On 06/13/18 at 09:38am, Justin Forbes wrote:
> On Tue, Jun 12, 2018 at 5:03 AM, Dave Young <dyoung@xxxxxxxxxx> wrote:
>
> > Fedora bug
> > https://bugzilla.redhat.com/show_bug.cgi?id=1470995
> >
> > With Fedora kernels on a Secure Boot enabled machine kexec_file_load
> > fails because the kernel cannot use any keys other than the kernel
> > builtin keyring. verify_pefile_signature() requires the caller to pass
> > 1UL as the keyring pointer to use another keyring.
> >
> > Posted a fix upstream, but no response for a long time. Thus going
> > with a Fedora fix, the same as what the module code does.
> >
> > Latest upstream effort:
> > https://www.spinics.net/lists/kernel/msg2825184.html
> >
> > Signed-off-by: Dave Young <dyoung@xxxxxxxxxx>
> >
>
> I would really like to hear David Howells' opinion on this before we
> consider carrying it. I have CCed him.

Justin, thanks for adding the CC; I'm also waiting for his review upstream,
but I forgot to add him for the Fedora patch.

Since our module code already takes this workaround, for kexec it is
pretty safe. I tested this patch with a scratch build, pesigned the
kernel with a temp key, and imported it in mokutil. The build works well
for me.

If the 1UL passing is wrong then we should drop the module patch as well
as this one and take some reasonable fix.

>
> Thanks,
> Justin
>
> > ---
> >  kernel.spec                                 |  3 ++
> >  kexec-bzimage-verify-pe-signature-fix.patch | 32 +++++++++++++++++++++
> >  2 files changed, 35 insertions(+)
> >  create mode 100644 kexec-bzimage-verify-pe-signature-fix.patch
> >
> > diff --git a/kernel.spec b/kernel.spec
> > index d5e16d7f..7a20da1e 100644
> > --- a/kernel.spec
> > +++ b/kernel.spec
> > @@ -608,6 +608,9 @@ Patch501: Fix-for-module-sig-verification.patch
> >  # rhbz 1431375
> >  Patch502: input-rmi4-remove-the-need-for-artifical-IRQ.patch
> >
> > +# rhbz 1470995
> > +Patch503: kexec-bzimage-verify-pe-signature-fix.patch
> > +
> >  # END OF PATCH DEFINITIONS
> >
> >  %endif
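Review bot: the new `Patch503:` entry in kernel.spec records only the bug number, yet the cover text ties this workaround directly to Patch501 (Fix-for-module-sig-verification.patch) and says both must be dropped together if the 1UL keyring convention turns out to be wrong; suggest the comment capture that coupling, e.g. `# rhbz 1470995 - same 1UL keyring workaround as Patch501, drop together`, so a later cleanup that removes one cannot silently leave the other in place.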
> > diff --git a/kexec-bzimage-verify-pe-signature-fix.patch b/kexec-bzimage-verify-pe-signature-fix.patch
> > new file mode 100644
> > index 00000000..866b74b9
> > --- /dev/null
> > +++ b/kexec-bzimage-verify-pe-signature-fix.patch
> > @@ -0,0 +1,32 @@
> > +From: Dave Young <dyoung@xxxxxxxxxx>
> > +
> > +Fix kexec_file_load pefile signature verification
> > +
> > +Similar with Fix-for-module-sig-verification.patch, kexec_file syscall also
> > +need pass 1UL to verify_pefile_signature so that secondary keys can be used.
> > +
> > +Fedora bug
> > +https://bugzilla.redhat.com/show_bug.cgi?id=1470995
> > +
> > +Latest upstream effort is below:
> > +https://www.spinics.net/lists/kernel/msg2825184.html
> > +
> > +Ideally this need an upstream fix, but since nobody response we can workaround
> > +it like the module code did.
> > +
> > +Signed-off-by: Dave Young <dyoung@xxxxxxxxxx>
> > +---
> > + arch/x86/kernel/kexec-bzimage64.c | 2 +-
> > + 1 file changed, 1 insertion(+), 1 deletion(-)
> > +
> > +--- linux-x86.orig/arch/x86/kernel/kexec-bzimage64.c
> > ++++ linux-x86/arch/x86/kernel/kexec-bzimage64.c
> > +@@ -533,7 +533,7 @@ static int bzImage64_cleanup(void *loade
> > + static int bzImage64_verify_sig(const char *kernel, unsigned long kernel_len)
> > + {
> > + 	return verify_pefile_signature(kernel, kernel_len,
> > +-				       NULL,
> > ++				       (void *)1UL,
> > + 				       VERIFYING_KEXEC_PE_SIGNATURE);
> > + }
> > + #endif
> > --
> > 2.17.0
> > _______________________________________________
> > kernel mailing list -- kernel@xxxxxxxxxxxxxxxxxxxxxxx
> > To unsubscribe send an email to kernel-leave@xxxxxxxxxxxxxxxxxxxxxxx
> > Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives: https://lists.fedoraproject.org/archives/list/kernel@lists.fedoraproject.org/message/RYRV32S4Z6F7WGR3BEIXVWOGX6XV3JSQ/
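Review bot: the embedded one-line change swaps `NULL` for the bare magic value `(void *)1UL` in the verify_pefile_signature() call with no comment at the call site, so a reader of kexec-bzimage64.c cannot tell that this selects the secondary trusted keyring rather than being a stray pointer; suggest a comment beside `++ (void *)1UL,` stating that 1UL means "also accept the secondary keyring" and that it mirrors Fix-for-module-sig-verification.patch, since the cover mail itself says the two must be dropped together if the 1UL convention is wrong. The patch description should also state the trust change explicitly: under Secure Boot, any key that can be enrolled into that secondary keyring (the test here enrolled a temp key via mokutil) becomes sufficient to authorize a kexec'd kernel image, which is the same exposure the module workaround already accepted and is worth recording for whoever re-evaluates both patches once the upstream fix lands.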
List Archives: https://lists.fedoraproject.org/archives/list/kernel@xxxxxxxxxxxxxxxxxxxxxxx/message/QC4XAVP7DIHQOM37F5WQPNBPI2SZR3UR/