Hi Coiby,
On Fri, 2022-12-30 at 14:58 +0800, Coiby Xu wrote:
When lockdown is enabled, kexec_load syscall should always fail.
For kexec_file_load, when lockdown is enabled, it should
- fail of missing PE signature when KEXEC_SIG is enabled
- fail of missing IMA signature when KEXEC_SIG is disabled
Appended kernel image signatures are supported, but differently on powerpc and s390. For s390, KEXEC_SIG is enabled. For completeness the above statements should reflect appended signatures.
Before this patch, test_kexec_load.sh fails (false positive) and test_kexec_file_load.sh fails without a reason when lockdown enabled and KEXEC_SIG disabled,
# kexec_load failed [FAIL] not ok 1 selftests: kexec: test_kexec_load.sh # exit=1 # kexec_file_load failed [PASS] ok 2 selftests: kexec: test_kexec_file_load.shAfter this patch, test_kexec_load.sh succeeds and test_kexec_file_load.sh fails with the correct reason when lockdown enabled and KEXEC_SIG disabled,
# kexec_load failed [PASS] ok 1 selftests: kexec: test_kexec_load.sh # kexec_file_load failed (missing IMA sig) [PASS] ok 2 selftests: kexec: test_kexec_file_load.shCc: kexec@lists.infradead.org Cc: linux-integrity@vger.kernel.org Suggested-by: Mimi Zohar zohar@linux.ibm.com Signed-off-by: Coiby Xu coxu@redhat.com
.../selftests/kexec/kexec_common_lib.sh | 16 +++++++++++ .../selftests/kexec/test_kexec_file_load.sh | 27 +++++++++++++++++++ .../selftests/kexec/test_kexec_load.sh | 12 ++++++--- 3 files changed, 52 insertions(+), 3 deletions(-)
diff --git a/tools/testing/selftests/kexec/kexec_common_lib.sh b/tools/testing/selftests/kexec/kexec_common_lib.sh index 641ef05863b2..06c298b46788 100755 --- a/tools/testing/selftests/kexec/kexec_common_lib.sh +++ b/tools/testing/selftests/kexec/kexec_common_lib.sh @@ -110,6 +110,22 @@ get_secureboot_mode() return $secureboot_mode; } +is_lockdown_enabled() +{
- local ret=0
- if [ -f /sys/kernel/security/lockdown ] \
&& ! grep -qs "\[none\]" /sys/kernel/security/lockdown; thenret=1- fi
- if [ $ret -eq 0 ]; then
log_info "lockdown not enabled"- fi
- return $ret
+}
require_root_privileges() { if [ $(id -ru) -ne 0 ]; then diff --git a/tools/testing/selftests/kexec/test_kexec_file_load.sh b/tools/testing/selftests/kexec/test_kexec_file_load.sh index c9ccb3c93d72..790f96938083 100755 --- a/tools/testing/selftests/kexec/test_kexec_file_load.sh +++ b/tools/testing/selftests/kexec/test_kexec_file_load.sh @@ -139,6 +139,16 @@ kexec_file_load_test() log_fail "$succeed_msg (missing IMA sig)" fi
if [ $lockdown -eq 1 ] && [ $kexec_sig_enabled -eq 1 ] \&& [ $pe_signed -eq 0 ]; thenlog_fail "$succeed_msg (missing PE sig)"fi
CONFIG_KEXEC_SIG being enabled does not require signature verification to be enforced. When the CONFIG_IMA_ARCH_POLICY is enabled, IMA requires kexec signature verification. Also on s390, CONFIG_KEXEC_SIG verifies an appended signature, not a PE signature. Instead of the "missing PE sig" message, perhaps indicate lockdown requires kexec signature verification.
if [ $lockdown -eq 1 ] && [ $kexec_sig_enabled -eq 0 ] && [ $ima_signed -eq 0 ] \&& [ $ima_modsig -eq 0 ]; thenlog_fail "$succeed_msg (missing IMA sig)"fi
Similarly, only if IMA is enabled and requires the kexec signature verficiation should this message be emitted. Perhaps a single generic lockdown message would be sufficient for both.
if [ $pe_sig_required -eq 0 ] && [ $ima_appraise -eq 1 ] \ && [ $ima_sig_required -eq 0 ] && [ $ima_signed -eq 0 ] \ && [ $ima_read_policy -eq 0 ]; then@@ -181,6 +191,16 @@ kexec_file_load_test() log_pass "$failed_msg (possibly missing IMA sig)" fi
- if [ $lockdown -eq 1 ] && [ $kexec_sig_enabled -eq 1 ] \
&& [ $pe_signed -eq 0 ]; thenlog_pass "$failed_msg (missing PE sig)"- fi
- if [ $lockdown -eq 1 ] && [ $kexec_sig_enabled -eq 0 ] \
&& [ $ima_signed -eq 0 ] && [ $ima_modsig -eq 0 ]; thenlog_pass "$failed_msg (missing IMA sig)"- fi
Similar comments as above.