| Message ID | cover.1641822505.git.msuchanek@suse.de |
|---|---|
| Headers | show |
| Series | KEXEC_SIG with appended signature | expand |
On Mon, Jan 10, 2022 at 02:49:53PM +0100, Michal Suchanek wrote: > Module verification already implements appeded signature check. > > Reuse it for kexec_file. > > The kexec_file implementation uses EKEYREJECTED error in some cases when > there is no key and the common implementation uses ENOPKG or EBADMSG > instead. > > Signed-off-by: Michal Suchanek <msuchanek@suse.de> > Acked-by: Heiko Carstens <hca@linux.ibm.com> > --- > v3: Philipp Rudo <prudo@redhat.com>: Update the commit with note about > change of return value > --- > arch/s390/kernel/machine_kexec_file.c | 22 +++++----------------- > 1 file changed, 5 insertions(+), 17 deletions(-) > > diff --git a/arch/s390/kernel/machine_kexec_file.c b/arch/s390/kernel/machine_kexec_file.c > index 8f43575a4dd3..c944d71316c7 100644 > --- a/arch/s390/kernel/machine_kexec_file.c > +++ b/arch/s390/kernel/machine_kexec_file.c > @@ -31,6 +31,7 @@ int s390_verify_sig(const char *kernel, unsigned long kernel_len) > const unsigned long marker_len = sizeof(MODULE_SIG_STRING) - 1; > struct module_signature *ms; > unsigned long sig_len; > + int ret; > > /* Skip signature verification when not secure IPLed. */ > if (!ipl_secure_flag) > @@ -45,25 +46,12 @@ int s390_verify_sig(const char *kernel, unsigned long kernel_len) > kernel_len -= marker_len; > > ms = (void *)kernel + kernel_len - sizeof(*ms); > - kernel_len -= sizeof(*ms); > + ret = mod_check_sig(ms, kernel_len, "kexec"); > + if (ret) > + return ret; > > sig_len = be32_to_cpu(ms->sig_len); > - if (sig_len >= kernel_len) > - return -EKEYREJECTED; There is a small minor fix here, where by using mod_check_sig() now decreased the kernel_len by the sizeof(*ms). It is minor though. > - kernel_len -= sig_len; > - > - if (ms->id_type != PKEY_ID_PKCS7) > - return -EKEYREJECTED; More importantly is the return value used here changes but given the Ack by Heiko I suspect this if fine and does not break old userspace, the only change here is the possible error value returned by the kexec_file_load() system call. Reviewed-by: Luis Chamberlain <mcgrof@kernel.org> Luis
Hello, This is a refresh of the KEXEC_SIG series. This adds KEXEC_SIG support on powerpc and deduplicates the code dealing with appended signatures in the kernel. powerpc supports IMA_KEXEC but that's an exception rather than the norm. On the other hand, KEXEC_SIG is portable across platforms. For distributions to have uniform security features across platforms one option should be used on all platforms. Thanks Michal Previous revision: https://lore.kernel.org/linuxppc-dev/cover.1637862358.git.msuchanek@suse.de/ Patched kernel tree: https://github.com/hramrach/kernel/tree/kexec_sig Michal Suchanek (6): s390/kexec_file: Don't opencode appended signature check. powerpc/kexec_file: Add KEXEC_SIG support. kexec_file: Don't opencode appended signature verification. module: strip the signature marker in the verification function. module: Use key_being_used_for for log messages in verify_appended_signature module: Move duplicate mod_check_sig users code to mod_parse_sig arch/powerpc/Kconfig | 16 +++++++ arch/powerpc/kexec/elf_64.c | 12 +++++ arch/s390/Kconfig | 2 +- arch/s390/kernel/machine_kexec_file.c | 41 +---------------- crypto/asymmetric_keys/asymmetric_type.c | 1 + include/linux/module_signature.h | 1 + include/linux/verification.h | 5 +++ kernel/module-internal.h | 2 - kernel/module.c | 12 +++-- kernel/module_signature.c | 56 +++++++++++++++++++++++- kernel/module_signing.c | 34 +++++++------- security/integrity/ima/ima_modsig.c | 22 ++-------- 12 files changed, 116 insertions(+), 88 deletions(-)