[PATCH 1/2] MODSIGN: check hash of kernel module in blacklist

Fri Dec 13 12:07:24 UTC 2013

On Fri, Dec 13, 2013 at 12:34:11PM +0800, joeyli wrote:
> 於 四，2013-12-12 於 08:33 -0500，Josh Boyer 提到：
> > On Thu, Dec 12, 2013 at 11:46:22AM +0800, joeyli wrote:
> > > Hi Josh, 
> > > 
> > > Thanks for your review and suggestions!
> > > 
> > > 於 三，2013-12-11 於 11:07 -0500，Josh Boyer 提到：
> > > > On Wed, Dec 11, 2013 at 03:26:16PM +0800, Lee, Chun-Yi wrote:
> > > > > This patch introduces a blacklist list of kernel module's hash. It check
> > > > > the blacklist before checking kernel module signature.
> > > > > It didn't limit what hash algorithm used but the module of hash algorithm
> > > > > need build-in or put in initrd for verify kernel module in initrd.
> > > > > 
> > > ...
> > > > > +	const unsigned long markerlen = sizeof(MODULE_SIG_STRING) - 1;
> > > > > +
> > > > > +	/* truncate the module to discard the signature when it signed */
> > > > > +	if (modlen > markerlen &&
> > > > > +	    memcmp(mod + modlen - markerlen, MODULE_SIG_STRING, markerlen) == 0) {
> > > > > +		modlen -= markerlen;
> > > > > +		if (modlen <= sizeof(ms))
> > > > > +			return -EBADMSG;
> > > > > +		memcpy(&ms, mod + (modlen - sizeof(ms)), sizeof(ms));
> > > > > +		modlen -= sizeof(ms);
> > > > > +		sig_len = be32_to_cpu(ms.sig_len);
> > > > > +		if (sig_len >= modlen)
> > > > > +			return -EBADMSG;
> > > > > +		modlen -= sig_len;
> > > > > +		if ((size_t)ms.signer_len + ms.key_id_len >= modlen)
> > > > > +			return -EBADMSG;
> > > > > +		modlen -= (size_t)ms.signer_len + ms.key_id_len;
> > > > > +	}
> > > > 
> > > > Hm.  Why do we discard the signature before we calculate the hash?  It
> > > > seems we might need to check for a hash of both the signed and unsigned
> > > > module, correct?
> > > > 
> > > 
> > > Yes, the reason of blacklisted a kernel module is there have security
> > > weakness in the code of module. So, no matter who signed the kernel
> > > module or even the module didn't sign, we don't want it loaded by
> > > kernel.
> > > 
> > > For another situation, if we want revoke a KEY, then just direct import
> > > the public key to MOKx but not add hash of signed kernel module one by
> > > one.
> > 
> > That is all true, but we don't necessarily control what hash is actually
> > stored in dbx/MokXRT.  If a user (or in the case of dbx, the CA)
> > happened to hash the module with the signature attached and enrolled
> > that hash into UEFI/Mok, then doing a comparison with the signature
> > stripped against that will fail, won't it?  That is why I was suggesting
> > we needed to compare against both.
> > 
> > I agree that the ideal situation would be for the enrolled hash to be
> > free of signatures, but there's nothing that guarantees that will be the
> > case.
> 
> OK, I will also computing the hash with signature and compare.

OK.  I realize it's unfortunate to have to do that, but I don't see
another way at the moment.

> > (I also think the vast majority of blacklisting will be with certs, not
> > with individual modules so this is somewhat minor.  I think that even
> > small build-time variances will make module blacklisting difficult to
> > actually make viable.)
> > 
> > josh
> > 
> 
> For the situation we don't want revoke key of certificate, it's the way
> we need carry out.

Yes, agreed.  I suspect it will be most useful for 3rd party drivers
rather than individual modules a distribution ships.

Thanks again!

josh