+ kexec-do-not-verify-the-signature-without-the-lockdown-or-mandatory-signature.patch added to -mm tree

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



The patch titled
     Subject: kexec: do not verify the signature without the lockdown or mandatory signature
has been added to the -mm tree.  Its filename is
     kexec-do-not-verify-the-signature-without-the-lockdown-or-mandatory-signature.patch

This patch should soon appear at
    http://ozlabs.org/~akpm/mmots/broken-out/kexec-do-not-verify-the-signature-without-the-lockdown-or-mandatory-signature.patch
and later at
    http://ozlabs.org/~akpm/mmotm/broken-out/kexec-do-not-verify-the-signature-without-the-lockdown-or-mandatory-signature.patch

Before you just go and hit "reply", please:
   a) Consider who else should be cc'ed
   b) Prefer to cc a suitable mailing list as well
   c) Ideally: find the original patch on the mailing list and do a
      reply-to-all to that, adding suitable additional cc's

*** Remember to use Documentation/process/submit-checklist.rst when testing your code ***

The -mm tree is included into linux-next and is updated
there every 3-4 working days

------------------------------------------------------
From: Lianbo Jiang <lijiang@xxxxxxxxxx>
Subject: kexec: do not verify the signature without the lockdown or mandatory signature

Signature verification is an important security feature, to protect system
from being attacked with a kernel of unknown origin.  Kexec rebooting is a
way to replace the running kernel, hence need be secured carefully.

In the current code of handling signature verification of kexec kernel,
the logic is very twisted.  It mixes signature verification, IMA signature
appraising and kexec lockdown.

If there is no KEXEC_SIG_FORCE, kexec kernel image doesn't have one of
signature, the supported crypto, and key, we don't think this is wrong,
Unless kexec lockdown is executed.  IMA is considered as another kind of
signature appraising method.

If kexec kernel image has signature/crypto/key, it has to go through the
signature verification and pass.  Otherwise it's seen as verification
failure, and won't be loaded.

Seems kexec kernel image with an unqualified signature is even worse than
those w/o signature at all, this sounds very unreasonable.  E.g.  If
people get a unsigned kernel to load, or a kernel signed with expired key,
which one is more dangerous?

So, here, let's simplify the logic to improve code readability.  If the
KEXEC_SIG_FORCE enabled or kexec lockdown enabled, signature verification
is mandated.  Otherwise, we lift the bar for any kernel image.

Link: http://lkml.kernel.org/r/20200602045952.27487-1-lijiang@xxxxxxxxxx
Signed-off-by: Lianbo Jiang <lijiang@xxxxxxxxxx>
Reviewed-by: Jiri Bohac <jbohac@xxxxxxx>
Acked-by: Dave Young <dyoung@xxxxxxxxxx>
Acked-by: Baoquan He <bhe@xxxxxxxxxx>
Cc: James Morris <jmorris@xxxxxxxxx>
Cc: Matthew Garrett <mjg59@xxxxxxxxxx>
Cc: "Eric W. Biederman" <ebiederm@xxxxxxxxxxxx>
Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
---

 kernel/kexec_file.c |   36 +++++++-----------------------------
 1 file changed, 7 insertions(+), 29 deletions(-)

--- a/kernel/kexec_file.c~kexec-do-not-verify-the-signature-without-the-lockdown-or-mandatory-signature
+++ a/kernel/kexec_file.c
@@ -181,34 +181,19 @@ void kimage_file_post_load_cleanup(struc
 static int
 kimage_validate_signature(struct kimage *image)
 {
-	const char *reason;
 	int ret;
 
 	ret = arch_kexec_kernel_verify_sig(image, image->kernel_buf,
 					   image->kernel_buf_len);
-	switch (ret) {
-	case 0:
-		break;
-
-		/* Certain verification errors are non-fatal if we're not
-		 * checking errors, provided we aren't mandating that there
-		 * must be a valid signature.
-		 */
-	case -ENODATA:
-		reason = "kexec of unsigned image";
-		goto decide;
-	case -ENOPKG:
-		reason = "kexec of image with unsupported crypto";
-		goto decide;
-	case -ENOKEY:
-		reason = "kexec of image with unavailable key";
-	decide:
+	if (ret) {
+
 		if (IS_ENABLED(CONFIG_KEXEC_SIG_FORCE)) {
-			pr_notice("%s rejected\n", reason);
+			pr_notice("Enforced kernel signature verification failed (%d).\n", ret);
 			return ret;
 		}
 
-		/* If IMA is guaranteed to appraise a signature on the kexec
+		/*
+		 * If IMA is guaranteed to appraise a signature on the kexec
 		 * image, permit it even if the kernel is otherwise locked
 		 * down.
 		 */
@@ -216,17 +201,10 @@ kimage_validate_signature(struct kimage
 		    security_locked_down(LOCKDOWN_KEXEC))
 			return -EPERM;
 
-		return 0;
-
-		/* All other errors are fatal, including nomem, unparseable
-		 * signatures and signature check failures - even if signatures
-		 * aren't required.
-		 */
-	default:
-		pr_notice("kernel signature verification failed (%d).\n", ret);
+		pr_debug("kernel signature verification failed (%d).\n", ret);
 	}
 
-	return ret;
+	return 0;
 }
 #endif
 
_

Patches currently in -mm which might be from lijiang@xxxxxxxxxx are

kexec-do-not-verify-the-signature-without-the-lockdown-or-mandatory-signature.patch




[Index of Archives]     [Kernel Archive]     [IETF Annouce]     [DCCP]     [Netdev]     [Networking]     [Security]     [Bugtraq]     [Yosemite]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Linux SCSI]

  Powered by Linux