Received: by 2002:a05:6358:d09b:b0:dc:cd0c:909e with SMTP id jc27csp6669200rwb; Tue, 22 Nov 2022 17:15:26 -0800 (PST) X-Google-Smtp-Source: AA0mqf4HhsR5RbwsgXho4rwWzILvQNqWJ1eJbjiJPyC02dl6WhNiikgNCu8HsdX1+JHKpeQV/pOW X-Received: by 2002:aa7:cd91:0:b0:469:2f36:fd with SMTP id x17-20020aa7cd91000000b004692f3600fdmr9363327edv.385.1669166126501; Tue, 22 Nov 2022 17:15:26 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1669166126; cv=none; d=google.com; s=arc-20160816; b=elyCwTQFEl7pxXNaK8EFHW7tZrVYxXcohMMrPOB3Lv95sH8yR7vZmFBQdJklQ86oXA wGQe2A/QQXeHvZegWSZXdvgiedfPnuVsU3qmykI40MAewNwzJ4JrwVUNdpOjj7h7Yxwt f6OxMPBO8Mx6V4yVCW1NEpycIPJ86NxCBkWt75//gDrm+IuBx2G3wLOGl08/YBOIXNsT /Gxb3XWptbVb+fhpWPZC95+QUwMhn9AluQsKsZ7vBuomkqqRbNDb8yYnJX06NLcGmGJF XolfPr+Sh2KLiawRVZ0bvYUm0C8+q7JKMmnfKJXEoABiBGfQ4dq0f8TWC0nn1YInspuO 9GVw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=aF7/2foVpEFS7EtJrtidG83b2asU3hWjYsy4BUecKfU=; b=GREiKPUUg5ZDYWvlhebUt3yo95d+U1Q2IQiHhApy2mmkG1PoYVk8LqoIxy7hWGvsPl 1S0dGwLmuyLXYgSmqvDicwLc/N3tKIPwIm4pz4obKNYeU525qV+5zZJSzZ2+rx8ySTDe bn5AMtz0YCpVDKQsIOBf4wfTMkFId71hgWZ1zScMDCPGNX4Sa/uRRshg92Zu1HwiaA22 BamHYZt0J4SgZp0SPhMYhtZFiG0xOBNJ+qBMfKM1rCTRFXwiL2LoMxWL0bQjgIVn21d5 GBvbfueM0/rMgn4u0bYLFhox+d72toif36E5kCF5GXZvZBPWbeXjysuAwPwWDcgnnJpJ vEuA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=FIHw5TaG; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id dd16-20020a1709069b9000b0078e2d2d1a67si13510211ejc.344.2022.11.22.17.15.02; Tue, 22 Nov 2022 17:15:26 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=FIHw5TaG; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234023AbiKWA4V (ORCPT + 89 others); Tue, 22 Nov 2022 19:56:21 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:34656 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232517AbiKWA4T (ORCPT ); Tue, 22 Nov 2022 19:56:19 -0500 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 5E277C696C for ; Tue, 22 Nov 2022 16:55:18 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1669164918; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=aF7/2foVpEFS7EtJrtidG83b2asU3hWjYsy4BUecKfU=; b=FIHw5TaGr6oQp7joJdwp3Y4GrgorfdwUZ9yUSwXYAyKRYcdEn7ZRw2g90DLz0kNqFIGMGx 5QSUekeFNnGtIb+61EGp4CD/Fx2AKaNXzrHyJQEeRwyjhgPcumEmB7ZX2swfinvFPZKPwI 6HbGs6GjDImOE8I50SwO8ZZQ0iK3TvM= Received: from mail-pl1-f198.google.com (mail-pl1-f198.google.com [209.85.214.198]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_128_GCM_SHA256) id us-mta-179-TGwvRW7ANoWgOno-Ebbesg-1; Tue, 22 Nov 2022 19:55:16 -0500 X-MC-Unique: TGwvRW7ANoWgOno-Ebbesg-1 Received: by mail-pl1-f198.google.com with SMTP id k9-20020a170902c40900b0018734e872a9so12784013plk.21 for ; Tue, 22 Nov 2022 16:55:16 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=aF7/2foVpEFS7EtJrtidG83b2asU3hWjYsy4BUecKfU=; b=PSaWHBcOZkcuoIuDXQCQenI+Q/fTaVm2dAbqZri5WWwGpkPqWD08QhwrmI6d4Z8lj/ KoHLkVnnT1TXaRWCVBAZno8k27GPFaqyKbWKp6+1shFKGls61/bseh07yry3dildlYtR 0q3BkSj3uBEA14GfQyAqV+4cABa/4Z+fu7FZa30wFPHGXeYgn8CdOaKaZnLzKXRJh3ko wkI5BpZriw4hsBMKAqUvlNMB7psLS6tNwm3HCREPjENW20EwPq1Uta4tHe7QWmmvJgVo uCdApkWsD3qBWcUzMf6VUovLAgLKgWZDwXSjJXeE+CjLpbJdQDPsteUpR/cWt3RcFqU3 ExOQ== X-Gm-Message-State: ANoB5pmGaGSvpvwCp+nqWztNlZASVOovmRR3IRhX4pNFZIEXU67EoIE3 CxfNWPtbiiepTDTTit8+0y9Jdljq3MF5RBwofKiIuI/oOHxFpEXV+qkdNKqwHDXR3pY0Qu7QXgD +5Xnmkmyy8CR0mwr5FM2VjJnb X-Received: by 2002:a63:565e:0:b0:46e:bcc1:a28f with SMTP id g30-20020a63565e000000b0046ebcc1a28fmr5986148pgm.408.1669164915691; Tue, 22 Nov 2022 16:55:15 -0800 (PST) X-Received: by 2002:a63:565e:0:b0:46e:bcc1:a28f with SMTP id g30-20020a63565e000000b0046ebcc1a28fmr5986133pgm.408.1669164915365; Tue, 22 Nov 2022 16:55:15 -0800 (PST) Received: from localhost ([43.228.180.230]) by smtp.gmail.com with ESMTPSA id g4-20020a17090a67c400b00212735c8898sm155313pjm.30.2022.11.22.16.55.13 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 22 Nov 2022 16:55:14 -0800 (PST) Date: Wed, 23 Nov 2022 08:52:51 +0800 From: Coiby Xu To: Vasily Gorbik Cc: kexec@lists.infradead.org, Matthew Garrett , Jiri Bohac , David Howells , Philipp Rudo , linux-s390@vger.kernel.org, Heiko Carstens , Alexander Gordeev , Christian Borntraeger , Sven Schnelle , James Morris , Matthew Garrett , open list , Peter Oberparleiter Subject: Re: [PATCH] lockdown: s390: kexec_file: don't skip signature verification when not secure IPLed Message-ID: <20221123005251.h4t2t2lv6tqb5nrp@Rk> References: <20221121072715.836323-1-coxu@redhat.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii; format=flowed Content-Disposition: inline In-Reply-To: X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE, RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_NONE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Nov 22, 2022 at 04:15:04PM +0100, Vasily Gorbik wrote: >On Mon, Nov 21, 2022 at 03:27:15PM +0800, Coiby Xu wrote: >> --- a/arch/s390/kernel/machine_kexec_file.c >> +++ b/arch/s390/kernel/machine_kexec_file.c >> @@ -33,10 +33,6 @@ int s390_verify_sig(const char *kernel, unsigned long kernel_len) >> unsigned long sig_len; >> int ret; >> >> - /* Skip signature verification when not secure IPLed. */ >> - if (!ipl_secure_flag) >> - return 0; > >Looking at s390_verify_sig() especially before commit 0828c4a39be5 >("kexec, KEYS, s390: Make use of built-in and secondary keyring for >signature verification") I think this condition actually expresses >2 things: >1. the firmware is secure IPL capable and secure IPL keys are > provided and present in platform keyring. >2. secure IPL is enabled. > >Wouldn't this change have implications for machines with older firmware >which doesn't support secure IPL? In this case platform keyring won't >have any secure IPL keys (since firmware doesn't provide them) >and any properly signed kernels will be rejected for kexec in this >function. Unless secure IPL keys are also present in built-in or secondary >keyring (which is possible after commit 0828c4a39be5) - is that what >distributions normally do? Thanks for pointing me to the above commit and reminding me older firmware doesn't support secure IPL! But I don't think this change will break machines with older firmwares which doesn't support secure IPL. Distributions like Fedora/RHEL have downstream-only patch that enable lockdown automatically when secure boot is enabled. Since there is no secure IPL, lockdown won't be enabled which means kimage_validate_signature (kernel/kexec_file.c) doesn't enforce signature verification (sorry I should change the commit subject which is misleading). For the case where users manually enables lockdown, I assume they know what lockdown means and expect signature verification to be enforced instead to be silently bypassed. -- Best regards, Coiby