Subject: [PATCH 04/24] Enforce module signatures if the kernel is locked down
From: David Howells
To: torvalds@linux-foundation.org
Cc: linux-man@vger.kernel.org, linux-api@vger.kernel.org, jmorris@namei.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, linux-security-module@vger.kernel.org
Date: Wed, 11 Apr 2018 17:25:05 +0100
Message-ID: <152346390539.4030.2913584917609215556.stgit@warthog.procyon.org.uk>
In-Reply-To: <152346387861.4030.4408662483445703127.stgit@warthog.procyon.org.uk>
References: <152346387861.4030.4408662483445703127.stgit@warthog.procyon.org.uk>
X-Mailing-List: linux-kernel@vger.kernel.org

If the kernel is locked down, require that all modules have valid signatures that we can verify or that IMA can validate the file.

I have adjusted the errors generated:

 (1) If there's no signature (ENODATA) or we can't check it (ENOPKG, ENOKEY), then:

     (a) If signatures are enforced then EKEYREJECTED is returned.

     (b) If IMA will have validated the image, return 0 (okay).

     (c) If there's no signature or we can't check it, but the kernel is locked down then EPERM is returned (this is then consistent with other lockdown cases).

 (2) If the signature is unparseable (EBADMSG, EINVAL), the signature fails the check (EKEYREJECTED) or a system error occurs (e.g. ENOMEM), we return the error we got.
Note that the X.509 code doesn't check for key expiry as the RTC might not be valid or might not have been transferred to the kernel's clock yet. Signed-off-by: David Howells Reviewed-by: Jiri Bohac cc: "Lee, Chun-Yi" cc: James Morris --- kernel/module.c | 56 ++++++++++++++++++++++++++++++++++++++++++------------- 1 file changed, 43 insertions(+), 13 deletions(-) diff --git a/kernel/module.c b/kernel/module.c index a6e43a5806a1..9c1709a05037 100644 --- a/kernel/module.c +++ b/kernel/module.c @@ -64,6 +64,7 @@ #include #include #include +#include #include #include "module-internal.h" @@ -2761,10 +2762,12 @@ static inline void kmemleak_load_module(const struct module *mod, #endif #ifdef CONFIG_MODULE_SIG -static int module_sig_check(struct load_info *info, int flags) +static int module_sig_check(struct load_info *info, int flags, + bool can_do_ima_check) { - int err = -ENOKEY; + int err = -ENODATA; const unsigned long markerlen = sizeof(MODULE_SIG_STRING) - 1; + const char *reason; const void *mod = info->hdr; /* 
@@ -2779,19 +2782,46 @@ static int module_sig_check(struct load_info *info, int flags) err = mod_verify_sig(mod, &info->len); } - if (!err) { + switch (err) { + case 0: info->sig_ok = true; return 0; - } - /* Not having a signature is only an error if we're strict. */ - if (err == -ENOKEY && !sig_enforce) - err = 0; + /* We don't permit modules to be loaded into trusted kernels + * without a valid signature on them, but if we're not + * enforcing, certain errors are non-fatal. + */ + case -ENODATA: + reason = "Loading of unsigned module"; + goto decide; + case -ENOPKG: + reason = "Loading of module with unsupported crypto"; + goto decide; + case -ENOKEY: + reason = "Loading of module with unavailable key"; + decide: + if (sig_enforce) { + pr_notice("%s is rejected\n", reason); + return -EKEYREJECTED; + } - return err; + if (can_do_ima_check && is_ima_appraise_enabled()) + return 0; + if (kernel_is_locked_down(reason)) + return -EPERM; + return 0; + + /* All other errors are fatal, including nomem, unparseable + * signatures and signature check failures - even if signatures + * aren't required. + */ + default: + return err; + } } #else /* !CONFIG_MODULE_SIG */ -static int module_sig_check(struct load_info *info, int flags) +static int module_sig_check(struct load_info *info, int flags, + bool can_do_ima_check) { return 0; } @@ -3651,13 +3681,13 @@ static int unknown_module_param_cb(char *param, char *val, const char *modname, /* Allocate and load the module: note that size of section 0 is always zero, and we rely on this for optional sections. */ static int load_module(struct load_info *info, const char __user *uargs, - int flags) + int flags, bool can_do_ima_check) { struct module *mod; long err; char *after_dashes; - err = module_sig_check(info, flags); + err = module_sig_check(info, flags, can_do_ima_check); if (err) goto free_copy; 
@@ -3846,7 +3876,7 @@ SYSCALL_DEFINE3(init_module, void __user *, umod, if (err) return err; - return load_module(&info, uargs, 0); + return load_module(&info, uargs, 0, false); } SYSCALL_DEFINE3(finit_module, int, fd, const char __user *, uargs, int, flags) @@ -3873,7 +3903,7 @@ SYSCALL_DEFINE3(finit_module, int, fd, const char __user *, uargs, int, flags) info.hdr = hdr; info.len = size; - return load_module(&info, uargs, flags); + return load_module(&info, uargs, flags, true); } static inline int within(unsigned long addr, void *start, unsigned long size)
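Review bot: the initial value of `err` changing from -ENOKEY to -ENODATA in the @@ -2761 hunk should be explained at the declaration, because it now carries a distinct meaning: -ENODATA is what module_sig_check() reports when no MODULE_SIG_STRING marker is appended, while -ENOKEY coming back from mod_verify_sig() means the module is signed but the key is not on a trusted keyring, and the reason strings printed later depend on that distinction. Suggest `int err = -ENODATA; /* no signature appended */`.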
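Review bot: two points on the @@ -2779 hunk. First, `if (can_do_ima_check && is_ima_appraise_enabled()) return 0;` skips the lockdown check whenever IMA appraisal is enabled at all, not when this particular module file was appraised; an IMA policy with no rule covering module loading would let an unsigned module into a locked-down kernel, which contradicts case (1)(c) of the description. Either tie the bypass to evidence that appraisal actually ran for this file, or state the policy requirement in the commit message and the lockdown documentation. Second, the `#else /* !CONFIG_MODULE_SIG */` stub still returns 0 unconditionally, so a kernel built without CONFIG_MODULE_SIG gets no module restriction from lockdown at all; either make lockdown depend on module signing in Kconfig, or have the stub return -EPERM when `kernel_is_locked_down()` says so.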
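Review bot: the new `can_do_ima_check` parameter of load_module() in the @@ -3651 hunk is undocumented; the comment above the function still only describes the section-0 convention. The two callers pass literal `false` (init_module, a userspace buffer) and `true` (finit_module, a file descriptor) with nothing explaining the difference, so add a sentence stating that the flag means the image was read from a file that IMA could have appraised.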
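The error classes enumerated in the commit message (no signature, unsupported crypto, unparseable trailer) are decided by inspecting the signature trailer appended to the module image before any cryptography runs. The following C program is an added example, not part of David Howells' patch or the kernel's own code: it implements a userspace probe that mirrors that classification over a constructed module image and then applies the load decision of points (1) and (2) with the kernel's state (sig_enforce, IMA appraisal, lockdown) passed in as flags. The trailer layout (MODULE_SIG_STRING, the 12-byte trailer with a big-endian sig_len, PKEY_ID_PKCS7 == 2) follows the kernel's public module signing format; the names module_sig_probe, module_load_decision and probe_sample are this example's own, the sample image is constructed and carries a dummy blob rather than a real signature, and signature verification itself is deliberately left out.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Signed module layout: [ELF image][signature blob][trailer][MODULE_SIG_STRING] */
#define MODULE_SIG_STRING "~Module signature appended~\n"
#define MARKERLEN (sizeof(MODULE_SIG_STRING) - 1)
#define PKEY_ID_PKCS7 2

struct sig_trailer {			/* mirrors the kernel's struct module_signature */
	uint8_t algo, hash;		/* both 0 for PKCS#7 */
	uint8_t id_type;		/* PKEY_ID_PKCS7 */
	uint8_t signer_len, key_id_len;	/* both 0 for PKCS#7 */
	uint8_t pad[3];			/* must be zero */
	uint8_t sig_len_be[4];		/* big-endian length of the signature blob */
};

/* Classify an image without verifying the signature: 0 = well-formed PKCS#7
 * trailer (*bodylen = ELF part, *siglen = blob), -ENODATA = no marker appended,
 * -EBADMSG = marker present but trailer or lengths malformed, -ENOPKG = not PKCS#7. */
int module_sig_probe(const unsigned char *buf, size_t len, size_t *bodylen, size_t *siglen)
{
	struct sig_trailer t;
	size_t modlen = len, sl;

	if (len <= MARKERLEN || memcmp(buf + len - MARKERLEN, MODULE_SIG_STRING, MARKERLEN))
		return -ENODATA;
	modlen -= MARKERLEN;
	if (modlen <= sizeof(t))
		return -EBADMSG;
	memcpy(&t, buf + modlen - sizeof(t), sizeof(t));
	modlen -= sizeof(t);
	sl = ((size_t)t.sig_len_be[0] << 24) | ((size_t)t.sig_len_be[1] << 16) |
	     ((size_t)t.sig_len_be[2] << 8) | t.sig_len_be[3];
	if (sl >= modlen)
		return -EBADMSG;
	modlen -= sl;
	if (t.id_type != PKEY_ID_PKCS7)
		return -ENOPKG;
	if (t.algo || t.hash || t.signer_len || t.key_id_len || t.pad[0] || t.pad[1] || t.pad[2])
		return -EBADMSG;
	if (bodylen) *bodylen = modlen;
	if (siglen) *siglen = sl;
	return 0;
}

/* Load decision from points (1) and (2) of the commit message; the kernel state
 * (sig_enforce, IMA appraisal, lockdown) is passed as flags. 0 = allow the load. */
int module_load_decision(int err, int sig_enforce, int ima_appraised, int locked_down)
{
	switch (err) {
	case 0:
		return 0;
	case -ENODATA:		/* unsigned */
	case -ENOPKG:		/* unsupported crypto */
	case -ENOKEY:		/* signing key not available */
		if (sig_enforce)
			return -EKEYREJECTED;		/* (1)(a) */
		if (ima_appraised)
			return 0;			/* (1)(b) */
		return locked_down ? -EPERM : 0;	/* (1)(c) */
	default:		/* (2): EBADMSG, EINVAL, EKEYREJECTED, ENOMEM, ... */
		return err;
	}
}

/* Build a constructed image (fake ELF body, dummy 16-byte blob, PKCS#7 trailer;
 * not a real module or signature) and probe it. Variants: 0 signed, 1 unsigned,
 * 2 sig_len larger than the image, 3 trailer with a non-PKCS#7 id_type. */
int probe_sample(int variant)
{
	static const unsigned char body[] = "\x7f" "ELF fake module body";
	unsigned char img[128];
	struct sig_trailer t = { 0 };
	size_t n = sizeof(body) - 1;
	int i;

	memcpy(img, body, n);
	if (variant == 1)
		return module_sig_probe(img, n, NULL, NULL);
	memset(img + n, 0xAA, 16);			/* dummy signature blob */
	n += 16;
	t.id_type = (variant == 3) ? 1 : PKEY_ID_PKCS7;
	for (i = 0; i < 4; i++)				/* sig_len = 16, big-endian */
		t.sig_len_be[i] = (uint8_t)(16u >> (24 - 8 * i));
	if (variant == 2)
		t.sig_len_be[0] = 0xFF;			/* claims a blob larger than the image */
	memcpy(img + n, &t, sizeof(t));
	n += sizeof(t);
	memcpy(img + n, MODULE_SIG_STRING, MARKERLEN);
	return module_sig_probe(img, n + MARKERLEN, NULL, NULL);
}

int main(void)
{
	int v;
	for (v = 0; v < 4; v++)	/* decision shown for a locked-down, non-enforcing kernel without IMA */
		printf("variant %d: probe=%d decision=%d\n", v, probe_sample(v),
		       module_load_decision(probe_sample(v), 0, 0, 1));
	return 0;
}
```

Pointed at a real .ko image, module_sig_probe() tells an administrator which files would fall into the ENODATA or ENOPKG paths before lockdown is switched on; the cryptographic check that turns a well-formed trailer into ENOKEY or EKEYREJECTED still belongs to the kernel and its trusted keyrings.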