Received: by 2002:a25:8b12:0:0:0:0:0 with SMTP id i18csp804781ybl; Wed, 28 Aug 2019 05:40:48 -0700 (PDT) X-Google-Smtp-Source: APXvYqzI2XO9QtzaeePSpQ61OvNNOXUv08J1JXIx+28Os8ToNC1kyrKVgw0ZkY8Ee53XPl7qG4wI X-Received: by 2002:a17:902:7c12:: with SMTP id x18mr4175018pll.123.1566996048339; Wed, 28 Aug 2019 05:40:48 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1566996048; cv=none; d=google.com; s=arc-20160816; b=YdGkL9XaElFgR7EQDYn4RyD7L7rFmGUSrAK3iGTV/J0oe+O9lJWcSpRrOuTtB1fpUC fa8LgVuUX6w3ArB6BB2DGzCgqBzfFPtkEpuV+s3VAocJRaErVyJgYxkBJZS7iMoqhWKe +4za8qAbHfyzOeXhxtJBWcVQhaIQH+3J/rcKhBiT3hU/JfPz1RCJAikYRaYtVo4iT3b8 A0vAHP39TpZEsxnFe2yTdXiCeWgBG6+Nmltg8tLRKXrOtVUus5pX25bg+LrjnPw9y7w8 0IxMUcuG1TAmkRub/rKK2+0sZTgiREN4tXGsNlZg2pgc2pqyp9ozPM3zTJ1vbJNHW7Jn NBwA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:message-id:date:subject:cc:to:from; bh=BAT73t8TGRdURlTqpgiePTKDvbRARSlgC1tmsaksc/A=; b=TVu28mZRgWM/GkshUx+pKH7QWrK99m5hy5BoTe63zCwDAOb/NBEcSH/OnojX2d9Jk9 QEWmEvyGzGQ7bgJS5/cNR5cYEXc3m6fSoReiUqYmH3o30TYRRBMZNbr0DX5M5CwkBL9t 7iQkl006y8eUe8y+OHOGZe0uGeER5uJIedGyVSVf+HDUnknKaGIWhqE/L2uAGca4yYBu cZCVpiWcc0mWXtSY/9gyBBrHsc2xHRZAfU61eENxfb0a92Ika6AazMzT09cpWPycRgQM PE9w8XrjtL4qLQ5A1aph4AsuY6I3VJcj0AxZQ3kpUSbxaMvzw7MGbmBQfCQMc1Cs11bL V1/Q== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ibm.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id n128si2111983pgn.82.2019.08.28.05.40.27; Wed, 28 Aug 2019 05:40:48 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ibm.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726428AbfH1Mj1 (ORCPT + 99 others); Wed, 28 Aug 2019 08:39:27 -0400 Received: from mx0a-001b2d01.pphosted.com ([148.163.156.1]:4666 "EHLO mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726300AbfH1Mj1 (ORCPT ); Wed, 28 Aug 2019 08:39:27 -0400 Received: from pps.filterd (m0098396.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.27/8.16.0.27) with SMTP id x7SCZkuG063679 for ; Wed, 28 Aug 2019 08:39:25 -0400 Received: from e06smtp03.uk.ibm.com (e06smtp03.uk.ibm.com [195.75.94.99]) by mx0a-001b2d01.pphosted.com with ESMTP id 2unr2640jt-1 (version=TLSv1.2 cipher=AES256-GCM-SHA384 bits=256 verify=NOT) for ; Wed, 28 Aug 2019 08:39:25 -0400 Received: from localhost by e06smtp03.uk.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Wed, 28 Aug 2019 13:39:23 +0100 Received: from b06cxnps4075.portsmouth.uk.ibm.com (9.149.109.197) by e06smtp03.uk.ibm.com (192.168.101.133) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; (version=TLSv1/SSLv3 cipher=AES256-GCM-SHA384 bits=256/256) Wed, 28 Aug 2019 13:39:19 +0100 Received: from b06wcsmtp001.portsmouth.uk.ibm.com (b06wcsmtp001.portsmouth.uk.ibm.com [9.149.105.160]) by b06cxnps4075.portsmouth.uk.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id x7SCdHOH55574588 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 28 Aug 2019 12:39:17 GMT Received: from b06wcsmtp001.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 5E37EA4064; Wed, 28 Aug 2019 12:39:17 +0000 (GMT) Received: from b06wcsmtp001.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 1646CA4060; Wed, 28 Aug 2019 12:39:16 +0000 (GMT) Received: from localhost.ibm.com (unknown [9.85.129.156]) by b06wcsmtp001.portsmouth.uk.ibm.com (Postfix) with ESMTP; Wed, 28 Aug 2019 12:39:15 +0000 (GMT) From: Mimi Zohar To: linux-integrity@vger.kernel.org Cc: Mimi Zohar , Thiago Jung Bauermann , Petr Vorel , Jessica Yu , Dave Young , shuah , linux-kselftest@vger.kernel.org, linuxppc-dev@lists.ozlabs.org, linux-kernel@vger.kernel.org Subject: [PATCH] sefltest/ima: support appended signatures (modsig) Date: Wed, 28 Aug 2019 08:39:06 -0400 X-Mailer: git-send-email 2.7.5 X-TM-AS-GCONF: 00 x-cbid: 19082812-0012-0000-0000-00000343E072 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 19082812-0013-0000-0000-0000217E1D40 Message-Id: <1566995946-6582-1-git-send-email-zohar@linux.ibm.com> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:,, definitions=2019-08-28_06:,, signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501 malwarescore=0 suspectscore=1 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=752 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1906280000 definitions=main-1908280134 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Detect and allow appended signatures. Signed-off-by: Mimi Zohar --- .../selftests/kexec/test_kexec_file_load.sh | 38 +++++++++++++++++++--- 1 file changed, 34 insertions(+), 4 deletions(-) diff --git a/tools/testing/selftests/kexec/test_kexec_file_load.sh b/tools/testing/selftests/kexec/test_kexec_file_load.sh index fa7c24e8eefb..2ff600388c30 100755 --- a/tools/testing/selftests/kexec/test_kexec_file_load.sh +++ b/tools/testing/selftests/kexec/test_kexec_file_load.sh @@ -37,11 +37,20 @@ is_ima_sig_required() # sequentially. As a result, a policy rule may be defined, but # might not necessarily be used. This test assumes if a policy # rule is specified, that is the intent. + + # First check for appended signature (modsig), then xattr if [ $ima_read_policy -eq 1 ]; then check_ima_policy "appraise" "func=KEXEC_KERNEL_CHECK" \ - "appraise_type=imasig" + "appraise_type=imasig|modsig" ret=$? - [ $ret -eq 1 ] && log_info "IMA signature required"; + if [ $ret -eq 1 ]; then + log_info "IMA or appended(modsig) signature required" + else + check_ima_policy "appraise" "func=KEXEC_KERNEL_CHECK" \ + "appraise_type=imasig" + ret=$? + [ $ret -eq 1 ] && log_info "IMA signature required"; + fi fi return $ret } @@ -84,6 +93,22 @@ check_for_imasig() return $ret } +# Return 1 for appended signature (modsig) found and 0 for not found. +check_for_modsig() +{ + local module_sig_string="~Module signature appended~" + local sig="$(tail --bytes $((${#module_sig_string} + 1)) $KERNEL_IMAGE)" + local ret=0 + + if [ "$sig" == "$module_sig_string" ]; then + ret=1 + log_info "kexec kernel image modsig signed" + else + log_info "kexec kernel image not modsig signed" + fi + return $ret +} + kexec_file_load_test() { local succeed_msg="kexec_file_load succeeded" @@ -98,7 +123,8 @@ kexec_file_load_test() # In secureboot mode with an architecture specific # policy, make sure either an IMA or PE signature exists. if [ $secureboot -eq 1 ] && [ $arch_policy -eq 1 ] && \ - [ $ima_signed -eq 0 ] && [ $pe_signed -eq 0 ]; then + [ $ima_signed -eq 0 ] && [ $pe_signed -eq 0 ] \ + && [ $ima_modsig -eq 0 ]; then log_fail "$succeed_msg (missing sig)" fi @@ -107,7 +133,8 @@ kexec_file_load_test() log_fail "$succeed_msg (missing PE sig)" fi - if [ $ima_sig_required -eq 1 ] && [ $ima_signed -eq 0 ]; then + if [ $ima_sig_required -eq 1 ] && [ $ima_signed -eq 0 ] \ + && [ $ima_modsig -eq 0 ]; then log_fail "$succeed_msg (missing IMA sig)" fi @@ -204,5 +231,8 @@ pe_signed=$? check_for_imasig ima_signed=$? +check_for_modsig +ima_modsig=$? + # Test loading the kernel image via kexec_file_load syscall kexec_file_load_test -- 2.7.5