[PATCH] lockdown: s390: kexec_file: don't skip signature verification when not secure IPLed

public inbox for linux-s390@vger.kernel.org
 help / color / mirror / Atom feed

* [PATCH] lockdown: s390: kexec_file: don't skip signature verification when not secure IPLed
@ 2022-11-21  7:27 Coiby Xu
  2022-11-22 15:15 ` Vasily Gorbik
  0 siblings, 1 reply; 3+ messages in thread
From: Coiby Xu @ 2022-11-21  7:27 UTC (permalink / raw)
  To: kexec
  Cc: Matthew Garrett, Jiri Bohac, David Howells, Philipp Rudo,
	linux-s390, Heiko Carstens, Vasily Gorbik, Alexander Gordeev,
	Christian Borntraeger, Sven Schnelle, James Morris,
	Matthew Garrett, open list

Currently for s390, lockdown doesn't prevent unsigned kernel image from
being kexec'ed when secure IPL is disabled. Fix it by always verifying
the signature regardless secure IPL is enabled or not.

Fixes: 155bdd30af17 ("kexec_file: Restrict at runtime if the kernel is locked down")

Cc: Matthew Garrett <mjg59@srcf.ucam.org>
Cc: Jiri Bohac <jbohac@suse.cz>
Cc: David Howells <dhowells@redhat.com>
Cc: Philipp Rudo <prudo@redhat.com>
Cc: kexec@lists.infradead.org
Cc: linux-s390@vger.kernel.org
Signed-off-by: Coiby Xu <coxu@redhat.com>
---
 arch/s390/kernel/machine_kexec_file.c | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/arch/s390/kernel/machine_kexec_file.c b/arch/s390/kernel/machine_kexec_file.c
index fc6d5f58debe..627685426ac2 100644
--- a/arch/s390/kernel/machine_kexec_file.c
+++ b/arch/s390/kernel/machine_kexec_file.c
@@ -33,10 +33,6 @@ int s390_verify_sig(const char *kernel, unsigned long kernel_len)
 	unsigned long sig_len;
 	int ret;
 
-	/* Skip signature verification when not secure IPLed. */
-	if (!ipl_secure_flag)
-		return 0;
-
 	if (marker_len > kernel_len)
 		return -EKEYREJECTED;
 
-- 
2.38.1


^ permalink raw reply related	[flat|nested] 3+ messages in thread

* Re: [PATCH] lockdown: s390: kexec_file: don't skip signature verification when not secure IPLed
  2022-11-21  7:27 [PATCH] lockdown: s390: kexec_file: don't skip signature verification when not secure IPLed Coiby Xu
@ 2022-11-22 15:15 ` Vasily Gorbik
  2022-11-23  0:52   ` Coiby Xu
  0 siblings, 1 reply; 3+ messages in thread
From: Vasily Gorbik @ 2022-11-22 15:15 UTC (permalink / raw)
  To: Coiby Xu
  Cc: kexec, Matthew Garrett, Jiri Bohac, David Howells, Philipp Rudo,
	linux-s390, Heiko Carstens, Alexander Gordeev,
	Christian Borntraeger, Sven Schnelle, James Morris,
	Matthew Garrett, open list, Peter Oberparleiter

On Mon, Nov 21, 2022 at 03:27:15PM +0800, Coiby Xu wrote:
> --- a/arch/s390/kernel/machine_kexec_file.c
> +++ b/arch/s390/kernel/machine_kexec_file.c
> @@ -33,10 +33,6 @@ int s390_verify_sig(const char *kernel, unsigned long kernel_len)
>  	unsigned long sig_len;
>  	int ret;
>  
> -	/* Skip signature verification when not secure IPLed. */
> -	if (!ipl_secure_flag)
> -		return 0;

Looking at s390_verify_sig() especially before commit 0828c4a39be5
("kexec, KEYS, s390: Make use of built-in and secondary keyring for
signature verification") I think this condition actually expresses
2 things:
1. the firmware is secure IPL capable and secure IPL keys are
   provided and present in platform keyring.
2. secure IPL is enabled.

Wouldn't this change have implications for machines with older firmware
which doesn't support secure IPL? In this case platform keyring won't
have any secure IPL keys (since firmware doesn't provide them)
and any properly signed kernels will be rejected for kexec in this
function. Unless secure IPL keys are also present in built-in or secondary
keyring (which is possible after commit 0828c4a39be5) - is that what
distributions normally do?

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [PATCH] lockdown: s390: kexec_file: don't skip signature verification when not secure IPLed
  2022-11-22 15:15 ` Vasily Gorbik
@ 2022-11-23  0:52   ` Coiby Xu
  0 siblings, 0 replies; 3+ messages in thread
From: Coiby Xu @ 2022-11-23  0:52 UTC (permalink / raw)
  To: Vasily Gorbik
  Cc: kexec, Matthew Garrett, Jiri Bohac, David Howells, Philipp Rudo,
	linux-s390, Heiko Carstens, Alexander Gordeev,
	Christian Borntraeger, Sven Schnelle, James Morris,
	Matthew Garrett, open list, Peter Oberparleiter

On Tue, Nov 22, 2022 at 04:15:04PM +0100, Vasily Gorbik wrote:
>On Mon, Nov 21, 2022 at 03:27:15PM +0800, Coiby Xu wrote:
>> --- a/arch/s390/kernel/machine_kexec_file.c
>> +++ b/arch/s390/kernel/machine_kexec_file.c
>> @@ -33,10 +33,6 @@ int s390_verify_sig(const char *kernel, unsigned long kernel_len)
>>  	unsigned long sig_len;
>>  	int ret;
>>
>> -	/* Skip signature verification when not secure IPLed. */
>> -	if (!ipl_secure_flag)
>> -		return 0;
>
>Looking at s390_verify_sig() especially before commit 0828c4a39be5
>("kexec, KEYS, s390: Make use of built-in and secondary keyring for
>signature verification") I think this condition actually expresses
>2 things:
>1. the firmware is secure IPL capable and secure IPL keys are
>   provided and present in platform keyring.
>2. secure IPL is enabled.
>
>Wouldn't this change have implications for machines with older firmware
>which doesn't support secure IPL? In this case platform keyring won't
>have any secure IPL keys (since firmware doesn't provide them)
>and any properly signed kernels will be rejected for kexec in this
>function. Unless secure IPL keys are also present in built-in or secondary
>keyring (which is possible after commit 0828c4a39be5) - is that what
>distributions normally do?

Thanks for pointing me to the above commit and reminding me older
firmware doesn't support secure IPL! But I don't think this change will
break machines with older firmwares which doesn't support secure IPL.
Distributions like Fedora/RHEL have downstream-only patch that enable
lockdown automatically when secure boot is enabled. Since there is no
secure IPL, lockdown won't be enabled which means
kimage_validate_signature (kernel/kexec_file.c) doesn't enforce
signature verification (sorry I should change the commit subject which
is misleading). For the case where users manually enables lockdown, I
assume they know what lockdown means and expect signature verification
to be enforced instead to be silently bypassed.

-- 
Best regards,
Coiby


^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2022-11-23  0:56 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2022-11-21  7:27 [PATCH] lockdown: s390: kexec_file: don't skip signature verification when not secure IPLed Coiby Xu
2022-11-22 15:15 ` Vasily Gorbik
2022-11-23  0:52   ` Coiby Xu

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox