From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S932083AbbFSGV6 (ORCPT ); Fri, 19 Jun 2015 02:21:58 -0400 Received: from mx1.redhat.com ([209.132.183.28]:57890 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751902AbbFSGVu (ORCPT ); Fri, 19 Jun 2015 02:21:50 -0400 Date: Fri, 19 Jun 2015 14:21:40 +0800 From: Dave Young To: Vivek Goyal Cc: "Eric W. Biederman" , Josh Boyer , "Theodore Ts'o" , Petr Tesarik , kexec , "Linux-Kernel@Vger. Kernel. Org" , David Howells Subject: Re: kexec_load(2) bypasses signature verification Message-ID: <20150619062140.GH4636@dhcp-128-32.nay.redhat.com> References: <20150615131728.GK15793@thunk.org> <20150615200115.GG5003@thunk.org> <87zj3zigug.fsf@x220.int.ebiederm.org> <20150616202757.GB14943@redhat.com> <87y4jjglvu.fsf@x220.int.ebiederm.org> <20150617014737.GB30214@redhat.com> <20150618011629.GA8718@dhcp-128-32.nay.redhat.com> <20150618020209.GA8390@dhcp-128-32.nay.redhat.com> <20150618133044.GA1040@redhat.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20150618133044.GA1040@redhat.com> User-Agent: Mutt/1.5.22.1-rc1 (2013-10-16) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 06/18/15 at 09:30am, Vivek Goyal wrote: > On Thu, Jun 18, 2015 at 10:02:09AM +0800, Dave Young wrote: > > [..] > > > Or simply add a new config option KEXEC_VERIFY_SIG_FORCE, so we can return > > > error in kexec_load and print some error message. > > > > Just like below, does this work for you, Ted? > > > > --- > > arch/x86/Kconfig | 7 +++++++ > > kernel/kexec.c | 9 ++++++++- > > 2 files changed, 15 insertions(+), 1 deletion(-) > > > > --- linux.orig/arch/x86/Kconfig > > +++ linux/arch/x86/Kconfig > > @@ -1755,6 +1755,13 @@ config KEXEC_VERIFY_SIG > > verification for the corresponding kernel image type being > > loaded in order for this to work. > > > > +config KEXEC_VERIFY_SIG_FORCE > > + bool "Enforce kexec signature verifying" > > + depends on KEXEC_VERIFY_SIG > > + ---help--- > > + This option disable kexec_load() syscall, only kexec_file_load > > + can be used. > > + > > > Hi Dave, > > I think we might not need a new config option. A new config option makes > it little confusing. KEXEC_VERIFY_SIG already implies KEXEC_VERIFY_SIG_FORCE > (for new syscall). Now extending it to also mean that it should disable old > syscall is confusing. Hmm, it is only reasonable when kexec_file_load can support bypassing sig verifying even when CONFIG_KEXEC_VERIFY_SIG=y. So agree it is confusing to add a _FORCE new option now. > > We already have a sysctl knob to disable kexec kernel loading. But that > knob disables it on both the syscalls. > > May be we can just introduce another command line option say > "kexec_verify_sig_force" and this will work across both the syscalls and > will deny loading a unsigned kernel in following two cases. > > - Using old syscall > - Using new syscall if kernel was compiled with KEXEC_VERIFY_SIG=n. As you said KEXEC_VERIFY_SIG implies KEXEC_VERIFY_SIG_FORCE now so if one disable it in .config, we have no reason to disable kernel loading without signature verifying? > > This should be simple and get us going in short term. > > If we want to disable unsigned kernel loading at compile time, then we > really need to work on decoupling CONFIG_KEXEC and CONFIG_FILE_KEXEC. > Introducing another config option is not the way forward, IMHO. Yes, let's do it in this way since everyone is fine with it. Thanks Dave From mboxrd@z Thu Jan 1 00:00:00 1970 Return-path: Received: from mx1.redhat.com ([209.132.183.28]) by bombadil.infradead.org with esmtps (Exim 4.80.1 #2 (Red Hat Linux)) id 1Z5pgq-0005mb-MO for kexec@lists.infradead.org; Fri, 19 Jun 2015 06:22:13 +0000 Date: Fri, 19 Jun 2015 14:21:40 +0800 From: Dave Young Subject: Re: kexec_load(2) bypasses signature verification Message-ID: <20150619062140.GH4636@dhcp-128-32.nay.redhat.com> References: <20150615131728.GK15793@thunk.org> <20150615200115.GG5003@thunk.org> <87zj3zigug.fsf@x220.int.ebiederm.org> <20150616202757.GB14943@redhat.com> <87y4jjglvu.fsf@x220.int.ebiederm.org> <20150617014737.GB30214@redhat.com> <20150618011629.GA8718@dhcp-128-32.nay.redhat.com> <20150618020209.GA8390@dhcp-128-32.nay.redhat.com> <20150618133044.GA1040@redhat.com> MIME-Version: 1.0 Content-Disposition: inline In-Reply-To: <20150618133044.GA1040@redhat.com> List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: "kexec" Errors-To: kexec-bounces+dwmw2=infradead.org@lists.infradead.org To: Vivek Goyal Cc: Josh Boyer , Theodore Ts'o , kexec , Petr Tesarik , "Linux-Kernel@Vger. Kernel. Org" , David Howells , "Eric W. Biederman" On 06/18/15 at 09:30am, Vivek Goyal wrote: > On Thu, Jun 18, 2015 at 10:02:09AM +0800, Dave Young wrote: > > [..] > > > Or simply add a new config option KEXEC_VERIFY_SIG_FORCE, so we can return > > > error in kexec_load and print some error message. > > > > Just like below, does this work for you, Ted? > > > > --- > > arch/x86/Kconfig | 7 +++++++ > > kernel/kexec.c | 9 ++++++++- > > 2 files changed, 15 insertions(+), 1 deletion(-) > > > > --- linux.orig/arch/x86/Kconfig > > +++ linux/arch/x86/Kconfig > > @@ -1755,6 +1755,13 @@ config KEXEC_VERIFY_SIG > > verification for the corresponding kernel image type being > > loaded in order for this to work. > > > > +config KEXEC_VERIFY_SIG_FORCE > > + bool "Enforce kexec signature verifying" > > + depends on KEXEC_VERIFY_SIG > > + ---help--- > > + This option disable kexec_load() syscall, only kexec_file_load > > + can be used. > > + > > > Hi Dave, > > I think we might not need a new config option. A new config option makes > it little confusing. KEXEC_VERIFY_SIG already implies KEXEC_VERIFY_SIG_FORCE > (for new syscall). Now extending it to also mean that it should disable old > syscall is confusing. Hmm, it is only reasonable when kexec_file_load can support bypassing sig verifying even when CONFIG_KEXEC_VERIFY_SIG=y. So agree it is confusing to add a _FORCE new option now. > > We already have a sysctl knob to disable kexec kernel loading. But that > knob disables it on both the syscalls. > > May be we can just introduce another command line option say > "kexec_verify_sig_force" and this will work across both the syscalls and > will deny loading a unsigned kernel in following two cases. > > - Using old syscall > - Using new syscall if kernel was compiled with KEXEC_VERIFY_SIG=n. As you said KEXEC_VERIFY_SIG implies KEXEC_VERIFY_SIG_FORCE now so if one disable it in .config, we have no reason to disable kernel loading without signature verifying? > > This should be simple and get us going in short term. > > If we want to disable unsigned kernel loading at compile time, then we > really need to work on decoupling CONFIG_KEXEC and CONFIG_FILE_KEXEC. > Introducing another config option is not the way forward, IMHO. Yes, let's do it in this way since everyone is fine with it. Thanks Dave _______________________________________________ kexec mailing list kexec@lists.infradead.org http://lists.infradead.org/mailman/listinfo/kexec