[PATCH v12 15/16] arm64: kexec_file: add kernel signature verification support

[PATCH v12 00/16] arm64: kexec: add kexec_file_load() support · AKASHI Takahiro <hidden> · 2018-07-24
[PATCH v12 01/16] asm-generic: add kexec_file_load system call to unistd.h · AKASHI Takahiro <hidden> · 2018-07-24
Re: [PATCH v12 01/16] asm-generic: add kexec_file_load system call to unistd.h · James Morse <james.morse@arm.com> · 2018-07-26
Re: [PATCH v12 01/16] asm-generic: add kexec_file_load system call to unistd.h · AKASHI Takahiro <hidden> · 2018-07-27
[PATCH v12 02/16] kexec_file: make kexec_image_post_load_cleanup_default() global · AKASHI Takahiro <hidden> · 2018-07-24
[PATCH v12 03/16] s390, kexec_file: drop arch_kexec_mem_walk() · AKASHI Takahiro <hidden> · 2018-07-24
Re: [PATCH v12 03/16] s390, kexec_file: drop arch_kexec_mem_walk() · Philipp Rudo <hidden> · 2018-07-24
[PATCH v12 04/16] powerpc, kexec_file: factor out memblock-based arch_kexec_walk_mem() · AKASHI Takahiro <hidden> · 2018-07-24
Re: [PATCH v12 04/16] powerpc, kexec_file: factor out memblock-based arch_kexec_walk_mem() · Dave Young <hidden> · 2018-07-25
Re: [PATCH v12 04/16] powerpc, kexec_file: factor out memblock-based arch_kexec_walk_mem() · AKASHI Takahiro <hidden> · 2018-07-27
[PATCH v12 05/16] kexec_file: kexec_walk_memblock() only walks a dedicated region at kdump · AKASHI Takahiro <hidden> · 2018-07-24
[PATCH v12 06/16] of/fdt: add helper functions for handling properties · AKASHI Takahiro <hidden> · 2018-07-24
[PATCH v12 07/16] arm64: add image head flag definitions · AKASHI Takahiro <hidden> · 2018-07-24
[PATCH v12 08/16] arm64: cpufeature: add MMFR0 helper functions · AKASHI Takahiro <hidden> · 2018-07-24
[PATCH v12 09/16] arm64: enable KEXEC_FILE config · AKASHI Takahiro <hidden> · 2018-07-24
[PATCH v12 10/16] arm64: kexec_file: load initrd and device-tree · AKASHI Takahiro <hidden> · 2018-07-24
Re: [PATCH v12 10/16] arm64: kexec_file: load initrd and device-tree · James Morse <james.morse@arm.com> · 2018-07-26
Re: [PATCH v12 10/16] arm64: kexec_file: load initrd and device-tree · AKASHI Takahiro <hidden> · 2018-07-27
[PATCH v12 11/16] arm64: kexec_file: allow for loading Image-format kernel · AKASHI Takahiro <hidden> · 2018-07-24
[PATCH v12 12/16] arm64: kexec_file: add crash dump support · AKASHI Takahiro <hidden> · 2018-07-24
Re: [PATCH v12 12/16] arm64: kexec_file: add crash dump support · James Morse <james.morse@arm.com> · 2018-07-26
Re: [PATCH v12 12/16] arm64: kexec_file: add crash dump support · AKASHI Takahiro <hidden> · 2018-07-27
[PATCH v12 13/16] arm64: kexec_file: invoke the kernel without purgatory · AKASHI Takahiro <hidden> · 2018-07-24
Re: [PATCH v12 13/16] arm64: kexec_file: invoke the kernel without purgatory · James Morse <james.morse@arm.com> · 2018-07-26
Re: [PATCH v12 13/16] arm64: kexec_file: invoke the kernel without purgatory · AKASHI Takahiro <hidden> · 2018-07-27
[PATCH v12 14/16] include: pe.h: remove message[] from mz header definition · AKASHI Takahiro <hidden> · 2018-07-24
[PATCH v12 15/16] arm64: kexec_file: add kernel signature verification support · AKASHI Takahiro <hidden> · 2018-07-24
Re: [PATCH v12 15/16] arm64: kexec_file: add kernel signature verification support · James Morse <james.morse@arm.com> · 2018-07-26
[PATCH v12 16/16] arm64: kexec_file: add kaslr support · AKASHI Takahiro <hidden> · 2018-07-24
Re: [PATCH v12 16/16] arm64: kexec_file: add kaslr support · James Morse <james.morse@arm.com> · 2018-07-26
Re: [PATCH v12 16/16] arm64: kexec_file: add kaslr support · AKASHI Takahiro <hidden> · 2018-07-27

From: james.morse@arm.com (James Morse)
Date: 2018-07-26 13:39:32
Also in: kexec, lkml

Hi Akashi,

On 24/07/18 07:57, AKASHI Takahiro wrote:

With this patch, kernel verification can be done without IMA security
subsystem enabled. Turn on CONFIG_KEXEC_VERIFY_SIG instead.

On x86, a signature is embedded into a PE file (Microsoft's format) header
of binary. Since arm64's "Image" can also be seen as a PE file as far as
CONFIG_EFI is enabled, we adopt this format for kernel signing.

You can create a signed kernel image with:
    $ sbsign --key ${KEY} --cert ${CERT} Image

Reviewed-by: James Morse <james.morse@arm.com>

quoted hunk ↗ jump to hunk

diff --git a/arch/arm64/kernel/kexec_image.c b/arch/arm64/kernel/kexec_image.c
index d64f5e9f9d22..578d358632d0 100644
--- a/arch/arm64/kernel/kexec_image.c
+++ b/arch/arm64/kernel/kexec_image.c

@@ -102,7 +106,18 @@ static void *image_load(struct kimage *image,
 	return ERR_PTR(ret);
 }
 
+#ifdef CONFIG_KEXEC_IMAGE_VERIFY_SIG
+static int image_verify_sig(const char *kernel, unsigned long kernel_len)
+{
+	return verify_pefile_signature(kernel, kernel_len, NULL,
+				       VERIFYING_KEXEC_PE_SIGNATURE);
+}
+#endif

This is identical to x86's PE image verification helper. We can clean this up
later by providing some kexec_image_verify_pe() in the core kexec_file code. Its
not worth doing now.

 const struct kexec_file_ops kexec_image_ops = {
 	.probe = image_probe,
 	.load = image_load,
+#ifdef CONFIG_KEXEC_IMAGE_VERIFY_SIG
+	.verify_sig = image_verify_sig,
+#endif
 };


Thanks,

James

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help