Re: [PATCH] lockdown: kexec_file: prevent unsigned kernel image when KEXEC_SIG not enabled

From: Coiby Xu
Date: Fri Dec 30 2022 - 02:02:01 EST


On Mon, Nov 28, 2022 at 12:16:08PM -0500, Mimi Zohar wrote:
>On Tue, 2022-11-22 at 10:36 +0800, Coiby Xu wrote:
>> Hi Mimi,
>> 
>> On Mon, Nov 21, 2022 at 01:23:57PM -0500, Mimi Zohar wrote:
>> >Hi Coiby,
>> >
>> >On Mon, 2022-11-21 at 15:29 +0800, Coiby Xu wrote:
>> >> A kernel builder may not enable KEXEC_SIG and some architectures like
>> >> ppc64 simply don't have KEXEC_SIG. In these cases, unless both
>> >> IMA_ARCH_POLICY and secure boot also enabled, lockdown doesn't prevent
>> >> unsigned kernel image from being kexec'ed via the kexec_file_load
>> >> syscall whereas it could prevent one via the kexec_load syscall. Mandate
>> >> signature verification for those cases.
>> >>
>> >> Fixes: 155bdd30af17 ("kexec_file: Restrict at runtime if the kernel is locked down")
>> >> Cc: Matthew Garrett <mjg59@xxxxxxxxxxxxx>
>> >> Cc: Jiri Bohac <jbohac@xxxxxxx>
>> >> Cc: David Howells <dhowells@xxxxxxxxxx>
>> >> Cc: kexec@xxxxxxxxxxxxxxxxxxx
>> >> Cc: linux-integrity@xxxxxxxxxxxxxxx
>> >> Signed-off-by: Coiby Xu <coxu@xxxxxxxxxx>
>> >
>> >Other than correcting the function name to mandate_signature_verification(),
>> 
>> Applied to v2, thanks for correcting me! Btw, I realize I overwrote the
>> return code of kexec_image_verify_sig with
>> mandate_signature_verification's. v2 has fixed this issue as well.
>> 
>> >
>> >Reviewed-by: Mimi Zohar <zohar@xxxxxxxxxxxxx>
>> 
>> And thanks for the review!
>
>You're welcome.
>
>Without either IMA_ARCH or KEXEC_SIG enabled, the kexec selftest
>test_kexec_file_load.sh properly failed with "kexec_file_load failed
>[PASS]", but from the informational messages output, it isn't clear why
>it failed. This should be corrected.

Thanks for the suggestion! I've added some tests in v3 and now the
message is "# kexec_file_load failed (missing IMA sig) [PASS]".


>--
>thanks,
>
>Mimi


--
Best regards,
Coiby
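Added illustration, not the patch's code and not the kernel's: a user-space C model of the decision the commit message above describes, so the cases (no KEXEC_SIG on an arch like ppc64, lockdown on, with or without an IMA arch policy under secure boot) can be tabulated and checked. The struct, enum and model_* names are this model's own; KEXEC_SIG_FORCE and IMA's actual appraisal are left out.

```c
#include <errno.h>
#include <stdbool.h>
#ifndef ENOKEY                 /* Linux errno values; fallbacks for other libcs */
#define ENOKEY 126
#endif
#ifndef EKEYREJECTED
#define EKEYREJECTED 129
#endif

/* Constructed model of the build and platform state the decision uses. */
struct kexec_ctx {
    bool locked_down;      /* kernel lockdown is in effect */
    bool kexec_sig;        /* KEXEC_SIG built in (some arches lack it) */
    bool ima_arch_policy;  /* IMA_ARCH_POLICY built in */
    bool secure_boot;      /* firmware secure boot is enabled */
};

enum sig_state { SIG_VALID, SIG_MISSING, SIG_BAD };

/* Hypothetical stand-in for the image signature check, not the kernel's. */
static int model_verify_sig(enum sig_state s)
{
    if (s == SIG_VALID)
        return 0;
    return s == SIG_MISSING ? -ENOKEY : -EKEYREJECTED;
}

/* IMA is only guaranteed to appraise the image when the arch policy is
 * built in and the platform booted with secure boot. */
static bool model_ima_appraises(const struct kexec_ctx *c)
{
    return c->ima_arch_policy && c->secure_boot;
}

/* 0 = load may proceed, negative errno = refused (KEXEC_SIG_FORCE omitted). */
static int model_kexec_file_load(const struct kexec_ctx *c, enum sig_state s)
{
    int ret = model_verify_sig(s);

    if (c->kexec_sig) {
        /* Pre-existing KEXEC_SIG path: a failed check is tolerated unless
         * the kernel is locked down and IMA will not appraise the image. */
        return (ret && c->locked_down && !model_ima_appraises(c)) ? -EPERM : 0;
    }
    /* The gap the patch closes: with no KEXEC_SIG, lockdown must demand a
     * verified image itself unless IMA is guaranteed to appraise it.  The
     * verifier's result is consulted here rather than overwritten. */
    return (c->locked_down && !model_ima_appraises(c) && ret) ? -EPERM : 0;
}
```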