In addition to the PE/COFF and IMA xattr signatures, the kexec kernel
image can be signed with an appended signature, using the same
scripts/sign-file tool that is used to sign kernel modules.
This patch adds support for detecting a kernel image signed with an
appended signature and updates the existing test messages
appropriately.
Reviewed-by: Petr Vorel <[email protected]>
Signed-off-by: Mimi Zohar <[email protected]>
---
.../selftests/kexec/test_kexec_file_load.sh | 38 +++++++++++++++++++---
1 file changed, 34 insertions(+), 4 deletions(-)
diff --git a/tools/testing/selftests/kexec/test_kexec_file_load.sh b/tools/testing/selftests/kexec/test_kexec_file_load.sh
index fa7c24e8eefb..2ff600388c30 100755
--- a/tools/testing/selftests/kexec/test_kexec_file_load.sh
+++ b/tools/testing/selftests/kexec/test_kexec_file_load.sh
@@ -37,11 +37,20 @@ is_ima_sig_required()
# sequentially. As a result, a policy rule may be defined, but
# might not necessarily be used. This test assumes if a policy
# rule is specified, that is the intent.
+
+ # First check for appended signature (modsig), then xattr
if [ $ima_read_policy -eq 1 ]; then
check_ima_policy "appraise" "func=KEXEC_KERNEL_CHECK" \
- "appraise_type=imasig"
+ "appraise_type=imasig|modsig"
ret=$?
- [ $ret -eq 1 ] && log_info "IMA signature required";
+ if [ $ret -eq 1 ]; then
+ log_info "IMA or appended(modsig) signature required"
+ else
+ check_ima_policy "appraise" "func=KEXEC_KERNEL_CHECK" \
+ "appraise_type=imasig"
+ ret=$?
+ [ $ret -eq 1 ] && log_info "IMA signature required";
+ fi
fi
return $ret
}
@@ -84,6 +93,22 @@ check_for_imasig()
return $ret
}
+# Return 1 for appended signature (modsig) found and 0 for not found.
+check_for_modsig()
+{
+ local module_sig_string="~Module signature appended~"
+ local sig="$(tail --bytes $((${#module_sig_string} + 1)) $KERNEL_IMAGE)"
+ local ret=0
+
+ if [ "$sig" == "$module_sig_string" ]; then
+ ret=1
+ log_info "kexec kernel image modsig signed"
+ else
+ log_info "kexec kernel image not modsig signed"
+ fi
+ return $ret
+}
+
kexec_file_load_test()
{
local succeed_msg="kexec_file_load succeeded"
@@ -98,7 +123,8 @@ kexec_file_load_test()
# In secureboot mode with an architecture specific
# policy, make sure either an IMA or PE signature exists.
if [ $secureboot -eq 1 ] && [ $arch_policy -eq 1 ] && \
- [ $ima_signed -eq 0 ] && [ $pe_signed -eq 0 ]; then
+ [ $ima_signed -eq 0 ] && [ $pe_signed -eq 0 ] \
+ && [ $ima_modsig -eq 0 ]; then
log_fail "$succeed_msg (missing sig)"
fi
@@ -107,7 +133,8 @@ kexec_file_load_test()
log_fail "$succeed_msg (missing PE sig)"
fi
- if [ $ima_sig_required -eq 1 ] && [ $ima_signed -eq 0 ]; then
+ if [ $ima_sig_required -eq 1 ] && [ $ima_signed -eq 0 ] \
+ && [ $ima_modsig -eq 0 ]; then
log_fail "$succeed_msg (missing IMA sig)"
fi
@@ -204,5 +231,8 @@ pe_signed=$?
check_for_imasig
ima_signed=$?
+check_for_modsig
+ima_modsig=$?
+
# Test loading the kernel image via kexec_file_load syscall
kexec_file_load_test
--
2.7.5
On 8/28/19 9:14 AM, Mimi Zohar wrote:
> In addition to the PE/COFF and IMA xattr signatures, the kexec kernel
> image can be signed with an appended signature, using the same
> scripts/sign-file tool that is used to sign kernel modules.
>
> This patch adds support for detecting a kernel image signed with an
> appended signature and updates the existing test messages
> appropriately.
>
> Reviewed-by: Petr Vorel <[email protected]>
> Signed-off-by: Mimi Zohar <[email protected]>
> ---
Thanks Mimi. This commit log looks good. My Ack for the patch
to go through the IMA tree.
Acked-by: Shuah Khan <[email protected]>
thanks,
-- Shuah
On Wed, 2019-08-28 at 09:53 -0600, shuah wrote:
> On 8/28/19 9:14 AM, Mimi Zohar wrote:
> > In addition to the PE/COFF and IMA xattr signatures, the kexec kernel
> > image can be signed with an appended signature, using the same
> > scripts/sign-file tool that is used to sign kernel modules.
> >
> > This patch adds support for detecting a kernel image signed with an
> > appended signature and updates the existing test messages
> > appropriately.
> >
> > Reviewed-by: Petr Vorel <[email protected]>
> > Signed-off-by: Mimi Zohar <[email protected]>
> > ---
>
> Thanks Mimi. This commit log looks good. My Ack for the patch
> to go through the IMA tree.
>
> Acked-by: Shuah Khan <[email protected]>
Thanks!
Mimi
Hello Mimi,
Mimi Zohar <[email protected]> writes:
> In addition to the PE/COFF and IMA xattr signatures, the kexec kernel
> image can be signed with an appended signature, using the same
> scripts/sign-file tool that is used to sign kernel modules.
>
> This patch adds support for detecting a kernel image signed with an
> appended signature and updates the existing test messages
> appropriately.
>
> Reviewed-by: Petr Vorel <[email protected]>
> Signed-off-by: Mimi Zohar <[email protected]>
Thanks for doing this!
Reviewed-by: Thiago Jung Bauermann <[email protected]>
--
Thiago Jung Bauermann
IBM Linux Technology Center
On Wed, 2019-08-28 at 20:38 -0300, Thiago Jung Bauermann wrote:
> Hello Mimi,
>
> Mimi Zohar <[email protected]> writes:
>
> > In addition to the PE/COFF and IMA xattr signatures, the kexec kernel
> > image can be signed with an appended signature, using the same
> > scripts/sign-file tool that is used to sign kernel modules.
> >
> > This patch adds support for detecting a kernel image signed with an
> > appended signature and updates the existing test messages
> > appropriately.
> >
> > Reviewed-by: Petr Vorel <[email protected]>
> > Signed-off-by: Mimi Zohar <[email protected]>
>
> Thanks for doing this!
You're welcome. This isn't in lieu of a proper regression test that
verifies the IMA measurement list template modsig and d-modsig data
fields. That still needs to be written.
thanks,
Mimi