* [PATCH v3 1/2] lockdown: kexec_file: prevent unsigned kernel image when KEXEC_SIG not enabled
@ 2022-12-30 6:58 Coiby Xu
2022-12-30 6:58 ` [PATCH v3 2/2] selftests/kexec: enable lockdown tests Coiby Xu
2023-01-03 14:42 ` [PATCH v3 1/2] lockdown: kexec_file: prevent unsigned kernel image when KEXEC_SIG not enabled Mimi Zohar
0 siblings, 2 replies; 4+ messages in thread
From: Coiby Xu @ 2022-12-30 6:58 UTC (permalink / raw)
To: kexec
Cc: Mimi Zohar, Matthew Garrett, Jiri Bohac, David Howells,
linux-integrity, Eric Biederman, Matthew Garrett, James Morris,
open list
A kernel builder may not enable KEXEC_SIG and some architectures like
ppc64 simply don't have KEXEC_SIG. In these cases, unless both
IMA_ARCH_POLICY and secure boot also enabled, lockdown doesn't prevent
unsigned kernel image from being kexec'ed via the kexec_file_load
syscall whereas it could prevent one via the kexec_load syscall. Mandate
signature verification for those cases.
Fixes: 155bdd30af17 ("kexec_file: Restrict at runtime if the kernel is locked down")
Cc: Matthew Garrett <mjg59@srcf.ucam.org>
Cc: Jiri Bohac <jbohac@suse.cz>
Cc: David Howells <dhowells@redhat.com>
Cc: kexec@lists.infradead.org
Cc: linux-integrity@vger.kernel.org
Signed-off-by: Coiby Xu <coxu@redhat.com>
Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
---
v3
- add lockdown tests to explain why kexec_file_load failed [Mimi]
v2
- collect reviewed-by tag from Mimi
- s/mandate_signatute_verification/mandate_signature_verification [Mimi]
- return the status of kexec_image_verify_sig correctly when signature
verification is not mandated
---
kernel/kexec_file.c | 26 +++++++++++++++++---------
1 file changed, 17 insertions(+), 9 deletions(-)
diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
index dd5983010b7b..2c1054ab21ef 100644
--- a/kernel/kexec_file.c
+++ b/kernel/kexec_file.c
@@ -125,6 +125,17 @@ void kimage_file_post_load_cleanup(struct kimage *image)
image->image_loader_data = NULL;
}
+static bool mandate_signature_verification(void)
+{
+ /*
+ * If IMA is guaranteed to appraise a signature on the kexec
+ * image, permit it even if the kernel is otherwise locked
+ * down.
+ */
+ return !ima_appraise_signature(READING_KEXEC_IMAGE) &&
+ security_locked_down(LOCKDOWN_KEXEC);
+}
+
#ifdef CONFIG_KEXEC_SIG
#ifdef CONFIG_SIGNED_PE_FILE_VERIFICATION
int kexec_kernel_verify_pe_sig(const char *kernel, unsigned long kernel_len)
@@ -168,13 +179,7 @@ kimage_validate_signature(struct kimage *image)
return ret;
}
- /*
- * If IMA is guaranteed to appraise a signature on the kexec
- * image, permit it even if the kernel is otherwise locked
- * down.
- */
- if (!ima_appraise_signature(READING_KEXEC_IMAGE) &&
- security_locked_down(LOCKDOWN_KEXEC))
+ if (mandate_signature_verification())
return -EPERM;
pr_debug("kernel signature verification failed (%d).\n", ret);
@@ -211,10 +216,13 @@ kimage_file_prepare_segments(struct kimage *image, int kernel_fd, int initrd_fd,
#ifdef CONFIG_KEXEC_SIG
ret = kimage_validate_signature(image);
-
+#else
+ if (mandate_signature_verification())
+ ret = -EPERM;
+#endif
if (ret)
goto out;
-#endif
+
/* It is possible that there no initramfs is being loaded */
if (!(flags & KEXEC_FILE_NO_INITRAMFS)) {
ret = kernel_read_file_from_fd(initrd_fd, 0, &image->initrd_buf,
--
2.38.1
_______________________________________________
kexec mailing list
kexec@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/kexec
^ permalink raw reply related [flat|nested] 4+ messages in thread
* [PATCH v3 2/2] selftests/kexec: enable lockdown tests
2022-12-30 6:58 [PATCH v3 1/2] lockdown: kexec_file: prevent unsigned kernel image when KEXEC_SIG not enabled Coiby Xu
@ 2022-12-30 6:58 ` Coiby Xu
2023-01-03 13:48 ` Mimi Zohar
2023-01-03 14:42 ` [PATCH v3 1/2] lockdown: kexec_file: prevent unsigned kernel image when KEXEC_SIG not enabled Mimi Zohar
1 sibling, 1 reply; 4+ messages in thread
From: Coiby Xu @ 2022-12-30 6:58 UTC (permalink / raw)
To: kexec
Cc: Mimi Zohar, linux-integrity, Shuah Khan,
open list:KERNEL SELFTEST FRAMEWORK, open list
When lockdown is enabled, kexec_load syscall should always fail.
For kexec_file_load, when lockdown is enabled, it should
- fail of missing PE signature when KEXEC_SIG is enabled
- fail of missing IMA signature when KEXEC_SIG is disabled
Before this patch, test_kexec_load.sh fails (false positive) and
test_kexec_file_load.sh fails without a reason when lockdown enabled and
KEXEC_SIG disabled,
# kexec_load failed [FAIL]
not ok 1 selftests: kexec: test_kexec_load.sh # exit=1
# kexec_file_load failed [PASS]
ok 2 selftests: kexec: test_kexec_file_load.sh
After this patch, test_kexec_load.sh succeeds and
test_kexec_file_load.sh fails with the correct reason when lockdown
enabled and KEXEC_SIG disabled,
# kexec_load failed [PASS]
ok 1 selftests: kexec: test_kexec_load.sh
# kexec_file_load failed (missing IMA sig) [PASS]
ok 2 selftests: kexec: test_kexec_file_load.sh
Cc: kexec@lists.infradead.org
Cc: linux-integrity@vger.kernel.org
Suggested-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Coiby Xu <coxu@redhat.com>
---
.../selftests/kexec/kexec_common_lib.sh | 16 +++++++++++
.../selftests/kexec/test_kexec_file_load.sh | 27 +++++++++++++++++++
.../selftests/kexec/test_kexec_load.sh | 12 ++++++---
3 files changed, 52 insertions(+), 3 deletions(-)
diff --git a/tools/testing/selftests/kexec/kexec_common_lib.sh b/tools/testing/selftests/kexec/kexec_common_lib.sh
index 641ef05863b2..06c298b46788 100755
--- a/tools/testing/selftests/kexec/kexec_common_lib.sh
+++ b/tools/testing/selftests/kexec/kexec_common_lib.sh
@@ -110,6 +110,22 @@ get_secureboot_mode()
return $secureboot_mode;
}
+is_lockdown_enabled()
+{
+ local ret=0
+
+ if [ -f /sys/kernel/security/lockdown ] \
+ && ! grep -qs "\[none\]" /sys/kernel/security/lockdown; then
+ ret=1
+ fi
+
+ if [ $ret -eq 0 ]; then
+ log_info "lockdown not enabled"
+ fi
+
+ return $ret
+}
+
require_root_privileges()
{
if [ $(id -ru) -ne 0 ]; then
diff --git a/tools/testing/selftests/kexec/test_kexec_file_load.sh b/tools/testing/selftests/kexec/test_kexec_file_load.sh
index c9ccb3c93d72..790f96938083 100755
--- a/tools/testing/selftests/kexec/test_kexec_file_load.sh
+++ b/tools/testing/selftests/kexec/test_kexec_file_load.sh
@@ -139,6 +139,16 @@ kexec_file_load_test()
log_fail "$succeed_msg (missing IMA sig)"
fi
+ if [ $lockdown -eq 1 ] && [ $kexec_sig_enabled -eq 1 ] \
+ && [ $pe_signed -eq 0 ]; then
+ log_fail "$succeed_msg (missing PE sig)"
+ fi
+
+ if [ $lockdown -eq 1 ] && [ $kexec_sig_enabled -eq 0 ] && [ $ima_signed -eq 0 ] \
+ && [ $ima_modsig -eq 0 ]; then
+ log_fail "$succeed_msg (missing IMA sig)"
+ fi
+
if [ $pe_sig_required -eq 0 ] && [ $ima_appraise -eq 1 ] \
&& [ $ima_sig_required -eq 0 ] && [ $ima_signed -eq 0 ] \
&& [ $ima_read_policy -eq 0 ]; then
@@ -181,6 +191,16 @@ kexec_file_load_test()
log_pass "$failed_msg (possibly missing IMA sig)"
fi
+ if [ $lockdown -eq 1 ] && [ $kexec_sig_enabled -eq 1 ] \
+ && [ $pe_signed -eq 0 ]; then
+ log_pass "$failed_msg (missing PE sig)"
+ fi
+
+ if [ $lockdown -eq 1 ] && [ $kexec_sig_enabled -eq 0 ] \
+ && [ $ima_signed -eq 0 ] && [ $ima_modsig -eq 0 ]; then
+ log_pass "$failed_msg (missing IMA sig)"
+ fi
+
log_pass "$failed_msg"
return 0
}
@@ -215,6 +235,10 @@ kconfig_enabled "CONFIG_KEXEC_SIG_FORCE=y" \
"kexec signed kernel image required"
kexec_sig_required=$?
+kconfig_enabled "CONFIG_KEXEC_SIG=y" \
+ "KEXEC_SIG enabled"
+kexec_sig_enabled=$?
+
kconfig_enabled "CONFIG_KEXEC_BZIMAGE_VERIFY_SIG=y" \
"PE signed kernel image required"
pe_sig_required=$?
@@ -225,6 +249,9 @@ ima_sig_required=$?
get_secureboot_mode
secureboot=$?
+is_lockdown_enabled
+lockdown=$?
+
# Are there pe and ima signatures
if [ "$(get_arch)" == 'ppc64le' ]; then
pe_signed=0
diff --git a/tools/testing/selftests/kexec/test_kexec_load.sh b/tools/testing/selftests/kexec/test_kexec_load.sh
index 49c6aa929137..0542887866c0 100755
--- a/tools/testing/selftests/kexec/test_kexec_load.sh
+++ b/tools/testing/selftests/kexec/test_kexec_load.sh
@@ -28,18 +28,24 @@ arch_policy=$?
get_secureboot_mode
secureboot=$?
-# kexec_load should fail in secure boot mode and CONFIG_IMA_ARCH_POLICY enabled
+is_lockdown_enabled
+lockdown=$?
+
+# kexec_load should fail in either
+# a) secure boot mode and CONFIG_IMA_ARCH_POLICY enabled
+# or
+# b) lockdown enabled
kexec --load $KERNEL_IMAGE > /dev/null 2>&1
if [ $? -eq 0 ]; then
kexec --unload
- if [ $secureboot -eq 1 ] && [ $arch_policy -eq 1 ]; then
+ if [ $secureboot -eq 1 -a $arch_policy -eq 1 ] || [ $lockdown -eq 1 ]; then
log_fail "kexec_load succeeded"
elif [ $ima_appraise -eq 0 -o $arch_policy -eq 0 ]; then
log_info "Either IMA or the IMA arch policy is not enabled"
fi
log_pass "kexec_load succeeded"
else
- if [ $secureboot -eq 1 ] && [ $arch_policy -eq 1 ] ; then
+ if [ $secureboot -eq 1 -a $arch_policy -eq 1 ] || [ $lockdown -eq 1 ]; then
log_pass "kexec_load failed"
else
log_fail "kexec_load failed"
--
2.38.1
_______________________________________________
kexec mailing list
kexec@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/kexec
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH v3 2/2] selftests/kexec: enable lockdown tests
2022-12-30 6:58 ` [PATCH v3 2/2] selftests/kexec: enable lockdown tests Coiby Xu
@ 2023-01-03 13:48 ` Mimi Zohar
0 siblings, 0 replies; 4+ messages in thread
From: Mimi Zohar @ 2023-01-03 13:48 UTC (permalink / raw)
To: Coiby Xu, kexec
Cc: linux-integrity, Shuah Khan, open list:KERNEL SELFTEST FRAMEWORK,
open list
Hi Coiby,
On Fri, 2022-12-30 at 14:58 +0800, Coiby Xu wrote:
> When lockdown is enabled, kexec_load syscall should always fail.
>
> For kexec_file_load, when lockdown is enabled, it should
> - fail of missing PE signature when KEXEC_SIG is enabled
> - fail of missing IMA signature when KEXEC_SIG is disabled
Appended kernel image signatures are supported, but differently on
powerpc and s390. For s390, KEXEC_SIG is enabled. For completeness
the above statements should reflect appended signatures.
>
> Before this patch, test_kexec_load.sh fails (false positive) and
> test_kexec_file_load.sh fails without a reason when lockdown enabled and
> KEXEC_SIG disabled,
>
> # kexec_load failed [FAIL]
> not ok 1 selftests: kexec: test_kexec_load.sh # exit=1
> # kexec_file_load failed [PASS]
> ok 2 selftests: kexec: test_kexec_file_load.sh
>
> After this patch, test_kexec_load.sh succeeds and
> test_kexec_file_load.sh fails with the correct reason when lockdown
> enabled and KEXEC_SIG disabled,
>
> # kexec_load failed [PASS]
> ok 1 selftests: kexec: test_kexec_load.sh
> # kexec_file_load failed (missing IMA sig) [PASS]
> ok 2 selftests: kexec: test_kexec_file_load.sh
>
> Cc: kexec@lists.infradead.org
> Cc: linux-integrity@vger.kernel.org
> Suggested-by: Mimi Zohar <zohar@linux.ibm.com>
> Signed-off-by: Coiby Xu <coxu@redhat.com>
> ---
> .../selftests/kexec/kexec_common_lib.sh | 16 +++++++++++
> .../selftests/kexec/test_kexec_file_load.sh | 27 +++++++++++++++++++
> .../selftests/kexec/test_kexec_load.sh | 12 ++++++---
> 3 files changed, 52 insertions(+), 3 deletions(-)
>
> diff --git a/tools/testing/selftests/kexec/kexec_common_lib.sh b/tools/testing/selftests/kexec/kexec_common_lib.sh
> index 641ef05863b2..06c298b46788 100755
> --- a/tools/testing/selftests/kexec/kexec_common_lib.sh
> +++ b/tools/testing/selftests/kexec/kexec_common_lib.sh
> @@ -110,6 +110,22 @@ get_secureboot_mode()
> return $secureboot_mode;
> }
>
> +is_lockdown_enabled()
> +{
> + local ret=0
> +
> + if [ -f /sys/kernel/security/lockdown ] \
> + && ! grep -qs "\[none\]" /sys/kernel/security/lockdown; then
> + ret=1
> + fi
> +
> + if [ $ret -eq 0 ]; then
> + log_info "lockdown not enabled"
> + fi
> +
> + return $ret
> +}
> +
> require_root_privileges()
> {
> if [ $(id -ru) -ne 0 ]; then
> diff --git a/tools/testing/selftests/kexec/test_kexec_file_load.sh b/tools/testing/selftests/kexec/test_kexec_file_load.sh
> index c9ccb3c93d72..790f96938083 100755
> --- a/tools/testing/selftests/kexec/test_kexec_file_load.sh
> +++ b/tools/testing/selftests/kexec/test_kexec_file_load.sh
> @@ -139,6 +139,16 @@ kexec_file_load_test()
> log_fail "$succeed_msg (missing IMA sig)"
> fi
>
> + if [ $lockdown -eq 1 ] && [ $kexec_sig_enabled -eq 1 ] \
> + && [ $pe_signed -eq 0 ]; then
> + log_fail "$succeed_msg (missing PE sig)"
> + fi
CONFIG_KEXEC_SIG being enabled does not require signature verification
to be enforced. When the CONFIG_IMA_ARCH_POLICY is enabled, IMA
requires kexec signature verification. Also on s390, CONFIG_KEXEC_SIG
verifies an appended signature, not a PE signature. Instead of the
"missing PE sig" message, perhaps indicate lockdown requires kexec
signature verification.
> +
> + if [ $lockdown -eq 1 ] && [ $kexec_sig_enabled -eq 0 ] && [ $ima_signed -eq 0 ] \
> + && [ $ima_modsig -eq 0 ]; then
> + log_fail "$succeed_msg (missing IMA sig)"
> + fi
> +
Similarly, only if IMA is enabled and requires the kexec signature
verficiation should this message be emitted. Perhaps a single generic
lockdown message would be sufficient for both.
> if [ $pe_sig_required -eq 0 ] && [ $ima_appraise -eq 1 ] \
> && [ $ima_sig_required -eq 0 ] && [ $ima_signed -eq 0 ] \
> && [ $ima_read_policy -eq 0 ]; then
> @@ -181,6 +191,16 @@ kexec_file_load_test()
> log_pass "$failed_msg (possibly missing IMA sig)"
> fi
>
> + if [ $lockdown -eq 1 ] && [ $kexec_sig_enabled -eq 1 ] \
> + && [ $pe_signed -eq 0 ]; then
> + log_pass "$failed_msg (missing PE sig)"
> + fi
> +
> + if [ $lockdown -eq 1 ] && [ $kexec_sig_enabled -eq 0 ] \
> + && [ $ima_signed -eq 0 ] && [ $ima_modsig -eq 0 ]; then
> + log_pass "$failed_msg (missing IMA sig)"
> + fi
> +
Similar comments as above.
--
thanks,
Mimi
_______________________________________________
kexec mailing list
kexec@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/kexec
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH v3 1/2] lockdown: kexec_file: prevent unsigned kernel image when KEXEC_SIG not enabled
2022-12-30 6:58 [PATCH v3 1/2] lockdown: kexec_file: prevent unsigned kernel image when KEXEC_SIG not enabled Coiby Xu
2022-12-30 6:58 ` [PATCH v3 2/2] selftests/kexec: enable lockdown tests Coiby Xu
@ 2023-01-03 14:42 ` Mimi Zohar
1 sibling, 0 replies; 4+ messages in thread
From: Mimi Zohar @ 2023-01-03 14:42 UTC (permalink / raw)
To: Coiby Xu, kexec
Cc: Matthew Garrett, Jiri Bohac, David Howells, linux-integrity,
Eric Biederman, Matthew Garrett, James Morris, open list
Hi Coiby,
On Fri, 2022-12-30 at 14:58 +0800, Coiby Xu wrote:
> A kernel builder may not enable KEXEC_SIG and some architectures like
> ppc64 simply don't have KEXEC_SIG. In these cases, unless both
> IMA_ARCH_POLICY and secure boot also enabled, lockdown doesn't prevent
> unsigned kernel image from being kexec'ed via the kexec_file_load
> syscall whereas it could prevent one via the kexec_load syscall. Mandate
> signature verification for those cases.
The phrase "unless both IMA_ARCH_POLICY and secure boot also enabled"
doesn't reflect the code. IMA could contain a custom policy rule which
requires the kexec kernel image signature verification as well. Refer
to the comment now in mandate_signature_verification().
thanks,
Mimi
_______________________________________________
kexec mailing list
kexec@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/kexec
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2023-01-03 17:27 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2022-12-30 6:58 [PATCH v3 1/2] lockdown: kexec_file: prevent unsigned kernel image when KEXEC_SIG not enabled Coiby Xu
2022-12-30 6:58 ` [PATCH v3 2/2] selftests/kexec: enable lockdown tests Coiby Xu
2023-01-03 13:48 ` Mimi Zohar
2023-01-03 14:42 ` [PATCH v3 1/2] lockdown: kexec_file: prevent unsigned kernel image when KEXEC_SIG not enabled Mimi Zohar
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox