mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
synced 2024-09-06 02:50:43 +00:00
8e7d838103
This is the final piece of the puzzle of verifying kernel image signature during kexec_file_load() syscall. This patch calls into PE file routines to verify signature of bzImage. If signature are valid, kexec_file_load() succeeds otherwise it fails. Two new config options have been introduced. First one is CONFIG_KEXEC_VERIFY_SIG. This option enforces that kernel has to be validly signed otherwise kernel load will fail. If this option is not set, no signature verification will be done. Only exception will be when secureboot is enabled. In that case signature verification should be automatically enforced when secureboot is enabled. But that will happen when secureboot patches are merged. Second config option is CONFIG_KEXEC_BZIMAGE_VERIFY_SIG. This option enables signature verification support on bzImage. If this option is not set and previous one is set, kernel image loading will fail because kernel does not have support to verify signature of bzImage. I tested these patches with both "pesign" and "sbsign" signed bzImages. I used signing_key.priv key and signing_key.x509 cert for signing as generated during kernel build process (if module signing is enabled). Used following method to sign bzImage. pesign ====== - Convert DER format cert to PEM format cert openssl x509 -in signing_key.x509 -inform DER -out signing_key.x509.PEM -outform PEM - Generate a .p12 file from existing cert and private key file openssl pkcs12 -export -out kernel-key.p12 -inkey signing_key.priv -in signing_key.x509.PEM - Import .p12 file into pesign db pk12util -i /tmp/kernel-key.p12 -d /etc/pki/pesign - Sign bzImage pesign -i /boot/vmlinuz-3.16.0-rc3+ -o /boot/vmlinuz-3.16.0-rc3+.signed.pesign -c "Glacier signing key - Magrathea" -s sbsign ====== sbsign --key signing_key.priv --cert signing_key.x509.PEM --output /boot/vmlinuz-3.16.0-rc3+.signed.sbsign /boot/vmlinuz-3.16.0-rc3+ Patch details: Well all the hard work is done in previous patches. Now bzImage loader has just call into that code and verify whether bzImage signature are valid or not. Also create two config options. First one is CONFIG_KEXEC_VERIFY_SIG. This option enforces that kernel has to be validly signed otherwise kernel load will fail. If this option is not set, no signature verification will be done. Only exception will be when secureboot is enabled. In that case signature verification should be automatically enforced when secureboot is enabled. But that will happen when secureboot patches are merged. Second config option is CONFIG_KEXEC_BZIMAGE_VERIFY_SIG. This option enables signature verification support on bzImage. If this option is not set and previous one is set, kernel image loading will fail because kernel does not have support to verify signature of bzImage. Signed-off-by: Vivek Goyal <vgoyal@redhat.com> Cc: Borislav Petkov <bp@suse.de> Cc: Michael Kerrisk <mtk.manpages@gmail.com> Cc: Yinghai Lu <yinghai@kernel.org> Cc: Eric Biederman <ebiederm@xmission.com> Cc: H. Peter Anvin <hpa@zytor.com> Cc: Matthew Garrett <mjg59@srcf.ucam.org> Cc: Greg Kroah-Hartman <greg@kroah.com> Cc: Dave Young <dyoung@redhat.com> Cc: WANG Chao <chaowang@redhat.com> Cc: Baoquan He <bhe@redhat.com> Cc: Andy Lutomirski <luto@amacapital.net> Cc: Matt Fleming <matt@console-pimps.org> Cc: David Howells <dhowells@redhat.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
315 lines
9.4 KiB
C
315 lines
9.4 KiB
C
#ifndef LINUX_KEXEC_H
|
|
#define LINUX_KEXEC_H
|
|
|
|
#include <uapi/linux/kexec.h>
|
|
|
|
#ifdef CONFIG_KEXEC
|
|
#include <linux/list.h>
|
|
#include <linux/linkage.h>
|
|
#include <linux/compat.h>
|
|
#include <linux/ioport.h>
|
|
#include <linux/elfcore.h>
|
|
#include <linux/elf.h>
|
|
#include <linux/module.h>
|
|
#include <asm/kexec.h>
|
|
|
|
/* Verify architecture specific macros are defined */
|
|
|
|
#ifndef KEXEC_SOURCE_MEMORY_LIMIT
|
|
#error KEXEC_SOURCE_MEMORY_LIMIT not defined
|
|
#endif
|
|
|
|
#ifndef KEXEC_DESTINATION_MEMORY_LIMIT
|
|
#error KEXEC_DESTINATION_MEMORY_LIMIT not defined
|
|
#endif
|
|
|
|
#ifndef KEXEC_CONTROL_MEMORY_LIMIT
|
|
#error KEXEC_CONTROL_MEMORY_LIMIT not defined
|
|
#endif
|
|
|
|
#ifndef KEXEC_CONTROL_PAGE_SIZE
|
|
#error KEXEC_CONTROL_PAGE_SIZE not defined
|
|
#endif
|
|
|
|
#ifndef KEXEC_ARCH
|
|
#error KEXEC_ARCH not defined
|
|
#endif
|
|
|
|
#ifndef KEXEC_CRASH_CONTROL_MEMORY_LIMIT
|
|
#define KEXEC_CRASH_CONTROL_MEMORY_LIMIT KEXEC_CONTROL_MEMORY_LIMIT
|
|
#endif
|
|
|
|
#ifndef KEXEC_CRASH_MEM_ALIGN
|
|
#define KEXEC_CRASH_MEM_ALIGN PAGE_SIZE
|
|
#endif
|
|
|
|
#define KEXEC_NOTE_HEAD_BYTES ALIGN(sizeof(struct elf_note), 4)
|
|
#define KEXEC_CORE_NOTE_NAME "CORE"
|
|
#define KEXEC_CORE_NOTE_NAME_BYTES ALIGN(sizeof(KEXEC_CORE_NOTE_NAME), 4)
|
|
#define KEXEC_CORE_NOTE_DESC_BYTES ALIGN(sizeof(struct elf_prstatus), 4)
|
|
/*
|
|
* The per-cpu notes area is a list of notes terminated by a "NULL"
|
|
* note header. For kdump, the code in vmcore.c runs in the context
|
|
* of the second kernel to combine them into one note.
|
|
*/
|
|
#ifndef KEXEC_NOTE_BYTES
|
|
#define KEXEC_NOTE_BYTES ( (KEXEC_NOTE_HEAD_BYTES * 2) + \
|
|
KEXEC_CORE_NOTE_NAME_BYTES + \
|
|
KEXEC_CORE_NOTE_DESC_BYTES )
|
|
#endif
|
|
|
|
/*
|
|
* This structure is used to hold the arguments that are used when loading
|
|
* kernel binaries.
|
|
*/
|
|
|
|
typedef unsigned long kimage_entry_t;
|
|
#define IND_DESTINATION 0x1
|
|
#define IND_INDIRECTION 0x2
|
|
#define IND_DONE 0x4
|
|
#define IND_SOURCE 0x8
|
|
|
|
struct kexec_segment {
|
|
/*
|
|
* This pointer can point to user memory if kexec_load() system
|
|
* call is used or will point to kernel memory if
|
|
* kexec_file_load() system call is used.
|
|
*
|
|
* Use ->buf when expecting to deal with user memory and use ->kbuf
|
|
* when expecting to deal with kernel memory.
|
|
*/
|
|
union {
|
|
void __user *buf;
|
|
void *kbuf;
|
|
};
|
|
size_t bufsz;
|
|
unsigned long mem;
|
|
size_t memsz;
|
|
};
|
|
|
|
#ifdef CONFIG_COMPAT
|
|
struct compat_kexec_segment {
|
|
compat_uptr_t buf;
|
|
compat_size_t bufsz;
|
|
compat_ulong_t mem; /* User space sees this as a (void *) ... */
|
|
compat_size_t memsz;
|
|
};
|
|
#endif
|
|
|
|
struct kexec_sha_region {
|
|
unsigned long start;
|
|
unsigned long len;
|
|
};
|
|
|
|
struct purgatory_info {
|
|
/* Pointer to elf header of read only purgatory */
|
|
Elf_Ehdr *ehdr;
|
|
|
|
/* Pointer to purgatory sechdrs which are modifiable */
|
|
Elf_Shdr *sechdrs;
|
|
/*
|
|
* Temporary buffer location where purgatory is loaded and relocated
|
|
* This memory can be freed post image load
|
|
*/
|
|
void *purgatory_buf;
|
|
|
|
/* Address where purgatory is finally loaded and is executed from */
|
|
unsigned long purgatory_load_addr;
|
|
};
|
|
|
|
struct kimage {
|
|
kimage_entry_t head;
|
|
kimage_entry_t *entry;
|
|
kimage_entry_t *last_entry;
|
|
|
|
unsigned long destination;
|
|
|
|
unsigned long start;
|
|
struct page *control_code_page;
|
|
struct page *swap_page;
|
|
|
|
unsigned long nr_segments;
|
|
struct kexec_segment segment[KEXEC_SEGMENT_MAX];
|
|
|
|
struct list_head control_pages;
|
|
struct list_head dest_pages;
|
|
struct list_head unusable_pages;
|
|
|
|
/* Address of next control page to allocate for crash kernels. */
|
|
unsigned long control_page;
|
|
|
|
/* Flags to indicate special processing */
|
|
unsigned int type : 1;
|
|
#define KEXEC_TYPE_DEFAULT 0
|
|
#define KEXEC_TYPE_CRASH 1
|
|
unsigned int preserve_context : 1;
|
|
/* If set, we are using file mode kexec syscall */
|
|
unsigned int file_mode:1;
|
|
|
|
#ifdef ARCH_HAS_KIMAGE_ARCH
|
|
struct kimage_arch arch;
|
|
#endif
|
|
|
|
/* Additional fields for file based kexec syscall */
|
|
void *kernel_buf;
|
|
unsigned long kernel_buf_len;
|
|
|
|
void *initrd_buf;
|
|
unsigned long initrd_buf_len;
|
|
|
|
char *cmdline_buf;
|
|
unsigned long cmdline_buf_len;
|
|
|
|
/* File operations provided by image loader */
|
|
struct kexec_file_ops *fops;
|
|
|
|
/* Image loader handling the kernel can store a pointer here */
|
|
void *image_loader_data;
|
|
|
|
/* Information for loading purgatory */
|
|
struct purgatory_info purgatory_info;
|
|
};
|
|
|
|
/*
|
|
* Keeps track of buffer parameters as provided by caller for requesting
|
|
* memory placement of buffer.
|
|
*/
|
|
struct kexec_buf {
|
|
struct kimage *image;
|
|
char *buffer;
|
|
unsigned long bufsz;
|
|
unsigned long memsz;
|
|
unsigned long buf_align;
|
|
unsigned long buf_min;
|
|
unsigned long buf_max;
|
|
bool top_down; /* allocate from top of memory hole */
|
|
};
|
|
|
|
typedef int (kexec_probe_t)(const char *kernel_buf, unsigned long kernel_size);
|
|
typedef void *(kexec_load_t)(struct kimage *image, char *kernel_buf,
|
|
unsigned long kernel_len, char *initrd,
|
|
unsigned long initrd_len, char *cmdline,
|
|
unsigned long cmdline_len);
|
|
typedef int (kexec_cleanup_t)(void *loader_data);
|
|
typedef int (kexec_verify_sig_t)(const char *kernel_buf,
|
|
unsigned long kernel_len);
|
|
|
|
struct kexec_file_ops {
|
|
kexec_probe_t *probe;
|
|
kexec_load_t *load;
|
|
kexec_cleanup_t *cleanup;
|
|
kexec_verify_sig_t *verify_sig;
|
|
};
|
|
|
|
/* kexec interface functions */
|
|
extern void machine_kexec(struct kimage *image);
|
|
extern int machine_kexec_prepare(struct kimage *image);
|
|
extern void machine_kexec_cleanup(struct kimage *image);
|
|
extern asmlinkage long sys_kexec_load(unsigned long entry,
|
|
unsigned long nr_segments,
|
|
struct kexec_segment __user *segments,
|
|
unsigned long flags);
|
|
extern int kernel_kexec(void);
|
|
extern int kexec_add_buffer(struct kimage *image, char *buffer,
|
|
unsigned long bufsz, unsigned long memsz,
|
|
unsigned long buf_align, unsigned long buf_min,
|
|
unsigned long buf_max, bool top_down,
|
|
unsigned long *load_addr);
|
|
extern struct page *kimage_alloc_control_pages(struct kimage *image,
|
|
unsigned int order);
|
|
extern int kexec_load_purgatory(struct kimage *image, unsigned long min,
|
|
unsigned long max, int top_down,
|
|
unsigned long *load_addr);
|
|
extern int kexec_purgatory_get_set_symbol(struct kimage *image,
|
|
const char *name, void *buf,
|
|
unsigned int size, bool get_value);
|
|
extern void *kexec_purgatory_get_symbol_addr(struct kimage *image,
|
|
const char *name);
|
|
extern void crash_kexec(struct pt_regs *);
|
|
int kexec_should_crash(struct task_struct *);
|
|
void crash_save_cpu(struct pt_regs *regs, int cpu);
|
|
void crash_save_vmcoreinfo(void);
|
|
void crash_map_reserved_pages(void);
|
|
void crash_unmap_reserved_pages(void);
|
|
void arch_crash_save_vmcoreinfo(void);
|
|
__printf(1, 2)
|
|
void vmcoreinfo_append_str(const char *fmt, ...);
|
|
unsigned long paddr_vmcoreinfo_note(void);
|
|
|
|
#define VMCOREINFO_OSRELEASE(value) \
|
|
vmcoreinfo_append_str("OSRELEASE=%s\n", value)
|
|
#define VMCOREINFO_PAGESIZE(value) \
|
|
vmcoreinfo_append_str("PAGESIZE=%ld\n", value)
|
|
#define VMCOREINFO_SYMBOL(name) \
|
|
vmcoreinfo_append_str("SYMBOL(%s)=%lx\n", #name, (unsigned long)&name)
|
|
#define VMCOREINFO_SIZE(name) \
|
|
vmcoreinfo_append_str("SIZE(%s)=%lu\n", #name, \
|
|
(unsigned long)sizeof(name))
|
|
#define VMCOREINFO_STRUCT_SIZE(name) \
|
|
vmcoreinfo_append_str("SIZE(%s)=%lu\n", #name, \
|
|
(unsigned long)sizeof(struct name))
|
|
#define VMCOREINFO_OFFSET(name, field) \
|
|
vmcoreinfo_append_str("OFFSET(%s.%s)=%lu\n", #name, #field, \
|
|
(unsigned long)offsetof(struct name, field))
|
|
#define VMCOREINFO_LENGTH(name, value) \
|
|
vmcoreinfo_append_str("LENGTH(%s)=%lu\n", #name, (unsigned long)value)
|
|
#define VMCOREINFO_NUMBER(name) \
|
|
vmcoreinfo_append_str("NUMBER(%s)=%ld\n", #name, (long)name)
|
|
#define VMCOREINFO_CONFIG(name) \
|
|
vmcoreinfo_append_str("CONFIG_%s=y\n", #name)
|
|
|
|
extern struct kimage *kexec_image;
|
|
extern struct kimage *kexec_crash_image;
|
|
extern int kexec_load_disabled;
|
|
|
|
#ifndef kexec_flush_icache_page
|
|
#define kexec_flush_icache_page(page)
|
|
#endif
|
|
|
|
/* List of defined/legal kexec flags */
|
|
#ifndef CONFIG_KEXEC_JUMP
|
|
#define KEXEC_FLAGS KEXEC_ON_CRASH
|
|
#else
|
|
#define KEXEC_FLAGS (KEXEC_ON_CRASH | KEXEC_PRESERVE_CONTEXT)
|
|
#endif
|
|
|
|
/* List of defined/legal kexec file flags */
|
|
#define KEXEC_FILE_FLAGS (KEXEC_FILE_UNLOAD | KEXEC_FILE_ON_CRASH | \
|
|
KEXEC_FILE_NO_INITRAMFS)
|
|
|
|
#define VMCOREINFO_BYTES (4096)
|
|
#define VMCOREINFO_NOTE_NAME "VMCOREINFO"
|
|
#define VMCOREINFO_NOTE_NAME_BYTES ALIGN(sizeof(VMCOREINFO_NOTE_NAME), 4)
|
|
#define VMCOREINFO_NOTE_SIZE (KEXEC_NOTE_HEAD_BYTES*2 + VMCOREINFO_BYTES \
|
|
+ VMCOREINFO_NOTE_NAME_BYTES)
|
|
|
|
/* Location of a reserved region to hold the crash kernel.
|
|
*/
|
|
extern struct resource crashk_res;
|
|
extern struct resource crashk_low_res;
|
|
typedef u32 note_buf_t[KEXEC_NOTE_BYTES/4];
|
|
extern note_buf_t __percpu *crash_notes;
|
|
extern u32 vmcoreinfo_note[VMCOREINFO_NOTE_SIZE/4];
|
|
extern size_t vmcoreinfo_size;
|
|
extern size_t vmcoreinfo_max_size;
|
|
|
|
/* flag to track if kexec reboot is in progress */
|
|
extern bool kexec_in_progress;
|
|
|
|
int __init parse_crashkernel(char *cmdline, unsigned long long system_ram,
|
|
unsigned long long *crash_size, unsigned long long *crash_base);
|
|
int parse_crashkernel_high(char *cmdline, unsigned long long system_ram,
|
|
unsigned long long *crash_size, unsigned long long *crash_base);
|
|
int parse_crashkernel_low(char *cmdline, unsigned long long system_ram,
|
|
unsigned long long *crash_size, unsigned long long *crash_base);
|
|
int crash_shrink_memory(unsigned long new_size);
|
|
size_t crash_get_memory_size(void);
|
|
void crash_free_reserved_phys_range(unsigned long begin, unsigned long end);
|
|
|
|
#else /* !CONFIG_KEXEC */
|
|
struct pt_regs;
|
|
struct task_struct;
|
|
static inline void crash_kexec(struct pt_regs *regs) { }
|
|
static inline int kexec_should_crash(struct task_struct *p) { return 0; }
|
|
#endif /* CONFIG_KEXEC */
|
|
#endif /* LINUX_KEXEC_H */
|