[PATCH v5 2/6] powerpc/kexec_file: Add KEXEC_SIG support.
Paul Menzel
pmenzel at molgen.mpg.de
Wed Feb 9 06:44:15 UTC 2022
Dear Michal,
Thank you for the patch.
Am 11.01.22 um 12:37 schrieb Michal Suchanek:
Could you please remove the dot/period at the end of the git commit
message summary?
> Copy the code from s390x
>
> Both powerpc and s390x use appended signature format (as opposed to EFI
> based patforms using PE format).
patforms → platforms
How can this be tested?
> Signed-off-by: Michal Suchanek <msuchanek at suse.de>
> ---
> v3: - Philipp Rudo <prudo at redhat.com>: Update the comit message with
> explanation why the s390 code is usable on powerpc.
> - Include correct header for mod_check_sig
> - Nayna <nayna at linux.vnet.ibm.com>: Mention additional IMA features
> in kconfig text
> ---
> arch/powerpc/Kconfig | 16 ++++++++++++++++
> arch/powerpc/kexec/elf_64.c | 36 ++++++++++++++++++++++++++++++++++++
> 2 files changed, 52 insertions(+)
>
> diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig
> index dea74d7717c0..1cde9b6c5987 100644
> --- a/arch/powerpc/Kconfig
> +++ b/arch/powerpc/Kconfig
> @@ -560,6 +560,22 @@ config KEXEC_FILE
> config ARCH_HAS_KEXEC_PURGATORY
> def_bool KEXEC_FILE
>
> +config KEXEC_SIG
> + bool "Verify kernel signature during kexec_file_load() syscall"
> + depends on KEXEC_FILE && MODULE_SIG_FORMAT
> + help
> + This option makes kernel signature verification mandatory for
> + the kexec_file_load() syscall.
> +
> + In addition to that option, you need to enable signature
> + verification for the corresponding kernel image type being
> + loaded in order for this to work.
> +
> + Note: on powerpc IMA_ARCH_POLICY also implements kexec'ed kernel
> + verification. In addition IMA adds kernel hashes to the measurement
> + list, extends IMA PCR in the TPM, and implements kernel image
> + blacklist by hash.
So, what is the takeaway for the user? IMA_ARCH_POLICY is preferred?
What is the disadvantage, and two implementations(?) needed then? More
overhead?
> +
> config RELOCATABLE
> bool "Build a relocatable kernel"
> depends on PPC64 || (FLATMEM && (44x || FSL_BOOKE))
> diff --git a/arch/powerpc/kexec/elf_64.c b/arch/powerpc/kexec/elf_64.c
> index eeb258002d1e..98d1cb5135b4 100644
> --- a/arch/powerpc/kexec/elf_64.c
> +++ b/arch/powerpc/kexec/elf_64.c
> @@ -23,6 +23,7 @@
> #include <linux/of_fdt.h>
> #include <linux/slab.h>
> #include <linux/types.h>
> +#include <linux/module_signature.h>
>
> static void *elf64_load(struct kimage *image, char *kernel_buf,
> unsigned long kernel_len, char *initrd,
> @@ -151,7 +152,42 @@ static void *elf64_load(struct kimage *image, char *kernel_buf,
> return ret ? ERR_PTR(ret) : NULL;
> }
>
> +#ifdef CONFIG_KEXEC_SIG
> +int elf64_verify_sig(const char *kernel, unsigned long kernel_len)
> +{
> + const unsigned long marker_len = sizeof(MODULE_SIG_STRING) - 1;
> + struct module_signature *ms;
> + unsigned long sig_len;
Use size_t to match the signature of `verify_pkcs7_signature()`?
> + int ret;
> +
> + if (marker_len > kernel_len)
> + return -EKEYREJECTED;
> +
> + if (memcmp(kernel + kernel_len - marker_len, MODULE_SIG_STRING,
> + marker_len))
> + return -EKEYREJECTED;
> + kernel_len -= marker_len;
> +
> + ms = (void *)kernel + kernel_len - sizeof(*ms);
> + ret = mod_check_sig(ms, kernel_len, "kexec");
> + if (ret)
> + return ret;
> +
> + sig_len = be32_to_cpu(ms->sig_len);
> + kernel_len -= sizeof(*ms) + sig_len;
> +
> + return verify_pkcs7_signature(kernel, kernel_len,
> + kernel + kernel_len, sig_len,
> + VERIFY_USE_PLATFORM_KEYRING,
> + VERIFYING_MODULE_SIGNATURE,
> + NULL, NULL);
> +}
> +#endif /* CONFIG_KEXEC_SIG */
> +
> const struct kexec_file_ops kexec_elf64_ops = {
> .probe = kexec_elf_probe,
> .load = elf64_load,
> +#ifdef CONFIG_KEXEC_SIG
> + .verify_sig = elf64_verify_sig,
> +#endif
> };
Kind regards,
Paul
More information about the Linux-security-module-archive
mailing list