| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 22 Aug 2013 19:01:54 +0800
From: "Lee, Chun-Yi" <joeyli.kernel@...il.com>
To: linux-kernel@...r.kernel.org
Cc: linux-security-module@...r.kernel.org, linux-efi@...r.kernel.org,
linux-pm@...r.kernel.org, linux-crypto@...r.kernel.org,
opensuse-kernel@...nsuse.org, David Howells <dhowells@...hat.com>,
"Rafael J. Wysocki" <rjw@...k.pl>,
Matthew Garrett <mjg59@...f.ucam.org>,
Len Brown <len.brown@...el.com>, Pavel Machek <pavel@....cz>,
Josh Boyer <jwboyer@...hat.com>,
Vojtech Pavlik <vojtech@...e.cz>,
Matt Fleming <matt.fleming@...el.com>,
James Bottomley <james.bottomley@...senpartnership.com>,
Greg KH <gregkh@...uxfoundation.org>, JKosina@...e.com,
Rusty Russell <rusty@...tcorp.com.au>,
Herbert Xu <herbert@...dor.apana.org.au>,
"David S. Miller" <davem@...emloft.net>,
"H. Peter Anvin" <hpa@...or.com>, Michal Marek <mmarek@...e.cz>,
Gary Lin <GLin@...e.com>, Vivek Goyal <vgoyal@...hat.com>,
"Lee, Chun-Yi" <jlee@...e.com>
Subject: [PATCH 15/18] Hibernate: adapt to UEFI secure boot with signature check
In current solution, the snapshot signature check used the RSA key-pair
that are generated by bootloader(e.g. shim) and pass the key-pair to
kernel through EFI variables. I choice to binding the snapshot
signature check mechanism with UEFI secure boot for provide stronger
protection of hibernate. Current behavior is following:
+ UEFI Secure Boot ON, Kernel found key-pair from shim:
Will do the S4 signature check.
+ UEFI Secure Boot ON, Kernel didn't find key-pair from shim:
Will lock down S4 function.
+ UEFI Secure Boot OFF
Will NOT do the S4 signature check.
Ignore any keys from bootloader.
v2:
Replace sign_key_data_loaded() by skey_data_available() to check sign key data
is available for hibernate.
Reviewed-by: Jiri Kosina <jkosina@...e.cz>
Signed-off-by: Lee, Chun-Yi <jlee@...e.com>
---
kernel/power/hibernate.c | 36 +++++++++++++++++-
kernel/power/main.c | 11 +++++-
kernel/power/snapshot.c | 95 ++++++++++++++++++++++++++--------------------
kernel/power/swap.c | 4 +-
kernel/power/user.c | 11 +++++
5 files changed, 112 insertions(+), 45 deletions(-)
diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c
index c545b15..0f19f3d 100644
--- a/kernel/power/hibernate.c
+++ b/kernel/power/hibernate.c
@@ -29,6 +29,7 @@
#include <linux/ctype.h>
#include <linux/genhd.h>
#include <linux/key.h>
+#include <linux/efi.h>
#include "power.h"
@@ -632,7 +633,14 @@ static void power_down(void)
int hibernate(void)
{
int error;
- int skey_error;
+
+#ifdef CONFIG_SNAPSHOT_VERIFICATION
+ if (!capable(CAP_COMPROMISE_KERNEL) && !skey_data_available()) {
+#else
+ if (!capable(CAP_COMPROMISE_KERNEL)) {
+#endif
+ return -EPERM;
+ }
lock_system_sleep();
/* The snapshot device should not be opened while we're running */
@@ -799,6 +807,15 @@ static int software_resume(void)
if (error)
goto Unlock;
+#ifdef CONFIG_SNAPSHOT_VERIFICATION
+ if (!capable(CAP_COMPROMISE_KERNEL) && !wkey_data_available()) {
+#else
+ if (!capable(CAP_COMPROMISE_KERNEL)) {
+#endif
+ mutex_unlock(&pm_mutex);
+ return -EPERM;
+ }
+
/* The snapshot device should not be opened while we're running */
if (!atomic_add_unless(&snapshot_device_available, -1, 0)) {
error = -EBUSY;
@@ -892,6 +909,15 @@ static ssize_t disk_show(struct kobject *kobj, struct kobj_attribute *attr,
int i;
char *start = buf;
+#ifdef CONFIG_SNAPSHOT_VERIFICATION
+ if (efi_enabled(EFI_SECURE_BOOT) && !skey_data_available()) {
+#else
+ if (efi_enabled(EFI_SECURE_BOOT)) {
+#endif
+ buf += sprintf(buf, "[%s]\n", "disabled");
+ return buf-start;
+ }
+
for (i = HIBERNATION_FIRST; i <= HIBERNATION_MAX; i++) {
if (!hibernation_modes[i])
continue;
@@ -926,6 +952,14 @@ static ssize_t disk_store(struct kobject *kobj, struct kobj_attribute *attr,
char *p;
int mode = HIBERNATION_INVALID;
+#ifdef CONFIG_SNAPSHOT_VERIFICATION
+ if (!capable(CAP_COMPROMISE_KERNEL) && !skey_data_available()) {
+#else
+ if (!capable(CAP_COMPROMISE_KERNEL)) {
+#endif
+ return -EPERM;
+ }
+
p = memchr(buf, '\n', n);
len = p ? p - buf : n;
diff --git a/kernel/power/main.c b/kernel/power/main.c
index 1d1bf63..47bf300 100644
--- a/kernel/power/main.c
+++ b/kernel/power/main.c
@@ -15,6 +15,7 @@
#include <linux/workqueue.h>
#include <linux/debugfs.h>
#include <linux/seq_file.h>
+#include <linux/efi.h>
#include "power.h"
@@ -301,7 +302,15 @@ static ssize_t state_show(struct kobject *kobj, struct kobj_attribute *attr,
}
#endif
#ifdef CONFIG_HIBERNATION
- s += sprintf(s, "%s\n", "disk");
+ if (!efi_enabled(EFI_SECURE_BOOT)) {
+ s += sprintf(s, "%s\n", "disk");
+#ifdef CONFIG_SNAPSHOT_VERIFICATION
+ } else if (skey_data_available()) {
+ s += sprintf(s, "%s\n", "disk");
+#endif
+ } else {
+ s += sprintf(s, "\n");
+ }
#else
if (s != buf)
/* convert the last space to a newline */
diff --git a/kernel/power/snapshot.c b/kernel/power/snapshot.c
index cf3d69c..36c7157 100644
--- a/kernel/power/snapshot.c
+++ b/kernel/power/snapshot.c
@@ -860,7 +860,8 @@ static struct page *saveable_highmem_page(struct zone *zone, unsigned long pfn)
BUG_ON(!PageHighMem(page));
- if (swsusp_page_is_sign_key(page))
+ if (!capable(CAP_COMPROMISE_KERNEL) &&
+ swsusp_page_is_sign_key(page))
return NULL;
if (swsusp_page_is_forbidden(page) || swsusp_page_is_free(page) ||
@@ -925,7 +926,8 @@ static struct page *saveable_page(struct zone *zone, unsigned long pfn)
BUG_ON(PageHighMem(page));
- if (swsusp_page_is_sign_key(page))
+ if (!capable(CAP_COMPROMISE_KERNEL) &&
+ swsusp_page_is_sign_key(page))
return NULL;
if (swsusp_page_is_forbidden(page) || swsusp_page_is_free(page))
@@ -1056,35 +1058,37 @@ copy_data_pages(struct memory_bitmap *copy_bm, struct memory_bitmap *orig_bm)
#ifdef CONFIG_SNAPSHOT_VERIFICATION
struct page *d_page;
void *hash_buffer = NULL;
- struct crypto_shash *tfm;
- struct shash_desc *desc;
- u8 *digest;
+ struct crypto_shash *tfm = NULL;
+ struct shash_desc *desc = NULL;
+ u8 *digest = NULL;
size_t digest_size, desc_size;
struct key *s4_sign_key;
struct public_key_signature *pks;
int ret;
ret = -ENOMEM;
- tfm = crypto_alloc_shash(SNAPSHOT_HASH, 0, 0);
- if (IS_ERR(tfm)) {
- pr_err("IS_ERR(tfm): %ld", PTR_ERR(tfm));
- return PTR_ERR(tfm);
- }
+ if (!capable(CAP_COMPROMISE_KERNEL)) {
+ tfm = crypto_alloc_shash(SNAPSHOT_HASH, 0, 0);
+ if (IS_ERR(tfm)) {
+ pr_err("IS_ERR(tfm): %ld", PTR_ERR(tfm));
+ return PTR_ERR(tfm);
+ }
- desc_size = crypto_shash_descsize(tfm) + sizeof(*desc);
- digest_size = crypto_shash_digestsize(tfm);
- digest = kzalloc(digest_size + desc_size, GFP_KERNEL);
- if (!digest) {
- pr_err("digest allocate fail");
- ret = -ENOMEM;
- goto error_digest;
+ desc_size = crypto_shash_descsize(tfm) + sizeof(*desc);
+ digest_size = crypto_shash_digestsize(tfm);
+ digest = kzalloc(digest_size + desc_size, GFP_KERNEL);
+ if (!digest) {
+ pr_err("digest allocate fail");
+ ret = -ENOMEM;
+ goto error_digest;
+ }
+ desc = (void *) digest + digest_size;
+ desc->tfm = tfm;
+ desc->flags = CRYPTO_TFM_REQ_MAY_SLEEP;
+ ret = crypto_shash_init(desc);
+ if (ret < 0)
+ goto error_shash;
}
- desc = (void *) digest + digest_size;
- desc->tfm = tfm;
- desc->flags = CRYPTO_TFM_REQ_MAY_SLEEP;
- ret = crypto_shash_init(desc);
- if (ret < 0)
- goto error_shash;
#endif /* CONFIG_SNAPSHOT_VERIFICATION */
for_each_populated_zone(zone) {
@@ -1106,24 +1110,29 @@ copy_data_pages(struct memory_bitmap *copy_bm, struct memory_bitmap *orig_bm)
copy_data_page(dst_pfn, pfn);
#ifdef CONFIG_SNAPSHOT_VERIFICATION
- /* Generate digest */
- d_page = pfn_to_page(dst_pfn);
- if (PageHighMem(d_page)) {
- void *kaddr;
- kaddr = kmap_atomic(d_page);
- copy_page(buffer, kaddr);
- kunmap_atomic(kaddr);
- hash_buffer = buffer;
- } else {
- hash_buffer = page_address(d_page);
+ if (!capable(CAP_COMPROMISE_KERNEL)) {
+ /* Generate digest */
+ d_page = pfn_to_page(dst_pfn);
+ if (PageHighMem(d_page)) {
+ void *kaddr;
+ kaddr = kmap_atomic(d_page);
+ copy_page(buffer, kaddr);
+ kunmap_atomic(kaddr);
+ hash_buffer = buffer;
+ } else {
+ hash_buffer = page_address(d_page);
+ }
+ ret = crypto_shash_update(desc, hash_buffer, PAGE_SIZE);
+ if (ret)
+ goto error_shash;
}
- ret = crypto_shash_update(desc, hash_buffer, PAGE_SIZE);
- if (ret)
- goto error_shash;
#endif
}
#ifdef CONFIG_SNAPSHOT_VERIFICATION
+ if (capable(CAP_COMPROMISE_KERNEL))
+ goto skip_sign;
+
crypto_shash_final(desc, digest);
if (ret)
goto error_shash;
@@ -1153,6 +1162,8 @@ copy_data_pages(struct memory_bitmap *copy_bm, struct memory_bitmap *orig_bm)
kfree(pks);
kfree(digest);
crypto_free_shash(tfm);
+
+skip_sign:
#endif /* CONFIG_SNAPSHOT_VERIFICATION */
return 0;
@@ -2382,9 +2393,11 @@ int snapshot_write_next(struct snapshot_handle *handle)
/* Allocate void * array to keep buffer point for generate hash,
* h_buf will freed in snapshot_image_verify().
*/
- h_buf = kmalloc(sizeof(void *) * nr_copy_pages, GFP_KERNEL);
- if (!h_buf)
- pr_err("Allocate hash buffer fail!");
+ if (!capable(CAP_COMPROMISE_KERNEL)) {
+ h_buf = kmalloc(sizeof(void *) * nr_copy_pages, GFP_KERNEL);
+ if (!h_buf)
+ pr_err("Allocate hash buffer fail!");
+ }
#endif
error = memory_bm_create(©_bm, GFP_ATOMIC, PG_ANY);
@@ -2414,7 +2427,7 @@ int snapshot_write_next(struct snapshot_handle *handle)
if (IS_ERR(handle->buffer))
return PTR_ERR(handle->buffer);
#ifdef CONFIG_SNAPSHOT_VERIFICATION
- if (h_buf)
+ if (!capable(CAP_COMPROMISE_KERNEL) && h_buf)
*h_buf = handle->buffer;
#endif
}
@@ -2428,7 +2441,7 @@ int snapshot_write_next(struct snapshot_handle *handle)
if (handle->buffer != buffer)
handle->sync_read = 0;
#ifdef CONFIG_SNAPSHOT_VERIFICATION
- if (h_buf)
+ if (!capable(CAP_COMPROMISE_KERNEL) && h_buf)
*(h_buf + (handle->cur - nr_meta_pages - 1)) = handle->buffer;
/* Keep the buffer of sign key in snapshot */
if (pfn == skey_data_buf_pfn)
diff --git a/kernel/power/swap.c b/kernel/power/swap.c
index b5f8ce1..40225d7 100644
--- a/kernel/power/swap.c
+++ b/kernel/power/swap.c
@@ -1005,7 +1005,7 @@ static int load_image(struct swap_map_handle *handle,
if (!snapshot_image_loaded(snapshot))
ret = -ENODATA;
#ifdef CONFIG_SNAPSHOT_VERIFICATION
- else {
+ else if (!capable(CAP_COMPROMISE_KERNEL)) {
ret = snapshot_image_verify();
if (ret)
pr_info("PM: snapshot signature check FAIL: %d\n", ret);
@@ -1370,7 +1370,7 @@ out_finish:
}
}
#ifdef CONFIG_SNAPSHOT_VERIFICATION
- if (!ret) {
+ if (!ret && !capable(CAP_COMPROMISE_KERNEL)) {
ret = snapshot_image_verify();
if (ret)
pr_info("PM: snapshot signature check FAIL: %d\n", ret);
diff --git a/kernel/power/user.c b/kernel/power/user.c
index 27b21ee..690f148 100644
--- a/kernel/power/user.c
+++ b/kernel/power/user.c
@@ -48,6 +48,14 @@ static int snapshot_open(struct inode *inode, struct file *filp)
struct snapshot_data *data;
int error;
+#ifdef CONFIG_SNAPSHOT_VERIFICATION
+ if (!capable(CAP_COMPROMISE_KERNEL) && !wkey_data_available()) {
+#else
+ if (!capable(CAP_COMPROMISE_KERNEL)) {
+#endif
+ return -EPERM;
+ }
+
lock_system_sleep();
if (!atomic_add_unless(&snapshot_device_available, -1, 0)) {
@@ -255,6 +263,8 @@ static long snapshot_ioctl(struct file *filp, unsigned int cmd,
break;
}
#ifdef CONFIG_SNAPSHOT_VERIFICATION
+ if (capable(CAP_COMPROMISE_KERNEL))
+ goto skip_verify;
if (!snapshot_image_verify()) {
pr_info("PM: snapshot signature check SUCCESS!\n");
snapshot_fill_s4_skey();
@@ -263,6 +273,7 @@ static long snapshot_ioctl(struct file *filp, unsigned int cmd,
error = -EPERM;
break;
}
+skip_verify:
#endif
error = hibernation_restore(data->platform_support);
break;
--
1.6.4.2
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists