If CONFIG_KEXEC_VERIFY_SIG is enabled, kexec -s with an unsigned image will
fail, requiring an image signed with a trusted key. However, that same
kernel will allow kexec to load and boot a kernel if kexec_file_load is
not used.
Now, lockdown brings a solution to this inconsistency. However, as it is,
it will still prevent an unsigned image from being loaded with kexec -s when
the system is not under lockdown, while still allowing kexec to work.
At the same time, with lockdown, kexec_file_load would still work when
CONFIG_KEXEC_VERIFY_SIG is disabled.
Signed-off-by: Thadeu Lima de Souza Cascardo <[email protected]>
---
kernel/kexec_file.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
index 35cf0ad29718..b64f32fda9ca 100644
--- a/kernel/kexec_file.c
+++ b/kernel/kexec_file.c
@@ -211,10 +211,17 @@ kimage_file_prepare_segments(struct kimage *image, int kernel_fd, int initrd_fd,
image->kernel_buf_len);
if (ret) {
pr_debug("kernel signature verification failed.\n");
- goto out;
+ } else {
+ pr_debug("kernel signature verification successful.\n");
}
- pr_debug("kernel signature verification successful.\n");
+#elif
+ ret = -EPERM;
#endif
+ if (ret && kernel_is_locked_down("kexec of unsigned images"))
+ goto out;
+ else
+ ret = 0;
+
/* It is possible that there no initramfs is being loaded */
if (!(flags & KEXEC_FILE_NO_INITRAMFS)) {
ret = kernel_read_file_from_fd(initrd_fd, &image->initrd_buf,
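Review bot: The `#elif` added before `ret = -EPERM;` has no condition, so with CONFIG_KEXEC_VERIFY_SIG unset the preprocessor should reject it and the branch that lets lockdown refuse unverifiable images is never built; it should be `#else`. Separately, the new `else ret = 0;` discards every non-zero result from arch_kexec_kernel_verify_sig() when the kernel is not locked down, so an image whose signature is present but fails verification is accepted exactly like an unsigned one, and only a pr_debug line records it. If the verifier's return codes allow it (they are not visible in this hunk), tolerate only the no-signature case and keep failing on a rejected signature, and consider logging the bypass at a level that is visible by default. kimage_file_prepare_segments starts and ends outside the hunk.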
--
2.19.1
Hi Thadeu,
I love your patch! Yet something to improve:
[auto build test ERROR on linus/master]
[also build test ERROR on v4.19 next-20181102]
[if your patch is applied to the wrong git tree, please drop us a note to help improve the system]
url: https://github.com/0day-ci/linux/commits/Thadeu-Lima-de-Souza-Cascardo/lockdown-allow-kexec_file-of-unsigned-images-when-not-under-lockdown/20181102-123838
config: x86_64-randconfig-x002-201843 (attached as .config)
compiler: gcc-7 (Debian 7.3.0-1) 7.3.0
reproduce:
# save the attached .config to linux build tree
make ARCH=x86_64
All error/warnings (new ones prefixed by >>):
In file included from include/asm-generic/bug.h:5:0,
from arch/x86/include/asm/bug.h:47,
from include/linux/bug.h:5,
from include/linux/mmdebug.h:5,
from include/linux/mm.h:9,
from kernel/kexec_file.c:15:
kernel/kexec_file.c: In function 'kimage_file_prepare_segments':
>> kernel/kexec_file.c:222:13: error: implicit declaration of function 'kernel_is_locked_down'; did you mean 'kernel_sigaction'? [-Werror=implicit-function-declaration]
if (ret && kernel_is_locked_down("kexec of unsigned images"))
^
include/linux/compiler.h:58:30: note: in definition of macro '__trace_if'
if (__builtin_constant_p(!!(cond)) ? !!(cond) : \
^~~~
>> kernel/kexec_file.c:222:2: note: in expansion of macro 'if'
if (ret && kernel_is_locked_down("kexec of unsigned images"))
^~
cc1: some warnings being treated as errors
vim +222 kernel/kexec_file.c
182
183 /*
184 * In file mode list of segments is prepared by kernel. Copy relevant
185 * data from user space, do error checking, prepare segment list
186 */
187 static int
188 kimage_file_prepare_segments(struct kimage *image, int kernel_fd, int initrd_fd,
189 const char __user *cmdline_ptr,
190 unsigned long cmdline_len, unsigned flags)
191 {
192 int ret = 0;
193 void *ldata;
194 loff_t size;
195
196 ret = kernel_read_file_from_fd(kernel_fd, &image->kernel_buf,
197 &size, INT_MAX, READING_KEXEC_IMAGE);
198 if (ret)
199 return ret;
200 image->kernel_buf_len = size;
201
202 /* IMA needs to pass the measurement list to the next kernel. */
203 ima_add_kexec_buffer(image);
204
205 /* Call arch image probe handlers */
206 ret = arch_kexec_kernel_image_probe(image, image->kernel_buf,
207 image->kernel_buf_len);
208 if (ret)
209 goto out;
210
211 #ifdef CONFIG_KEXEC_VERIFY_SIG
212 ret = arch_kexec_kernel_verify_sig(image, image->kernel_buf,
213 image->kernel_buf_len);
214 if (ret) {
215 pr_debug("kernel signature verification failed.\n");
216 } else {
217 pr_debug("kernel signature verification successful.\n");
218 }
219 #elif
220 ret = -EPERM;
221 #endif
> 222 if (ret && kernel_is_locked_down("kexec of unsigned images"))
223 goto out;
224 else
225 ret = 0;
226
227 /* It is possible that there no initramfs is being loaded */
228 if (!(flags & KEXEC_FILE_NO_INITRAMFS)) {
229 ret = kernel_read_file_from_fd(initrd_fd, &image->initrd_buf,
230 &size, INT_MAX,
231 READING_KEXEC_INITRAMFS);
232 if (ret)
233 goto out;
234 image->initrd_buf_len = size;
235 }
236
237 if (cmdline_len) {
238 image->cmdline_buf = memdup_user(cmdline_ptr, cmdline_len);
239 if (IS_ERR(image->cmdline_buf)) {
240 ret = PTR_ERR(image->cmdline_buf);
241 image->cmdline_buf = NULL;
242 goto out;
243 }
244
245 image->cmdline_buf_len = cmdline_len;
246
247 /* command line should be a string with last byte null */
248 if (image->cmdline_buf[cmdline_len - 1] != '\0') {
249 ret = -EINVAL;
250 goto out;
251 }
252 }
253
254 /* Call arch image load handlers */
255 ldata = arch_kexec_kernel_image_load(image);
256
257 if (IS_ERR(ldata)) {
258 ret = PTR_ERR(ldata);
259 goto out;
260 }
261
262 image->image_loader_data = ldata;
263 out:
264 /* In case of error, free up all allocated memory in this function */
265 if (ret)
266 kimage_file_post_load_cleanup(image);
267 return ret;
268 }
269
---
0-DAY kernel test infrastructure Open Source Technology Center
https://lists.01.org/pipermail/kbuild-all Intel Corporation