public inbox for linux-kernel@vger.kernel.org
From: Vivek Goyal <vgoyal@redhat.com>
To: linux-kernel@vger.kernel.org, kexec@lists.infradead.org
Cc: ebiederm@xmission.com, hpa@zytor.com, mjg59@srcf.ucam.org,
	bp@alien8.de, akpm@linux-foundation.org, dhowells@redhat.com,
	Vivek Goyal <vgoyal@redhat.com>
Subject: [PATCH 0/1] kexec: verify bzImage signature
Date: Wed,  9 Jul 2014 14:24:06 -0400
Message-ID: <1404930247-7546-1-git-send-email-vgoyal@redhat.com>

Hi,

This is the final piece of the puzzle of verifying the kernel image signature
during the kexec_file_load() syscall.

It relies on the following two patch series.

- kexec_file_load() syscall patches

  https://lkml.org/lkml/2014/6/26/497

  This patch series is now available in -mm tree.

- PE File parsing and signature verification

  http://thread.gmane.org/gmane.linux.kernel/1742967

  This patch series is also available here.

  http://git.kernel.org/cgit/linux/kernel/git/dhowells/linux-modsign.git/log/?h=pefile

This patch calls into the PE file routines to verify the signature of the
bzImage. If the signature is valid, kexec_file_load() succeeds; otherwise it
fails.

Two new config options have been introduced. The first one is
CONFIG_KEXEC_VERIFY_SIG. This option enforces that the kernel has to be
validly signed; otherwise the kernel load will fail. If this option is not
set, no signature verification will be done. The only exception will be
when secureboot is enabled. In that case signature verification should
be automatically enforced when secureboot is enabled. But that will
happen when the secureboot patches are merged.

The second config option is CONFIG_KEXEC_BZIMAGE_VERIFY_SIG. This option
enables signature verification support on bzImage. If this option is
not set and the previous one is set, kernel image loading will fail because
the kernel does not have support to verify the signature of a bzImage.

I tested these patches with both "pesign" and "sbsign" signed bzImages.

I used the signing_key.priv key and signing_key.x509 cert for signing, as
generated during the kernel build process (if module signing is enabled).

I used the following method to sign the bzImage.

pesign
======
- Convert DER format cert to PEM format cert
openssl x509 -in signing_key.x509 -inform DER -out signing_key.x509.PEM -outform PEM

- Generate a .p12 file from existing cert and private key file
openssl pkcs12 -export -out kernel-key.p12 -inkey signing_key.priv -in signing_key.x509.PEM

- Import .p12 file into pesign db
pk12util -i /tmp/kernel-key.p12 -d /etc/pki/pesign

- Sign bzImage
pesign -i /boot/vmlinuz-3.16.0-rc3+ -o /boot/vmlinuz-3.16.0-rc3+.signed.pesign -c "Glacier signing key - Magrathea" -s

sbsign
======
sbsign --key signing_key.priv --cert signing_key.x509.PEM --output /boot/vmlinuz-3.16.0-rc3+.signed.sbsign /boot/vmlinuz-3.16.0-rc3+

Thanks
Vivek

Vivek Goyal (1):
  kexec: Verify the signature of signed PE bzImage

 arch/x86/Kconfig                   | 22 ++++++++++++++++++++++
 arch/x86/kernel/kexec-bzimage64.c  | 21 +++++++++++++++++++++
 arch/x86/kernel/machine_kexec_64.c | 11 +++++++++++
 include/linux/kexec.h              |  3 +++
 kernel/kexec.c                     | 15 +++++++++++++++
 5 files changed, 72 insertions(+)

-- 
1.9.0
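
Added example, not part of the original message or of the patch series: a stand-alone C check for whether an image carries a PE attribute certificate table at all, the structure that pesign and sbsign append when signing. It assumes the bzImage has a PE/COFF header; `pe_find_signature`, `sample_status` and the sample bytes are constructed for illustration, and the check is structural only, with no cryptographic verification.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { PE_SIGNED = 0, PE_UNSIGNED = 1, PE_MALFORMED = -1 };
static uint32_t le16(const uint8_t *p) { return p[0] | (uint32_t)p[1] << 8; }
static uint32_t le32(const uint8_t *p) { return le16(p) | le16(p + 2) << 16; }

/* Locate data directory entry 4 (certificate table); structure only, no crypto. */
int pe_find_signature(const uint8_t *b, size_t len, uint32_t *off, uint32_t *sz)
{
    if (len < 0x40 || b[0] != 'M' || b[1] != 'Z') return PE_MALFORMED;
    size_t pe = le32(b + 0x3c);                     /* e_lfanew */
    if (pe > len - 26 || memcmp(b + pe, "PE\0\0", 4)) return PE_MALFORMED;
    size_t opt = pe + 24;                           /* past "PE\0\0" + COFF header */
    uint32_t magic = le16(b + opt);                 /* 0x10b PE32, 0x20b PE32+ */
    if (magic != 0x10b && magic != 0x20b) return PE_MALFORMED;
    size_t ndirs = opt + (magic == 0x20b ? 108 : 92); /* NumberOfRvaAndSizes */
    if (ndirs + 4 > len) return PE_MALFORMED;
    if (le32(b + ndirs) <= 4) return PE_UNSIGNED;   /* no certificate table slot */
    size_t dir = ndirs + 4 + 4 * 8;                 /* entry 4, 8 bytes per entry */
    if (dir + 8 > len) return PE_MALFORMED;
    *off = le32(b + dir);                           /* a file offset, not an RVA */
    *sz = le32(b + dir + 4);
    if (*off == 0 || *sz == 0) return PE_UNSIGNED;
    if (*sz < 8 || *off > len || *sz > len - *off) return PE_MALFORMED;
    uint32_t cert_len = le32(b + *off);             /* WIN_CERTIFICATE.dwLength */
    if (cert_len < 8 || cert_len > *sz) return PE_MALFORMED;
    if (le16(b + *off + 6) != 0x0002) return PE_MALFORMED; /* not PKCS#7 SignedData */
    return PE_SIGNED;
}

/* Constructed sample (not a real kernel): bare PE32+ header plus a cert stub. */
int sample_status(int with_sig, size_t len, uint32_t *off, uint32_t *sz)
{
    uint8_t b[0x210] = { 'M', 'Z' };
    b[0x3c] = 0x40; memcpy(b + 0x40, "PE\0\0", 4);  /* e_lfanew, PE signature */
    b[0x58] = 0x0b; b[0x59] = 0x02; b[0xc4] = 16;   /* magic, NumberOfRvaAndSizes */
    b[0x200] = 16; b[0x205] = 0x02; b[0x206] = 0x02; /* dwLength, rev 2.0, type 2 */
    if (with_sig) { b[0xe9] = 0x02; b[0xec] = 16; } /* table at 0x200, 16 bytes */
    return pe_find_signature(b, len, off, sz);
}

int main(void)
{
    uint32_t off = 0, sz = 0;
    printf("status=%d\n", sample_status(1, 0x210, &off, &sz));
    return 0;
}
```

A PE_SIGNED result only says a well-formed certificate table is present; whether the signature chains to a trusted key is decided by the kernel's own verification.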

