Fedora bug https://bugzilla.redhat.com/show_bug.cgi?id=1470995
With Fedora kernels on Secure Boot enabled machine kexec_file_load fails because kernel can not use any keys other than kernel builtin keyring. verify_pefile_signature() requires caller to pass 1UL as the keyring pointer to use other keyring.
Posted a fix in upstream, but no response for long time. Thus going with a Fedora fix same as what the module code does.
Latest upstream effort: https://www.spinics.net/lists/kernel/msg2825184.html
Signed-off-by: Dave Young dyoung@redhat.com --- kernel.spec | 3 ++ kexec-bzimage-verify-pe-signature-fix.patch | 32 +++++++++++++++++++++ 2 files changed, 35 insertions(+) create mode 100644 kexec-bzimage-verify-pe-signature-fix.patch
diff --git a/kernel.spec b/kernel.spec index d5e16d7f..7a20da1e 100644 --- a/kernel.spec +++ b/kernel.spec @@ -608,6 +608,9 @@ Patch501: Fix-for-module-sig-verification.patch # rhbz 1431375 Patch502: input-rmi4-remove-the-need-for-artifical-IRQ.patch
+# rhbz 1470995 +Patch503: kexec-bzimage-verify-pe-signature-fix.patch + # END OF PATCH DEFINITIONS
%endif diff --git a/kexec-bzimage-verify-pe-signature-fix.patch b/kexec-bzimage-verify-pe-signature-fix.patch new file mode 100644 index 00000000..866b74b9 --- /dev/null +++ b/kexec-bzimage-verify-pe-signature-fix.patch @@ -0,0 +1,32 @@ +From: Dave Young dyoung@redhat.com + +Fix kexec_file_load pefile signature verification + +Similar with Fix-for-module-sig-verification.patch, kexec_file syscall also +need pass 1UL to verify_pefile_signature so that secondary keys can be used. + +Fedora bug +https://bugzilla.redhat.com/show_bug.cgi?id=1470995 + +Latest upstream effort is below: +https://www.spinics.net/lists/kernel/msg2825184.html + +Ideally this need an upstream fix, but since nobody response we can workaround +it like the module code did. + +Signed-off-by: Dave Young dyoung@redhat.com +--- + arch/x86/kernel/kexec-bzimage64.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- linux-x86.orig/arch/x86/kernel/kexec-bzimage64.c ++++ linux-x86/arch/x86/kernel/kexec-bzimage64.c +@@ -533,7 +533,7 @@ static int bzImage64_cleanup(void *loade + static int bzImage64_verify_sig(const char *kernel, unsigned long kernel_len) + { + return verify_pefile_signature(kernel, kernel_len, +- NULL, ++ (void *)1UL, + VERIFYING_KEXEC_PE_SIGNATURE); + } + #endif
Hi,
On 06/12/2018 06:03 AM, Dave Young wrote:
Fedora bug https://bugzilla.redhat.com/show_bug.cgi?id=1470995
With Fedora kernels on Secure Boot enabled machine kexec_file_load fails because kernel can not use any keys other than kernel builtin keyring. verify_pefile_signature() requires caller to pass 1UL as the keyring pointer to use other keyring.
Posted a fix in upstream, but no response for long time. Thus going with a Fedora fix same as what the module code does.
Latest upstream effort: https://www.spinics.net/lists/kernel/msg2825184.html
I've added it to Rawhide, F28, and F27.
Thanks, Jeremy
On 06/13/18 at 01:59pm, Jeremy Cline wrote:
Hi,
On 06/12/2018 06:03 AM, Dave Young wrote:
Fedora bug https://bugzilla.redhat.com/show_bug.cgi?id=1470995
With Fedora kernels on Secure Boot enabled machine kexec_file_load fails because kernel can not use any keys other than kernel builtin keyring. verify_pefile_signature() requires caller to pass 1UL as the keyring pointer to use other keyring.
Posted a fix in upstream, but no response for long time. Thus going with a Fedora fix same as what the module code does.
Latest upstream effort: https://www.spinics.net/lists/kernel/msg2825184.html
I've added it to Rawhide, F28, and F27.
Jeremy, thank you!
Thanks, Jeremy
On Tue, Jun 12, 2018 at 5:03 AM, Dave Young dyoung@redhat.com wrote:
Fedora bug https://bugzilla.redhat.com/show_bug.cgi?id=1470995
With Fedora kernels on Secure Boot enabled machine kexec_file_load fails because kernel can not use any keys other than kernel builtin keyring. verify_pefile_signature() requires caller to pass 1UL as the keyring pointer to use other keyring.
Posted a fix in upstream, but no response for long time. Thus going with a Fedora fix same as what the module code does.
Latest upstream effort: https://www.spinics.net/lists/kernel/msg2825184.html
Signed-off-by: Dave Young dyoung@redhat.com
I would really like to hear David Howell's opinion on this before we consider carrying it. I have CCed him.
Thanks, Justin
kernel.spec | 3 ++ kexec-bzimage-verify-pe-signature-fix.patch | 32 +++++++++++++++++++++ 2 files changed, 35 insertions(+) create mode 100644 kexec-bzimage-verify-pe-signature-fix.patch
diff --git a/kernel.spec b/kernel.spec index d5e16d7f..7a20da1e 100644 --- a/kernel.spec +++ b/kernel.spec @@ -608,6 +608,9 @@ Patch501: Fix-for-module-sig-verification.patch # rhbz 1431375 Patch502: input-rmi4-remove-the-need-for-artifical-IRQ.patch
+# rhbz 1470995 +Patch503: kexec-bzimage-verify-pe-signature-fix.patch
# END OF PATCH DEFINITIONS
%endif diff --git a/kexec-bzimage-verify-pe-signature-fix.patch b/kexec-bzimage-verify-pe-signature-fix.patch new file mode 100644 index 00000000..866b74b9 --- /dev/null +++ b/kexec-bzimage-verify-pe-signature-fix.patch @@ -0,0 +1,32 @@ +From: Dave Young dyoung@redhat.com
+Fix kexec_file_load pefile signature verification
+Similar with Fix-for-module-sig-verification.patch, kexec_file syscall also +need pass 1UL to verify_pefile_signature so that secondary keys can be used.
+Fedora bug +https://bugzilla.redhat.com/show_bug.cgi?id=1470995
+Latest upstream effort is below: +https://www.spinics.net/lists/kernel/msg2825184.html
+Ideally this need an upstream fix, but since nobody response we can workaround +it like the module code did.
+Signed-off-by: Dave Young dyoung@redhat.com +---
- arch/x86/kernel/kexec-bzimage64.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
+--- linux-x86.orig/arch/x86/kernel/kexec-bzimage64.c ++++ linux-x86/arch/x86/kernel/kexec-bzimage64.c +@@ -533,7 +533,7 @@ static int bzImage64_cleanup(void *loade
- static int bzImage64_verify_sig(const char *kernel, unsigned long
kernel_len)
- {
return verify_pefile_signature(kernel, kernel_len,
+- NULL, ++ (void *)1UL,
VERIFYING_KEXEC_PE_SIGNATURE);
- }
- #endif
-- 2.17.0 _______________________________________________ kernel mailing list -- kernel@lists.fedoraproject.org To unsubscribe send an email to kernel-leave@lists.fedoraproject.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/kernel@ lists.fedoraproject.org/message/RYRV32S4Z6F7WGR3BEIXVWOGX6XV3JSQ/
On 06/13/18 at 09:38am, Justin Forbes wrote:
On Tue, Jun 12, 2018 at 5:03 AM, Dave Young dyoung@redhat.com wrote:
Fedora bug https://bugzilla.redhat.com/show_bug.cgi?id=1470995
With Fedora kernels on Secure Boot enabled machine kexec_file_load fails because kernel can not use any keys other than kernel builtin keyring. verify_pefile_signature() requires caller to pass 1UL as the keyring pointer to use other keyring.
Posted a fix in upstream, but no response for long time. Thus going with a Fedora fix same as what the module code does.
Latest upstream effort: https://www.spinics.net/lists/kernel/msg2825184.html
Signed-off-by: Dave Young dyoung@redhat.com
I would really like to hear David Howell's opinion on this before we consider carrying it. I have CCed him.
Justin, thanks for adding cc, I'm also waiting for his review in upstream. But forgot to add him for the Fedora patch.
Since our module code already takes this workaround, for kexec it is pretty safe. I tested this patch with a scratch build, pesigned the kernel with a temp key, import it in mokutil. The build works well for me.
If the 1UL passing is wrong then we should drop the module patch as well as this one and take some reasonable fix.
Thanks, Justin
kernel.spec | 3 ++ kexec-bzimage-verify-pe-signature-fix.patch | 32 +++++++++++++++++++++ 2 files changed, 35 insertions(+) create mode 100644 kexec-bzimage-verify-pe-signature-fix.patch
diff --git a/kernel.spec b/kernel.spec index d5e16d7f..7a20da1e 100644 --- a/kernel.spec +++ b/kernel.spec @@ -608,6 +608,9 @@ Patch501: Fix-for-module-sig-verification.patch # rhbz 1431375 Patch502: input-rmi4-remove-the-need-for-artifical-IRQ.patch
+# rhbz 1470995 +Patch503: kexec-bzimage-verify-pe-signature-fix.patch
# END OF PATCH DEFINITIONS
%endif diff --git a/kexec-bzimage-verify-pe-signature-fix.patch b/kexec-bzimage-verify-pe-signature-fix.patch new file mode 100644 index 00000000..866b74b9 --- /dev/null +++ b/kexec-bzimage-verify-pe-signature-fix.patch @@ -0,0 +1,32 @@ +From: Dave Young dyoung@redhat.com
+Fix kexec_file_load pefile signature verification
+Similar with Fix-for-module-sig-verification.patch, kexec_file syscall also +need pass 1UL to verify_pefile_signature so that secondary keys can be used.
+Fedora bug +https://bugzilla.redhat.com/show_bug.cgi?id=1470995
+Latest upstream effort is below: +https://www.spinics.net/lists/kernel/msg2825184.html
+Ideally this need an upstream fix, but since nobody response we can workaround +it like the module code did.
+Signed-off-by: Dave Young dyoung@redhat.com +---
- arch/x86/kernel/kexec-bzimage64.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
+--- linux-x86.orig/arch/x86/kernel/kexec-bzimage64.c ++++ linux-x86/arch/x86/kernel/kexec-bzimage64.c +@@ -533,7 +533,7 @@ static int bzImage64_cleanup(void *loade
- static int bzImage64_verify_sig(const char *kernel, unsigned long
kernel_len)
- {
return verify_pefile_signature(kernel, kernel_len,
+- NULL, ++ (void *)1UL,
VERIFYING_KEXEC_PE_SIGNATURE);
- }
- #endif
-- 2.17.0 _______________________________________________ kernel mailing list -- kernel@lists.fedoraproject.org To unsubscribe send an email to kernel-leave@lists.fedoraproject.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/kernel@ lists.fedoraproject.org/message/RYRV32S4Z6F7WGR3BEIXVWOGX6XV3JSQ/
On 06/14/18 at 02:18pm, Dave Young wrote:
On 06/13/18 at 09:38am, Justin Forbes wrote:
On Tue, Jun 12, 2018 at 5:03 AM, Dave Young dyoung@redhat.com wrote:
Fedora bug https://bugzilla.redhat.com/show_bug.cgi?id=1470995
With Fedora kernels on Secure Boot enabled machine kexec_file_load fails because kernel can not use any keys other than kernel builtin keyring. verify_pefile_signature() requires caller to pass 1UL as the keyring pointer to use other keyring.
Posted a fix in upstream, but no response for long time. Thus going with a Fedora fix same as what the module code does.
Latest upstream effort: https://www.spinics.net/lists/kernel/msg2825184.html
Signed-off-by: Dave Young dyoung@redhat.com
I would really like to hear David Howell's opinion on this before we consider carrying it. I have CCed him.
Justin, thanks for adding cc, I'm also waiting for his review in upstream. But forgot to add him for the Fedora patch.
Since our module code already takes this workaround, for kexec it is pretty safe. I tested this patch with a scratch build, pesigned the kernel with a temp key, import it in mokutil. The build works well for me.
If the 1UL passing is wrong then we should drop the module patch as well as this one and take some reasonable fix.
But seems nobody cares about this in upstream, so I'm not sure when it can be fixed. We can take this workaround in Fedora for the time being.
Thanks, Justin
kernel.spec | 3 ++ kexec-bzimage-verify-pe-signature-fix.patch | 32 +++++++++++++++++++++ 2 files changed, 35 insertions(+) create mode 100644 kexec-bzimage-verify-pe-signature-fix.patch
diff --git a/kernel.spec b/kernel.spec index d5e16d7f..7a20da1e 100644 --- a/kernel.spec +++ b/kernel.spec @@ -608,6 +608,9 @@ Patch501: Fix-for-module-sig-verification.patch # rhbz 1431375 Patch502: input-rmi4-remove-the-need-for-artifical-IRQ.patch
+# rhbz 1470995 +Patch503: kexec-bzimage-verify-pe-signature-fix.patch
# END OF PATCH DEFINITIONS
%endif diff --git a/kexec-bzimage-verify-pe-signature-fix.patch b/kexec-bzimage-verify-pe-signature-fix.patch new file mode 100644 index 00000000..866b74b9 --- /dev/null +++ b/kexec-bzimage-verify-pe-signature-fix.patch @@ -0,0 +1,32 @@ +From: Dave Young dyoung@redhat.com
+Fix kexec_file_load pefile signature verification
+Similar with Fix-for-module-sig-verification.patch, kexec_file syscall also +need pass 1UL to verify_pefile_signature so that secondary keys can be used.
+Fedora bug +https://bugzilla.redhat.com/show_bug.cgi?id=1470995
+Latest upstream effort is below: +https://www.spinics.net/lists/kernel/msg2825184.html
+Ideally this need an upstream fix, but since nobody response we can workaround +it like the module code did.
+Signed-off-by: Dave Young dyoung@redhat.com +---
- arch/x86/kernel/kexec-bzimage64.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
+--- linux-x86.orig/arch/x86/kernel/kexec-bzimage64.c ++++ linux-x86/arch/x86/kernel/kexec-bzimage64.c +@@ -533,7 +533,7 @@ static int bzImage64_cleanup(void *loade
- static int bzImage64_verify_sig(const char *kernel, unsigned long
kernel_len)
- {
return verify_pefile_signature(kernel, kernel_len,
+- NULL, ++ (void *)1UL,
VERIFYING_KEXEC_PE_SIGNATURE);
- }
- #endif
-- 2.17.0 _______________________________________________ kernel mailing list -- kernel@lists.fedoraproject.org To unsubscribe send an email to kernel-leave@lists.fedoraproject.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/kernel@ lists.fedoraproject.org/message/RYRV32S4Z6F7WGR3BEIXVWOGX6XV3JSQ/
kernel@lists.fedoraproject.org