From: Greg Kroah-Hartman Date: Fri, 19 Aug 2022 14:46:25 +0000 (+0200) Subject: 5.18-stable patches X-Git-Tag: v5.10.137~8 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=57053e3655d9ffbefe9a339e5be2eff521be025d;p=thirdparty%2Fkernel%2Fstable-queue.git 5.18-stable patches added patches: arm64-kexec_file-use-more-system-keyrings-to-verify-kernel-image-signature.patch kexec-keys-make-the-code-in-bzimage64_verify_sig-generic.patch --- diff --git a/queue-5.18/arm64-kexec_file-use-more-system-keyrings-to-verify-kernel-image-signature.patch b/queue-5.18/arm64-kexec_file-use-more-system-keyrings-to-verify-kernel-image-signature.patch new file mode 100644 index 00000000000..11042431c12 --- /dev/null +++ b/queue-5.18/arm64-kexec_file-use-more-system-keyrings-to-verify-kernel-image-signature.patch @@ -0,0 +1,68 @@ +From 0d519cadf75184a24313568e7f489a7fc9b1be3b Mon Sep 17 00:00:00 2001 +From: Coiby Xu +Date: Thu, 14 Jul 2022 21:40:26 +0800 +Subject: arm64: kexec_file: use more system keyrings to verify kernel image signature + +From: Coiby Xu + +commit 0d519cadf75184a24313568e7f489a7fc9b1be3b upstream. + +Currently, when loading a kernel image via the kexec_file_load() system +call, arm64 can only use the .builtin_trusted_keys keyring to verify +a signature whereas x86 can use three more keyrings i.e. +.secondary_trusted_keys, .machine and .platform keyrings. For example, +one resulting problem is kexec'ing a kernel image would be rejected +with the error "Lockdown: kexec: kexec of unsigned images is restricted; +see man kernel_lockdown.7". + +This patch set enables arm64 to make use of the same keyrings as x86 to +verify the signature kexec'ed kernel image. + +Fixes: 732b7b93d849 ("arm64: kexec_file: add kernel signature verification support") +Cc: stable@vger.kernel.org # 105e10e2cf1c: kexec_file: drop weak attribute from functions +Cc: stable@vger.kernel.org # 34d5960af253: kexec: clean up arch_kexec_kernel_verify_sig +Cc: stable@vger.kernel.org # 83b7bb2d49ae: kexec, KEYS: make the code in bzImage64_verify_sig generic +Acked-by: Baoquan He +Cc: kexec@lists.infradead.org +Cc: keyrings@vger.kernel.org +Cc: linux-security-module@vger.kernel.org +Co-developed-by: Michal Suchanek +Signed-off-by: Michal Suchanek +Acked-by: Will Deacon +Signed-off-by: Coiby Xu +Signed-off-by: Mimi Zohar +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/kernel/kexec_image.c | 11 +---------- + 1 file changed, 1 insertion(+), 10 deletions(-) + +--- a/arch/arm64/kernel/kexec_image.c ++++ b/arch/arm64/kernel/kexec_image.c +@@ -14,7 +14,6 @@ + #include + #include + #include +-#include + #include + #include + #include +@@ -130,18 +129,10 @@ static void *image_load(struct kimage *i + return NULL; + } + +-#ifdef CONFIG_KEXEC_IMAGE_VERIFY_SIG +-static int image_verify_sig(const char *kernel, unsigned long kernel_len) +-{ +- return verify_pefile_signature(kernel, kernel_len, NULL, +- VERIFYING_KEXEC_PE_SIGNATURE); +-} +-#endif +- + const struct kexec_file_ops kexec_image_ops = { + .probe = image_probe, + .load = image_load, + #ifdef CONFIG_KEXEC_IMAGE_VERIFY_SIG +- .verify_sig = image_verify_sig, ++ .verify_sig = kexec_kernel_verify_pe_sig, + #endif + }; diff --git a/queue-5.18/kexec-keys-make-the-code-in-bzimage64_verify_sig-generic.patch b/queue-5.18/kexec-keys-make-the-code-in-bzimage64_verify_sig-generic.patch new file mode 100644 index 00000000000..3bbbaa8c349 --- /dev/null +++ b/queue-5.18/kexec-keys-make-the-code-in-bzimage64_verify_sig-generic.patch @@ -0,0 +1,120 @@ +From c903dae8941deb55043ee46ded29e84e97cd84bb Mon Sep 17 00:00:00 2001 +From: Coiby Xu +Date: Thu, 14 Jul 2022 21:40:25 +0800 +Subject: kexec, KEYS: make the code in bzImage64_verify_sig generic + +From: Coiby Xu + +commit c903dae8941deb55043ee46ded29e84e97cd84bb upstream. + +commit 278311e417be ("kexec, KEYS: Make use of platform keyring for +signature verify") adds platform keyring support on x86 kexec but not +arm64. + +The code in bzImage64_verify_sig uses the keys on the +.builtin_trusted_keys, .machine, if configured and enabled, +.secondary_trusted_keys, also if configured, and .platform keyrings +to verify the signed kernel image as PE file. + +Cc: kexec@lists.infradead.org +Cc: keyrings@vger.kernel.org +Cc: linux-security-module@vger.kernel.org +Reviewed-by: Michal Suchanek +Signed-off-by: Coiby Xu +Signed-off-by: Mimi Zohar +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kernel/kexec-bzimage64.c | 20 +------------------- + include/linux/kexec.h | 7 +++++++ + kernel/kexec_file.c | 17 +++++++++++++++++ + 3 files changed, 25 insertions(+), 19 deletions(-) + +--- a/arch/x86/kernel/kexec-bzimage64.c ++++ b/arch/x86/kernel/kexec-bzimage64.c +@@ -17,7 +17,6 @@ + #include + #include + #include +-#include + + #include + #include +@@ -528,28 +527,11 @@ static int bzImage64_cleanup(void *loade + return 0; + } + +-#ifdef CONFIG_KEXEC_BZIMAGE_VERIFY_SIG +-static int bzImage64_verify_sig(const char *kernel, unsigned long kernel_len) +-{ +- int ret; +- +- ret = verify_pefile_signature(kernel, kernel_len, +- VERIFY_USE_SECONDARY_KEYRING, +- VERIFYING_KEXEC_PE_SIGNATURE); +- if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING)) { +- ret = verify_pefile_signature(kernel, kernel_len, +- VERIFY_USE_PLATFORM_KEYRING, +- VERIFYING_KEXEC_PE_SIGNATURE); +- } +- return ret; +-} +-#endif +- + const struct kexec_file_ops kexec_bzImage64_ops = { + .probe = bzImage64_probe, + .load = bzImage64_load, + .cleanup = bzImage64_cleanup, + #ifdef CONFIG_KEXEC_BZIMAGE_VERIFY_SIG +- .verify_sig = bzImage64_verify_sig, ++ .verify_sig = kexec_kernel_verify_pe_sig, + #endif + }; +--- a/include/linux/kexec.h ++++ b/include/linux/kexec.h +@@ -19,6 +19,7 @@ + #include + + #include ++#include + + /* Location of a reserved region to hold the crash kernel. + */ +@@ -212,6 +213,12 @@ static inline void *arch_kexec_kernel_im + } + #endif + ++#ifdef CONFIG_KEXEC_SIG ++#ifdef CONFIG_SIGNED_PE_FILE_VERIFICATION ++int kexec_kernel_verify_pe_sig(const char *kernel, unsigned long kernel_len); ++#endif ++#endif ++ + extern int kexec_add_buffer(struct kexec_buf *kbuf); + int kexec_locate_mem_hole(struct kexec_buf *kbuf); + +--- a/kernel/kexec_file.c ++++ b/kernel/kexec_file.c +@@ -123,6 +123,23 @@ void kimage_file_post_load_cleanup(struc + } + + #ifdef CONFIG_KEXEC_SIG ++#ifdef CONFIG_SIGNED_PE_FILE_VERIFICATION ++int kexec_kernel_verify_pe_sig(const char *kernel, unsigned long kernel_len) ++{ ++ int ret; ++ ++ ret = verify_pefile_signature(kernel, kernel_len, ++ VERIFY_USE_SECONDARY_KEYRING, ++ VERIFYING_KEXEC_PE_SIGNATURE); ++ if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING)) { ++ ret = verify_pefile_signature(kernel, kernel_len, ++ VERIFY_USE_PLATFORM_KEYRING, ++ VERIFYING_KEXEC_PE_SIGNATURE); ++ } ++ return ret; ++} ++#endif ++ + static int kexec_image_verify_sig(struct kimage *image, void *buf, + unsigned long buf_len) + { diff --git a/queue-5.18/series b/queue-5.18/series index 395024afe15..0d3bbf747ae 100644 --- a/queue-5.18/series +++ b/queue-5.18/series @@ -2,3 +2,5 @@ tee-add-overflow-check-in-register_shm_helper.patch net_sched-cls_route-disallow-handle-of-0.patch btrfs-only-write-the-sectors-in-the-vertical-stripe-which-has-data-stripes.patch btrfs-raid56-don-t-trust-any-cached-sector-in-__raid56_parity_recover.patch +kexec-keys-make-the-code-in-bzimage64_verify_sig-generic.patch +arm64-kexec_file-use-more-system-keyrings-to-verify-kernel-image-signature.patch