integrity-v5.17
-----BEGIN PGP SIGNATURE-----
iIoEABYIADIWIQQdXVVFGN5XqKr1Hj7LwZzRsCrn5QUCYdxh3xQcem9oYXJAbGlu
dXguaWJtLmNvbQAKCRDLwZzRsCrn5bXsAP9xioC+sDpA+KgicrTxLQp2HBHVdkdj
hnsSw7KE6d1YFwD/Zu1BPi/iX1HHcEvTm34x9jKWeU54VCyqsXJG+zArDA0=
=/eFf
-----END PGP SIGNATURE-----
Merge tag 'integrity-v5.17' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity
Pull integrity subsystem updates from Mimi Zohar:
"The few changes are all kexec related:
- The MOK keys are loaded onto the .platform keyring in order to
verify the kexec kernel image signature.
However, the MOK keys should only be trusted when secure boot is
enabled. Before loading the MOK keys onto the .platform keyring,
make sure the system is booted in secure boot mode.
- When carrying the IMA measurement list across kexec, limit dumping
the measurement list to when dynamic debug or CONFIG_DEBUG is
enabled.
- kselftest: add kexec_file_load selftest support for PowerNV and
other cleanup"
* tag 'integrity-v5.17' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity:
selftests/kexec: Enable secureboot tests for PowerPC
ima: silence measurement list hexdump during kexec
selftests/kexec: update searching for the Kconfig
selftest/kexec: fix "ignored null byte in input" warning
integrity: Do not load MOK and MOKx when secure boot be disabled
ima: Fix undefined arch_ima_get_secureboot() and co
This commit is contained in:
Linus Torvalds
commit
84bfcc0b69
|
|
@ -50,21 +50,6 @@ static inline void ima_appraise_parse_cmdline(void) {}
|
|||
extern void ima_add_kexec_buffer(struct kimage *image);
|
||||
#endif
|
||||
|
||||
#ifdef CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT
|
||||
extern bool arch_ima_get_secureboot(void);
|
||||
extern const char * const *arch_get_ima_policy(void);
|
||||
#else
|
||||
static inline bool arch_ima_get_secureboot(void)
|
||||
{
|
||||
return false;
|
||||
}
|
||||
|
||||
static inline const char * const *arch_get_ima_policy(void)
|
||||
{
|
||||
return NULL;
|
||||
}
|
||||
#endif
|
||||
|
||||
#else
|
||||
static inline enum hash_algo ima_get_current_hash_algo(void)
|
||||
{
|
||||
|
|
@ -155,6 +140,21 @@ static inline int ima_measure_critical_data(const char *event_label,
|
|||
|
||||
#endif /* CONFIG_IMA */
|
||||
|
||||
#ifdef CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT
|
||||
extern bool arch_ima_get_secureboot(void);
|
||||
extern const char * const *arch_get_ima_policy(void);
|
||||
#else
|
||||
static inline bool arch_ima_get_secureboot(void)
|
||||
{
|
||||
return false;
|
||||
}
|
||||
|
||||
static inline const char * const *arch_get_ima_policy(void)
|
||||
{
|
||||
return NULL;
|
||||
}
|
||||
#endif
|
||||
|
||||
#ifndef CONFIG_IMA_KEXEC
|
||||
struct kimage;
|
||||
|
||||
|
|
|
|||
|
|
@ -61,9 +61,9 @@ static int ima_dump_measurement_list(unsigned long *buffer_size, void **buffer,
|
|||
}
|
||||
memcpy(file.buf, &khdr, sizeof(khdr));
|
||||
|
||||
print_hex_dump(KERN_DEBUG, "ima dump: ", DUMP_PREFIX_NONE,
|
||||
16, 1, file.buf,
|
||||
file.count < 100 ? file.count : 100, true);
|
||||
print_hex_dump_debug("ima dump: ", DUMP_PREFIX_NONE, 16, 1,
|
||||
file.buf, file.count < 100 ? file.count : 100,
|
||||
true);
|
||||
|
||||
*buffer_size = file.count;
|
||||
*buffer = file.buf;
|
||||
|
|
|
|||
|
|
@ -6,6 +6,7 @@
|
|||
#include <linux/err.h>
|
||||
#include <linux/efi.h>
|
||||
#include <linux/slab.h>
|
||||
#include <linux/ima.h>
|
||||
#include <keys/asymmetric-type.h>
|
||||
#include <keys/system_keyring.h>
|
||||
#include "../integrity.h"
|
||||
|
|
@ -176,6 +177,10 @@ static int __init load_uefi_certs(void)
|
|||
kfree(dbx);
|
||||
}
|
||||
|
||||
/* the MOK/MOKx can not be trusted when secure boot is disabled */
|
||||
if (!arch_ima_get_secureboot())
|
||||
return 0;
|
||||
|
||||
mokx = get_cert_list(L"MokListXRT", &mok_var, &mokxsize, &status);
|
||||
if (!mokx) {
|
||||
if (status == EFI_NOT_FOUND)
|
||||
|
|
|
|||
|
|
@ -4,7 +4,7 @@
|
|||
uname_M := $(shell uname -m 2>/dev/null || echo not)
|
||||
ARCH ?= $(shell echo $(uname_M) | sed -e s/i.86/x86/ -e s/x86_64/x86/)
|
||||
|
||||
ifeq ($(ARCH),x86)
|
||||
ifeq ($(ARCH),$(filter $(ARCH),x86 ppc64le))
|
||||
TEST_PROGS := test_kexec_load.sh test_kexec_file_load.sh
|
||||
TEST_FILES := kexec_common_lib.sh
|
||||
|
||||
|
|
|
|||
|
|
@ -91,6 +91,27 @@ get_efi_var_secureboot_mode()
|
|||
return 0;
|
||||
}
|
||||
|
||||
# On powerpc platform, check device-tree property
|
||||
# /proc/device-tree/ibm,secureboot/os-secureboot-enforcing
|
||||
# to detect secureboot state.
|
||||
get_ppc64_secureboot_mode()
|
||||
{
|
||||
local secure_boot_file="/proc/device-tree/ibm,secureboot/os-secureboot-enforcing"
|
||||
# Check for secure boot file existence
|
||||
if [ -f $secure_boot_file ]; then
|
||||
log_info "Secureboot is enabled (Device tree)"
|
||||
return 1;
|
||||
fi
|
||||
log_info "Secureboot is not enabled (Device tree)"
|
||||
return 0;
|
||||
}
|
||||
|
||||
# Return the architecture of the system
|
||||
get_arch()
|
||||
{
|
||||
echo $(arch)
|
||||
}
|
||||
|
||||
# Check efivar SecureBoot-$(the UUID) and SetupMode-$(the UUID).
|
||||
# The secure boot mode can be accessed either as the last integer
|
||||
# of "od -An -t u1 /sys/firmware/efi/efivars/SecureBoot-*" or from
|
||||
|
|
@ -100,14 +121,19 @@ get_efi_var_secureboot_mode()
|
|||
get_secureboot_mode()
|
||||
{
|
||||
local secureboot_mode=0
|
||||
local system_arch=$(get_arch)
|
||||
|
||||
get_efivarfs_secureboot_mode
|
||||
secureboot_mode=$?
|
||||
|
||||
# fallback to using the efi_var files
|
||||
if [ $secureboot_mode -eq 0 ]; then
|
||||
get_efi_var_secureboot_mode
|
||||
if [ "$system_arch" == "ppc64le" ]; then
|
||||
get_ppc64_secureboot_mode
|
||||
secureboot_mode=$?
|
||||
else
|
||||
get_efivarfs_secureboot_mode
|
||||
secureboot_mode=$?
|
||||
# fallback to using the efi_var files
|
||||
if [ $secureboot_mode -eq 0 ]; then
|
||||
get_efi_var_secureboot_mode
|
||||
secureboot_mode=$?
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ $secureboot_mode -eq 0 ]; then
|
||||
|
|
@ -138,15 +164,20 @@ kconfig_enabled()
|
|||
return 0
|
||||
}
|
||||
|
||||
# Attempt to get the kernel config first via proc, and then by
|
||||
# extracting it from the kernel image or the configs.ko using
|
||||
# scripts/extract-ikconfig.
|
||||
# Attempt to get the kernel config first by checking the modules directory
|
||||
# then via proc, and finally by extracting it from the kernel image or the
|
||||
# configs.ko using scripts/extract-ikconfig.
|
||||
# Return 1 for found.
|
||||
get_kconfig()
|
||||
{
|
||||
local proc_config="/proc/config.gz"
|
||||
local module_dir="/lib/modules/`uname -r`"
|
||||
local configs_module="$module_dir/kernel/kernel/configs.ko"
|
||||
local configs_module="$module_dir/kernel/kernel/configs.ko*"
|
||||
|
||||
if [ -f $module_dir/config ]; then
|
||||
IKCONFIG=$module_dir/config
|
||||
return 1
|
||||
fi
|
||||
|
||||
if [ ! -f $proc_config ]; then
|
||||
modprobe configs > /dev/null 2>&1
|
||||
|
|
|
|||
|
|
@ -97,10 +97,11 @@ check_for_imasig()
|
|||
check_for_modsig()
|
||||
{
|
||||
local module_sig_string="~Module signature appended~"
|
||||
local sig="$(tail --bytes $((${#module_sig_string} + 1)) $KERNEL_IMAGE)"
|
||||
local ret=0
|
||||
|
||||
if [ "$sig" == "$module_sig_string" ]; then
|
||||
tail --bytes $((${#module_sig_string} + 1)) $KERNEL_IMAGE | \
|
||||
grep -q "$module_sig_string"
|
||||
if [ $? -eq 0 ]; then
|
||||
ret=1
|
||||
log_info "kexec kernel image modsig signed"
|
||||
else
|
||||
|
|
@ -225,8 +226,12 @@ get_secureboot_mode
|
|||
secureboot=$?
|
||||
|
||||
# Are there pe and ima signatures
|
||||
check_for_pesig
|
||||
pe_signed=$?
|
||||
if [ "$(get_arch)" == 'ppc64le' ]; then
|
||||
pe_signed=0
|
||||
else
|
||||
check_for_pesig
|
||||
pe_signed=$?
|
||||
fi
|
||||
|
||||
check_for_imasig
|
||||
ima_signed=$?
|
||||
|
|
|
|||
Loading…
Reference in New Issue