From 54bf7fa3efd08eea03e4bac04e188ee3db6173a7 Mon Sep 17 00:00:00 2001
From: Takashi Iwai
Date: Mon, 13 Dec 2021 17:11:45 +0100
Subject: [PATCH 1/6] ima: Fix undefined arch_ima_get_secureboot() and co Currently arch_ima_get_secureboot() and arch_get_ima_policy() are defined only when CONFIG_IMA is set, and this makes any code calling those functions without CONFIG_IMA fail. Move the declaration and the dummy definition of those functions outside ifdef-CONFIG_IMA block for fixing the undefined symbols. Signed-off-by: Takashi Iwai [zohar@linux.ibm.com: removed in-tree/out-of-tree comment in patch description] Reviewed-by: Petr Vorel Signed-off-by: Mimi Zohar
---
 include/linux/ima.h | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-)
diff --git a/include/linux/ima.h b/include/linux/ima.h
index b6ab66a546ae..426b1744215e 100644
--- a/include/linux/ima.h
+++ b/include/linux/ima.h
@@ -50,21 +50,6 @@ static inline void ima_appraise_parse_cmdline(void) {}
 extern void ima_add_kexec_buffer(struct kimage *image);
 #endif
-#ifdef CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT
-extern bool arch_ima_get_secureboot(void);
-extern const char * const *arch_get_ima_policy(void);
-#else
-static inline bool arch_ima_get_secureboot(void)
-{
- return false;
-}
-
-static inline const char * const *arch_get_ima_policy(void)
-{
- return NULL;
-}
-#endif
-
 #else
 static inline enum hash_algo ima_get_current_hash_algo(void)
 {
@@ -155,6 +140,21 @@ static inline int ima_measure_critical_data(const char *event_label,
 #endif /* CONFIG_IMA */
+#ifdef CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT
+extern bool arch_ima_get_secureboot(void);
+extern const char * const *arch_get_ima_policy(void);
+#else
+static inline bool arch_ima_get_secureboot(void)
+{
+ return false;
+}
+
+static inline const char * const *arch_get_ima_policy(void)
+{
+ return NULL;
+}
+#endif
+
 #ifndef CONFIG_IMA_KEXEC
 struct kimage;
From 92ad19559ea9a8ec6f158480934ae26ebfe2c14f Mon Sep 17 00:00:00 2001
From: "Lee, Chun-Yi"
Date: Sat, 18 Dec 2021 10:09:05 +0800
Subject: [PATCH 2/6] integrity: Do not load MOK and MOKx when secure boot be disabled The security of Machine Owner Key (MOK) relies on secure boot. When secure boot is disabled, EFI firmware will not verify binary code. Then arbitrary efi binary code can modify MOK when rebooting. This patch prevents MOK/MOKx be loaded when secure boot be disabled. Signed-off-by: "Lee, Chun-Yi" Reviewed-by: Petr Vorel Signed-off-by: Mimi Zohar
---
 security/integrity/platform_certs/load_uefi.c | 5 +++++ 1 file changed, 5 insertions(+)
diff --git a/security/integrity/platform_certs/load_uefi.c b/security/integrity/platform_certs/load_uefi.c
index f290f78c3f30..08b6d12f99b4 100644
--- a/security/integrity/platform_certs/load_uefi.c
+++ b/security/integrity/platform_certs/load_uefi.c
@@ -6,6 +6,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include "../integrity.h"
@@ -176,6 +177,10 @@ static int __init load_uefi_certs(void)
 kfree(dbx);
 }
+ /* the MOK/MOKx can not be trusted when secure boot is disabled */
+ if (!arch_ima_get_secureboot())
+ return 0;
+
 mokx = get_cert_list(L"MokListXRT", &mok_var, &mokxsize, &status);
 if (!mokx) {
 if (status == EFI_NOT_FOUND)
From cef5cd25a453805237f0c4e789218d987d674290 Mon Sep 17 00:00:00 2001
From: Mimi Zohar
Date: Wed, 24 Nov 2021 12:38:00 +0530
Subject: [PATCH 3/6] selftest/kexec: fix "ignored null byte in input" warning Instead of assigning the string to a variable, which might contain a null character, redirect the output and grep for the string directly. Reviewed-by: Petr Vorel Signed-off-by: Mimi Zohar
---
 tools/testing/selftests/kexec/test_kexec_file_load.sh | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/tools/testing/selftests/kexec/test_kexec_file_load.sh b/tools/testing/selftests/kexec/test_kexec_file_load.sh
index 2ff600388c30..99f6fc23ee31 100755
--- a/tools/testing/selftests/kexec/test_kexec_file_load.sh
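Review bot: The added guard in load_uefi_certs() reads a `false` from arch_ima_get_secureboot() as "secure boot is disabled", but the include/linux/ima.h change earlier in this series shows the function is an inline stub that returns `false` whenever CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT is not set. On such a build the MokListXRT lookup, and whatever MOK loading follows outside this hunk, would be skipped even when firmware enforces secure boot; that fails closed, but it silently drops the machine owner's keys. If this is intended, the comment should say so, e.g. `/* MOK/MOKx are only trusted with secure boot on; also skipped when the arch cannot report secure boot state */`, and a `pr_info()` before `return 0;` would make the skip visible in the boot log. The function body starts and ends outside the hunk.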
+++ b/tools/testing/selftests/kexec/test_kexec_file_load.sh
@@ -97,10 +97,11 @@ check_for_imasig()
 check_for_modsig()
 {
 local module_sig_string="~Module signature appended~"
- local sig="$(tail --bytes $((${#module_sig_string} + 1)) $KERNEL_IMAGE)"
 local ret=0
- if [ "$sig" == "$module_sig_string" ]; then
+ tail --bytes $((${#module_sig_string} + 1)) $KERNEL_IMAGE | \
+ grep -q "$module_sig_string"
+ if [ $? -eq 0 ]; then
 ret=1
 log_info "kexec kernel image modsig signed"
 else
From 9be6dc8059bb235ffb0666690a26c0df15cc6d9e Mon Sep 17 00:00:00 2001
From: Mimi Zohar
Date: Fri, 3 Dec 2021 10:20:42 -0500
Subject: [PATCH 4/6] selftests/kexec: update searching for the Kconfig First check /lib/modules/`uname -r`/config, before using the IKCONFIG. In addition, the configs.ko might be compressed. Fix the configs.ko name. Reviewed-by: Petr Vorel Signed-off-by: Mimi Zohar
---
 tools/testing/selftests/kexec/kexec_common_lib.sh | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/tools/testing/selftests/kexec/kexec_common_lib.sh b/tools/testing/selftests/kexec/kexec_common_lib.sh
index 43017cfe88f7..5a1b8ae04c64 100755
--- a/tools/testing/selftests/kexec/kexec_common_lib.sh
+++ b/tools/testing/selftests/kexec/kexec_common_lib.sh
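Review bot: In check_for_modsig() the new pipeline passes `$KERNEL_IMAGE` unquoted and matches the marker as a regular expression rather than a literal string. The marker has no metacharacters today, but quoting the path and using a fixed-string match states the intent and survives paths with whitespace: `tail --bytes $((${#module_sig_string} + 1)) "$KERNEL_IMAGE" | grep -qF "$module_sig_string"`. The separate `if [ $? -eq 0 ]; then` could become `if tail … | grep -qF …; then`, so the result no longer depends on `$?` surviving any line later inserted between the two statements. The function continues past the end of the hunk.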
@@ -138,15 +138,20 @@ kconfig_enabled()
 return 0
 }
-# Attempt to get the kernel config first via proc, and then by
-# extracting it from the kernel image or the configs.ko using
-# scripts/extract-ikconfig.
+# Attempt to get the kernel config first by checking the modules directory
+# then via proc, and finally by extracting it from the kernel image or the
+# configs.ko using scripts/extract-ikconfig.
 # Return 1 for found.
 get_kconfig()
 {
 local proc_config="/proc/config.gz"
 local module_dir="/lib/modules/`uname -r`"
- local configs_module="$module_dir/kernel/kernel/configs.ko"
+ local configs_module="$module_dir/kernel/kernel/configs.ko*"
+
+ if [ -f $module_dir/config ]; then
+ IKCONFIG=$module_dir/config
+ return 1
+ fi
 if [ ! -f $proc_config ]; then
 modprobe configs > /dev/null 2>&1
From 520451e90cbe9da018a045825626afb354b3465c Mon Sep 17 00:00:00 2001
From: Bruno Meneguele
Date: Tue, 28 Dec 2021 23:03:03 -0300
Subject: [PATCH 5/6] ima: silence measurement list hexdump during kexec Directly calling print_hex_dump() dumps the IMA measurement list on soft resets (kexec) straight to the syslog (kmsg/dmesg) without considering the DEBUG flag or the dynamic debug state, causing the output to be always printed, including during boot time. Since this output is only valid for IMA debugging, but not necessary on normal kexec operation, print_hex_dump_debug() adheres to the pr_debug() behavior: the dump is only printed to syslog when DEBUG is defined or when explicitly requested by the user through dynamic debugging. Signed-off-by: Bruno Meneguele Signed-off-by: Mimi Zohar
---
 security/integrity/ima/ima_kexec.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/security/integrity/ima/ima_kexec.c b/security/integrity/ima/ima_kexec.c
index f799cc278a9a..13753136f03f 100644
--- a/security/integrity/ima/ima_kexec.c
+++ b/security/integrity/ima/ima_kexec.c
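Review bot: `configs_module` in get_kconfig() now holds a glob (`configs.ko*`) inside double quotes, so it stays a literal pattern until a later unquoted use expands it, and that use is outside this hunk. If the pattern matches no file or more than one, a `[ -f $configs_module ]`-style test will not behave as a single-file check, and a compressed module would reach extract-ikconfig as-is, so both are worth confirming against the rest of the function. The new early return also uses `$module_dir/config` unquoted; `if [ -f "$module_dir/config" ]; then` and `IKCONFIG="$module_dir/config"` are the safer spelling. Unlike /proc/config.gz, that file is installed on disk rather than exported by the running kernel, so a comment noting it is assumed to match the booted kernel would help whoever debugs a wrong test expectation.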
@@ -61,9 +61,9 @@ static int ima_dump_measurement_list(unsigned long *buffer_size, void **buffer,
 }
 memcpy(file.buf, &khdr, sizeof(khdr));
- print_hex_dump(KERN_DEBUG, "ima dump: ", DUMP_PREFIX_NONE,
- 16, 1, file.buf,
- file.count < 100 ? file.count : 100, true);
+ print_hex_dump_debug("ima dump: ", DUMP_PREFIX_NONE, 16, 1,
+ file.buf, file.count < 100 ? file.count : 100,
+ true);
 *buffer_size = file.count;
 *buffer = file.buf;
From 65e38e32a959dbbb0bf5cf1ae699789f81759be6 Mon Sep 17 00:00:00 2001
From: Nageswara R Sastry
Date: Wed, 24 Nov 2021 12:38:01 +0530
Subject: [PATCH 6/6] selftests/kexec: Enable secureboot tests for PowerPC Existing test cases determine secureboot state using efi variable, which is available only on x86 architecture. Add support for determining secureboot state using device tree property on PowerNV architecture. Signed-off-by: Nageswara R Sastry Reviewed-by: Nayna Jain Tested-by: Nayna Jain Signed-off-by: Mimi Zohar
---
 tools/testing/selftests/kexec/Makefile | 2 +- .../selftests/kexec/kexec_common_lib.sh | 38 ++++++++++++++++--- .../selftests/kexec/test_kexec_file_load.sh | 8 +++- 3 files changed, 39 insertions(+), 9 deletions(-)
diff --git a/tools/testing/selftests/kexec/Makefile b/tools/testing/selftests/kexec/Makefile
index aa91d2063249..806a150648c3 100644
--- a/tools/testing/selftests/kexec/Makefile
+++ b/tools/testing/selftests/kexec/Makefile
@@ -4,7 +4,7 @@
 uname_M := $(shell uname -m 2>/dev/null || echo not)
 ARCH ?= $(shell echo $(uname_M) | sed -e s/i.86/x86/ -e s/x86_64/x86/)
-ifeq ($(ARCH),x86)
+ifeq ($(ARCH),$(filter $(ARCH),x86 ppc64le))
 TEST_PROGS := test_kexec_load.sh test_kexec_file_load.sh
 TEST_FILES := kexec_common_lib.sh
diff --git a/tools/testing/selftests/kexec/kexec_common_lib.sh b/tools/testing/selftests/kexec/kexec_common_lib.sh
index 5a1b8ae04c64..0e114b34d5d7 100755
--- a/tools/testing/selftests/kexec/kexec_common_lib.sh
+++ b/tools/testing/selftests/kexec/kexec_common_lib.sh
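Review bot: The length argument `file.count < 100 ? file.count : 100` in ima_dump_measurement_list() is still an open-coded clamp around an unexplained 100. `min_t(size_t, file.count, 100)` is the kernel's usual form, assuming `file.count` is a size_t; the struct definition is outside the hunk. A one-line comment such as `/* debug aid only: first 100 bytes of the kexec buffer */` would tell readers why the dump is truncated. The function starts and ends outside this hunk.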
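Review bot: The new `ifeq` enables the tests only when ARCH is literally `x86` or `ppc64le`, but the `ARCH ?=` line above keeps any value supplied by the caller, and its sed normalises only the x86 spellings. A run started with `ARCH=powerpc` would therefore skip the suite on the machines this patch targets; how ARCH is passed in is not visible here, so treat that as something to check. The `ifeq ($(ARCH),$(filter …))` form is also true for an empty ARCH, because both sides expand to nothing. `ifneq ($(filter x86 powerpc ppc64le,$(ARCH)),)` handles both cases in one line.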
@@ -91,6 +91,27 @@ get_efi_var_secureboot_mode()
 return 0;
 }
+# On powerpc platform, check device-tree property
+# /proc/device-tree/ibm,secureboot/os-secureboot-enforcing
+# to detect secureboot state.
+get_ppc64_secureboot_mode()
+{
+ local secure_boot_file="/proc/device-tree/ibm,secureboot/os-secureboot-enforcing"
+ # Check for secure boot file existence
+ if [ -f $secure_boot_file ]; then
+ log_info "Secureboot is enabled (Device tree)"
+ return 1;
+ fi
+ log_info "Secureboot is not enabled (Device tree)"
+ return 0;
+}
+
+# Return the architecture of the system
+get_arch()
+{
+ echo $(arch)
+}
+
 # Check efivar SecureBoot-$(the UUID) and SetupMode-$(the UUID).
 # The secure boot mode can be accessed either as the last integer
 # of "od -An -t u1 /sys/firmware/efi/efivars/SecureBoot-*" or from
@@ -100,14 +121,19 @@ get_efi_var_secureboot_mode()
 get_secureboot_mode()
 {
 local secureboot_mode=0
+ local system_arch=$(get_arch)
- get_efivarfs_secureboot_mode
- secureboot_mode=$?
-
- # fallback to using the efi_var files
- if [ $secureboot_mode -eq 0 ]; then
- get_efi_var_secureboot_mode
+ if [ "$system_arch" == "ppc64le" ]; then
+ get_ppc64_secureboot_mode
 secureboot_mode=$?
+ else
+ get_efivarfs_secureboot_mode
+ secureboot_mode=$?
+ # fallback to using the efi_var files
+ if [ $secureboot_mode -eq 0 ]; then
+ get_efi_var_secureboot_mode
+ secureboot_mode=$?
+ fi
 fi
 if [ $secureboot_mode -eq 0 ]; then
diff --git a/tools/testing/selftests/kexec/test_kexec_file_load.sh b/tools/testing/selftests/kexec/test_kexec_file_load.sh
index 99f6fc23ee31..c9ccb3c93d72 100755
--- a/tools/testing/selftests/kexec/test_kexec_file_load.sh
+++ b/tools/testing/selftests/kexec/test_kexec_file_load.sh
@@ -226,8 +226,12 @@ get_secureboot_mode
 secureboot=$?
 # Are there pe and ima signatures
-check_for_pesig
-pe_signed=$?
+if [ "$(get_arch)" == 'ppc64le' ]; then
+ pe_signed=0
+else
+ check_for_pesig
+ pe_signed=$?
+fi
 check_for_imasig
 ima_signed=$?
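Review bot: get_arch() shells out to `arch` and wraps it in `echo $(…)`, while the Makefile in this same patch derives the architecture from `uname -m`. If `arch` is absent from a minimal test image, get_arch prints nothing and get_secureboot_mode falls through to the EFI checks on a PowerPC machine, reporting secure boot as off. Using `uname -m` as the whole function body returns the same string without the extra dependency. In get_ppc64_secureboot_mode, `[ -f "$secure_boot_file" ]` should quote the variable. Its comment could also say that the property's presence alone is taken as "enforcing", since the value is never read.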
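Review bot: The comment block above get_secureboot_mode() still describes only the efivar lookups, although the function now branches to the device tree on ppc64le. It is visible as trailing context of the previous hunk and begins "# Check efivar SecureBoot-$(the UUID)". Adding a line such as `# On ppc64le the state comes from the device tree instead (get_ppc64_secureboot_mode).` keeps the header in step with the code. The function continues past the end of this hunk.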
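Review bot: On ppc64le `pe_signed` is forced to 0 with no explanation, and the checks that branch on it lie outside this hunk, so a reader cannot tell whether "not PE-signed" or "PE signatures do not apply" is meant. A comment above the assignment would settle it, e.g. `# PE/COFF signatures are an EFI image format; nothing to check on ppc64le`. It is worth confirming that the later secure-boot expectations still hold when `secureboot` is 1 and `pe_signed` is 0. The literal is quoted as `'ppc64le'` here but `"ppc64le"` in kexec_common_lib.sh; one style would be tidier.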