[PATCH] kexec: Disable at runtime if the kernel enforces module signing

[PATCH] kexec: Disable at runtime if the kernel enforces module signing

[Matthew Garrett]

kexec permits the loading and execution of arbitrary code in ring 0, which
is something that module signing enforcement is meant to prevent. It makes
sense to disable kexec in this situation.

Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
---
 include/linux/module.h |  4 ++++
 kernel/kexec.c         | 10 ++++++++++
 kernel/module.c        |  4 ++--
 3 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/include/linux/module.h b/include/linux/module.h
index 46f1ea0..2871ab2 100644
--- a/include/linux/module.h
+++ b/include/linux/module.h
@@ -29,6 +29,10 @@
 
 #define MODULE_NAME_LEN MAX_PARAM_PREFIX_LEN
 
+#ifdef CONFIG_MODULE_SIG
+extern bool sig_enforce;
+#endif
+
 struct modversion_info
 {
 	unsigned long crc;
diff --git a/kernel/kexec.c b/kernel/kexec.c
index 59f7b55..297a268a 100644
--- a/kernel/kexec.c
+++ b/kernel/kexec.c
@@ -32,6 +32,7 @@
 #include <linux/vmalloc.h>
 #include <linux/swap.h>
 #include <linux/syscore_ops.h>
+#include <linux/module.h>
 
 #include <asm/page.h>
 #include <asm/uaccess.h>
@@ -1645,6 +1646,15 @@ int kernel_kexec(void)
 		goto Unlock;
 	}
 
+#ifdef CONFIG_MODULE_SIG
+	/*
+	 * Kexec makes it trivial to evade module signing, so forbid it when
+	 * the kernel requires signatures
+	 */
+	if (sig_enforce)
+		return -EPERM;
+#endif
+
 #ifdef CONFIG_KEXEC_JUMP
 	if (kexec_image->preserve_context) {
 		lock_system_sleep();
diff --git a/kernel/module.c b/kernel/module.c
index 2069158..58f6e21 100644
--- a/kernel/module.c
+++ b/kernel/module.c
@@ -109,9 +109,9 @@ struct list_head *kdb_modules = &modules; /* kdb needs the list of modules */
 
 #ifdef CONFIG_MODULE_SIG
 #ifdef CONFIG_MODULE_SIG_FORCE
-static bool sig_enforce = true;
+bool sig_enforce = true;
 #else
-static bool sig_enforce = false;
+bool sig_enforce = false;
 
 static int param_set_bool_enable_only(const char *val,
 				      const struct kernel_param *kp)
-- 
1.8.3.1

Re: [PATCH] kexec: Disable at runtime if the kernel enforces module signing

[Vivek Goyal]

On Fri, Aug 09, 2013 at 03:36:37AM -0400, Matthew Garrett wrote:
> kexec permits the loading and execution of arbitrary code in ring 0, which
> is something that module signing enforcement is meant to prevent. It makes
> sense to disable kexec in this situation.
> 

But in the process we wipe out running kernel's context and boot into a new
kernel. So how different it is than root booting a new kernel through BIOS
which does not enforce module signing.

Also it would be nice if we introduce new features, then we make other
features work with those new features instead of disabling existing
features and leave it to other people to make them work.

Thanks
Vivek

> Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
> ---
>  include/linux/module.h |  4 ++++
>  kernel/kexec.c         | 10 ++++++++++
>  kernel/module.c        |  4 ++--
>  3 files changed, 16 insertions(+), 2 deletions(-)
> 
> diff --git a/include/linux/module.h b/include/linux/module.h
> index 46f1ea0..2871ab2 100644
> --- a/include/linux/module.h
> +++ b/include/linux/module.h
> @@ -29,6 +29,10 @@
>  
>  #define MODULE_NAME_LEN MAX_PARAM_PREFIX_LEN
>  
> +#ifdef CONFIG_MODULE_SIG
> +extern bool sig_enforce;
> +#endif
> +
>  struct modversion_info
>  {
>  	unsigned long crc;
> diff --git a/kernel/kexec.c b/kernel/kexec.c
> index 59f7b55..297a268a 100644
> --- a/kernel/kexec.c
> +++ b/kernel/kexec.c
> @@ -32,6 +32,7 @@
>  #include <linux/vmalloc.h>
>  #include <linux/swap.h>
>  #include <linux/syscore_ops.h>
> +#include <linux/module.h>
>  
>  #include <asm/page.h>
>  #include <asm/uaccess.h>
> @@ -1645,6 +1646,15 @@ int kernel_kexec(void)
>  		goto Unlock;
>  	}
>  
> +#ifdef CONFIG_MODULE_SIG
> +	/*
> +	 * Kexec makes it trivial to evade module signing, so forbid it when
> +	 * the kernel requires signatures
> +	 */
> +	if (sig_enforce)
> +		return -EPERM;
> +#endif
> +
>  #ifdef CONFIG_KEXEC_JUMP
>  	if (kexec_image->preserve_context) {
>  		lock_system_sleep();
> diff --git a/kernel/module.c b/kernel/module.c
> index 2069158..58f6e21 100644
> --- a/kernel/module.c
> +++ b/kernel/module.c
> @@ -109,9 +109,9 @@ struct list_head *kdb_modules = &modules; /* kdb needs the list of modules */
>  
>  #ifdef CONFIG_MODULE_SIG
>  #ifdef CONFIG_MODULE_SIG_FORCE
> -static bool sig_enforce = true;
> +bool sig_enforce = true;
>  #else
> -static bool sig_enforce = false;
> +bool sig_enforce = false;
>  
>  static int param_set_bool_enable_only(const char *val,
>  				      const struct kernel_param *kp)
> -- 
> 1.8.3.1
> 
> 
> _______________________________________________
> kexec mailing list
> kexec@lists.infradead.org
> http://lists.infradead.org/mailman/listinfo/kexec

Re: [PATCH] kexec: Disable at runtime if the kernel enforces module signing

[Matthew Garrett]

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1: Type: text/plain; charset="utf-8", Size: 1625 bytes --]

On Fri, 2013-08-09 at 07:02 -0400, Vivek Goyal wrote:
> On Fri, Aug 09, 2013 at 03:36:37AM -0400, Matthew Garrett wrote:
> > kexec permits the loading and execution of arbitrary code in ring 0, which
> > is something that module signing enforcement is meant to prevent. It makes
> > sense to disable kexec in this situation.
> > 
> 
> But in the process we wipe out running kernel's context and boot into a new
> kernel. So how different it is than root booting a new kernel through BIOS
> which does not enforce module signing.

What wipes the current kernel's context? KEXEC_JUMP is explicitly
designed to allow you to hop back and forth, but even without it you
should be able to reconstruct the original context. And there's no need
to boot a new kernel, either. All the attacker needs is the physical
address of the sig_enforce boolean, and then they launch a simple kexec
payload that simply flips that back and returns to the original kernel -
it's not like kexec limits you to booting Linux.

> Also it would be nice if we introduce new features, then we make other
> features work with those new features instead of disabling existing
> features and leave it to other people to make them work.

Sure, it'd be nice if security features got introduced with
consideration to other kernel features that allow them to be
circumvented, but this approach seems better than making them
incompatible at the Kconfig level.

-- 
Matthew Garrett | mjg59@srcf.ucam.org
ÿôèº{.nÇ+‰·Ÿ®‰­†+%ŠËÿ±éݶ\x17¥Šwÿº{.nÇ+‰·¥Š{±þG«éÿŠ{ayº\x1dʇڙë,j\a­¢f£¢·hšïêÿ‘êçz_è®\x03(­éšŽŠÝ¢j"ú\x1a¶^[m§ÿÿ¾\a«þG«éÿ¢¸?™¨è­Ú&£ø§~á¶iO•æ¬z·švØ^\x14\x04\x1a¶^[m§ÿÿÃ\fÿ¶ìÿ¢¸?–I¥

Re: [PATCH] kexec: Disable at runtime if the kernel enforces module signing

[Vivek Goyal]

On Fri, Aug 09, 2013 at 03:07:13PM +0000, Matthew Garrett wrote:
> On Fri, 2013-08-09 at 07:02 -0400, Vivek Goyal wrote:
> > On Fri, Aug 09, 2013 at 03:36:37AM -0400, Matthew Garrett wrote:
> > > kexec permits the loading and execution of arbitrary code in ring 0, which
> > > is something that module signing enforcement is meant to prevent. It makes
> > > sense to disable kexec in this situation.
> > > 
> > 
> > But in the process we wipe out running kernel's context and boot into a new
> > kernel. So how different it is than root booting a new kernel through BIOS
> > which does not enforce module signing.
> 
> What wipes the current kernel's context? KEXEC_JUMP is explicitly
> designed to allow you to hop back and forth, but even without it you
> should be able to reconstruct the original context. And there's no need
> to boot a new kernel, either. All the attacker needs is the physical
> address of the sig_enforce boolean, and then they launch a simple kexec
> payload that simply flips that back and returns to the original kernel -
> it's not like kexec limits you to booting Linux.
> 

Yes, wiping out part is not right. We do some preparation to get ready
to jump to root specified code. Never paid too much of attnetion to
how much work it is to undo what kexec syscall did and reconstruct
the original state.

Thanks
Vivek

Re: [PATCH] kexec: Disable at runtime if the kernel enforces module signing

[Vivek Goyal]

On Fri, Aug 09, 2013 at 03:07:13PM +0000, Matthew Garrett wrote:
> On Fri, 2013-08-09 at 07:02 -0400, Vivek Goyal wrote:
> > On Fri, Aug 09, 2013 at 03:36:37AM -0400, Matthew Garrett wrote:
> > > kexec permits the loading and execution of arbitrary code in ring 0, which
> > > is something that module signing enforcement is meant to prevent. It makes
> > > sense to disable kexec in this situation.
> > > 
> > 
> > But in the process we wipe out running kernel's context and boot into a new
> > kernel. So how different it is than root booting a new kernel through BIOS
> > which does not enforce module signing.
> 
> What wipes the current kernel's context? KEXEC_JUMP is explicitly
> designed to allow you to hop back and forth, but even without it you
> should be able to reconstruct the original context. And there's no need
> to boot a new kernel, either. All the attacker needs is the physical
> address of the sig_enforce boolean, and then they launch a simple kexec
> payload that simply flips that back and returns to the original kernel -
> it's not like kexec limits you to booting Linux.
> 
> > Also it would be nice if we introduce new features, then we make other
> > features work with those new features instead of disabling existing
> > features and leave it to other people to make them work.
> 
> Sure, it'd be nice if security features got introduced with
> consideration to other kernel features that allow them to be
> circumvented, but this approach seems better than making them
> incompatible at the Kconfig level.

So how would one go about making kexec work when module signature
enforcement is on?

I guess same solution which is required to make it work with secureboot.
Sign /sbin/kexec and let /sbin/kexec very signature of kernel. IOW, any
code which runs at priviliged level should be signature verified with
keys in system_keyring.

Thanks
Vivek

Re: [PATCH] kexec: Disable at runtime if the kernel enforces module signing

[Vivek Goyal]

On Fri, Aug 09, 2013 at 03:07:13PM +0000, Matthew Garrett wrote:
> On Fri, 2013-08-09 at 07:02 -0400, Vivek Goyal wrote:
> > On Fri, Aug 09, 2013 at 03:36:37AM -0400, Matthew Garrett wrote:
> > > kexec permits the loading and execution of arbitrary code in ring 0, which
> > > is something that module signing enforcement is meant to prevent. It makes
> > > sense to disable kexec in this situation.
> > > 
> > 
> > But in the process we wipe out running kernel's context and boot into a new
> > kernel. So how different it is than root booting a new kernel through BIOS
> > which does not enforce module signing.
> 
> What wipes the current kernel's context? KEXEC_JUMP is explicitly
> designed to allow you to hop back and forth, but even without it you
> should be able to reconstruct the original context. And there's no need
> to boot a new kernel, either. All the attacker needs is the physical
> address of the sig_enforce boolean, and then they launch a simple kexec
> payload that simply flips that back and returns to the original kernel -
> it's not like kexec limits you to booting Linux.

Also what about all the other patches you had for secureboot where you
closed down all the paths where root could write to kernel memory. So
if you want to protect sig_enforce boolean, then you need to close down
all these paths irrespective of secureboot?

Thanks
Vivek

Re: [PATCH] kexec: Disable at runtime if the kernel enforces module signing

[Matthew Garrett]

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1: Type: text/plain; charset="utf-8", Size: 770 bytes --]

On Fri, 2013-08-09 at 11:35 -0400, Vivek Goyal wrote:

> Also what about all the other patches you had for secureboot where you
> closed down all the paths where root could write to kernel memory. So
> if you want to protect sig_enforce boolean, then you need to close down
> all these paths irrespective of secureboot?

Fair point. The bar is slightly higher there, but yes, it seems
reasonable to say that enforcing module signing (and, come to think of
it, modules_disabled) should also lock down the other obvious mechanisms
for root to get code into the kernel.

-- 
Matthew Garrett | mjg59@srcf.ucam.org
ÿôèº{.nÇ+‰·Ÿ®‰­†+%ŠËÿ±éݶ\x17¥Šwÿº{.nÇ+‰·¥Š{±þG«éÿŠ{ayº\x1dʇڙë,j\a­¢f£¢·hšïêÿ‘êçz_è®\x03(­éšŽŠÝ¢j"ú\x1a¶^[m§ÿÿ¾\a«þG«éÿ¢¸?™¨è­Ú&£ø§~á¶iO•æ¬z·švØ^\x14\x04\x1a¶^[m§ÿÿÃ\fÿ¶ìÿ¢¸?–I¥