[Fedora kexec-tools 0/7] Support kernel signature verification
by Vivek Goyal
This patch series modifies kexec-tools to support kernel signature verification
when running kernel has secureboot or secure modules enabled.
Thanks
Vivek
Vivek Goyal (7):
kexec: x86: struct x86_linux_param_header should be packed
kexec: Remount /proc and /sys in private mount namespace
kexec: Verify kernel signature if secureboot/secure modules is enabled
kexec: Provide a configure option --enable-static
kexec: Provide option to enable signature checking logic
kexec: Set secureboot info in bootparams
kexec: Pass acpi_rsdp info in bootparams
configure.ac | 18 +++
include/x86/x86-linux.h | 9 +-
kexec/arch/i386/x86-linux-setup.c | 27 ++++
kexec/integrity-digsig.h | 26 ++++
kexec/kexec.c | 305 ++++++++++++++++++++++++++++++++++++++
kexec/kexec.h | 2 +
6 files changed, 384 insertions(+), 3 deletions(-)
create mode 100644 kexec/integrity-digsig.h
--
1.8.3.1
10 years, 7 months
[RFC] [ima-evm-utils 0/5] evmctl: Sign using daemon and secureboot related enhancement
by Vivek Goyal
Hi,
This is an RFC patch series to get early feedback on stuff I am working
on.
This series does a few things.
- Adds an extra structure to ima signature (security.ima) which will signal
the elf loader that this executable needs to be locked. This will be
useful for secureboot where signed /sbin/kexec needs to run memory
locked.
I have posted RFC kernel patches on Fedora kernel mailing list.
https://lists.fedoraproject.org/pipermail/kernel/2013-September/004432.html
kexec-tools patches are posted here.
https://lists.fedoraproject.org/pipermail/kernel/2013-September/004469.html
- Add a functionality to import signatures signed externally. (Patch 2)
- Add functionality to allow signing using external crypto card. (Patch 3)
- Add functionality to create a daemon which clients can connect to
and request file signing (Patch 4 and Patch 5).
I need all the signing enhancements so that various build servers can
make use of them to sign /sbin/kexec and bzImage using appropriate keys.
This is still a work in progress and code is very raw. I wanted to get
the code out to get early feedback.
Thanks
Vivek
Vivek Goyal (5):
evmctl: Allow adding a memlock information in security.ima
evmctl: Allow importing external signature
evmctl: Allow signing using external crypto engine
evmctl-allow-launching-daemon
evmctl-client: A simple client to request signing from evmctl daemon
configure.ac | 1 +
src/Makefile.am | 9 +-
src/client.c | 697 +++++++++++++++++++++++++++++++++
src/daemon.h | 83 ++++
src/evmctl.c | 1166 ++++++++++++++++++++++++++++++++++++++++++++++++++++++-
5 files changed, 1934 insertions(+), 22 deletions(-)
create mode 100644 src/client.c
create mode 100644 src/daemon.h
--
1.8.3.1
Re: [Fedora 15/19] kexec: Export sysfs attributes for secureboot and secure modules to user space
by Vivek Goyal
On Wed, Sep 04, 2013 at 09:51:27PM +0000, Matthew Garrett wrote:
> On Wed, 2013-09-04 at 17:24 -0400, Vivek Goyal wrote:
> > User space kexec-tools need to know whether to verify signature of kernel
> > image being loaded. This patch exports two knobs to user space. One is
> > for knowing if secureboot is enabled, this knob will be set to 1 if secure
> > boot is enabled. Other knob is secure_module_enabled. This knob will be set
> > to 1 if secure modules is on.
>
> How are you verifying that you're really looking at sysfs?
[ CCing kexec fedora list ]
I did what Eric Biederman suggested. I first unshare the mount namespace
of /sbin/kexec from parent. Then I disable any event propagation between
mounts. Then I lazy unmount existing /proc and /sys and remount them. I
think this should make sure that we are seeing /proc and /sys as
exported by the kernel?
I will soon post my kexec-tools patches too on this list to show exactly
what I am doing. In short this is what I am doing.
- ret = unshare(CLONE_NEWNS);
- ret = mount("", "/", "", MS_REC | MS_PRIVATE, "");
- ret = umount2("/proc", MNT_DETACH);
- ret = mount("none", "/proc", "proc", 0, "");
- ret = umount2("/sys", MNT_DETACH);
- ret = mount("none", "/sys", "sysfs", 0, "");
Thanks
Vivek
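As an added example, not code from the kexec-tools series or from the reply above, this C program carries out the same six steps (unshare the mount namespace, make every mount private, lazily detach and re-mount /proc and /sys) and then reads a one-bit sysfs attribute from the freshly mounted /sys. The attribute path /sys/kernel/security/secureboot is a placeholder, since the thread does not name the files the patch exports. It has to run as root: unshare(CLONE_NEWNS) and mount() need CAP_SYS_ADMIN.

```c
/* Added example (not from the kexec-tools patch series): re-create /proc and
 * /sys in a private mount namespace before trusting a sysfs knob. The knob
 * path used in main() is a placeholder, not the name the patches export. */
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef CLONE_NEWNS
#define CLONE_NEWNS 0x00020000   /* fallback if <sched.h> did not expose it */
#endif

/* Lazily detach whatever is mounted at target and mount a fresh instance of
 * fstype straight from the kernel. Returns 0 or -errno. */
static int remount_pseudo_fs(const char *target, const char *fstype)
{
    /* MNT_DETACH drops the mount from our namespace even if it is busy;
     * EINVAL means nothing was mounted there, which is fine. */
    if (umount2(target, MNT_DETACH) < 0 && errno != EINVAL)
        return -errno;
    if (mount("none", target, fstype, 0, "") < 0)
        return -errno;
    return 0;
}

/* The sequence from the reply above: unshare the mount namespace, make the
 * whole tree private so no mount event propagates from the parent, then
 * replace /proc and /sys. Returns 0 or -errno. */
int private_proc_sys(void)
{
    /* Same as unshare(CLONE_NEWNS); the raw syscall avoids feature-macro
     * ordering problems when this file is built under other headers. */
    if (syscall(SYS_unshare, CLONE_NEWNS) < 0)
        return -errno;
    if (mount("", "/", "", MS_REC | MS_PRIVATE, "") < 0)
        return -errno;
    int ret = remount_pseudo_fs("/proc", "proc");
    if (ret < 0)
        return ret;
    return remount_pseudo_fs("/sys", "sysfs");
}

/* Parse a one-bit sysfs attribute ("0\n" or "1\n"). Anything else returns -1
 * so a truncated or unexpected file is never mistaken for "disabled". */
int parse_knob(const char *buf)
{
    if (buf == NULL || buf[0] == '\0')
        return -1;
    if (buf[1] != '\0' && buf[1] != '\n')
        return -1;
    if (buf[0] == '0')
        return 0;
    if (buf[0] == '1')
        return 1;
    return -1;
}

/* Read and parse one attribute file. Returns 0, 1, or -1 on any failure. */
int read_knob(const char *path)
{
    char buf[16];
    FILE *f = fopen(path, "r");
    if (f == NULL)
        return -1;
    size_t n = fread(buf, 1, sizeof(buf) - 1, f);
    fclose(f);
    buf[n] = '\0';
    return parse_knob(buf);
}

int main(void)
{
    /* Placeholder path: the thread does not show the exported attribute names. */
    const char *knob = "/sys/kernel/security/secureboot";
    int ret = private_proc_sys();
    if (ret < 0) {
        fprintf(stderr, "cannot set up private /proc and /sys: %s\n", strerror(-ret));
        return 1;   /* refuse to decide from a /sys we cannot vouch for */
    }
    int v = read_knob(knob);
    if (v < 0) {
        fprintf(stderr, "cannot read %s; treating as unknown\n", knob);
        return 1;
    }
    printf("secureboot=%d: signature verification %s\n", v, v ? "required" : "not required");
    return 0;
}
```

Two details matter for the security argument: the MS_REC | MS_PRIVATE step has to happen before the remounts, otherwise the new /proc and /sys could still be shadowed through a shared peer group; and a failed remount or an unparsable attribute is treated as "unknown" and aborts, never as "secure boot is off".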
Re: [Fedora 12/19] ptrace: Do not allow ptrace() from unsigned process to signed one
by Vivek Goyal
On Wed, Sep 04, 2013 at 09:42:34PM +0000, Matthew Garrett wrote:
[ CC kexec fedora list ]
> On Wed, 2013-09-04 at 17:24 -0400, Vivek Goyal wrote:
>
> Doesn't this:
>
> > + if (!ptraced_by_unsafe_tracer())
> > + bprm->cred->proc_signed = true;
>
> race with this if the attacker is able to run between the check and
> proc_signed being set to true?
I think this should not be a problem. task->signal->cred_guard_mutex
should provide mutual exclusion here.
ptrace_attach()
  mutex_lock_interruptible(&task->signal->cred_guard_mutex)

do_execve_common()
  prepare_bprm_creds()
    mutex_lock_interruptible(&current->signal->cred_guard_mutex);
  search_binary_handler()
    load_elf_binary()
      ptraced_by_unsafe_tracer();
  install_exec_creds()
    mutex_unlock(&current->signal->cred_guard_mutex);
So cred_guard_mutex is held while bprm is being prepared and till it is
installed. I think in that duration, no process can do a fresh
ptrace_attach().
Thanks
Vivek
Re: [Fedora 11/19] keyctl: Introduce a new operation KEYCTL_VERIFY_SIGNATURE
by Vivek Goyal
On Wed, Sep 04, 2013 at 10:06:24PM +0000, Matthew Garrett wrote:
> On Wed, 2013-09-04 at 17:24 -0400, Vivek Goyal wrote:
> > arg6
>
> You add a new argument (is that safe?) but don't actually seem to use it
> anywhere?
[CC kexec fedora list]
I will get rid of that. In my initial implementation I needed extra
arguments and later I realized that I needed to pass in more data and
I can't pass in more than 6 arguments.
Later I changed the implementation and started passing the pointer to
a structure. So I don't need this 6th argument.
I will remove dead code from this patch.
Thanks
Vivek