Subject: [PATCH v2] lockdown: allow kexec_file of unsigned images when not under lockdown

If CONFIG_KEXEC_VERIFY_SIG is enabled, kexec -s with an unsigned image will
fail, requiring an image signed with a trusted key. However, that same
kernel will allow kexec to load and boot a kernel, if kexec_file_load is
not used.

Now, lockdown brings a solution to this inconsistency. However, as it is,
it will still prevent an unsigned image from being loaded with kexec -s when the
system is not under lockdown, while still allowing kexec to work.

At the same time, with lockdown, kexec_file_load would still work when
CONFIG_KEXEC_VERIFY_SIG is disabled.

Signed-off-by: Thadeu Lima de Souza Cascardo <[email protected]>
---

v2:
fixed build failure, s/#elif/#else/

---
kernel/kexec_file.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
index e5bcd94c1efb..b1f0373014c1 100644
--- a/kernel/kexec_file.c
+++ b/kernel/kexec_file.c
@@ -140,10 +140,17 @@ kimage_file_prepare_segments(struct kimage *image, int kernel_fd, int initrd_fd,
image->kernel_buf_len);
if (ret) {
pr_debug("kernel signature verification failed.\n");
- goto out;
+ } else {
+ pr_debug("kernel signature verification successful.\n");
}
- pr_debug("kernel signature verification successful.\n");
+#else
+ ret = -EPERM;
#endif
+ if (ret && kernel_is_locked_down("kexec of unsigned images"))
+ goto out;
+ else
+ ret = 0;
+
/* It is possible that there no initramfs is being loaded */
if (!(flags & KEXEC_FILE_NO_INITRAMFS)) {
ret = kernel_read_file_from_fd(initrd_fd, &image->initrd_buf,
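Review bot: The added `if (ret && kernel_is_locked_down("kexec of unsigned images")) goto out; else ret = 0;` clears every non-zero return from arch_kexec_kernel_verify_sig() when the kernel is not locked down, so an image whose signature is present but invalid, or a verification call that failed for an unrelated reason, is accepted the same way as an unsigned image, with only a pr_debug left behind. Consider clearing ret only for the "no signature" case and still failing on other errors, or say in the commit message that CONFIG_KEXEC_VERIFY_SIG becomes advisory outside lockdown and update its documentation to match. In the `#else` branch, `ret = -EPERM` serves as a sentinel that is then either returned or overwritten; a separate flag would make it clearer which errno the caller sees, and the `else` after `goto out` can be dropped. The diff touches only kernel/kexec_file.c and adds no include or declaration for kernel_is_locked_down(), so the patch should state which tree it depends on.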
--
2.19.1



2018-11-07 03:45:04

by kernel test robot

Subject: Re: [PATCH v2] lockdown: allow kexec_file of unsigned images when not under lockdown

Hi Thadeu,

I love your patch! Yet something to improve:

[auto build test ERROR on linus/master]
[also build test ERROR on v4.20-rc1 next-20181106]
[if your patch is applied to the wrong git tree, please drop us a note to help improve the system]

url: https://github.com/0day-ci/linux/commits/Thadeu-Lima-de-Souza-Cascardo/lockdown-allow-kexec_file-of-unsigned-images-when-not-under-lockdown/20181106-081252
config: x86_64-fedora-25 (attached as .config)
compiler: gcc-7 (Debian 7.3.0-1) 7.3.0
reproduce:
# save the attached .config to linux build tree
make ARCH=x86_64

All errors (new ones prefixed by >>):

kernel/kexec_file.c: In function 'kimage_file_prepare_segments':
>> kernel/kexec_file.c:220:13: error: implicit declaration of function 'kernel_is_locked_down'; did you mean 'kernel_sigaction'? [-Werror=implicit-function-declaration]
if (ret && kernel_is_locked_down("kexec of unsigned images"))
^~~~~~~~~~~~~~~~~~~~~
kernel_sigaction
cc1: some warnings being treated as errors

vim +220 kernel/kexec_file.c

180
181 /*
182 * In file mode list of segments is prepared by kernel. Copy relevant
183 * data from user space, do error checking, prepare segment list
184 */
185 static int
186 kimage_file_prepare_segments(struct kimage *image, int kernel_fd, int initrd_fd,
187 const char __user *cmdline_ptr,
188 unsigned long cmdline_len, unsigned flags)
189 {
190 int ret = 0;
191 void *ldata;
192 loff_t size;
193
194 ret = kernel_read_file_from_fd(kernel_fd, &image->kernel_buf,
195 &size, INT_MAX, READING_KEXEC_IMAGE);
196 if (ret)
197 return ret;
198 image->kernel_buf_len = size;
199
200 /* IMA needs to pass the measurement list to the next kernel. */
201 ima_add_kexec_buffer(image);
202
203 /* Call arch image probe handlers */
204 ret = arch_kexec_kernel_image_probe(image, image->kernel_buf,
205 image->kernel_buf_len);
206 if (ret)
207 goto out;
208
209 #ifdef CONFIG_KEXEC_VERIFY_SIG
210 ret = arch_kexec_kernel_verify_sig(image, image->kernel_buf,
211 image->kernel_buf_len);
212 if (ret) {
213 pr_debug("kernel signature verification failed.\n");
214 } else {
215 pr_debug("kernel signature verification successful.\n");
216 }
217 #else
218 ret = -EPERM;
219 #endif
> 220 if (ret && kernel_is_locked_down("kexec of unsigned images"))
221 goto out;
222 else
223 ret = 0;
224
225 /* It is possible that there no initramfs is being loaded */
226 if (!(flags & KEXEC_FILE_NO_INITRAMFS)) {
227 ret = kernel_read_file_from_fd(initrd_fd, &image->initrd_buf,
228 &size, INT_MAX,
229 READING_KEXEC_INITRAMFS);
230 if (ret)
231 goto out;
232 image->initrd_buf_len = size;
233 }
234
235 if (cmdline_len) {
236 image->cmdline_buf = memdup_user(cmdline_ptr, cmdline_len);
237 if (IS_ERR(image->cmdline_buf)) {
238 ret = PTR_ERR(image->cmdline_buf);
239 image->cmdline_buf = NULL;
240 goto out;
241 }
242
243 image->cmdline_buf_len = cmdline_len;
244
245 /* command line should be a string with last byte null */
246 if (image->cmdline_buf[cmdline_len - 1] != '\0') {
247 ret = -EINVAL;
248 goto out;
249 }
250 }
251
252 /* Call arch image load handlers */
253 ldata = arch_kexec_kernel_image_load(image);
254
255 if (IS_ERR(ldata)) {
256 ret = PTR_ERR(ldata);
257 goto out;
258 }
259
260 image->image_loader_data = ldata;
261 out:
262 /* In case of error, free up all allocated memory in this function */
263 if (ret)
264 kimage_file_post_load_cleanup(image);
265 return ret;
266 }
267

---
0-DAY kernel test infrastructure Open Source Technology Center
https://lists.01.org/pipermail/kbuild-all Intel Corporation


Attachments:
(No filename) (4.07 kB)
.config.gz (47.69 kB)