Received: by 2002:a25:ef43:0:0:0:0:0 with SMTP id w3csp578106ybm; Wed, 27 May 2020 02:50:46 -0700 (PDT) X-Google-Smtp-Source: ABdhPJw7ELzyDQMp4xTmMciJlWS6hLrieFaSIzNePzvyqXv0he4OuiFDLvxbdj0pBGROXF5hZxnh X-Received: by 2002:a17:906:5243:: with SMTP id y3mr5403614ejm.193.1590573046580; Wed, 27 May 2020 02:50:46 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1590573046; cv=none; d=google.com; s=arc-20160816; b=ypUCwnKJvw/+/q/5wZSWTbycpz9sQAQadZCmtwHnFBjGTRdNEF5EjX74mfrXBv3nM0 QoIDlSY3kxK5OHRhdbWtHoPMVZuTcelcIG38epWBvl4Oh2Wlgny6PURqk9UE30C08TUt PKoaBnn3y1XQ4fODHxbX8ocOjjhlWljCqR02kSxjWplP435WNrTvmP2wRq0lePyWQTXW RTyxB2owE+HYp869aFdsHqtljKLpUQhe5dwKPy3Fpxp+3ShsscD5KeFqPFFTOBCorh0W lJeVolbQ2905sxr7oyyOokHBWq1uWXeseQlKVhGp9YcHYCYbZeCl64Ab0IGzgh1T4dHR 42NQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:references:cc:to:from:subject:dkim-signature; bh=HNBN9I3GKdXmb2gltM0hVnCri1z/6RmaleZWAYCiNNc=; b=qUMcb1PR9mUGluArOb58n4QkBy5pcl9vI6LLe5jm5HYkqVYgE2IFrDdiA7kSdlgp7S QDcOkQ8qwclNsLgS1f+rPPXw1Qv897pKJ0WjEwgINEGlFTmCmwhh9Jf9a+ElRXzDNgWm yLJBhP5JtPC3OV40g1T+qWDupW6nTRUDsglRdm5MDs+ns/ofqvPVgt2JBLEeqBIWXz92 acW9FRRg2nXuIENTBEgj4RjaIpjyYT/TpS3ODw/x3QrWBqPZsDky38GpZG5qTiwNMYWO UEMILsNCvVZA3VP6vJrUjWJ8eoYazu0HzUjv8L2lQIL0NXB7QbVBKvViiFcapPRErKiQ dyvQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=gUSb8iPi; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id f26si1968917ejj.168.2020.05.27.02.50.23; Wed, 27 May 2020 02:50:46 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=gUSb8iPi; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728619AbgE0EI0 (ORCPT + 99 others); Wed, 27 May 2020 00:08:26 -0400 Received: from us-smtp-delivery-1.mimecast.com ([205.139.110.120]:50363 "EHLO us-smtp-1.mimecast.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1726907AbgE0EI0 (ORCPT ); Wed, 27 May 2020 00:08:26 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1590552505; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=HNBN9I3GKdXmb2gltM0hVnCri1z/6RmaleZWAYCiNNc=; b=gUSb8iPiSV1yZCj2FGk9zYK9P3wsioZHPOCbPI7noTqaoybMDxuvHOEKER8n4C3lJUDw03 bvA5WSQEChtWPPgi2yRKIyuKo/qgEmfVToWDNBTsr53EaVTJtiwEMBqAJ8CEWgNJfhuMgH raWbJWLNm2Nn2BRmFiqU3/bCqFxuOWU= Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-324-KavK4lNnP42joJdk9iYHfQ-1; Wed, 27 May 2020 00:08:23 -0400 X-MC-Unique: KavK4lNnP42joJdk9iYHfQ-1 Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.phx2.redhat.com [10.5.11.13]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id C940E100A61D; Wed, 27 May 2020 04:08:21 +0000 (UTC) Received: from [10.72.12.206] (ovpn-12-206.pek2.redhat.com [10.72.12.206]) by smtp.corp.redhat.com (Postfix) with ESMTPS id BC64D648DB; Wed, 27 May 2020 04:08:15 +0000 (UTC) Subject: Re: [PATCH] kexec: Do not verify the signature without the lockdown or mandatory signature From: lijiang To: Jiri Bohac Cc: linux-kernel@vger.kernel.org, kexec@lists.infradead.org, ebiederm@xmission.com, jmorris@namei.org, mjg59@google.com, dyoung@redhat.com, bhe@redhat.com References: <20200525052351.24134-1-lijiang@redhat.com> <20200526135935.ffkfulsjf7xrep63@dwarf.suse.cz> <07a65a70-3764-f62f-705c-049b8d409316@redhat.com> Message-ID: <4da44e94-a839-2033-29d2-90bebd4ee1e2@redhat.com> Date: Wed, 27 May 2020 12:08:12 +0800 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1 MIME-Version: 1.0 In-Reply-To: <07a65a70-3764-f62f-705c-049b8d409316@redhat.com> Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 8bit X-Scanned-By: MIMEDefang 2.79 on 10.5.11.13 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 在 2020年05月27日 11:15, lijiang 写道: > 在 2020年05月26日 21:59, Jiri Bohac 写道: >> On Mon, May 25, 2020 at 01:23:51PM +0800, Lianbo Jiang wrote: >>> So, here, let's simplify the logic to improve code readability. If the >>> KEXEC_SIG_FORCE enabled or kexec lockdown enabled, signature verification >>> is mandated. Otherwise, we lift the bar for any kernel image. >> >> I agree completely; in fact that was my intention when >> introducing the code, but I got overruled about the return codes: >> https://lore.kernel.org/lkml/20180119125425.l72meyyc2qtrriwe@dwarf.suse.cz/ >> >> I like this simplification very much, except this part: >> >>> + if (ret) { >>> + pr_debug("kernel signature verification failed (%d).\n", ret); >> >> ... >> >>> - pr_notice("kernel signature verification failed (%d).\n", ret); >> >> I think the log level should stay at most PR_NOTICE when the >> verification failure results in rejecting the kernel. Perhaps >> even lower. >> > > Thank you for the comment, Jiri Bohac. > > I like the idea of staying at most PR_NOTICE, but the pr_notice() will output > some messages that kernel could want to ignore, such as the case you mentioned > below. > >> In case verification is not enforced and the failure is >> ignored, KERN_DEBUG seems reasonable. >> > > Yes, good understanding. It seems that the pr_debug() is still a good option here? > Any other thoughts? > Or the following change looks better? What's your opinion? static int kimage_validate_signature(struct kimage *image) { int ret; ret = arch_kexec_kernel_verify_sig(image, image->kernel_buf, image->kernel_buf_len); if (ret) { if (IS_ENABLED(CONFIG_KEXEC_SIG_FORCE)) { pr_notice("Enforced kernel signature verification failed (%d).\n", ret); return ret; } /* * If IMA is guaranteed to appraise a signature on the kexec * image, permit it even if the kernel is otherwise locked * down. */ if (!ima_appraise_signature(READING_KEXEC_IMAGE) && security_locked_down(LOCKDOWN_KEXEC)) return -EPERM; pr_debug("kernel signature verification failed (%d).\n", ret); } return 0; } Thanks. Lianbo > Thanks. > Lianbo > > >> Regards, >>