Received: by 2002:ac0:bc90:0:0:0:0:0 with SMTP id a16csp3662045img; Mon, 25 Mar 2019 15:11:03 -0700 (PDT) X-Google-Smtp-Source: APXvYqzXu7UshOdNNg3D6MRiZPDh2Tg989BXdP2huAUZGgYBnh5ZXtIJ5/ISQtGrZ0M+nGZX+MzN X-Received: by 2002:a63:5054:: with SMTP id q20mr25501153pgl.414.1553551863898; Mon, 25 Mar 2019 15:11:03 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1553551863; cv=none; d=google.com; s=arc-20160816; b=vqiKU7CawLVaYJBGtXykfTMlS/6EitOa2gzu2rDm5v2VO/EPcaDBMvL8MAujOZEZsQ EBdv89qxJiePRUDQkYeNz8veD8DQ2DsnHxKe/MAI3g6tnMwy76JJvO65+RQp/RbEGIa/ DWNjK68tfXf5IvXVzYuaewGJZrwK5cJC+oUlqc0/iCwZLDGXd1a+B7a0H1iwwy4pxvlW 3AWwqw2x2ciCLvRahxZPL2jrypKH40UmroTKCB5KOO5SQA9PGO16bb1hozzpwiirol2d 2PZFzATvgxZ1Bz0cP07lUp+a3X0E53jEV6Q6h7q5Wd2b6cyDIRJ9zNahNCpb+yulHklz Oabg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:from:subject:references :mime-version:message-id:in-reply-to:date:dkim-signature; bh=7kY2QswyjJGeL+pn4tYPdCA7RsaJvP9HYM3SbJBAroA=; b=MrOBxQmwMp0XmumLzSazDqKWLZIerEc97ZEFSJwe3oRyx7JRw36BhEDS+yxhtfqPMD T1142fUYvrSNurShkCKeOokKD+LG3kCo9IsJidDFe0+ebk+Amh0SI9aUwRGoIrD0kspO M77wECL3AbUucAUjgjLBWSHxF3s2jQxchnqa/herh+xS0BBX8QXhfiUChlEnghPUPHWX nau69Hp03FQWEOjm0VtJni0XoMhzP/bVQWrp8WdnKa8FcimUzt8h3XBsLBurLjOhLDIY GNjVl38bWdkvoYfpC0Xsm9IsSJ9NYGWE2GtQAq5UcsocXsbY1vlTgFMqFFV3MpBWsQPH yZgw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=fH0qiocH; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id r11si14335566pga.249.2019.03.25.15.10.48; Mon, 25 Mar 2019 15:11:03 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=fH0qiocH; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730634AbfCYWKE (ORCPT + 99 others); Mon, 25 Mar 2019 18:10:04 -0400 Received: from mail-pf1-f201.google.com ([209.85.210.201]:45818 "EHLO mail-pf1-f201.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1730599AbfCYWKE (ORCPT ); Mon, 25 Mar 2019 18:10:04 -0400 Received: by mail-pf1-f201.google.com with SMTP id u78so10583051pfa.12 for ; Mon, 25 Mar 2019 15:10:03 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=date:in-reply-to:message-id:mime-version:references:subject:from:to :cc; bh=7kY2QswyjJGeL+pn4tYPdCA7RsaJvP9HYM3SbJBAroA=; b=fH0qiocHX6D+ppy2Eb2sLQX8da74DNy4n+Yf3JdgbVVnZVss6gDkp1UF1+MGC2phbK 2NBWddi7f2z/Wu3m54i5eKH/R4ZFC0dfsbWbsi7wjjvdiXztgfcwoANfoRbKTWGV11Ox O7ujjDZ+mouLArSBowSQ4PA+vt20BnzkqiisjM/P8QlkDazsrGEnu22inRsXUFU58SKo npGx7kKT6YGhJ5/PFGUpQNyqmLnNdDrYsK6YhukC5jDlhucYthSguWENoUMr1AxXeOQL 7F5RzqoGTTPj6r5z8tby7xgqZCjecOc7zlaPi/sKuGLihdVXmTOAnj3cDW/s0XM89yz/ XjJw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:in-reply-to:message-id:mime-version :references:subject:from:to:cc; bh=7kY2QswyjJGeL+pn4tYPdCA7RsaJvP9HYM3SbJBAroA=; b=VdEoy5F3mN4VTwoGMuIqEHC+0JivtrGjpSzLLy3ER2E853BoljCEhEs94WyKSgHMZa IzgmtwE2UpV7TNmUzO0fCCkl7SBtOQ+aABT7o198wiQhY4M3BLguyJnbRlsIVgXmlzyU 0MtRHOxrMfnSKjZ1LjUcXFEOBQMF8ToaBj5YRybvTgqRi+QT+Zj3QevHdoQz5C1y0See s6sRMfWWxfthC+1sDQnA9Eal77tIP8JIMR4H5i4g4uQ0gWDt3JXdCxhFyMzfPWWmTmf2 PrSq1P++sRW/vCx9Sw+0AIBStqv9YRl/j3YzNWNdGzfJeKitVxfiX+8Yk8RCvJ02Q+TG xjag== X-Gm-Message-State: APjAAAX9XxlwFzu/be63x1vXA7eQPmOepkWI8tgmi/Qn4THbmjx9yq9i A6nMXUfqA8KLfLj5QSyhRBNTl1pcMpmHGftOfEkNyQ== X-Received: by 2002:a65:4547:: with SMTP id x7mr24808022pgr.350.1553551803393; Mon, 25 Mar 2019 15:10:03 -0700 (PDT) Date: Mon, 25 Mar 2019 15:09:29 -0700 In-Reply-To: <20190325220954.29054-1-matthewgarrett@google.com> Message-Id: <20190325220954.29054-3-matthewgarrett@google.com> Mime-Version: 1.0 References: <20190325220954.29054-1-matthewgarrett@google.com> X-Mailer: git-send-email 2.21.0.392.gf8f6787159e-goog Subject: [PATCH 02/27] Enforce module signatures if the kernel is locked down From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, Jiri Bohac , Matthew Garrett , Jessica Yu Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: David Howells If the kernel is locked down, require that all modules have valid signatures that we can verify. I have adjusted the errors generated: (1) If there's no signature (ENODATA) or we can't check it (ENOPKG, ENOKEY), then: (a) If signatures are enforced then EKEYREJECTED is returned. (b) If there's no signature or we can't check it, but the kernel is locked down then EPERM is returned (this is then consistent with other lockdown cases). (2) If the signature is unparseable (EBADMSG, EINVAL), the signature fails the check (EKEYREJECTED) or a system error occurs (eg. ENOMEM), we return the error we got. Note that the X.509 code doesn't check for key expiry as the RTC might not be valid or might not have been transferred to the kernel's clock yet. This does not yet integrate with setups that pin module loading to dm-verity backed filesystems. If lockdown is enabled, loading unsigned modules from an integrity-assured filesystem will fail. [Modified by Matthew Garrett to remove the IMA integration. This will be replaced with integration with the IMA architecture policy patchset.] Signed-off-by: David Howells Reviewed-by: Jiri Bohac Signed-off-by: Matthew Garrett Cc: Jessica Yu --- kernel/module.c | 39 ++++++++++++++++++++++++++++++++------- 1 file changed, 32 insertions(+), 7 deletions(-) diff --git a/kernel/module.c b/kernel/module.c index 2ad1b5239910..9a377c6ea200 100644 --- a/kernel/module.c +++ b/kernel/module.c @@ -2767,8 +2767,9 @@ static inline void kmemleak_load_module(const struct module *mod, #ifdef CONFIG_MODULE_SIG static int module_sig_check(struct load_info *info, int flags) { - int err = -ENOKEY; + int err = -ENODATA; const unsigned long markerlen = sizeof(MODULE_SIG_STRING) - 1; + const char *reason; const void *mod = info->hdr; /* @@ -2783,16 +2784,40 @@ static int module_sig_check(struct load_info *info, int flags) err = mod_verify_sig(mod, info); } - if (!err) { + switch (err) { + case 0: info->sig_ok = true; return 0; - } - /* Not having a signature is only an error if we're strict. */ - if (err == -ENOKEY && !is_module_sig_enforced()) - err = 0; + /* We don't permit modules to be loaded into trusted kernels + * without a valid signature on them, but if we're not + * enforcing, certain errors are non-fatal. + */ + case -ENODATA: + reason = "Loading of unsigned module"; + goto decide; + case -ENOPKG: + reason = "Loading of module with unsupported crypto"; + goto decide; + case -ENOKEY: + reason = "Loading of module with unavailable key"; + decide: + if (is_module_sig_enforced()) { + pr_notice("%s is rejected\n", reason); + return -EKEYREJECTED; + } - return err; + if (kernel_is_locked_down(reason)) + return -EPERM; + return 0; + + /* All other errors are fatal, including nomem, unparseable + * signatures and signature check failures - even if signatures + * aren't required. + */ + default: + return err; + } } #else /* !CONFIG_MODULE_SIG */ static int module_sig_check(struct load_info *info, int flags) -- 2.21.0.392.gf8f6787159e-goog