Received: by 10.223.176.46 with SMTP id f43csp960221wra; Fri, 19 Jan 2018 04:55:57 -0800 (PST) X-Google-Smtp-Source: ACJfBosfF9x6Q0EeJGoJbGIvEIHiFKWytp0dPdZ9oHvFHtyqKd197HPskDdw3d2uJLPnw+BzDCE1 X-Received: by 10.101.82.68 with SMTP id q4mr1382384pgp.369.1516366556929; Fri, 19 Jan 2018 04:55:56 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1516366556; cv=none; d=google.com; s=arc-20160816; b=qOfHfhqptdvYj9u+QJqFZjzwQjEKzjYXn0t0qhMhtVYfP5/Q3FUWIWCFgFywb5O5tE JDbGteBQLUwiS1P89W2E3mMGR2x2SuZ1uTRGfnLXsMoZw34j7trhnRPDn1e+/eFg8Iyk hq+k/Tfr5FyJ1NwrU6sW1g7w1Jpdc6I9s5l61Znmt3d1IstW6/2otNabxtmYiMzDkp2J q2rofSQ6v3YuRNgZgPRjC/WDQIc/cVselMKO4Hs1Q6F31RQM6jT+kMj8VGn0WlYcIijX aq8BRauD7oyP6IQObud7WlSOW3JQvICUBd6nHfhngzkJ2LMmTEZHfk+G/xfNfg75g43O 4dUw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:arc-authentication-results; bh=RN1wSHsprtlu25ouK8AnK7XjyAmHNz7Q6kdv/MBWMHw=; b=H4RRlIhzxTOeE67iV4SHJwugUuENUOe4L2VfDCOsdp4VFh3ICgzzTcKuICvqRK1hl4 tTeeokkF/TFVbjtmqo5f4W6jJ98foF71JAphP/P46NyHrHemMAYSJfVYtDTDCUblmZxI mUk12tCWE6ZgvDPIp4UHPTaQ5fr9WK2sAUcPzTN4JrFapC9jpT3QM4e4kX1Z2CEFHVUu tYgz/UYGQnWIfAQP17tnNKCM02Msfmc9vhO7pJKNj7SAYUUkRFdkDL6RTlwoCIGWm7kH P296pyI7zyasjEye00lYjlV2jbkq7cBtbhgWVkSJnuHBUB8Z/68tyjUc6jxsulS021Zm yKxA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id v70si6513106pgd.414.2018.01.19.04.55.42; Fri, 19 Jan 2018 04:55:56 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754727AbeASMyg (ORCPT + 99 others); Fri, 19 Jan 2018 07:54:36 -0500 Received: from mx2.suse.de ([195.135.220.15]:58394 "EHLO mx2.suse.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751200AbeASMy1 (ORCPT ); Fri, 19 Jan 2018 07:54:27 -0500 X-Virus-Scanned: by amavisd-new at test-mx.suse.de Received: from relay1.suse.de (charybdis-ext.suse.de [195.135.220.254]) by mx2.suse.de (Postfix) with ESMTP id 42542ABE4; Fri, 19 Jan 2018 12:54:26 +0000 (UTC) Date: Fri, 19 Jan 2018 13:54:25 +0100 From: Jiri Bohac To: David Howells Cc: linux-security-module@vger.kernel.org, gnomes@lxorguk.ukuu.org.uk, linux-efi@vger.kernel.org, linux-kernel@vger.kernel.org, jforbes@redhat.com, Chun-Yi Lee Subject: Re: [PATCH 08a/30] kexec_file: split KEXEC_VERIFY_SIG into KEXEC_SIG and KEXEC_SIG_FORCE Message-ID: <20180119125425.l72meyyc2qtrriwe@dwarf.suse.cz> References: <20180116193936.oiycvwlk5xy3gm77@dwarf.suse.cz> <20180111120157.23qceywzi6omvvkb@dwarf.suse.cz> <151024863544.28329.2436580122759221600.stgit@warthog.procyon.org.uk> <151024869793.28329.4817577607302613028.stgit@warthog.procyon.org.uk> <20180111115915.dejachty3l7fwpmf@dwarf.suse.cz> <4582.1516120311@warthog.procyon.org.uk> <24618.1516206864@warthog.procyon.org.uk> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <24618.1516206864@warthog.procyon.org.uk> User-Agent: NeoMutt/20170912 (1.9.0) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Jan 17, 2018 at 04:34:24PM +0000, David Howells wrote: > Jiri Bohac wrote: > > > > If sig_err is -EKEYREJECTED, -EKEYEXPIRED or -EKEYREVOKED then it must fail, > > > even if the signature check isn't forced. > > > > It wasn't my intention to fail in these cases. What additional > > security does this bring? If simply stripping an invalid > > signature from the image before loading will make it pass, why > > should the image with an invalid signature be rejected? > > If there is a signature, then if we're checking signatures, in my opinion we > should check it - and fail if the signature can't be parsed, is revoked, we > have a key and the signature doesn't match - or even if we run out of memory. Key verification may and will fail for lots of reasons which is just going to make a user's life harder. E.g. you want to kexec an old kernel with an expired key. Or your date is just wrong and you get -EKEYEXPIRED. And you don't care about the signing at all; it's just compiled in because your distro also needs to work with secureboot. As a user, you will have to debug what's wrong for no good reason. And an actual attacker will just strip the signature off the image and load it. This makes no sense. > The cases for which enforcement is required are when (a) there is no > signature, (b) we don't support the algorithms used, or (c) we don't have a > key. > > If we're going to completely discard the result, why do your patches even > bother to check the signature at all? I thought that the debug message might be useful. E.g. when you're testing a kernel and you see "kernel signature verification failed" in dmesg then you know this would fail on a system with secure boot. But if ignoring the return code seems like too bad a thing, I would rather skip the signature checking if it's not going to be enforced with lockdown or CONFIG_KEXEC_SIG_FORCE. Also, only now I found that some of the error codes the crypto code returns yield really confusing messages (e.g. kexec_file_load of an unsigned kernel returns -ELIBBAD which makes kexec exit with "kexec_file_load failed: Accessing a corrupted shared library"). Maybe the error code could be unified to -EKEYREJECTED for all sorts of key verification failures? Thanks, -- Jiri Bohac SUSE Labs, Prague, Czechia