2015-07-13 02:30:15

by Dave Young

Subject: [PATCH 0/3] kexec: refactor CONFIG_KEXEC/CONFIG_KEXEC_FILE Kconfig

Previously Theodore Ts'o brought up an issue about the kexec_load syscall bypassing
signature verification:
https://lkml.org/lkml/2015/6/14/280

We have two kexec load syscalls, kexec_load and kexec_file_load; the latter
was introduced by Vivek Goyal, mainly to support UEFI secure boot.
kexec_file_load verifies the kernel signature, but even with
CONFIG_KEXEC_VERIFY_SIG=y and CONFIG_KEXEC_FILE=y, kexec-tools can still use
the old syscall and bypass signature verification.

KEXEC_FILE can also be used without UEFI, so kexec can always verify the kernel
signature for security purposes.

The suggestion in the above thread is to add a new Kconfig option for the kexec
common code; here I use KEXEC_CORE. KEXEC and KEXEC_FILE select KEXEC_CORE, so
one can compile only KEXEC_FILE without the old kexec_load syscall.

There are checkpatch warnings and errors; I would like to send further cleanup
patches after this series. Please let me know if you have other suggestions.
The checkpatch errors are for cases such as assigning a value to static variables.

PATCH 3/3 can be sorted out from the series if people do not like it. It is a
cleanup for a macro.

Below is the diffstat of the patches:
---
arch/arm/Kconfig | 4
arch/ia64/Kconfig | 4
arch/m68k/Kconfig | 4
arch/mips/Kconfig | 4
arch/powerpc/Kconfig | 4
arch/sh/Kconfig | 4
arch/tile/Kconfig | 4
arch/x86/Kconfig | 6
arch/x86/boot/header.S | 2
arch/x86/include/asm/kdebug.h | 5
arch/x86/kernel/Makefile | 4
arch/x86/kernel/kvmclock.c | 4
arch/x86/kernel/reboot.c | 4
arch/x86/kernel/setup.c | 2
arch/x86/kernel/vmlinux.lds.S | 2
arch/x86/kvm/vmx.c | 8
arch/x86/platform/efi/efi.c | 4
arch/x86/platform/uv/uv_nmi.c | 6
drivers/firmware/efi/Kconfig | 2
drivers/pci/pci-driver.c | 2
include/linux/kexec.h | 12
init/initramfs.c | 4
kernel/Makefile | 2
kernel/events/core.c | 2
kernel/kexec.c | 2633 ------------------------------------------
kernel/kexec_core.c | 1594 +++++++++++++++++++++++++
kernel/kexec_file.c | 1044 ++++++++++++++++
kernel/kexec_internal.h | 22
kernel/ksysfs.c | 6
kernel/printk/printk.c | 2
kernel/reboot.c | 2
kernel/sysctl.c | 2
32 files changed, 2745 insertions(+), 2659 deletions(-)

Thanks
Dave
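
The point of the series is that a kernel built with KEXEC_FILE but without the legacy KEXEC option cannot load an unverified image through kexec_load(2). The following audit script is an added example, not part of this thread or of kexec-tools: it reads a kernel .config and reports whether the legacy syscall is off and signature verification is on. The two sample configs are constructed inline to exercise the check; the newer spelling CONFIG_KEXEC_SIG is accepted as an alternative to CONFIG_KEXEC_VERIFY_SIG.

```shell
#!/bin/sh
# Added example (not from the thread): audit a kernel .config to confirm that
# only the file-based kexec syscall is built, so every kexec'd kernel goes
# through signature verification. Return status of check_kexec_config:
# 0 = hardened, 1 = legacy kexec_load present or signature check missing.

# Return 0 if option $2 is set to y in config file $1.
cfg_is_y() {
    grep -q "^$2=y\$" "$1"
}

# Return 0 if option $2 is absent or explicitly "# ... is not set"
# (either form means the code is not built).
cfg_is_off() {
    ! grep -q "^$2=" "$1"
}

# Audit one config file; prints one line per finding.
check_kexec_config() {
    cfg="$1"
    status=0
    if cfg_is_off "$cfg" CONFIG_KEXEC; then
        echo "ok:   CONFIG_KEXEC off (legacy kexec_load syscall not built)"
    else
        echo "FAIL: CONFIG_KEXEC=y (images can be loaded via kexec_load without a signature check)"
        status=1
    fi
    if cfg_is_y "$cfg" CONFIG_KEXEC_FILE; then
        echo "ok:   CONFIG_KEXEC_FILE=y"
    else
        echo "FAIL: CONFIG_KEXEC_FILE not set"
        status=1
    fi
    # Kernels of this era spell the option CONFIG_KEXEC_VERIFY_SIG; later
    # kernels renamed it to CONFIG_KEXEC_SIG, so accept either.
    if cfg_is_y "$cfg" CONFIG_KEXEC_VERIFY_SIG || cfg_is_y "$cfg" CONFIG_KEXEC_SIG; then
        echo "ok:   kexec signature verification enabled"
    else
        echo "FAIL: neither CONFIG_KEXEC_VERIFY_SIG nor CONFIG_KEXEC_SIG is set"
        status=1
    fi
    return $status
}

# Constructed sample configs (not real build output) for demonstration.
HARDENED_CFG=$(mktemp)
cat >"$HARDENED_CFG" <<'EOF'
CONFIG_KEXEC_CORE=y
# CONFIG_KEXEC is not set
CONFIG_KEXEC_FILE=y
CONFIG_KEXEC_VERIFY_SIG=y
EOF

LEGACY_CFG=$(mktemp)
cat >"$LEGACY_CFG" <<'EOF'
CONFIG_KEXEC_CORE=y
CONFIG_KEXEC=y
CONFIG_KEXEC_FILE=y
CONFIG_KEXEC_VERIFY_SIG=y
EOF

# Typical use on a live system: check_kexec_config /boot/config-$(uname -r)
```

The hardened sample passes all three checks; the legacy sample fails the first one, because with CONFIG_KEXEC=y the old syscall remains available regardless of the signature options.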


2015-07-15 09:16:20

by Dave Young

Subject: Re: [PATCH 0/3] kexec: refactor CONFIG_KEXEC/CONFIG_KEXEC_FILE Kconfig

On 07/13/15 at 10:13am, Dave Young wrote:
> Previously Theodore Ts'o brought up an issue about the kexec_load syscall bypassing
> signature verification:
> https://lkml.org/lkml/2015/6/14/280
>
> We have two kexec load syscalls, kexec_load and kexec_file_load; the latter
> was introduced by Vivek Goyal, mainly to support UEFI secure boot.
> kexec_file_load verifies the kernel signature, but even with
> CONFIG_KEXEC_VERIFY_SIG=y and CONFIG_KEXEC_FILE=y, kexec-tools can still use
> the old syscall and bypass signature verification.
>
> KEXEC_FILE can also be used without UEFI, so kexec can always verify the kernel
> signature for security purposes.
>
> The suggestion in the above thread is to add a new Kconfig option for the kexec
> common code; here I use KEXEC_CORE. KEXEC and KEXEC_FILE select KEXEC_CORE, so
> one can compile only KEXEC_FILE without the old kexec_load syscall.
>
> There are checkpatch warnings and errors; I would like to send further cleanup
> patches after this series. Please let me know if you have other suggestions.
> The checkpatch errors are for cases such as assigning a value to static variables.
>
> PATCH 3/3 can be sorted out from the series if people do not like it. It is a
> cleanup for a macro.

Since it is not related to the Kconfig cleanup, I will drop it in the next
update and send it out as a standalone patch later.

Also, there is a kexec-tools patch needed for testing KEXEC_FILE only, which I
forgot to mention; I will include it in the cover letter when I repost:

---
kexec/crashdump-elf.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)

--- kexec-tools.orig/kexec/crashdump-elf.c
+++ kexec-tools/kexec/crashdump-elf.c
@@ -145,11 +145,12 @@ int FUNC(struct kexec_info *info,

count_cpu = nr_cpus;
for (i = 0; count_cpu > 0; i++) {
- if (get_note_info(i, &notes_addr, &notes_len) < 0) {
- /* This cpu is not present. Skip it. */
- continue;
- }
+ int ret;
+
+ ret = get_note_info(i, &notes_addr, &notes_len);
count_cpu--;
+ if (ret < 0) /* This cpu is not present. Skip it. */
+ continue;

phdr = (PHDR *) bufp;
bufp += sizeof(PHDR);
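
Review bot: moving count_cpu-- ahead of the presence test changes what the loop counts, and the commit message should say so. The loop now runs exactly nr_cpus iterations over i = 0..nr_cpus-1, so it can no longer spin forever when get_note_info() keeps failing (with the old code an absent CPU never decremented count_cpu, so fewer than nr_cpus present CPUs meant no exit). The flip side is that if nr_cpus counts present CPUs and CPU numbering is sparse, present CPUs with a number >= nr_cpus are now silently skipped; please state how nr_cpus is derived so the reader can see the trade-off is intended. Minor: the comment tacked onto `if (ret < 0) /* This cpu is not present. Skip it. */` is harder to read than the removed block; keep it on its own line above the test.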

Thanks
Dave

2015-07-15 09:36:36

by Dave Young

Subject: Re: [PATCH 0/3] kexec: refactor CONFIG_KEXEC/CONFIG_KEXEC_FILE Kconfig

On 07/15/15 at 05:16pm, Dave Young wrote:
> On 07/13/15 at 10:13am, Dave Young wrote:
> > Previously Theodore Ts'o brought up an issue about the kexec_load syscall bypassing
> > signature verification:
> > https://lkml.org/lkml/2015/6/14/280
> >
> > We have two kexec load syscalls, kexec_load and kexec_file_load; the latter
> > was introduced by Vivek Goyal, mainly to support UEFI secure boot.
> > kexec_file_load verifies the kernel signature, but even with
> > CONFIG_KEXEC_VERIFY_SIG=y and CONFIG_KEXEC_FILE=y, kexec-tools can still use
> > the old syscall and bypass signature verification.
> >
> > KEXEC_FILE can also be used without UEFI, so kexec can always verify the kernel
> > signature for security purposes.
> >
> > The suggestion in the above thread is to add a new Kconfig option for the kexec
> > common code; here I use KEXEC_CORE. KEXEC and KEXEC_FILE select KEXEC_CORE, so
> > one can compile only KEXEC_FILE without the old kexec_load syscall.
> >
> > There are checkpatch warnings and errors; I would like to send further cleanup
> > patches after this series. Please let me know if you have other suggestions.
> > The checkpatch errors are for cases such as assigning a value to static variables.
> >
> > PATCH 3/3 can be sorted out from the series if people do not like it. It is a
> > cleanup for a macro.
>
> Since it is not related to the Kconfig cleanup, I will drop it in the next
> update and send it out as a standalone patch later.
>
> Also, there is a kexec-tools patch needed for testing KEXEC_FILE only, which I
> forgot to mention; I will include it in the cover letter when I repost:

BTW, it is the case below:
kernel: CONFIG_KEXEC_FILE only,
kexec-tools: the '-s' option is not used. It should check kexec_load(2) earlier
and fail out, but the code below is still a fix for a code problem.

kexec -s -p works OK without the fix.

>
> ---
> kexec/crashdump-elf.c | 9 +++++----
> 1 file changed, 5 insertions(+), 4 deletions(-)
>
> --- kexec-tools.orig/kexec/crashdump-elf.c
> +++ kexec-tools/kexec/crashdump-elf.c
> @@ -145,11 +145,12 @@ int FUNC(struct kexec_info *info,
>
> count_cpu = nr_cpus;
> for (i = 0; count_cpu > 0; i++) {
> - if (get_note_info(i, &notes_addr, &notes_len) < 0) {
> - /* This cpu is not present. Skip it. */
> - continue;
> - }
> + int ret;
> +
> + ret = get_note_info(i, &notes_addr, &notes_len);
> count_cpu--;
> + if (ret < 0) /* This cpu is not present. Skip it. */
> + continue;
>
> phdr = (PHDR *) bufp;
> bufp += sizeof(PHDR);
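
Review bot: in the scenario described above (kernel with CONFIG_KEXEC_FILE only, kexec-tools run without '-s'), this hunk only turns a non-terminating loop into one that finishes after nr_cpus failed get_note_info() calls, emitting no per-CPU note phdr and leaving the crash ELF header incomplete; the underlying condition, kexec_load(2) being unavailable, is still detected late. Suggest pairing the hunk with the early kexec_load(2) availability check the reply mentions, so that configuration fails with a clear error instead of relying on this loop to bail out.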
>
> Thanks
> Dave