arm64: kexec_file: add kernel signature verification support

With this patch, kernel verification can be done without IMA security
subsystem enabled. Turn on CONFIG_KEXEC_VERIFY_SIG instead.

On x86, a signature is embedded into the PE file (Microsoft's format) header
of the binary. Since arm64's "Image" can also be seen as a PE file as long as
CONFIG_EFI is enabled, we adopt this format for kernel signing.

You can create a signed kernel image with:
    $ sbsign --key ${KEY} --cert ${CERT} Image

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Will Deacon <will.deacon@arm.com>
Reviewed-by: James Morse <james.morse@arm.com>
[will: removed useless pr_debug()]
Signed-off-by: Will Deacon <will.deacon@arm.com>
AKASHI Takahiro 2018-11-15 14:52:54 +09:00 committed by Will Deacon
parent 702ed5bb75
commit 732b7b93d8
2 changed files with 42 additions and 5 deletions


@ -867,6 +867,30 @@ config KEXEC_FILE
for kernel and initramfs as opposed to list of segments as for kernel and initramfs as opposed to list of segments as
accepted by previous system call. accepted by previous system call.
config KEXEC_VERIFY_SIG
bool "Verify kernel signature during kexec_file_load() syscall"
depends on KEXEC_FILE
help
Select this option to verify a signature with loaded kernel
image. If configured, any attempt of loading a image without
valid signature will fail.
In addition to that option, you need to enable signature
verification for the corresponding kernel image type being
loaded in order for this to work.
config KEXEC_IMAGE_VERIFY_SIG
bool "Enable Image signature verification support"
default y
depends on KEXEC_VERIFY_SIG
depends on EFI && SIGNED_PE_FILE_VERIFICATION
help
Enable Image signature verification support.
comment "Support for PE file signature verification disabled"
depends on KEXEC_VERIFY_SIG
depends on !EFI || !SIGNED_PE_FILE_VERIFICATION
config CRASH_DUMP config CRASH_DUMP
bool "Build kdump crash kernel" bool "Build kdump crash kernel"
help help
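Review bot: The `KEXEC_VERIFY_SIG` help text ends with "in order for this to work", which does not say what happens when that option is on but `KEXEC_IMAGE_VERIFY_SIG` is off (the `!EFI || !SIGNED_PE_FILE_VERIFICATION` case that the `comment` entry covers). For a security option the reader needs to know whether loads are then refused or verification is silently skipped. The generic code that decides this is not on this page, so confirm it and state it, e.g. `Without it, kexec_file_load() rejects every image.` if it fails closed. The `KEXEC_IMAGE_VERIFY_SIG` help only repeats its prompt; it could say that the Image is checked as a signed PE file and name the keyring the signature must chain to. Minor: "a image" should read "an image".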


@ -12,7 +12,9 @@
#include <linux/errno.h> #include <linux/errno.h>
#include <linux/kernel.h> #include <linux/kernel.h>
#include <linux/kexec.h> #include <linux/kexec.h>
#include <linux/pe.h>
#include <linux/string.h> #include <linux/string.h>
#include <linux/verification.h>
#include <asm/byteorder.h> #include <asm/byteorder.h>
#include <asm/cpufeature.h> #include <asm/cpufeature.h>
#include <asm/image.h> #include <asm/image.h>
@ -20,13 +22,13 @@
static int image_probe(const char *kernel_buf, unsigned long kernel_len) static int image_probe(const char *kernel_buf, unsigned long kernel_len)
{ {
const struct arm64_image_header *h; const struct arm64_image_header *h =
(const struct arm64_image_header *)(kernel_buf);
h = (const struct arm64_image_header *)(kernel_buf); if (!h || (kernel_len < sizeof(*h)))
return -EINVAL;
if (!h || (kernel_len < sizeof(*h)) || if (memcmp(&h->magic, ARM64_IMAGE_MAGIC, sizeof(h->magic)))
memcmp(&h->magic, ARM64_IMAGE_MAGIC,
sizeof(h->magic)))
return -EINVAL; return -EINVAL;
return 0; return 0;
@ -107,7 +109,18 @@ static void *image_load(struct kimage *image,
return ERR_PTR(ret); return ERR_PTR(ret);
} }
#ifdef CONFIG_KEXEC_IMAGE_VERIFY_SIG
static int image_verify_sig(const char *kernel, unsigned long kernel_len)
{
return verify_pefile_signature(kernel, kernel_len, NULL,
VERIFYING_KEXEC_PE_SIGNATURE);
}
#endif
const struct kexec_file_ops kexec_image_ops = { const struct kexec_file_ops kexec_image_ops = {
.probe = image_probe, .probe = image_probe,
.load = image_load, .load = image_load,
#ifdef CONFIG_KEXEC_IMAGE_VERIFY_SIG
.verify_sig = image_verify_sig,
#endif
}; };
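Review bot: `image_verify_sig()` passes `NULL` as the trusted-keys argument without a comment, yet that argument decides which keys a kexec'd kernel is trusted under. As far as I know, `NULL` makes `verify_pefile_signature()` fall back to the kernel's built-in trusted keyring. An Image signed with the `sbsign` command from the commit message would then load only if its certificate chains to a key compiled into the running kernel, and firmware (db) keys would not be consulted. I would add above the function: `/* NULL: verify against the built-in trusted keyring only; the signing cert must chain to it. */`. Separately, `.verify_sig` stays unset when `CONFIG_KEXEC_IMAGE_VERIFY_SIG` is off, so whether such a load is refused depends on generic kexec code not shown here.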