Fwd: How to extract linux kernel version information from a kernel image?

Fwd: How to extract linux kernel version information from a kernel image?

[Raphael Gianotti]

Forwarding this here since the final intent here is an IMA related 
change to see if anyone has any suggestions.


-------- Forwarded Message --------
Subject: 	How to extract linux kernel version information from a kernel 
image?
Date: 	Fri, 18 Sep 2020 12:47:13 -0700
From: 	Raphael Gianotti <raphgi@linux.microsoft.com>
To: 	linux-kernel@vger.kernel.org



Hi,

I have been investigating a way to extract the version strong from a 
kernel image (e.g., vmlinux). The version string I've been looking at is 
essentially the linux_banner symbol.

We'll use IMA to measure the version string on the kexec system call, 
providing a way for an attestation service, for instance, to attest to 
what version of the kernel is running on the client.

I haven't found a way to extract the version from the image that isn't 
simply searching the whole image for it. I was hoping someone here may 
be able to point me to a better approach to retrieve the linux_banner 
symbol value from an image or  any existing kernel code that does 
similar parsing.

If that matters for any suggestions, my current focus is on ARM64 images 
(if the code ends up having to be arch specific).

Thanks,

-Raphael

Re: Fwd: How to extract linux kernel version information from a kernel image?

[Kayaalp, Mehmet]

On 9/24/20 4:05 PM, Raphael Gianotti wrote:
> 
> Forwarding this here since the final intent here is an IMA related
> change to see if anyone has any suggestions.
> 
> 
> -------- Forwarded Message --------
> Subject:        How to extract linux kernel version information from a 
> kernel
> image?
> Date:   Fri, 18 Sep 2020 12:47:13 -0700
> From:   Raphael Gianotti <raphgi@linux.microsoft.com>
> To:     linux-kernel@vger.kernel.org
> 
> 
> 
> Hi,
> 
> I have been investigating a way to extract the version strong from a
> kernel image (e.g., vmlinux). The version string I've been looking at is
> essentially the linux_banner symbol.
> 
> We'll use IMA to measure the version string on the kexec system call,
> providing a way for an attestation service, for instance, to attest to
> what version of the kernel is running on the client.
> 
> I haven't found a way to extract the version from the image that isn't
> simply searching the whole image for it. I was hoping someone here may
> be able to point me to a better approach to retrieve the linux_banner
> symbol value from an image or  any existing kernel code that does
> similar parsing.
> 
> If that matters for any suggestions, my current focus is on ARM64 images
> (if the code ends up having to be arch specific).
> 
> Thanks,
> 
> -Raphael
> 

In Linux/x86 Boot Protocol [1], the kernel header contains a pointer to 
the kernel_version string at offset 020E (2-byte value):

     # hexdump -s 0x020E -n 2 -e '/2 "%x"' 
/boot/vmlinuz-5.4.0-48-generic; echo
     3900

Starting after the header (512 bytes), the string is 0x3900 bytes into 
the vmlinuz file:

     # dd bs=1 skip=$((0x3900+512)) if=/boot/vmlinuz-5.4.0-48-generic 
|tr -s '\000' '\n'|head -n 1
     5.4.0-48-generic (buildd@lcy01-amd64-010) #52-Ubuntu SMP Thu Sep 10 
10:58:49 UTC 2020

In ARM64, the vmlinux is stripped of symbols and compressed into the 
bzImage. To find the linux_banner, System.map file is needed:

     # grep ' linux_banner$' /boot/System.map-5.4.0-48-generic
     ffff800010df00d0 R linux_banner

The offset into the file can be found by subtracting the load address:

     # grep ' _head$' /boot/System.map-5.4.0-48-generic
     ffff800010080000 t _head

     # zcat /boot/vmlinuz-5.4.0-48-generic | dd bs=1 
skip=$((0xffff800010df00d0-0xffff800010080000)) | tr -s '\000' '\n' | 
head -n 1
     Linux version 5.4.0-48-generic (buildd@bos02-arm64-053) (gcc 
version 9.3.0 (Ubuntu 9.3.0-10ubuntu2)) #52-Ubuntu SMP Thu Sep 10 
11:01:50 UTC 2020 (Ubuntu 5.4.0-48.52-generic 5.4.60)

[1]: https://www.kernel.org/doc/html/latest/x86/boot.html

Mehmet

Re: Fwd: How to extract linux kernel version information from a kernel image?

[Raphael Gianotti]

On 9/25/2020 4:06 PM, Kayaalp, Mehmet wrote:
> On 9/24/20 4:05 PM, Raphael Gianotti wrote:
>> Forwarding this here since the final intent here is an IMA related
>> change to see if anyone has any suggestions.
>>
>>
>> -------- Forwarded Message --------
>> Subject:        How to extract linux kernel version information from a
>> kernel
>> image?
>> Date:   Fri, 18 Sep 2020 12:47:13 -0700
>> From:   Raphael Gianotti <raphgi@linux.microsoft.com>
>> To:     linux-kernel@vger.kernel.org
>>
>>
>>
>> Hi,
>>
>> I have been investigating a way to extract the version strong from a
>> kernel image (e.g., vmlinux). The version string I've been looking at is
>> essentially the linux_banner symbol.
>>
>> We'll use IMA to measure the version string on the kexec system call,
>> providing a way for an attestation service, for instance, to attest to
>> what version of the kernel is running on the client.
>>
>> I haven't found a way to extract the version from the image that isn't
>> simply searching the whole image for it. I was hoping someone here may
>> be able to point me to a better approach to retrieve the linux_banner
>> symbol value from an image or  any existing kernel code that does
>> similar parsing.
>>
>> If that matters for any suggestions, my current focus is on ARM64 images
>> (if the code ends up having to be arch specific).
>>
>> Thanks,
>>
>> -Raphael
>>
> In Linux/x86 Boot Protocol [1], the kernel header contains a pointer to
> the kernel_version string at offset 020E (2-byte value):
>
>       # hexdump -s 0x020E -n 2 -e '/2 "%x"'
> /boot/vmlinuz-5.4.0-48-generic; echo
>       3900
>
> Starting after the header (512 bytes), the string is 0x3900 bytes into
> the vmlinuz file:
>
>       # dd bs=1 skip=$((0x3900+512)) if=/boot/vmlinuz-5.4.0-48-generic
> |tr -s '\000' '\n'|head -n 1
>       5.4.0-48-generic (buildd@lcy01-amd64-010) #52-Ubuntu SMP Thu Sep 10
> 10:58:49 UTC 2020
>
> In ARM64, the vmlinux is stripped of symbols and compressed into the
> bzImage. To find the linux_banner, System.map file is needed:
>
>       # grep ' linux_banner$' /boot/System.map-5.4.0-48-generic
>       ffff800010df00d0 R linux_banner
>
> The offset into the file can be found by subtracting the load address:
>
>       # grep ' _head$' /boot/System.map-5.4.0-48-generic
>       ffff800010080000 t _head
>
>       # zcat /boot/vmlinuz-5.4.0-48-generic | dd bs=1
> skip=$((0xffff800010df00d0-0xffff800010080000)) | tr -s '\000' '\n' |
> head -n 1
>       Linux version 5.4.0-48-generic (buildd@bos02-arm64-053) (gcc
> version 9.3.0 (Ubuntu 9.3.0-10ubuntu2)) #52-Ubuntu SMP Thu Sep 10
> 11:01:50 UTC 2020 (Ubuntu 5.4.0-48.52-generic 5.4.60)
>
> [1]: https://www.kernel.org/doc/html/latest/x86/boot.html
>
> Mehmet

Regarding the arm64 vmlinux files, I've noticed in some, if you run the 
file command for them in the terminal, it does give a "not stripped" 
string in its result. Also, for those files, objdump does print out 
symbols, including linux_banner. I've found that out last Friday and I 
am in the process of looking at what the code for objdump to see how it 
finds the symbols there and see if I can get its value from the image. I 
wonder if I am missing something and that reported linux_banner symbol I 
get from objdump is not what I think it is, so do let me know if I am 
just wasting my time in investigating that when it comes to arm64.

Thanks,

Raphael