lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Fri, 9 Aug 2013 11:32:26 -0400
From:	Vivek Goyal <vgoyal@...hat.com>
To:	Matthew Garrett <matthew.garrett@...ula.com>
Cc:	"kexec@...ts.infradead.org" <kexec@...ts.infradead.org>,
	"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH] kexec: Disable at runtime if the kernel enforces module
 signing

On Fri, Aug 09, 2013 at 03:07:13PM +0000, Matthew Garrett wrote:
> On Fri, 2013-08-09 at 07:02 -0400, Vivek Goyal wrote:
> > On Fri, Aug 09, 2013 at 03:36:37AM -0400, Matthew Garrett wrote:
> > > kexec permits the loading and execution of arbitrary code in ring 0, which
> > > is something that module signing enforcement is meant to prevent. It makes
> > > sense to disable kexec in this situation.
> > > 
> > 
> > But in the process we wipe out running kernel's context and boot into a new
> > kernel. So how different it is than root booting a new kernel through BIOS
> > which does not enforce module signing.
> 
> What wipes the current kernel's context? KEXEC_JUMP is explicitly
> designed to allow you to hop back and forth, but even without it you
> should be able to reconstruct the original context. And there's no need
> to boot a new kernel, either. All the attacker needs is the physical
> address of the sig_enforce boolean, and then they launch a simple kexec
> payload that simply flips that back and returns to the original kernel -
> it's not like kexec limits you to booting Linux.
> 
> > Also it would be nice if we introduce new features, then we make other
> > features work with those new features instead of disabling existing
> > features and leave it to other people to make them work.
> 
> Sure, it'd be nice if security features got introduced with
> consideration to other kernel features that allow them to be
> circumvented, but this approach seems better than making them
> incompatible at the Kconfig level.

So how would one go about making kexec work when module signature
enforcement is on?

I guess same solution which is required to make it work with secureboot.
Sign /sbin/kexec and let /sbin/kexec very signature of kernel. IOW, any
code which runs at priviliged level should be signature verified with
keys in system_keyring.

Thanks
Vivek
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ