Received: by 2002:a05:6902:102b:0:0:0:0 with SMTP id x11csp739724ybt; Wed, 17 Jun 2020 12:40:20 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxac5x95X2oQ1ycYn6hsDd8tA9Uh+y2R4cNUxpAJeHTv0L0Eh7tIl+/FH4IgEkOttEN6s1/ X-Received: by 2002:aa7:c2c4:: with SMTP id m4mr669717edp.299.1592422820644; Wed, 17 Jun 2020 12:40:20 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1592422820; cv=none; d=google.com; s=arc-20160816; b=C8id8uVgBG5n5rKwiggt7GkoyBs3iWQTczwTqpCwkTf0rQ4fW2gX5fiw3YDE/qcth/ bpAcgxbfyoFZEA3H2bC0RBL4nu8Ro+IG6RE1IEiryqd6Xk00Vm+CgJLOb1iaaR8vozvI GGZLZ3ONV+NBgAsqjibhHbXlgDUgm3NZN51ID2txcZOM9Xw95DbGidk2efkXjvLSVkcI IwK0wVo/+bnmCA2Cjn52ZxRIV4LSlvTjiDNcbEiwrrDbJG0/AV3gI93MpqnOolR/eoqb w1UIeTOrW9oL2zpzFaE+JmeNkQyyhXbN36liPDZoyv3m8++xYkKcFlyT13dte59C9c+B 8eSQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :references:in-reply-to:message-id:subject:cc:to:from:date :dkim-signature; bh=wML2ExZRtiiK8f73GWFUrSvdnp0JzEa/VLhQGsb/ijc=; b=oaIy1AB9qWlcm2OaU5FyOlnnvv+N/To993h3OtHhJyV+5cXf/GkdcTcQbjrWO6HJQh YKvFJFpDKtwposcx6y7zvNwtxYrfZmiu6Xsc1wIj8OffQ3AdUfD6KAdziYRuGWgvhsMa Gcdq621MKo8avxxakJyoRZUX2kSn4sh3kRvCuU94FXru7+GROUzswk+OZis7Mr+bc7f6 oHzdvfTY6/aWRs8Wss8UUJJ27e2Jqhx73jgwVFcaNj/AMtcUPmJSzPHPDqi16ztUBE0B rg26ldkZFIL03x/yvDm8fXS7efVZOMkcOOIyWWNEle6D8H0tFWIpHpTsX3E6ro0Up98h h/tA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=b3Th9T2S; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id t3si592056eds.73.2020.06.17.12.39.57; Wed, 17 Jun 2020 12:40:20 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=b3Th9T2S; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726867AbgFQThc (ORCPT + 99 others); Wed, 17 Jun 2020 15:37:32 -0400 Received: from mail.kernel.org ([198.145.29.99]:34936 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726540AbgFQThc (ORCPT ); Wed, 17 Jun 2020 15:37:32 -0400 Received: from X1 (nat-ab2241.sltdut.senawave.net [162.218.216.4]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 9F4C82073E; Wed, 17 Jun 2020 19:37:31 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1592422651; bh=MmQpNycHMc+CvYJVky1PDDcVkBa9imkx5orsNbgASoE=; h=Date:From:To:Cc:Subject:In-Reply-To:References:From; b=b3Th9T2SGaIyOvzLlpMjuoNQNJ0zBrBNSlo3mWaDNKJWd+iDi7X5yEfqXKi7xGfFc 3BdLKznyEOdOe/MHQcBu42lX0p271ow9uSkR6pRuC4Cri6Vnu2LZi0Vqeq4sTR5Lmy Z4/uNda7jlXD4LRp6IV5JV5R3s4v8pLokrYfRYjc= Date: Wed, 17 Jun 2020 12:37:31 -0700 From: Andrew Morton To: Lianbo Jiang Cc: linux-kernel@vger.kernel.org, kexec@lists.infradead.org, ebiederm@xmission.com, jbohac@suse.cz, jmorris@namei.org, mjg59@google.com, dyoung@redhat.com, bhe@redhat.com Subject: Re: [PATCH v2] kexec: Do not verify the signature without the lockdown or mandatory signature Message-Id: <20200617123731.0dbb039a053a2ef610af59fb@linux-foundation.org> In-Reply-To: <20200602045952.27487-1-lijiang@redhat.com> References: <20200602045952.27487-1-lijiang@redhat.com> X-Mailer: Sylpheed 3.5.1 (GTK+ 2.24.32; x86_64-pc-linux-gnu) Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, 2 Jun 2020 12:59:52 +0800 Lianbo Jiang wrote: > Signature verification is an important security feature, to protect > system from being attacked with a kernel of unknown origin. Kexec > rebooting is a way to replace the running kernel, hence need be > secured carefully. I'm finding this changelog quite hard to understand, > In the current code of handling signature verification of kexec kernel, > the logic is very twisted. It mixes signature verification, IMA signature > appraising and kexec lockdown. > > If there is no KEXEC_SIG_FORCE, kexec kernel image doesn't have one of > signature, the supported crypto, and key, we don't think this is wrong, I think this is saying that in the absence of KEXEC_SIG_FORCE and if the signature/crypto/key are all incorrect, the kexec still succeeds, but it should not. > Unless kexec lockdown is executed. IMA is considered as another kind of > signature appraising method. > > If kexec kernel image has signature/crypto/key, it has to go through the > signature verification and pass. Otherwise it's seen as verification > failure, and won't be loaded. I don't know if this is describing the current situation or the post-patch situation. > Seems kexec kernel image with an unqualified signature is even worse than > those w/o signature at all, this sounds very unreasonable. E.g. If people > get a unsigned kernel to load, or a kernel signed with expired key, which > one is more dangerous? > > So, here, let's simplify the logic to improve code readability. If the > KEXEC_SIG_FORCE enabled or kexec lockdown enabled, signature verification > is mandated. Otherwise, we lift the bar for any kernel image. I think the whole thing needs a rewrite. Start out by fully describing the current situation. THen describe what is wrong with it, and why. Then describe the proposed change. Or something along these lines. The changelog should also make clear the end-user impact of the patch. In sufficient detail for others to decide which kernel version(s) should be patched. Your recommendations will also be valuable - which kernel version(s) do you think should be patched, and why?