lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Tue, 17 Jun 2014 09:24:26 -0400
From:	Vivek Goyal <vgoyal@...hat.com>
To:	Borislav Petkov <bp@...en8.de>
Cc:	linux-kernel@...r.kernel.org, kexec@...ts.infradead.org,
	ebiederm@...ssion.com, hpa@...or.com, mjg59@...f.ucam.org,
	greg@...ah.com, jkosina@...e.cz, dyoung@...hat.com,
	chaowang@...hat.com, bhe@...hat.com, akpm@...ux-foundation.org
Subject: Re: [RFC PATCH 00/13][V3] kexec: A new system call to allow in
 kernel loading

On Mon, Jun 16, 2014 at 11:13:28PM +0200, Borislav Petkov wrote:
> On Tue, Jun 03, 2014 at 09:06:49AM -0400, Vivek Goyal wrote:
> > This patch series does not do kernel signature verification yet. I
> > plan to post another patch series for that. Now bzImage is already
> > signed with PKCS7 signature I plan to parse and verify those
> > signatures.
> 
> Btw, do you have a brief outline on how you are going to do the
> extension to signature verification? Nothing formal, just enough of an
> outline that I can see where in the flow it will be plugged in.
> 
> I was wondering how the whole signature signing and verification will
> be done, i.e., where do I get the signature, how and who will verify it
> (I'm guessing the purgatory code), etc, etc.

Hi Boris,

I am still working on signing patches. I have uploaded them here for you
to have a look.

http://people.redhat.com/vgoyal/kdump-secureboot/in-kernel-kexec/bzimage-sig-verification/

Last patch should give you a good idea how signature verification hooks
into kexec.

Signature verification patches are based on David Howell's work.

There is no purgatory involved here. Once we have copied kernel image
into kernel space, first thing we do is call into arch image loader
and ask it to verify signature of image. And bzImage loader in turn
calls into helper functions which can parse a PE signed file and
verify image signature.

I have yet to cleanup the code, implement a config option which enforces
signature verification.

Automatic enforncement of signature verification if secureboot is
enabled will happen once matthew's secureboot patches are merged 
into mainline.

Thanks
Vivek
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ