F20 System Wide Change: Enable kdump on secureboot machines

Jaroslav Reznik jreznik at redhat.com
Thu Jul 11 11:40:27 UTC 2013 

= Proposed System Wide Change: Enable kdump on secureboot machines =
https://fedoraproject.org/wiki/Changes/Kdump_with_secureboot

Change owner(s): Vivek Goyal <vgoyal at redhat.com>

Currently kexec/kdump is disabled on machines with secureboot enabled. This 
feature aims to enable kexec/kdump on such machines.

== Detailed description ==
/sbin/kexec prepares a binary blob, called purgatory. This code runs at 
priviliged level between kernel transition. With secureboot enabled, no 
unsigned code should run at privilige level 0, hence kexec/kdump is currently 
disabled if secureboot is enabled.

One proposed way to solve the problem is that sign /sbin/kexec utility. And 
upon successful signature verification, allow it to load kernel, initramfs, and 
binary blob. /sbin/kexec will verify signatures of kernel being loaded before 
it asks running kernel to load it.

There are quite a few pieces to the puzzle. I am listing the some of the 
things which need to be done. 

=== Build and ship ima-evm-utils package === 
/sbin/kexec will be signed by evmctl. This utility will put an xattr 
security.ima on /sbin/kexec file and kernel will leverage IMA infrastructure in 
kernel to verify signature of /sbin/kexec upon execution. 

* There is a bz open 807476 for inclusion of this package since long time. Not 
sure what it is stuck on though. 

* There are some patches which are not upstream yet (like lock down executable 
in memory) which we need to carry in this patckage till patches get upstream. 

=== Changes to kexec-tools ===
Build /sbin/kexec statically. There is no infrastructure to sign and verify 
signature of shared libraries. Even if we can sign and verify shared 
libraries, currently kernel allows writing to shared libraries while these are 
mapped. So one can overwrite the library after signature verification. So build 
/sbin/kexec statically. kexec does not use nss related code, so there should 
not be any issues w.r.t glibc calling into other shared libraries. 

* Generate detached /sbin/kexec signautre at build time and install these 
signature on target in seucurity.ima xattr when kexec-tools is installed. 

* Modify kexec-tools so that it can call keyctl() and verify signature of a 
new kernel being loaded. 

=== Kernel Changes ===
Kernel needs to carry additional patches to do verify elf binary signature.
* There are patches to extend keyctl() so that user space can use it to verify 
signature of a user buffer (vmlinuz in this case).
* These patches are not upstream, so these need to be carried in fedora till 
patches get upstream.
* Kernel need to be signed using evmctl and detached signature need to be 
generated. These signatures need to be installed on vmlinuz upon kernel rpm 
installation in security.ima xattr. 

=== Signing Key Management ===
Yet to be figured out. There are couple of ideas on table.

* Embed few keys in kernel and one of these keys will be used to sign 
/sbin/kexec. In case of a key is revoked, use a new key from set of embedded 
keys.
* Ship a PE/COFF wrapped key in kexec-tools package. This PE/COFF binary 
should be signed by appropriate authority so it can be loaded in system 
keyring. 

== Scope ==
Proposal owners:
* Provide patches for kernel package.
* Provide patches for kexec-tools package.
* Provide patches for ima-evm-utils package.
* ima-evm-utils package will be new. It is not clear who will maintain that 
package. 

Other developers:
* Signing Process, Signing key management, Signing key loading on target after 
boot and Signature installation on target are unknown areas right now. It is 
not very clear how these things will be done. Once details have been figured 
out, it might require work from other developers. Not sure though at this 
point of time.
* Can't think any other major work required by other developers yet. We will 
have to figure out how signing will take place and how signatures will be 
installed on target system. And depending on how we do it, it might require 
some work from other developers. Like making use of rpm hooks to install 
signature etc. Given the fact that we are signing only one file /sbin/kexec, we 
might get away doing changes in kexec-tools spec file. 

Release engineering:
* We need to sort out how signing will take place. I will require release-
engineering help on this.
* For issues related to key management I will need help of security/release 
engineering. 

Policies and guidelines:
* I think to begin with we might not have to update any packaging guidelines 
for this. Anything magic w.r.t signing can probably be limited to kexec-tools 
spec file.

More information about the devel-announce mailing list