• Vivek Goyal's avatar
    kexec: verify the signature of signed PE bzImage · 8e7d8381
    Vivek Goyal authored
    This is the final piece of the puzzle of verifying kernel image signature
    during kexec_file_load() syscall.
    
    This patch calls into PE file routines to verify signature of bzImage.  If
    signature are valid, kexec_file_load() succeeds otherwise it fails.
    
    Two new config options have been introduced.  First one is
    CONFIG_KEXEC_VERIFY_SIG.  This option enforces that kernel has to be
    validly signed otherwise kernel load will fail.  If this option is not
    set, no signature verification will be done.  Only exception will be when
    secureboot is enabled.  In that case signature verification should be
    automatically enforced when secureboot is enabled.  But that will happen
    when secureboot patches are merged.
    
    Second config option is CONFIG_KEXEC_BZIMAGE_VERIFY_SIG.  This option
    enables signature verification support on bzImage.  If this option is not
    set and previous one is set, kernel image loading will fail because kernel
    does not have support to verify signature of bzImage.
    
    I tested these patches with both "pesign" and "sbsign" signed bzImages.
    
    I used signing_key.priv key and signing_key.x509 cert for signing as
    generated during kernel build process (if module signing is enabled).
    
    Used following method to sign bzImage.
    
    pesign
    ======
    - Convert DER format cert to PEM format cert
    openssl x509 -in signing_key.x509 -inform DER -out signing_key.x509.PEM -outform
    PEM
    
    - Generate a .p12 file from existing cert and private key file
    openssl pkcs12 -export -out kernel-key.p12 -inkey signing_key.priv -in
    signing_key.x509.PEM
    
    - Import .p12 file into pesign db
    pk12util -i /tmp/kernel-key.p12 -d /etc/pki/pesign
    
    - Sign bzImage
    pesign -i /boot/vmlinuz-3.16.0-rc3+ -o /boot/vmlinuz-3.16.0-rc3+.signed.pesign
    -c "Glacier signing key - Magrathea" -s
    
    sbsign
    ======
    sbsign --key signing_key.priv --cert signing_key.x509.PEM --output
    /boot/vmlinuz-3.16.0-rc3+.signed.sbsign /boot/vmlinuz-3.16.0-rc3+
    
    Patch details:
    
    Well all the hard work is done in previous patches.  Now bzImage loader
    has just call into that code and verify whether bzImage signature are
    valid or not.
    
    Also create two config options.  First one is CONFIG_KEXEC_VERIFY_SIG.
    This option enforces that kernel has to be validly signed otherwise kernel
    load will fail.  If this option is not set, no signature verification will
    be done.  Only exception will be when secureboot is enabled.  In that case
    signature verification should be automatically enforced when secureboot is
    enabled.  But that will happen when secureboot patches are merged.
    
    Second config option is CONFIG_KEXEC_BZIMAGE_VERIFY_SIG.  This option
    enables signature verification support on bzImage.  If this option is not
    set and previous one is set, kernel image loading will fail because kernel
    does not have support to verify signature of bzImage.
    Signed-off-by: default avatarVivek Goyal <vgoyal@redhat.com>
    Cc: Borislav Petkov <bp@suse.de>
    Cc: Michael Kerrisk <mtk.manpages@gmail.com>
    Cc: Yinghai Lu <yinghai@kernel.org>
    Cc: Eric Biederman <ebiederm@xmission.com>
    Cc: H. Peter Anvin <hpa@zytor.com>
    Cc: Matthew Garrett <mjg59@srcf.ucam.org>
    Cc: Greg Kroah-Hartman <greg@kroah.com>
    Cc: Dave Young <dyoung@redhat.com>
    Cc: WANG Chao <chaowang@redhat.com>
    Cc: Baoquan He <bhe@redhat.com>
    Cc: Andy Lutomirski <luto@amacapital.net>
    Cc: Matt Fleming <matt@console-pimps.org>
    Cc: David Howells <dhowells@redhat.com>
    Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
    Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
    8e7d8381
kexec.h 9.4 KB