Received: by 2002:a05:6a10:1a4d:0:0:0:0 with SMTP id nk13csp621246pxb; Tue, 1 Feb 2022 07:09:36 -0800 (PST) X-Google-Smtp-Source: ABdhPJyQ7aCOWeuxZFuxCNXLE5/iswjDH8bxVE5ZN9SG6wSIKZAH00FVlT+e9Ccg80reqzpXqiOv X-Received: by 2002:aa7:c0d4:: with SMTP id j20mr25698676edp.319.1643728175998; Tue, 01 Feb 2022 07:09:35 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1643728175; cv=none; d=google.com; s=arc-20160816; b=q+meguMKjukJ6bTAJto9Eiih2TchMs0DrjB59yXVota00C5/VVQ4zEyh0lLKM5DAUm 87ccC8sdZyyyviLFlJJwdDMrbhIRQud+DEXciPSyd5fuL0Y51uTxPpuuPQRSNomtLrBm npaI5i/jP8RVW/p8E0DWv3p2y6MldZSYWxMjDWfMZWBN/GWldPLpRYZArkuUgK/JxtkU i8GfL7P5kcsxM23g8zuHILpRsjd6ZQw2m8OVcbh8zR+m98PzfrLr3NjK4qYckrcs8jfY ydpjRqDnnSeO1awrhWaCPMj8Kc7CTcK4YQRusPkRes96I+togMTqsAiltGcp5K5nbBud /l+w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from :dkim-signature; bh=RJ3wtlLtaJBB+rGMcpTUIkLwDhDnJi3iDHMFvemCFL0=; b=Ah4afZ3iSvAjFcN9SfRL/b0CKc0N0uUNJ5gqIqTiGB5oXUq+L3df8l401ahB9wIsX7 X6arvT+F2dDnS+3MxH6Pz9YQYWYouWGLlnC1SrgWU0c+fpBgrKnmYQRQm9SQAcSxazfn oMUUUwj7NhvT+XBx9r/k/8LfbVfRJlLbwqpjQ14iYniqYNWytn0xqpUwftkHXd6q5C2M eMS8zLJG4Id1dgb3Bhx3htgo5+JzRnm2PwdkKmBRaq4YeKHRSHVzwIHDO/cj3jPsvFWp 1UpU7tp9dI5p+llHJ8YFTgIlHn1J35qSaDjXuR1lnVYEfUqd2ediRh5b7V3+nrf2gR93 IjSw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=EBdFXK1d; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id dp6si6912432ejc.421.2022.02.01.07.09.03; Tue, 01 Feb 2022 07:09:35 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=EBdFXK1d; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1356751AbiA3Vdj (ORCPT + 99 others); Sun, 30 Jan 2022 16:33:39 -0500 Received: from us-smtp-delivery-124.mimecast.com ([170.10.133.124]:32103 "EHLO us-smtp-delivery-124.mimecast.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1356574AbiA3Vc3 (ORCPT ); Sun, 30 Jan 2022 16:32:29 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1643578349; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=RJ3wtlLtaJBB+rGMcpTUIkLwDhDnJi3iDHMFvemCFL0=; b=EBdFXK1dO2h0iYMra49eKFx5C00EX6cegbqeUzz/rEua1Sb8/k4MPj38MJD0pN8xuE46u3 +Wa+qDWRUgYmcDjBssIAC1M1F7St5kVOIjOnWTiJw0C3avpbAdf6TPCvPw2iJiv+now+/d hpOwrhDbRFNjo5PePJVjXV4q7b8zepU= Received: from mail-wm1-f71.google.com (mail-wm1-f71.google.com [209.85.128.71]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-102-DW8Bf2W4Mu2_U7n3wDc_zA-1; Sun, 30 Jan 2022 16:32:27 -0500 X-MC-Unique: DW8Bf2W4Mu2_U7n3wDc_zA-1 Received: by mail-wm1-f71.google.com with SMTP id v185-20020a1cacc2000000b0034906580813so9365031wme.1 for ; Sun, 30 Jan 2022 13:32:27 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=RJ3wtlLtaJBB+rGMcpTUIkLwDhDnJi3iDHMFvemCFL0=; b=5YCdcbyv/hmNo9GX/QNswyTpL7xwua2vbEr/pwMQtVR2SaGFF8RAmaaUzzLYAvgdy2 qiS1SYOcKB76Zry0Q3UMUyWPwQY9lqT/D2bT3mjsnGx4Qk3Q21HFFbVrDzo9EbGW4tOl gAiBwgrplkKtOYsbBcfnMbNLbEanmL5cOxL4+1Agtsb8EL7equFQnhgXVtv4HOpf7bk2 T+2pvCHp3IfHoL8K9rgxeBo0Et+/c/0iwmpa7I44yxKCwyC/H0/iTBwhSyvycb/qUM1U 7BIAEM2SXKTLfcY2ldX23F8yczphXMj+VZniOwjI6cpn9AswBcHyFxKwNtI/AkgJaVbE 5AZg== X-Gm-Message-State: AOAM5321uAWlDHBPS8aoof37qPJG5A7ok4Ao5W1xB2LROZplpDyFment UHOyI5KO+8LK0QMlVDXluUIqUAXKqaFmhfBRBxUGGpU196RvlgB2/vxTZSfvYsXZjPSecHFDnml YEcO6yLtZocXjHBf1qvMZpT0= X-Received: by 2002:a7b:ca55:: with SMTP id m21mr25031015wml.114.1643578346415; Sun, 30 Jan 2022 13:32:26 -0800 (PST) X-Received: by 2002:a7b:ca55:: with SMTP id m21mr25031003wml.114.1643578346169; Sun, 30 Jan 2022 13:32:26 -0800 (PST) Received: from localhost (cpc111743-lutn13-2-0-cust979.9-3.cable.virginm.net. [82.17.115.212]) by smtp.gmail.com with ESMTPSA id bg26sm7691200wmb.48.2022.01.30.13.32.25 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 30 Jan 2022 13:32:25 -0800 (PST) From: Aaron Tomlin To: mcgrof@kernel.org Cc: cl@linux.com, pmladek@suse.com, mbenes@suse.cz, akpm@linux-foundation.org, jeyu@kernel.org, linux-kernel@vger.kernel.org, linux-modules@vger.kernel.org, live-patching@vger.kernel.org, atomlin@atomlin.com, ghalat@redhat.com, allen.lkml@gmail.com, void@manifault.com, joe@perches.com Subject: [RFC PATCH v4 07/13] module: Move extra signature support out of core code Date: Sun, 30 Jan 2022 21:32:08 +0000 Message-Id: <20220130213214.1042497-8-atomlin@redhat.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20220130213214.1042497-1-atomlin@redhat.com> References: <20220130213214.1042497-1-atomlin@redhat.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org No functional change. This patch migrates additional module signature check code from core module code into kernel/module/signing.c. Signed-off-by: Aaron Tomlin --- include/linux/module.h | 5 ++- kernel/module/internal.h | 9 +++++ kernel/module/main.c | 87 ---------------------------------------- kernel/module/signing.c | 75 ++++++++++++++++++++++++++++++++++ 4 files changed, 87 insertions(+), 89 deletions(-) diff --git a/include/linux/module.h b/include/linux/module.h index 520c0f4bb968..15ba2ebbca3e 100644 --- a/include/linux/module.h +++ b/include/linux/module.h @@ -720,8 +720,8 @@ static inline bool set_livepatch_module(struct module *mod) return false; } -bool is_module_sig_enforced(void); -void set_module_sig_enforced(void); +extern bool is_module_sig_enforced(void); +extern void set_module_sig_enforced(void); #else /* !CONFIG_MODULES... */ @@ -911,6 +911,7 @@ static inline bool module_sig_ok(struct module *module) { return true; } +#define sig_enforce false #endif /* CONFIG_MODULE_SIG */ int module_kallsyms_on_each_symbol(int (*fn)(void *, const char *, diff --git a/kernel/module/internal.h b/kernel/module/internal.h index de28d6bb7b5b..2ec2a1d9dd9f 100644 --- a/kernel/module/internal.h +++ b/kernel/module/internal.h @@ -114,3 +114,12 @@ static struct module *mod_find(unsigned long addr) return NULL; } #endif /* CONFIG_MODULES_TREE_LOOKUP */ + +#ifdef CONFIG_MODULE_SIG +extern int module_sig_check(struct load_info *info, int flags); +#else /* !CONFIG_MODULE_SIG */ +static int module_sig_check(struct load_info *info, int flags) +{ + return 0; +} +#endif /* !CONFIG_MODULE_SIG */ diff --git a/kernel/module/main.c b/kernel/module/main.c index 1a0e659a27bc..90c7266087d7 100644 --- a/kernel/module/main.c +++ b/kernel/module/main.c @@ -22,7 +22,6 @@ #include #include #include -#include #include #include #include @@ -123,28 +122,6 @@ static void module_assert_mutex_or_preempt(void) #endif } -#ifdef CONFIG_MODULE_SIG -static bool sig_enforce = IS_ENABLED(CONFIG_MODULE_SIG_FORCE); -module_param(sig_enforce, bool_enable_only, 0644); - -void set_module_sig_enforced(void) -{ - sig_enforce = true; -} -#else -#define sig_enforce false -#endif - -/* - * Export sig_enforce kernel cmdline parameter to allow other subsystems rely - * on that instead of directly to CONFIG_MODULE_SIG_FORCE config. - */ -bool is_module_sig_enforced(void) -{ - return sig_enforce; -} -EXPORT_SYMBOL(is_module_sig_enforced); - /* Block module loading/unloading? */ int modules_disabled = 0; core_param(nomodule, modules_disabled, bint, 0); @@ -2525,70 +2502,6 @@ static inline void kmemleak_load_module(const struct module *mod, } #endif -#ifdef CONFIG_MODULE_SIG -static int module_sig_check(struct load_info *info, int flags) -{ - int err = -ENODATA; - const unsigned long markerlen = sizeof(MODULE_SIG_STRING) - 1; - const char *reason; - const void *mod = info->hdr; - bool mangled_module = flags & (MODULE_INIT_IGNORE_MODVERSIONS | - MODULE_INIT_IGNORE_VERMAGIC); - /* - * Do not allow mangled modules as a module with version information - * removed is no longer the module that was signed. - */ - if (!mangled_module && - info->len > markerlen && - memcmp(mod + info->len - markerlen, MODULE_SIG_STRING, markerlen) == 0) { - /* We truncate the module to discard the signature */ - info->len -= markerlen; - err = mod_verify_sig(mod, info); - if (!err) { - info->sig_ok = true; - return 0; - } - } - - /* - * We don't permit modules to be loaded into the trusted kernels - * without a valid signature on them, but if we're not enforcing, - * certain errors are non-fatal. - */ - switch (err) { - case -ENODATA: - reason = "unsigned module"; - break; - case -ENOPKG: - reason = "module with unsupported crypto"; - break; - case -ENOKEY: - reason = "module with unavailable key"; - break; - - default: - /* - * All other errors are fatal, including lack of memory, - * unparseable signatures, and signature check failures -- - * even if signatures aren't required. - */ - return err; - } - - if (is_module_sig_enforced()) { - pr_notice("Loading of %s is rejected\n", reason); - return -EKEYREJECTED; - } - - return security_locked_down(LOCKDOWN_MODULE_SIGNATURE); -} -#else /* !CONFIG_MODULE_SIG */ -static int module_sig_check(struct load_info *info, int flags) -{ - return 0; -} -#endif /* !CONFIG_MODULE_SIG */ - static int validate_section_offset(struct load_info *info, Elf_Shdr *shdr) { #if defined(CONFIG_64BIT) diff --git a/kernel/module/signing.c b/kernel/module/signing.c index 8aeb6d2ee94b..ff41541e982a 100644 --- a/kernel/module/signing.c +++ b/kernel/module/signing.c @@ -11,9 +11,28 @@ #include #include #include +#include #include #include "internal.h" +static bool sig_enforce = IS_ENABLED(CONFIG_MODULE_SIG_FORCE); +module_param(sig_enforce, bool_enable_only, 0644); + +/* + * Export sig_enforce kernel cmdline parameter to allow other subsystems rely + * on that instead of directly to CONFIG_MODULE_SIG_FORCE config. + */ +bool is_module_sig_enforced(void) +{ + return sig_enforce; +} +EXPORT_SYMBOL(is_module_sig_enforced); + +void set_module_sig_enforced(void) +{ + sig_enforce = true; +} + /* * Verify the signature on a module. */ @@ -43,3 +62,59 @@ int mod_verify_sig(const void *mod, struct load_info *info) VERIFYING_MODULE_SIGNATURE, NULL, NULL); } + +int module_sig_check(struct load_info *info, int flags) +{ + int err = -ENODATA; + const unsigned long markerlen = sizeof(MODULE_SIG_STRING) - 1; + const char *reason; + const void *mod = info->hdr; + + /* + * Require flags == 0, as a module with version information + * removed is no longer the module that was signed + */ + if (flags == 0 && + info->len > markerlen && + memcmp(mod + info->len - markerlen, MODULE_SIG_STRING, markerlen) == 0) { + /* We truncate the module to discard the signature */ + info->len -= markerlen; + err = mod_verify_sig(mod, info); + if (!err) { + info->sig_ok = true; + return 0; + } + } + + /* + * We don't permit modules to be loaded into the trusted kernels + * without a valid signature on them, but if we're not enforcing, + * certain errors are non-fatal. + */ + switch (err) { + case -ENODATA: + reason = "unsigned module"; + break; + case -ENOPKG: + reason = "module with unsupported crypto"; + break; + case -ENOKEY: + reason = "module with unavailable key"; + break; + + default: + /* + * All other errors are fatal, including lack of memory, + * unparseable signatures, and signature check failures -- + * even if signatures aren't required. + */ + return err; + } + + if (is_module_sig_enforced()) { + pr_notice("Loading of %s is rejected\n", reason); + return -EKEYREJECTED; + } + + return security_locked_down(LOCKDOWN_MODULE_SIGNATURE); +} -- 2.34.1