| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <Z8hFeYKVraybzy10@MiWiFi-R3L-srv>
Date: Wed, 5 Mar 2025 20:37:13 +0800
From: Baoquan He <bhe@...hat.com>
To: steven chen <chenste@...ux.microsoft.com>
Cc: zohar@...ux.ibm.com, stefanb@...ux.ibm.com,
roberto.sassu@...weicloud.com, roberto.sassu@...wei.com,
eric.snowberg@...cle.com, ebiederm@...ssion.com,
paul@...l-moore.com, code@...icks.com, bauermann@...abnow.com,
linux-integrity@...r.kernel.org, kexec@...ts.infradead.org,
linux-security-module@...r.kernel.org, linux-kernel@...r.kernel.org,
madvenka@...ux.microsoft.com, nramas@...ux.microsoft.com,
James.Bottomley@...senpartnership.com, vgoyal@...hat.com,
dyoung@...hat.com
Subject: Re: [PATCH v9 3/7] ima: kexec: skip IMA segment validation after
kexec soft reboot
On 03/04/25 at 11:03am, steven chen wrote:
> The kexec_calculate_store_digests() function calculates and stores the
> digest of the segment during the kexec_file_load syscall, where the
> IMA segment is also allocated.
>
> With this series, the IMA segment will be updated with the measurement
> log at the kexec execute stage when a soft reboot is initiated.
> Therefore, the digests should be updated for the IMA segment in the
> normal case.
>
> The content of memory segments carried over to the new kernel during the
> kexec systemcall can be changed at kexec 'execute' stage, but the size
> and the location of the memory segments cannot be changed at kexec
> 'execute' stage.
>
> However, during the kexec execute stage, if kexec_calculate_store_digests()
> API is call to update the digest, it does not reuse the same memory segment
~ called
> allocated during the kexec 'load' stage and the new memory segment required
> cannot be transferred/mapped to the new kernel.
>
> As a result, digest verification will fail in verify_sha256_digest()
> after a kexec soft reboot into the new kernel. Therefore, the digest
> calculation/verification of the IMA segment needs to be skipped.
>
> To address this, skip the calculation and storage of the digest for the
> IMA segment in kexec_calculate_store_digests() so that it is not added
> to the purgatory_sha_regions.
>
> Since verify_sha256_digest() only verifies 'purgatory_sha_regions',
> no change is needed in verify_sha256_digest() in this context.
>
> With this change, the IMA segment is not included in the digest
> calculation, storage, and verification.
>
> Signed-off-by: Tushar Sugandhi <tusharsu@...ux.microsoft.com>
> Cc: Eric Biederman <ebiederm@...ssion.com>
> Cc: Baoquan He <bhe@...hat.com>
> Cc: Vivek Goyal <vgoyal@...hat.com>
> Cc: Dave Young <dyoung@...hat.com>
> Signed-off-by: steven chen <chenste@...ux.microsoft.com>
> Reviewed-by: Stefan Berger <stefanb@...ux.ibm.com>
> Reviewed-by: Mimi Zohar <zohar@...ux.ibm.com>
> ---
> include/linux/kexec.h | 3 +++
> kernel/kexec_file.c | 22 ++++++++++++++++++++++
> security/integrity/ima/ima_kexec.c | 3 +++
> 3 files changed, 28 insertions(+)
Other than the nit, LGTM.
>
> diff --git a/include/linux/kexec.h b/include/linux/kexec.h
> index 7d6b12f8b8d0..107e726f2ef3 100644
> --- a/include/linux/kexec.h
> +++ b/include/linux/kexec.h
> @@ -362,6 +362,9 @@ struct kimage {
>
> phys_addr_t ima_buffer_addr;
> size_t ima_buffer_size;
> +
> + unsigned long ima_segment_index;
> + bool is_ima_segment_index_set;
> #endif
>
> /* Core ELF header buffer */
> diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
> index 3eedb8c226ad..606132253c79 100644
> --- a/kernel/kexec_file.c
> +++ b/kernel/kexec_file.c
> @@ -38,6 +38,21 @@ void set_kexec_sig_enforced(void)
> }
> #endif
>
> +#ifdef CONFIG_IMA_KEXEC
> +static bool check_ima_segment_index(struct kimage *image, int i)
> +{
> + if (image->is_ima_segment_index_set && i == image->ima_segment_index)
> + return true;
> + else
> + return false;
> +}
> +#else
> +static bool check_ima_segment_index(struct kimage *image, int i)
> +{
> + return false;
> +}
> +#endif
> +
> static int kexec_calculate_store_digests(struct kimage *image);
>
> /* Maximum size in bytes for kernel/initrd files. */
> @@ -764,6 +779,13 @@ static int kexec_calculate_store_digests(struct kimage *image)
> if (ksegment->kbuf == pi->purgatory_buf)
> continue;
>
> + /*
> + * Skip the segment if ima_segment_index is set and matches
> + * the current index
> + */
> + if (check_ima_segment_index(image, i))
> + continue;
> +
> ret = crypto_shash_update(desc, ksegment->kbuf,
> ksegment->bufsz);
> if (ret)
> diff --git a/security/integrity/ima/ima_kexec.c b/security/integrity/ima/ima_kexec.c
> index 6195df128482..0465beca8867 100644
> --- a/security/integrity/ima/ima_kexec.c
> +++ b/security/integrity/ima/ima_kexec.c
> @@ -169,6 +169,7 @@ void ima_add_kexec_buffer(struct kimage *image)
> kbuf.buffer = kexec_buffer;
> kbuf.bufsz = kexec_buffer_size;
> kbuf.memsz = kexec_segment_size;
> + image->is_ima_segment_index_set = false;
> ret = kexec_add_buffer(&kbuf);
> if (ret) {
> pr_err("Error passing over kexec measurement buffer.\n");
> @@ -179,6 +180,8 @@ void ima_add_kexec_buffer(struct kimage *image)
> image->ima_buffer_addr = kbuf.mem;
> image->ima_buffer_size = kexec_segment_size;
> image->ima_buffer = kexec_buffer;
> + image->ima_segment_index = image->nr_segments - 1;
> + image->is_ima_segment_index_set = true;
>
> /*
> * kexec owns kexec_buffer after kexec_add_buffer() is called
> --
> 2.25.1
>
Powered by blists - more mailing lists