[RFC PATCH 0/9] kexec: Verify signature of PE signed bzImage

From: Vivek Goyal
Date: Thu Jul 03 2014 - 17:08:55 EST

Next message: Vivek Goyal: "[PATCH 8/9] PEFILE: Validate PKCS#7 trust chain"
Previous message: Vivek Goyal: "[PATCH 4/9] pefile: Strip the wrapper off of the cert data block"
Next in thread: Vivek Goyal: "[PATCH 1/9] pkcs7: Forward declare struct key in pkcs7.h"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi,

This patch series enables signature verification of signed PE bzimage. This
patches series needs two more patch series before it.

First one is kexec_file_load() syscall support posted here.

https://lkml.org/lkml/2014/6/26/497

This patch seris is also available in -mm tree now.

Second one is PKCS7 signature parsing and verification support. These
patches are available in David Howells's modsign tree in pkcs7 branch.

https://git.kernel.org/cgit/linux/kernel/git/dhowells/linux-modsign.git/log/?h=pkcs7

This patch series is based on David Howells's work of PE file parsing
and PKCS7 signature verificaiton. Now PKCS7 signature part is available
in his tree. So I have taken PE file parsing patches, changed them a
bit and posting these here.

Now kexec bzImage loader calls into pefile parser and passes the PE
signed bzImage for signature verification.

Two new config options have been intorduced. First one is
CONFIG_KEXEC_VERIFY_SIG. This option enforces that kernel has to be
validly signed otherwise kernel load will fail. If this option is not
set, no signature verification will be done. Only exception will be
when secureboot is enabled. In that case signature verification should
be automatically enforced when secureboot is enabled. But that will
happen when secureboot patches are merged.

Second config option is CONFIG_KEXEC_BZIMAGE_VERIFY_SIG. This option
enables signature verification support on bzImage. If this option is
not set and previous one is set, kernel image loading will fail because
kernel does not have support to verify signature of bzImage.

I tested these patches with both "pesign" and "sbsign" signed bzImages.

I used signing_key.priv key and signing_key.x509 cert for signing as
generated during kernel build process (if module signing is enabled).

Used following method to sign bzImage.

pesign
======
- Convert DER format cert to PEM format cert
openssl x509 -in signing_key.x509 -inform DER -out signing_key.x509.PEM -outform PEM

- Generate a .p12 file from existing cert and private key file
openssl pkcs12 -export -out kernel-key.p12 -inkey signing_key.priv -in signing_key.x509.PEM

- Import .p12 file into pesign db
pk12util -i /tmp/kernel-key.p12 -d /etc/pki/pesign

- Sign bzImage
pesign -i /boot/vmlinuz-3.16.0-rc3+ -o /boot/vmlinuz-3.16.0-rc3+.signed.pesign -c "Glacier signing key - Magrathea" -s

sbsign
======
sbsign --key signing_key.priv --cert signing_key.x509.PEM --output /boot/vmlinuz-3.16.0-rc3+.signed.sbsign /boot/vmlinuz-3.16.0-rc3+

Please review. Any feedback is welcome.

Thanks
Vivek

Vivek Goyal (9):
pkcs7: Forward declare struct key in pkcs7.h
Provide PE binary definitions
pefile: Parse a PE binary and verify signature
pefile: Strip the wrapper off of the cert data block
pefile: Parse the presumed PKCS#7 content of the certificate blob
pefile: Parse the "Microsoft individual code signing" data blob
pefile: Digest the PE binary and compare to the PKCS#7 data
PEFILE: Validate PKCS#7 trust chain
kexec: Verify the signature of signed PE bzImage

arch/x86/Kconfig | 31 +++
arch/x86/kernel/Makefile | 7 +
arch/x86/kernel/kexec-bzimage64.c | 11 +
arch/x86/kernel/machine_kexec_64.c | 11 +
arch/x86/kernel/mscode.asn1 | 28 +++
arch/x86/kernel/mscode_parser.c | 126 +++++++++++
arch/x86/kernel/pefile_parser.c | 437 ++++++++++++++++++++++++++++++++++++
arch/x86/kernel/pefile_parser.h | 36 +++
include/crypto/pkcs7.h | 1 +
include/linux/kexec.h | 3 +
include/linux/oid_registry.h | 7 +-
include/linux/pe.h | 448 +++++++++++++++++++++++++++++++++++++
kernel/kexec.c | 15 ++
13 files changed, 1160 insertions(+), 1 deletion(-)
create mode 100644 arch/x86/kernel/mscode.asn1
create mode 100644 arch/x86/kernel/mscode_parser.c
create mode 100644 arch/x86/kernel/pefile_parser.c
create mode 100644 arch/x86/kernel/pefile_parser.h
create mode 100644 include/linux/pe.h

--
1.9.0

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Vivek Goyal: "[PATCH 8/9] PEFILE: Validate PKCS#7 trust chain"
Previous message: Vivek Goyal: "[PATCH 4/9] pefile: Strip the wrapper off of the cert data block"
Next in thread: Vivek Goyal: "[PATCH 1/9] pkcs7: Forward declare struct key in pkcs7.h"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]