lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-Id: <20181105175549.10506-1-cascardo@canonical.com>
Date:   Mon,  5 Nov 2018 15:55:49 -0200
From:   Thadeu Lima de Souza Cascardo <cascardo@...onical.com>
To:     David Howells <dhowells@...hat.com>
Cc:     linux-kernel@...r.kernel.org, kexec@...ts.infradead.org,
        Thadeu Lima de Souza Cascardo <cascardo@...onical.com>
Subject: [PATCH v2] lockdown: allow kexec_file of unsigned images when not under lockdown

If CONFIG_KEXEC_VERIFY_SIG is enabled, kexec -s with an unsigned image will
fail requiring an image signed with a trusted key. However, that same
kernel will allow kexec to load and boot a kernel, if kexec_file_load is
not used.

Now, lockdown brings a solution to this inconsistency. However, as it is,
it will still prevent an unsigned image to be loaded with kexec -s when the
system is not under lockdown, while still allowing kexec to work.

At the same time, with lockdown, kexec_file_load would still work when
CONFIG_KEXEC_VERIFY_SIG is disabled.

Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@...onical.com>
---

v2:
fixed build failure, s/#elif/#else/

---
 kernel/kexec_file.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
index e5bcd94c1efb..b1f0373014c1 100644
--- a/kernel/kexec_file.c
+++ b/kernel/kexec_file.c
@@ -140,10 +140,17 @@ kimage_file_prepare_segments(struct kimage *image, int kernel_fd, int initrd_fd,
 					   image->kernel_buf_len);
 	if (ret) {
 		pr_debug("kernel signature verification failed.\n");
-		goto out;
+	} else {
+		pr_debug("kernel signature verification successful.\n");
 	}
-	pr_debug("kernel signature verification successful.\n");
+#else
+	ret = -EPERM;
 #endif
+	if (ret && kernel_is_locked_down("kexec of unsigned images"))
+		goto out;
+	else
+		ret = 0;
+
 	/* It is possible that there no initramfs is being loaded */
 	if (!(flags & KEXEC_FILE_NO_INITRAMFS)) {
 		ret = kernel_read_file_from_fd(initrd_fd, &image->initrd_buf,
-- 
2.19.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ