| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <d95f7c6865bcad5ee37dcbec240e79aa742f5e1d.1641822505.git.msuchanek@suse.de>
Date: Mon, 10 Jan 2022 14:49:54 +0100
From: Michal Suchanek <msuchanek@...e.de>
To: keyrings@...r.kernel.org, linux-crypto@...r.kernel.org,
linux-integrity@...r.kernel.org
Cc: Michal Suchanek <msuchanek@...e.de>, kexec@...ts.infradead.org,
Philipp Rudo <prudo@...hat.com>,
Mimi Zohar <zohar@...ux.ibm.com>,
Nayna <nayna@...ux.vnet.ibm.com>, Rob Herring <robh@...nel.org>,
linux-s390@...r.kernel.org, Vasily Gorbik <gor@...ux.ibm.com>,
Lakshmi Ramasubramanian <nramas@...ux.microsoft.com>,
Heiko Carstens <hca@...ux.ibm.com>,
Jessica Yu <jeyu@...nel.org>, linux-kernel@...r.kernel.org,
David Howells <dhowells@...hat.com>,
Christian Borntraeger <borntraeger@...ibm.com>,
Luis Chamberlain <mcgrof@...nel.org>,
Paul Mackerras <paulus@...ba.org>,
Hari Bathini <hbathini@...ux.ibm.com>,
Alexander Gordeev <agordeev@...ux.ibm.com>,
linuxppc-dev@...ts.ozlabs.org,
Frank van der Linden <fllinden@...zon.com>,
Thiago Jung Bauermann <bauerman@...ux.ibm.com>,
Daniel Axtens <dja@...ens.net>, buendgen@...ibm.com,
Michael Ellerman <mpe@...erman.id.au>,
Benjamin Herrenschmidt <benh@...nel.crashing.org>,
Christian Borntraeger <borntraeger@...ux.ibm.com>,
Herbert Xu <herbert@...dor.apana.org.au>,
"David S. Miller" <davem@...emloft.net>,
Dmitry Kasatkin <dmitry.kasatkin@...il.com>,
James Morris <jmorris@...ei.org>,
"Serge E. Hallyn" <serge@...lyn.com>,
Sven Schnelle <svens@...ux.ibm.com>,
Baoquan He <bhe@...hat.com>,
linux-security-module@...r.kernel.org
Subject: [PATCH v4 2/6] powerpc/kexec_file: Add KEXEC_SIG support.
Copy the code from s390x
Both powerpc and s390x use appended signature format (as opposed to EFI
based patforms using PE format).
Signed-off-by: Michal Suchanek <msuchanek@...e.de>
---
v3: - Philipp Rudo <prudo@...hat.com>: Update the comit message with
explanation why the s390 code is usable on powerpc.
- Include correct header for mod_check_sig
- Nayna <nayna@...ux.vnet.ibm.com>: Mention additional IMA features
in kconfig text
---
arch/powerpc/Kconfig | 16 ++++++++++++++++
arch/powerpc/kexec/elf_64.c | 36 ++++++++++++++++++++++++++++++++++++
2 files changed, 52 insertions(+)
diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig
index dea74d7717c0..1cde9b6c5987 100644
--- a/arch/powerpc/Kconfig
+++ b/arch/powerpc/Kconfig
@@ -560,6 +560,22 @@ config KEXEC_FILE
config ARCH_HAS_KEXEC_PURGATORY
def_bool KEXEC_FILE
+config KEXEC_SIG
+ bool "Verify kernel signature during kexec_file_load() syscall"
+ depends on KEXEC_FILE && MODULE_SIG_FORMAT
+ help
+ This option makes kernel signature verification mandatory for
+ the kexec_file_load() syscall.
+
+ In addition to that option, you need to enable signature
+ verification for the corresponding kernel image type being
+ loaded in order for this to work.
+
+ Note: on powerpc IMA_ARCH_POLICY also implements kexec'ed kernel
+ verification. In addition IMA adds kernel hashes to the measurement
+ list, extends IMA PCR in the TPM, and implements kernel image
+ blacklist by hash.
+
config RELOCATABLE
bool "Build a relocatable kernel"
depends on PPC64 || (FLATMEM && (44x || FSL_BOOKE))
diff --git a/arch/powerpc/kexec/elf_64.c b/arch/powerpc/kexec/elf_64.c
index eeb258002d1e..98d1cb5135b4 100644
--- a/arch/powerpc/kexec/elf_64.c
+++ b/arch/powerpc/kexec/elf_64.c
@@ -23,6 +23,7 @@
#include <linux/of_fdt.h>
#include <linux/slab.h>
#include <linux/types.h>
+#include <linux/module_signature.h>
static void *elf64_load(struct kimage *image, char *kernel_buf,
unsigned long kernel_len, char *initrd,
@@ -151,7 +152,42 @@ static void *elf64_load(struct kimage *image, char *kernel_buf,
return ret ? ERR_PTR(ret) : NULL;
}
+#ifdef CONFIG_KEXEC_SIG
+int elf64_verify_sig(const char *kernel, unsigned long kernel_len)
+{
+ const unsigned long marker_len = sizeof(MODULE_SIG_STRING) - 1;
+ struct module_signature *ms;
+ unsigned long sig_len;
+ int ret;
+
+ if (marker_len > kernel_len)
+ return -EKEYREJECTED;
+
+ if (memcmp(kernel + kernel_len - marker_len, MODULE_SIG_STRING,
+ marker_len))
+ return -EKEYREJECTED;
+ kernel_len -= marker_len;
+
+ ms = (void *)kernel + kernel_len - sizeof(*ms);
+ ret = mod_check_sig(ms, kernel_len, "kexec");
+ if (ret)
+ return ret;
+
+ sig_len = be32_to_cpu(ms->sig_len);
+ kernel_len -= sizeof(*ms) + sig_len;
+
+ return verify_pkcs7_signature(kernel, kernel_len,
+ kernel + kernel_len, sig_len,
+ VERIFY_USE_PLATFORM_KEYRING,
+ VERIFYING_MODULE_SIGNATURE,
+ NULL, NULL);
+}
+#endif /* CONFIG_KEXEC_SIG */
+
const struct kexec_file_ops kexec_elf64_ops = {
.probe = kexec_elf_probe,
.load = elf64_load,
+#ifdef CONFIG_KEXEC_SIG
+ .verify_sig = elf64_verify_sig,
+#endif
};
--
2.31.1
Powered by blists - more mailing lists