From: "Theodore Ts'o" <tytso@mit.edu>
To: Eric Biederman <ebiederm@xmission.com>, dhowells@redhat.com
Cc: kexec@lists.infradead.org, linux-kernel@vger.kernel.org
Subject: kexec_load(2) bypasses signature verification
Date: Sun, 14 Jun 2015 23:50:51 -0400 [thread overview]
Message-ID: <20150615035051.GA2634@thunk.org> (raw)
>From experimentation and from looking at the sources, it appears that
the signature checking is only done in the kexec_file_load(2) system
all, and not in the kexec_load(2) system call. And I understand why
-- the signature is not sent from userspace to the kernel in the older
kexec_load(2) system call.
The problem is that if you use an old version of kexec, it will use
the old kexec_load(2) system call, and even though
CONFIG_KEXEC_VERIFY_SIG is enabled, kexec_load(2) will happily load an
unsigned kernel, and then "kexec -e" will happily boot into it.
Correct me if I am wrong, but this appears to be a hole in Secure Boot
you could drive a Mack Truck through.
(I noticed this because Debian is still using a kexec-tools from the
stone ages, version 2.0.7, and I was wondering **why** I was able to
kexec boot completely unsigned kernels.)
It would appear to me that if CONFIG_KEXEC_VERIFY_SIG is enabled, the
old kexec_load(2) system call should be disabled (and a warning be
placed in the Kconfig help that the user should have at least verision
2.X of kexec-tools if they enable this kernel option).
Am I missing something?
- Ted
WARNING: multiple messages have this Message-ID (diff)
From: Theodore Ts'o <tytso@mit.edu>
To: Eric Biederman <ebiederm@xmission.com>, dhowells@redhat.com
Cc: kexec@lists.infradead.org, linux-kernel@vger.kernel.org
Subject: kexec_load(2) bypasses signature verification
Date: Sun, 14 Jun 2015 23:50:51 -0400 [thread overview]
Message-ID: <20150615035051.GA2634@thunk.org> (raw)
From experimentation and from looking at the sources, it appears that
the signature checking is only done in the kexec_file_load(2) system
all, and not in the kexec_load(2) system call. And I understand why
-- the signature is not sent from userspace to the kernel in the older
kexec_load(2) system call.
The problem is that if you use an old version of kexec, it will use
the old kexec_load(2) system call, and even though
CONFIG_KEXEC_VERIFY_SIG is enabled, kexec_load(2) will happily load an
unsigned kernel, and then "kexec -e" will happily boot into it.
Correct me if I am wrong, but this appears to be a hole in Secure Boot
you could drive a Mack Truck through.
(I noticed this because Debian is still using a kexec-tools from the
stone ages, version 2.0.7, and I was wondering **why** I was able to
kexec boot completely unsigned kernels.)
It would appear to me that if CONFIG_KEXEC_VERIFY_SIG is enabled, the
old kexec_load(2) system call should be disabled (and a warning be
placed in the Kconfig help that the user should have at least verision
2.X of kexec-tools if they enable this kernel option).
Am I missing something?
- Ted
_______________________________________________
kexec mailing list
kexec@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/kexec
next reply other threads:[~2015-06-15 3:51 UTC|newest]
Thread overview: 50+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-06-15 3:50 Theodore Ts'o [this message]
2015-06-15 3:50 ` kexec_load(2) bypasses signature verification Theodore Ts'o
2015-06-15 9:11 ` Dave Young
2015-06-15 9:28 ` Petr Tesarik
2015-06-15 12:14 ` Josh Boyer
2015-06-15 12:14 ` Josh Boyer
2015-06-15 13:17 ` Theodore Ts'o
2015-06-15 13:17 ` Theodore Ts'o
2015-06-15 13:37 ` Josh Boyer
2015-06-15 13:37 ` Josh Boyer
2015-06-15 20:01 ` Theodore Ts'o
2015-06-15 20:01 ` Theodore Ts'o
2015-06-16 19:38 ` Eric W. Biederman
2015-06-16 19:38 ` Eric W. Biederman
2015-06-16 20:27 ` Vivek Goyal
2015-06-16 20:27 ` Vivek Goyal
2015-06-17 1:32 ` Eric W. Biederman
2015-06-17 1:32 ` Eric W. Biederman
2015-06-17 1:47 ` Vivek Goyal
2015-06-17 1:47 ` Vivek Goyal
2015-06-18 1:16 ` Dave Young
2015-06-18 1:16 ` Dave Young
2015-06-18 2:02 ` Dave Young
2015-06-18 2:02 ` Dave Young
2015-06-18 13:30 ` Vivek Goyal
2015-06-18 13:30 ` Vivek Goyal
2015-06-18 14:41 ` Eric W. Biederman
2015-06-18 14:41 ` Eric W. Biederman
2015-06-19 6:21 ` Dave Young
2015-06-19 6:21 ` Dave Young
2015-06-19 8:18 ` Dave Young
2015-06-19 8:18 ` Dave Young
2015-06-19 13:09 ` Vivek Goyal
2015-06-19 13:09 ` Vivek Goyal
2015-06-25 8:48 ` Dave Young
2015-06-25 8:48 ` Dave Young
2015-06-25 15:59 ` Vivek Goyal
2015-06-25 15:59 ` Vivek Goyal
2015-06-26 1:59 ` Dave Young
2015-06-26 1:59 ` Dave Young
2015-06-19 7:04 ` Dave Young
2015-06-19 7:04 ` Dave Young
2015-06-19 13:09 ` Vivek Goyal
2015-06-19 13:09 ` Vivek Goyal
2015-06-17 3:26 ` Theodore Ts'o
2015-06-17 3:26 ` Theodore Ts'o
2015-06-17 10:55 ` One Thousand Gnomes
2015-06-17 10:55 ` One Thousand Gnomes
2015-06-18 1:25 ` Dave Young
2015-06-18 1:25 ` Dave Young
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20150615035051.GA2634@thunk.org \
--to=tytso@mit.edu \
--cc=dhowells@redhat.com \
--cc=ebiederm@xmission.com \
--cc=kexec@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.