013-12-20 23:20 ` Kees Cook
2013-12-20 23:20 ` Kees Cook
2013-12-21 11:38 ` Torsten Duwe
2013-12-21 11:38 ` Torsten Duwe
2014-01-02 20:39 ` Vivek Goyal [this message]
2014-01-02 20:39 ` Vivek Goyal
2014-01-02 20:56 ` H. Peter Anvin
2014-01-02 20:56 ` H. Peter Anvin
2014-01-06 21:33 ` Josh Boyer
2014-01-06 21:33 ` Josh Boyer
2014-01-07 4:22 ` H. Peter Anvin
2014-01-07 4:22 ` H. Peter Anvin
2013-12-20 23:20 ` H. Peter Anvin
2013-12-20 23:20 ` H. Peter Anvin
2013-12-21 1:32 ` Eric W. Biederman
2013-12-21 1:32 ` Eric W. Biederman
2013-12-21 3:32 ` H. Peter Anvin
2013-12-21 3:32 ` H. Peter Anvin
2013-12-21 12:15 ` Torsten Duwe
2013-12-21 12:15 ` Torsten Duwe
2013-11-21 19:16 ` Vivek Goyal
2013-11-21 19:16 ` Vivek Goyal
2013-11-22 1:03 ` Kees Cook
2013-11-22 1:03 ` Kees Cook
2013-11-22 2:13 ` Vivek Goyal
2013-11-22 2:13 ` Vivek Goyal
2013-11-22 20:42 ` Jiri Kosina
2013-11-22 20:42 ` Jiri Kosina
2014-01-17 19:17 ` Vivek Goyal
2014-01-17 19:17 ` Vivek Goyal
2013-11-29 3:10 ` Baoquan He
2013-11-29 3:10 ` Baoquan He
2013-12-02 15:27 ` WANG Chao
2013-12-02 15:27 ` WANG Chao
2013-12-02 15:44 ` Vivek Goyal
2013-12-02 15:44 ` Vivek Goyal
2013-12-04 1:35 ` Baoquan He
2013-12-04 1:35 ` Baoquan He
2013-12-04 17:19 ` Vivek Goyal
2013-12-04 17:19 ` Vivek Goyal
2013-12-04 1:56 ` Baoquan He
2013-12-04 1:56 ` Baoquan He
2013-12-04 8:19 ` Baoquan He
2013-12-04 8:19 ` Baoquan He
2013-12-04 17:32 ` Vivek Goyal
2013-12-04 17:32 ` Vivek Goyal
2013-11-20 17:50 ` [PATCH 5/6] kexec-bzImage: Support for loading bzImage using 64bit entry Vivek Goyal
2013-11-20 17:50 ` Vivek Goyal
2013-11-21 19:07 ` Greg KH
2013-11-21 19:07 ` Greg KH
2013-11-21 19:21 ` Vivek Goyal
2013-11-21 19:21 ` Vivek Goyal
2013-11-22 15:24 ` H. Peter Anvin
2013-11-22 15:24 ` H. Peter Anvin
2013-11-28 11:35 ` Baoquan He
2013-11-28 11:35 ` Baoquan He
2013-12-02 15:36 ` Vivek Goyal
2013-12-02 15:36 ` Vivek Goyal
2013-11-20 17:50 ` [PATCH 6/6] kexec: Support for Kexec on panic using new system call Vivek Goyal
2013-11-20 17:50 ` Vivek Goyal
2013-11-28 11:28 ` Baoquan He
2013-11-28 11:28 ` Baoquan He
2013-12-02 15:30 ` Vivek Goyal
2013-12-02 15:30 ` Vivek Goyal
2013-12-04 1:51 ` Baoquan He
2013-12-04 1:51 ` Baoquan He
2013-12-04 17:20 ` Vivek Goyal
2013-12-04 17:20 ` Vivek Goyal
2013-12-04 1:41 ` Baoquan He
2013-12-04 1:41 ` Baoquan He
2013-12-04 17:19 ` Vivek Goyal
2013-12-04 17:19 ` Vivek Goyal
2013-11-21 18:58 ` [PATCH 0/6] kexec: A new system call to allow in kernel loading Greg KH
2013-11-21 18:58 ` Greg KH
2013-11-21 19:07 ` Vivek Goyal
2013-11-21 19:07 ` Vivek Goyal
2013-11-21 19:46 ` Vivek Goyal
2013-11-21 19:46 ` Vivek Goyal
2013-11-21 19:06 ` Geert Uytterhoeven
2013-11-21 19:06 ` Geert Uytterhoeven
2013-11-21 19:14 ` Vivek Goyal
2013-11-21 19:14 ` Vivek Goyal
2013-11-21 23:07 ` Eric W. Biederman
2013-11-21 23:07 ` Eric W. Biederman
2013-11-22 1:28 ` H. Peter Anvin
2013-11-22 1:28 ` H. Peter Anvin
2013-11-22 2:35 ` Vivek Goyal
2013-11-22 2:35 ` Vivek Goyal
2013-11-22 2:40 ` H. Peter Anvin
2013-11-22 2:40 ` H. Peter Anvin
2013-11-22 1:55 ` Vivek Goyal
2013-11-22 1:55 ` Vivek Goyal
2013-11-22 9:09 ` Geert Uytterhoeven
2013-11-22 9:09 ` Geert Uytterhoeven
2013-11-22 13:30 ` Jiri Kosina
2013-11-22 13:30 ` Jiri Kosina
2013-11-22 13:46 ` Vivek Goyal
2013-11-22 13:46 ` Vivek Goyal
2013-11-22 13:50 ` Jiri Kosina
2013-11-22 13:50 ` Jiri Kosina
2013-11-22 15:33 ` Vivek Goyal
2013-11-22 15:33 ` Vivek Goyal
2013-11-22 17:45 ` Kees Cook
2013-11-22 17:45 ` Kees Cook
2013-11-22 13:43 ` Vivek Goyal
2013-11-22 13:43 ` Vivek Goyal
2013-11-22 15:25 ` Geert Uytterhoeven
2013-11-22 15:25 ` Geert Uytterhoeven
2013-11-22 15:33 ` Jiri Kosina
2013-11-22 15:33 ` Jiri Kosina
2013-11-22 15:57 ` Eric Paris
2013-11-22 15:57 ` Eric Paris
2013-11-22 16:04 ` Jiri Kosina
2013-11-22 16:04 ` Jiri Kosina
2013-11-22 16:08 ` Vivek Goyal
2013-11-22 16:08 ` Vivek Goyal
2013-11-22 13:34 ` Eric W. Biederman
2013-11-22 13:34 ` Eric W. Biederman
2013-11-22 14:19 ` Vivek Goyal
2013-11-22 14:19 ` Vivek Goyal
2013-11-22 19:48 ` Greg KH
2013-11-22 19:48 ` Greg KH
2013-11-23 3:23 ` Eric W. Biederman
2013-11-23 3:23 ` Eric W. Biederman
2013-12-04 19:34 ` Vivek Goyal
2013-12-04 19:34 ` Vivek Goyal
2013-12-05 4:10 ` Eric W. Biederman
2013-12-05 4:10 ` Eric W. Biederman
2013-11-25 10:04 ` Michael Holzheu
2013-11-25 10:04 ` Michael Holzheu
2013-11-25 15:36 ` Vivek Goyal
2013-11-25 15:36 ` Vivek Goyal
2013-11-25 16:15 ` Michael Holzheu
2013-11-25 16:15 ` Michael Holzheu
2013-11-22 0:55 ` HATAYAMA Daisuke
2013-11-22 0:55 ` HATAYAMA Daisuke
2013-11-22 2:03 ` Vivek Goyal
2013-11-22 2:03 ` Vivek Goyal
2013-12-03 13:23 ` Baoquan He
2013-12-03 13:23 ` Baoquan He
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140102203912.GB22822@redhat.com \
--to=vgoyal@redhat.com \
--cc=duwe@lst.de \
--cc=ebiederm@xmission.com \
--cc=greg@kroah.com \
--cc=hpa@zytor.com \
--cc=keescook@chromium.org \
--cc=kexec@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mjg59@srcf.ucam.org \
--cc=pjones@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.