[PATCH 08a/30] kexec_file: split KEXEC_VERIFY_SIG into KEXEC_SIG and KEXEC_SIG_FORCE

[PATCH 00/30] security, efi: Add kernel lockdown · David Howells <dhowells@redhat.com> · 2017-11-09
[PATCH 01/30] Add the ability to lock down access to the running kernel image · David Howells <dhowells@redhat.com> · 2017-11-09
[PATCH 02/30] Add a SysRq option to lift kernel lockdown · David Howells <dhowells@redhat.com> · 2017-11-09
[PATCH 03/30] ima: require secure_boot rules in lockdown mode · David Howells <dhowells@redhat.com> · 2017-11-09
[PATCH 04/30] Enforce module signatures if the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-11-09
Re: [PATCH 04/30] Enforce module signatures if the kernel is locked down · David Howells <dhowells@redhat.com> · 2018-02-22
Re: [PATCH 04/30] Enforce module signatures if the kernel is locked down · Jiri Bohac <hidden> · 2018-02-22
[PATCH 05/30] Restrict /dev/{mem, kmem, port} when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-11-09
[PATCH 06/30] kexec: Disable at runtime if the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-11-09
[PATCH 07/30] Copy secure_boot flag in boot params across kexec reboot · David Howells <dhowells@redhat.com> · 2017-11-09
[PATCH 08/30] kexec_file: Restrict at runtime if the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-11-09
Re: [PATCH 08/30] kexec_file: Restrict at runtime if the kernel is locked down · Jiri Bohac <hidden> · 2018-01-11
[PATCH 08a/30] kexec_file: split KEXEC_VERIFY_SIG into KEXEC_SIG and KEXEC_SIG_FORCE · Jiri Bohac <hidden> · 2018-01-11
Re: [PATCH 08a/30] kexec_file: split KEXEC_VERIFY_SIG into KEXEC_SIG and KEXEC_SIG_FORCE · David Howells <dhowells@redhat.com> · 2018-01-16
Re: [PATCH 08a/30] kexec_file: split KEXEC_VERIFY_SIG into KEXEC_SIG and KEXEC_SIG_FORCE · Jiri Bohac <hidden> · 2018-01-16
Re: [PATCH 08a/30] kexec_file: split KEXEC_VERIFY_SIG into KEXEC_SIG and KEXEC_SIG_FORCE · David Howells <dhowells@redhat.com> · 2018-01-17
Re: [PATCH 08a/30] kexec_file: split KEXEC_VERIFY_SIG into KEXEC_SIG and KEXEC_SIG_FORCE · Jiri Bohac <hidden> · 2018-01-19
Re: [PATCH 08a/30] kexec_file: split KEXEC_VERIFY_SIG into KEXEC_SIG and KEXEC_SIG_FORCE · David Howells <dhowells@redhat.com> · 2018-02-21
[PATCH 08b/30] kexec_file: Restrict at runtime if the kernel is locked down · Jiri Bohac <hidden> · 2018-01-11
Re: [PATCH 08/30] kexec_file: Restrict at runtime if the kernel is locked down · David Howells <dhowells@redhat.com> · 2018-01-11
Re: [PATCH 08/30] kexec_file: Restrict at runtime if the kernel is locked down · David Howells <dhowells@redhat.com> · 2018-01-11
Re: [PATCH 08/30] kexec_file: Restrict at runtime if the kernel is locked down · Jiri Bohac <hidden> · 2018-01-11
Re: [PATCH 08/30] kexec_file: Restrict at runtime if the kernel is locked down · David Howells <dhowells@redhat.com> · 2018-01-17
Re: [PATCH 08/30] kexec_file: Restrict at runtime if the kernel is locked down · David Howells <dhowells@redhat.com> · 2018-02-22
Re: [PATCH 08/30] kexec_file: Restrict at runtime if the kernel is locked down · David Howells <dhowells@redhat.com> · 2018-02-22
Re: [PATCH 08/30] kexec_file: Restrict at runtime if the kernel is locked down · Jiri Bohac <hidden> · 2018-02-22
Re: [PATCH 08/30] kexec_file: Restrict at runtime if the kernel is locked down · Jiri Bohac <hidden> · 2018-02-22
[PATCH 09/30] hibernate: Disable when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-11-09
[PATCH 10/30] uswsusp: Disable when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-11-09
[PATCH 11/30] PCI: Lock down BAR access when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-11-09
[PATCH 12/30] x86: Lock down IO port access when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-11-09
[PATCH 13/30] x86/msr: Restrict MSR access when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-11-09
[PATCH 14/30] asus-wmi: Restrict debugfs interface when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-11-09
[PATCH 15/30] ACPI: Limit access to custom_method when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-11-09
[PATCH 16/30] acpi: Ignore acpi_rsdp kernel param when the kernel has been locked down · David Howells <dhowells@redhat.com> · 2017-11-09
[PATCH 17/30] acpi: Disable ACPI table override if the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-11-09
[PATCH 18/30] acpi: Disable APEI error injection if the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-11-09
Re: [PATCH 18/30] acpi: Disable APEI error injection if the kernel is locked down · Joey Lee <JLee@suse.com> · 2019-11-07
Re: [PATCH 18/30] acpi: Disable APEI error injection if the kernel is locked down · joeyli <jlee@suse.com> · 2022-05-28
[PATCH 19/30] scsi: Lock down the eata driver · David Howells <dhowells@redhat.com> · 2017-11-09
[PATCH 20/30] Prohibit PCMCIA CIS storage when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-11-09
[PATCH 21/30] Lock down TIOCSSERIAL · David Howells <dhowells@redhat.com> · 2017-11-09
[PATCH 22/30] Lock down module params that specify hardware parameters (eg. ioport) · David Howells <dhowells@redhat.com> · 2017-11-09
[PATCH 23/30] x86/mmiotrace: Lock down the testmmiotrace module · David Howells <dhowells@redhat.com> · 2017-11-09
[PATCH 24/30] debugfs: Disallow use of debugfs files when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-11-09
[PATCH 25/30] Lock down /proc/kcore · David Howells <dhowells@redhat.com> · 2017-11-09
[PATCH 26/30] Lock down ftrace · David Howells <dhowells@redhat.com> · 2017-11-09
Re: [PATCH 26/30] Lock down ftrace · Jiri Kosina <jikos@kernel.org> · 2017-11-10
Re: [PATCH 26/30] Lock down ftrace · David Howells <dhowells@redhat.com> · 2017-11-10
Re: [PATCH 26/30] Lock down ftrace · Jiri Kosina <jikos@kernel.org> · 2017-11-10
Re: [PATCH 26/30] Lock down ftrace · David Howells <dhowells@redhat.com> · 2017-11-10
Re: [PATCH 26/30] Lock down ftrace · Jiri Kosina <jikos@kernel.org> · 2017-11-10
Re: [PATCH 26/30] Lock down ftrace · David Howells <dhowells@redhat.com> · 2017-11-10
[PATCH 27/30] Lock down kprobes · David Howells <dhowells@redhat.com> · 2017-11-09
[PATCH 28/30] bpf: Restrict kernel image access functions when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-11-09
[PATCH 29/30] efi: Add an EFI_SECURE_BOOT flag to indicate secure boot mode · David Howells <dhowells@redhat.com> · 2017-11-09
[PATCH 30/30] efi: Lock down the kernel if booted in secure boot mode · David Howells <dhowells@redhat.com> · 2017-11-09
Re: [PATCH 00/30] security, efi: Add kernel lockdown · Andrew Morton <akpm@linux-foundation.org> · 2018-03-03

From: Jiri Bohac <hidden>
Date: 2018-01-19 12:54:39
Also in: linux-efi, lkml

On Wed, Jan 17, 2018 at 04:34:24PM +0000, David Howells wrote:

Jiri Bohac [off-list ref] wrote:

quoted

If sig_err is -EKEYREJECTED, -EKEYEXPIRED or -EKEYREVOKED then it must fail,
even if the signature check isn't forced.

It wasn't my intention to fail in these cases. What additional
security does this bring? If simply stripping an invalid
signature from the image before loading will make it pass, why
should the image with an invalid signature be rejected?

If there is a signature, then if we're checking signatures, in my opinion we
should check it - and fail if the signature can't be parsed, is revoked, we
have a key and the signature doesn't match - or even if we run out of memory.

Key verification may and will fail for lots of reasons which is
just going to make a user's life harder. E.g. you want to kexec
an old kernel with an expired key. Or your date is just wrong and
you get -EKEYEXPIRED. And you don't care about the signing at
all; it's just compiled in because your distro also needs to work
with secureboot. As a user, you will have to debug what's wrong
for no good reason. And an actual attacker will just strip the
signature off the image and load it.

This makes no sense.

The cases for which enforcement is required are when (a) there is no
signature, (b) we don't support the algorithms used, or (c) we don't have a
key.

If we're going to completely discard the result, why do your patches even
bother to check the signature at all?

I thought that the debug message might be useful. E.g. when
you're testing a kernel and you see "kernel signature
verification failed" in dmesg then you know this would fail on a
system with secure boot. 

But if ignoring the return code seems like too bad a thing, I would
rather skip the signature checking if it's not going to be
enforced with lockdown or CONFIG_KEXEC_SIG_FORCE.

Also, only now I found that some of the error codes the crypto
code returns yield really confusing messages (e.g.
kexec_file_load of an unsigned kernel returns -ELIBBAD which
makes kexec exit with "kexec_file_load failed: Accessing a
corrupted shared library").
Maybe the error code could be unified to -EKEYREJECTED for all
sorts of key verification failures?

Thanks,

-- 
Jiri Bohac [off-list ref]
SUSE Labs, Prague, Czechia

--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help