| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 18 Jun 2015 09:41:35 -0500 From: ebiederm@...ssion.com (Eric W. Biederman) To: Vivek Goyal <vgoyal@...hat.com> Cc: Dave Young <dyoung@...hat.com>, Josh Boyer <jwboyer@...oraproject.org>, "Theodore Ts'o" <tytso@....edu>, Petr Tesarik <ptesarik@...e.cz>, kexec <kexec@...ts.infradead.org>, "Linux-Kernel\@Vger. Kernel. Org" <linux-kernel@...r.kernel.org>, David Howells <dhowells@...hat.com> Subject: Re: kexec_load(2) bypasses signature verification Vivek Goyal <vgoyal@...hat.com> writes: > On Thu, Jun 18, 2015 at 10:02:09AM +0800, Dave Young wrote: > > [..] >> > Or simply add a new config option KEXEC_VERIFY_SIG_FORCE, so we can return >> > error in kexec_load and print some error message. >> >> Just like below, does this work for you, Ted? >> >> --- >> arch/x86/Kconfig | 7 +++++++ >> kernel/kexec.c | 9 ++++++++- >> 2 files changed, 15 insertions(+), 1 deletion(-) >> >> --- linux.orig/arch/x86/Kconfig >> +++ linux/arch/x86/Kconfig >> @@ -1755,6 +1755,13 @@ config KEXEC_VERIFY_SIG >> verification for the corresponding kernel image type being >> loaded in order for this to work. >> >> +config KEXEC_VERIFY_SIG_FORCE >> + bool "Enforce kexec signature verifying" >> + depends on KEXEC_VERIFY_SIG >> + ---help--- >> + This option disable kexec_load() syscall, only kexec_file_load >> + can be used. >> + > > > Hi Dave, > > I think we might not need a new config option. A new config option makes > it little confusing. KEXEC_VERIFY_SIG already implies KEXEC_VERIFY_SIG_FORCE > (for new syscall). Now extending it to also mean that it should disable old > syscall is confusing. Agreed. > We already have a sysctl knob to disable kexec kernel loading. But that > knob disables it on both the syscalls. > > May be we can just introduce another command line option say > "kexec_verify_sig_force" and this will work across both the syscalls and > will deny loading a unsigned kernel in following two cases. > > - Using old syscall > - Using new syscall if kernel was compiled with KEXEC_VERIFY_SIG=n. > > This should be simple and get us going in short term. > > If we want to disable unsigned kernel loading at compile time, then we > really need to work on decoupling CONFIG_KEXEC and CONFIG_FILE_KEXEC. > Introducing another config option is not the way forward, IMHO. Agreed. I think disabling kexec_load at compile time can be easily justified. Anything at runtime is additional complexity, additional bugs, additional documentation and additional maintenance and needs to justify itself. I currently do not see the case for a magic one time runtime disable of the kexec_load system call. Maybe there is some valid distro case for wanting one kernel to do everything and serve every possible need, but I have not seen that case presented yet. Eric -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists