From: Josh Boyer <jwboyer@fedoraproject.org> To: "Theodore Ts'o" <tytso@mit.edu>, Eric Biederman <ebiederm@xmission.com>, David Howells <dhowells@redhat.com>, kexec <kexec@lists.infradead.org>, "Linux-Kernel@Vger. Kernel. Org" <linux-kernel@vger.kernel.org> Subject: Re: kexec_load(2) bypasses signature verification Date: Mon, 15 Jun 2015 08:14:19 -0400 [thread overview] Message-ID: <CA+5PVA6t_dEQt1M7HkeHy9znFkPd-a7525vtFq-g4a6VKL+gLQ@mail.gmail.com> (raw) In-Reply-To: <20150615035051.GA2634@thunk.org> On Sun, Jun 14, 2015 at 11:50 PM, Theodore Ts'o <tytso@mit.edu> wrote: > From experimentation and from looking at the sources, it appears that > the signature checking is only done in the kexec_file_load(2) system > all, and not in the kexec_load(2) system call. And I understand why > -- the signature is not sent from userspace to the kernel in the older > kexec_load(2) system call. > > The problem is that if you use an old version of kexec, it will use > the old kexec_load(2) system call, and even though > CONFIG_KEXEC_VERIFY_SIG is enabled, kexec_load(2) will happily load an > unsigned kernel, and then "kexec -e" will happily boot into it. > > Correct me if I am wrong, but this appears to be a hole in Secure Boot > you could drive a Mack Truck through. Yes, which is why most of the distro vendors carry an out-of-tree patch that disables the old kexec in an SB setup. It would be nice if we could merge said patches. However, they depend on Matthew's secure_modules/trusted_kernel/<whatever name that works> patchset which has gotten little movement since we came up with a tentative agreement at LPC 2013. > (I noticed this because Debian is still using a kexec-tools from the > stone ages, version 2.0.7, and I was wondering **why** I was able to > kexec boot completely unsigned kernels.) > > It would appear to me that if CONFIG_KEXEC_VERIFY_SIG is enabled, the > old kexec_load(2) system call should be disabled (and a warning be > placed in the Kconfig help that the user should have at least verision > 2.X of kexec-tools if they enable this kernel option). > > Am I missing something? Those sound like fine suggestions to me. josh
WARNING: multiple messages have this Message-ID (diff)
From: Josh Boyer <jwboyer@fedoraproject.org> To: Theodore Ts'o <tytso@mit.edu>, Eric Biederman <ebiederm@xmission.com>, David Howells <dhowells@redhat.com>, kexec <kexec@lists.infradead.org>, "Linux-Kernel@Vger. Kernel. Org" <linux-kernel@vger.kernel.org> Subject: Re: kexec_load(2) bypasses signature verification Date: Mon, 15 Jun 2015 08:14:19 -0400 [thread overview] Message-ID: <CA+5PVA6t_dEQt1M7HkeHy9znFkPd-a7525vtFq-g4a6VKL+gLQ@mail.gmail.com> (raw) In-Reply-To: <20150615035051.GA2634@thunk.org> On Sun, Jun 14, 2015 at 11:50 PM, Theodore Ts'o <tytso@mit.edu> wrote: > From experimentation and from looking at the sources, it appears that > the signature checking is only done in the kexec_file_load(2) system > all, and not in the kexec_load(2) system call. And I understand why > -- the signature is not sent from userspace to the kernel in the older > kexec_load(2) system call. > > The problem is that if you use an old version of kexec, it will use > the old kexec_load(2) system call, and even though > CONFIG_KEXEC_VERIFY_SIG is enabled, kexec_load(2) will happily load an > unsigned kernel, and then "kexec -e" will happily boot into it. > > Correct me if I am wrong, but this appears to be a hole in Secure Boot > you could drive a Mack Truck through. Yes, which is why most of the distro vendors carry an out-of-tree patch that disables the old kexec in an SB setup. It would be nice if we could merge said patches. However, they depend on Matthew's secure_modules/trusted_kernel/<whatever name that works> patchset which has gotten little movement since we came up with a tentative agreement at LPC 2013. > (I noticed this because Debian is still using a kexec-tools from the > stone ages, version 2.0.7, and I was wondering **why** I was able to > kexec boot completely unsigned kernels.) > > It would appear to me that if CONFIG_KEXEC_VERIFY_SIG is enabled, the > old kexec_load(2) system call should be disabled (and a warning be > placed in the Kconfig help that the user should have at least verision > 2.X of kexec-tools if they enable this kernel option). > > Am I missing something? Those sound like fine suggestions to me. josh _______________________________________________ kexec mailing list kexec@lists.infradead.org http://lists.infradead.org/mailman/listinfo/kexec
next prev parent reply other threads:[~2015-06-15 12:14 UTC|newest] Thread overview: 50+ messages / expand[flat|nested] mbox.gz Atom feed top 2015-06-15 3:50 kexec_load(2) bypasses signature verification Theodore Ts'o 2015-06-15 3:50 ` Theodore Ts'o 2015-06-15 9:11 ` Dave Young 2015-06-15 9:28 ` Petr Tesarik 2015-06-15 12:14 ` Josh Boyer [this message] 2015-06-15 12:14 ` Josh Boyer 2015-06-15 13:17 ` Theodore Ts'o 2015-06-15 13:17 ` Theodore Ts'o 2015-06-15 13:37 ` Josh Boyer 2015-06-15 13:37 ` Josh Boyer 2015-06-15 20:01 ` Theodore Ts'o 2015-06-15 20:01 ` Theodore Ts'o 2015-06-16 19:38 ` Eric W. Biederman 2015-06-16 19:38 ` Eric W. Biederman 2015-06-16 20:27 ` Vivek Goyal 2015-06-16 20:27 ` Vivek Goyal 2015-06-17 1:32 ` Eric W. Biederman 2015-06-17 1:32 ` Eric W. Biederman 2015-06-17 1:47 ` Vivek Goyal 2015-06-17 1:47 ` Vivek Goyal 2015-06-18 1:16 ` Dave Young 2015-06-18 1:16 ` Dave Young 2015-06-18 2:02 ` Dave Young 2015-06-18 2:02 ` Dave Young 2015-06-18 13:30 ` Vivek Goyal 2015-06-18 13:30 ` Vivek Goyal 2015-06-18 14:41 ` Eric W. Biederman 2015-06-18 14:41 ` Eric W. Biederman 2015-06-19 6:21 ` Dave Young 2015-06-19 6:21 ` Dave Young 2015-06-19 8:18 ` Dave Young 2015-06-19 8:18 ` Dave Young 2015-06-19 13:09 ` Vivek Goyal 2015-06-19 13:09 ` Vivek Goyal 2015-06-25 8:48 ` Dave Young 2015-06-25 8:48 ` Dave Young 2015-06-25 15:59 ` Vivek Goyal 2015-06-25 15:59 ` Vivek Goyal 2015-06-26 1:59 ` Dave Young 2015-06-26 1:59 ` Dave Young 2015-06-19 7:04 ` Dave Young 2015-06-19 7:04 ` Dave Young 2015-06-19 13:09 ` Vivek Goyal 2015-06-19 13:09 ` Vivek Goyal 2015-06-17 3:26 ` Theodore Ts'o 2015-06-17 3:26 ` Theodore Ts'o 2015-06-17 10:55 ` One Thousand Gnomes 2015-06-17 10:55 ` One Thousand Gnomes 2015-06-18 1:25 ` Dave Young 2015-06-18 1:25 ` Dave Young
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=CA+5PVA6t_dEQt1M7HkeHy9znFkPd-a7525vtFq-g4a6VKL+gLQ@mail.gmail.com \ --to=jwboyer@fedoraproject.org \ --cc=dhowells@redhat.com \ --cc=ebiederm@xmission.com \ --cc=kexec@lists.infradead.org \ --cc=linux-kernel@vger.kernel.org \ --cc=tytso@mit.edu \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.