Re: [PATCH v8 00/13] arm64: kexec: add kexec_file_load() support

From: Dave Young
Date: Wed Feb 28 2018 - 07:25:37 EST


Hi AKASHI,
On 02/27/18 at 01:56pm, AKASHI Takahiro wrote:
> Now my patch#2 to #5 were extracted from this patch set and put
> into another separate one. Please see
> http://lists.infradead.org/pipermail/linux-arm-kernel/2018-February/562195.htmlk

Thanks! Will read them

>
> Thanks,
> -Takahiro AKASHI
>
> On Thu, Feb 22, 2018 at 08:17:19PM +0900, AKASHI Takahiro wrote:
> > This is the eighth round of implementing kexec_file_load() support
> > on arm64.[1]
> > Most of the code is based on kexec-tools (along with some kernel code
> > from x86, which also came from kexec-tools).
> >
> >
> > This patch series enables us to
> > * load the kernel by specifying its file descriptor, instead of user-
> > filled buffer, at kexec_file_load() system call, and
> > * optionally verify its signature at load time for trusted boot.
> >
> > Contrary to kexec_load() system call, as we discussed a long time ago,
> > users may not be allowed to provide a device tree to the 2nd kernel
> > explicitly, hence enforcing a dt blob of the first kernel to be re-used
> > internally.
> >
> > To use kexec_file_load() system call, instead of kexec_load(), at kexec
> > command, '-s' option must be specified. See [2] for a necessary patch for
> > kexec-tools.
> >
> > To anaylize a generated crash dump file, use the latest master branch of
> > crash utility[3] for v4.16-rc kernel. I always try to submit patches to
> > fix any inconsistencies introduced in the latest kernel.
> >
> > Regarding a kernel image verification, a signature must be presented
> > along with the binary itself. A signature is basically a hash value
> > calculated against the whole binary data and encrypted by a key which
> > will be authenticated by one of the system's trusted certificates.
> > Any attempt to read and load a to-be-kexec-ed kernel image through
> > a system call will be checked and blocked if the binary's hash value
> > doesn't match its associated signature.
> >
> > There are two methods available now:
> > 1. implementing arch-specific verification hook of kexec_file_load()
> > 2. utilizing IMA(Integrity Measurement Architecture)[4] appraisal framework
> >
> > Before my v7, I believed that my patch only supports (1) but am now
> > confident that (2) comes free if IMA is enabled and properly configured.
> >
> >
> > (1) Arch-specific verification hook
> > If CONFIG_KEXEC_VERIFY_SIG is enabled, kexec_file_load() invokes an arch-
> > defined (and hence file-format-specific) hook function to check for the
> > validity of kernel binary.
> >
> > On x86, a signature is embedded into a PE file (Microsoft's format) header
> > of binary. Since arm64's "Image" can also be seen as a PE file as far as
> > CONFIG_EFI is enabled, we adopt this format for kernel signing.
> >
> > As in the case of UEFI applications, we can create a signed kernel image:
> > $ sbsign --key ${KEY} --cert ${CERT} Image
> >
> > You may want to use certs/signing_key.pem, which is intended to be used
> > for module sigining (CONFIG_MODULE_SIG), as ${KEY} and ${CERT} for test
> > purpose.
> >
> >
> > (2) IMA appraisal-based
> > IMA was first introduced in linux in order to meet TCG (Trusted Computing
> > Group) requirement that all the sensitive files be *measured* before
> > reading/executing them to detect any untrusted changes/modification.
> > Then appraisal feature, which allows us to ensure the integrity of
> > files and even prevent them from reading/executing, was added later.
> >
> > Meanwhile, kexec_file_load() has been merged since v3.17 and evolved to
> > enable IMA-appraisal type verification by the commit b804defe4297 ("kexec:
> > replace call to copy_file_from_fd() with kernel version").
> >
> > In this scheme, a signature will be stored in a extended file attribute,
> > "security.ima" while a decryption key is hold in a dedicated keyring,
> > ".ima" or "_ima". All the necessary process of verification is confined
> > in a secure API, kernel_read_file_from_fd(), called by kexec_file_load().
> >
> > Please note that powerpc is one of the two architectures now
> > supporting KEXEC_FILE, and that it wishes to exntend IMA,
> > where a signature may be appended to "vmlinux" file[5], like module
> > signing, instead of using an extended file attribute.
> >
> > While IMA meant to be used with TPM (Trusted Platform Module) on secure
> > platform, IMA is still usable without TPM. Here is an example procedure
> > about how we can give it a try to run the feature using a self-signed
> > root ca for demo/test purposes:
> >
> > 1) Generate needed keys and certificates, following "Generate trusted
> > keys" section in README of ima-evm-utils[6].
> >
> > 2) Build the kernel with the following kernel configurations, specifying
> > "ima-local-ca.pem" for CONFIG_SYSTEM_TRUSTED_KEYS:
> > CONFIG_EXT4_FS_SECURITY
> > CONFIG_INTEGRITY_SIGNATURE
> > CONFIG_INTEGRITY_ASYMMETRIC_KEYS
> > CONFIG_INTEGRITY_TRUSTED_KEYRING
> > CONFIG_IMA
> > CONFIG_IMA_WRITE_POLICY
> > CONFIG_IMA_READ_POLICY
> > CONFIG_IMA_APPRAISE
> > CONFIG_IMA_APPRAISE_BOOTPARAM
> > CONFIG_SYSTEM_TRUSTED_KEYS
> > Please note that CONFIG_KEXEC_VERIFY_SIG is not, actually should
> > not be, enabled.
> >
> > 3) Sign(label) a kernel image binary to be kexec-ed on target filesystem:
> > $ evmctl ima_sign --key /path/to/private_key.pem /your/Image
> >
> > 4) Add a command line parameter and boot the kernel:
> > ima_appraise=enforce
> >
> > On live system,
> > 5) Set a security policy:
> > $ mount -t securityfs none /sys/kernel/security
> > $ echo "appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig" \
> > > /sys/kernel/security/ima/policy
> >
> > 6) Add a key for ima:
> > $ keyctl padd asymmetric my_ima_key %:.ima < /path/to/x509_ima.der
> > (or evmctl import /path/to/x509_ima.der <ima_keyring_id>)
> >
> > 7) Then try kexec as normal.
> >
> >
> > Concerns(or future works):
> > * Even if the kernel is configured with CONFIG_RANDOMIZE_BASE, the 2nd
> > kernel won't be placed at a randomized address. We will have to
> > add some boot code similar to efi-stub to implement the randomization.
> > for approach (1),
> > * While big-endian kernel can support kernel signing, I'm not sure that
> > Image can be recognized as in PE format because x86 standard only
> > defines little-endian-based format.
> > * vmlinux support
> >
> > [1] http://git.linaro.org/people/takahiro.akashi/linux-aarch64.git
> > branch:arm64/kexec_file
> > [2] http://git.linaro.org/people/takahiro.akashi/kexec-tools.git
> > branch:arm64/kexec_file
> > [3] http://github.com/crash-utility/crash.git
> > [4] https://sourceforge.net/p/linux-ima/wiki/Home/
> > [5] http://lkml.iu.edu//hypermail/linux/kernel/1707.0/03669.html
> > [6] https://sourceforge.net/p/linux-ima/ima-evm-utils/ci/master/tree/
> >
> >
> > Changes in v8 (Feb 22, 2018)
> > * introduce ARCH_HAS_KEXEC_PURGATORY so that arm64 will be able to skip
> > purgatory
> > * remove "ifdef CONFIG_X86_64" stuffs from a re-factored function,
> > prepare_elf64_headers(), making its interface more generic
> > (The original patch was split into two for easier reviews.)
> > * modify cpu_soft_restart() so as to let the 2nd kernel jump into its entry
> > code directly without requiring purgatory in case of kexec_file_load
> > * remove CONFIG_KEXEC_FILE_IMAGE_FMT and introduce
> > CONFIG_KEXEC_IMAGE_VERIFY_SIG, much similar to x86 but quite redundant
> > for now.
> > * In addition, update/modify dependencies of KEXEC_IMAGE_VERIFY_SIG
> >
> > Changes in v7 (Dec 4, 2017)
> > * rebased to v4.15-rc2
> > * re-organize the patch set to separate KEXEC_FILE_VERIFY_SIG-related
> > code from the others
> > * revamp factored-out code in kernel/kexec_file.c due to the changes
> > in original x86 code
> > * redefine walk_sys_ram_res_rev() prototype due to change of callback
> > type in the counterpart, walk_sys_ram_res()
> > * make KEXEC_FILE_IMAGE_FMT defaut on if KEXEC_FILE selected
> >
> > Changes in v6 (Oct 24, 2017)
> > * fix a for-loop bug in _kexec_kernel_image_probe() per Julien
> >
> > Changes in v5 (Oct 10, 2017)
> > * fix kbuild errors around patch #3
> > per Julien's comments,
> > * fix a bug in walk_system_ram_res_rev() with some cleanup
> > * modify fdt_setprop_range() to use vmalloc()
> > * modify fill_property() to use memset()
> >
> > Changes in v4 (Oct 2, 2017)
> > * reinstate x86's arch_kexec_kernel_image_load()
> > * rename weak arch_kexec_kernel_xxx() to _kexec_kernel_xxx() for
> > better re-use
> > * constify kexec_file_loaders[]
> >
> > Changes in v3 (Sep 15, 2017)
> > * fix kbuild test error
> > * factor out arch_kexec_kernel_*() & arch_kimage_file_post_load_cleanup()
> > * remove CONFIG_CRASH_CORE guard from kexec_file.c
> > * add vmapped kernel region to vmcore for gdb backtracing
> > (see prepare_elf64_headers())
> > * merge asm/kexec_file.h into asm/kexec.h
> > * and some cleanups
> >
> > Changes in v2 (Sep 8, 2017)
> > * move core-header-related functions from crash_core.c to kexec_file.c
> > * drop hash-check code from purgatory
> > * modify purgatory asm to remove arch_kexec_apply_relocations_add()
> > * drop older kernel support
> > * drop vmlinux support (at least, for this series)
> >
> >
> > Patch #1 to #10 are essential part for KEXEC_FILE support
> > (additionally allowing for IMA-based verification):
> > Patch #1 to #6 are all preparatory patches on generic side.
> > Patch #7 to #11 are to enable kexec_file_load on arm64.
> >
> > Patch #12 to #13 are for KEXEC_VERIFY_SIG (arch-specific verification)
> > support
> >
> > AKASHI Takahiro (13):
> > resource: add walk_system_ram_res_rev()
> > kexec_file: make an use of purgatory optional
> > kexec_file,x86,powerpc: factor out kexec_file_ops functions
> > x86: kexec_file: factor out elf core header related functions
> > kexec_file, x86: move re-factored code to generic side
> > asm-generic: add kexec_file_load system call to unistd.h
> > arm64: kexec_file: invoke the kernel without purgatory
> > arm64: kexec_file: load initrd and device-tree
> > arm64: kexec_file: add crash dump support
> > arm64: kexec_file: add Image format support
> > arm64: kexec_file: enable KEXEC_FILE config
> > include: pe.h: remove message[] from mz header definition
> > arm64: kexec_file: enable KEXEC_VERIFY_SIG for Image
> >
> > arch/arm64/Kconfig | 34 +++
> > arch/arm64/include/asm/kexec.h | 90 +++++++
> > arch/arm64/kernel/Makefile | 3 +-
> > arch/arm64/kernel/cpu-reset.S | 6 +-
> > arch/arm64/kernel/kexec_image.c | 105 ++++++++
> > arch/arm64/kernel/machine_kexec.c | 11 +-
> > arch/arm64/kernel/machine_kexec_file.c | 401 ++++++++++++++++++++++++++++
> > arch/arm64/kernel/relocate_kernel.S | 3 +-
> > arch/powerpc/Kconfig | 3 +
> > arch/powerpc/include/asm/kexec.h | 2 +-
> > arch/powerpc/kernel/kexec_elf_64.c | 2 +-
> > arch/powerpc/kernel/machine_kexec_file_64.c | 39 +--
> > arch/x86/Kconfig | 3 +
> > arch/x86/include/asm/kexec-bzimage64.h | 2 +-
> > arch/x86/kernel/crash.c | 332 +++++------------------
> > arch/x86/kernel/kexec-bzimage64.c | 2 +-
> > arch/x86/kernel/machine_kexec_64.c | 45 +---
> > include/linux/ioport.h | 3 +
> > include/linux/kexec.h | 34 ++-
> > include/linux/pe.h | 2 +-
> > include/uapi/asm-generic/unistd.h | 4 +-
> > kernel/kexec_file.c | 238 ++++++++++++++++-
> > kernel/resource.c | 57 ++++
> > 23 files changed, 1046 insertions(+), 375 deletions(-)
> > create mode 100644 arch/arm64/kernel/kexec_image.c
> > create mode 100644 arch/arm64/kernel/machine_kexec_file.c
> >
> > --
> > 2.16.2
> >