Date:   Tue, 22 Nov 2022 16:15:04 +0100
From:   Vasily Gorbik <gor@...ux.ibm.com>
To:     Coiby Xu <coxu@...hat.com>
Cc:     kexec@...ts.infradead.org, Matthew Garrett <mjg59@...f.ucam.org>,
        Jiri Bohac <jbohac@...e.cz>,
        David Howells <dhowells@...hat.com>,
        Philipp Rudo <prudo@...hat.com>, linux-s390@...r.kernel.org,
        Heiko Carstens <hca@...ux.ibm.com>,
        Alexander Gordeev <agordeev@...ux.ibm.com>,
        Christian Borntraeger <borntraeger@...ux.ibm.com>,
        Sven Schnelle <svens@...ux.ibm.com>,
        James Morris <jmorris@...ei.org>,
        Matthew Garrett <mjg59@...gle.com>,
        open list <linux-kernel@...r.kernel.org>,
        Peter Oberparleiter <oberpar@...ux.ibm.com>
Subject: Re: [PATCH] lockdown: s390: kexec_file: don't skip signature
 verification when not secure IPLed

On Mon, Nov 21, 2022 at 03:27:15PM +0800, Coiby Xu wrote:
> --- a/arch/s390/kernel/machine_kexec_file.c
> +++ b/arch/s390/kernel/machine_kexec_file.c
> @@ -33,10 +33,6 @@ int s390_verify_sig(const char *kernel, unsigned long kernel_len)
>  	unsigned long sig_len;
>  	int ret;
>  
> -	/* Skip signature verification when not secure IPLed. */
> -	if (!ipl_secure_flag)
> -		return 0;
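Review bot: removing the `if (!ipl_secure_flag) return 0;` early return with no replacement means s390_verify_sig() now performs the signature check on a non-secure-IPLed system as well, and the hunk does not address where the verification keys are expected to come from in that case: the secure IPL keys only reach the platform keyring when the firmware supports secure IPL and provides them, so on older firmware the check runs against a platform keyring with no secure IPL keys and a correctly signed kernel is rejected unless its signing key is also present in the built-in or secondary keyring. The commit message should state that dependency explicitly (including what distributions are expected to ship in the built-in or secondary keyring) so the behaviour change on machines without secure IPL support is a documented decision rather than a side effect.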

Looking at s390_verify_sig(), especially before commit 0828c4a39be5
("kexec, KEYS, s390: Make use of built-in and secondary keyring for
signature verification"), I think this condition actually expresses
2 things:
1. the firmware is secure IPL capable and secure IPL keys are
   provided and present in platform keyring.
2. secure IPL is enabled.

Wouldn't this change have implications for machines with older firmware
which doesn't support secure IPL? In this case the platform keyring won't
have any secure IPL keys (since the firmware doesn't provide them),
and any properly signed kernels will be rejected for kexec in this
function. Unless secure IPL keys are also present in the built-in or secondary
keyring (which is possible after commit 0828c4a39be5) - is that what
distributions normally do?
