
Commit 732b7b93 authored by AKASHI Takahiro Committed by Will Deacon

arm64: kexec_file: add kernel signature verification support



With this patch, kernel verification can be done without IMA security
subsystem enabled. Turn on CONFIG_KEXEC_VERIFY_SIG instead.

On x86, a signature is embedded into the PE file (Microsoft's format) header
of the binary. Since arm64's "Image" can also be seen as a PE file as long as
CONFIG_EFI is enabled, we adopt this format for kernel signing.

You can create a signed kernel image with:
    $ sbsign --key ${KEY} --cert ${CERT} Image

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Will Deacon <will.deacon@arm.com>
Reviewed-by: James Morse <james.morse@arm.com>
[will: removed useless pr_debug()]
Signed-off-by: Will Deacon <will.deacon@arm.com>
parent 702ed5bb
+24 −0
@@ -867,6 +867,30 @@ config KEXEC_FILE
	  for kernel and initramfs as opposed to list of segments as
	  accepted by previous system call.

config KEXEC_VERIFY_SIG
	bool "Verify kernel signature during kexec_file_load() syscall"
	depends on KEXEC_FILE
	help
	  Select this option to verify a signature with loaded kernel
	  image. If configured, any attempt of loading a image without
	  valid signature will fail.

	  In addition to that option, you need to enable signature
	  verification for the corresponding kernel image type being
	  loaded in order for this to work.

config KEXEC_IMAGE_VERIFY_SIG
	bool "Enable Image signature verification support"
	default y
	depends on KEXEC_VERIFY_SIG
	depends on EFI && SIGNED_PE_FILE_VERIFICATION
	help
	  Enable Image signature verification support.

comment "Support for PE file signature verification disabled"
	depends on KEXEC_VERIFY_SIG
	depends on !EFI || !SIGNED_PE_FILE_VERIFICATION

config CRASH_DUMP
	bool "Build kdump crash kernel"
	help
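Review bot: The help text for KEXEC_VERIFY_SIG does not say what happens when the option is enabled while EFI or SIGNED_PE_FILE_VERIFICATION is off; KEXEC_IMAGE_VERIFY_SIG is then unavailable and only the menu `comment` hints at it. Whether kexec_file_load() then rejects every Image or accepts it unverified is decided in generic kexec code that is not part of this section, so the outcome should be confirmed there and stated in the help, for example `If no verifier is enabled for the image type, loading is expected to fail.` It would also help to say that the check covers the kernel image only, since the help reads as if the whole kexec_file_load() payload were verified.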
+18 −5
@@ -12,7 +12,9 @@
#include <linux/errno.h>
#include <linux/kernel.h>
#include <linux/kexec.h>
#include <linux/pe.h>
#include <linux/string.h>
#include <linux/verification.h>
#include <asm/byteorder.h>
#include <asm/cpufeature.h>
#include <asm/image.h>
@@ -20,13 +22,13 @@

static int image_probe(const char *kernel_buf, unsigned long kernel_len)
{
	const struct arm64_image_header *h;
	const struct arm64_image_header *h =
		(const struct arm64_image_header *)(kernel_buf);

	h = (const struct arm64_image_header *)(kernel_buf);
	if (!h || (kernel_len < sizeof(*h)))
		return -EINVAL;

	if (!h || (kernel_len < sizeof(*h)) ||
			memcmp(&h->magic, ARM64_IMAGE_MAGIC,
				sizeof(h->magic)))
	if (memcmp(&h->magic, ARM64_IMAGE_MAGIC, sizeof(h->magic)))
		return -EINVAL;

	return 0;
@@ -107,7 +109,18 @@ static void *image_load(struct kimage *image,
	return ERR_PTR(ret);
}

#ifdef CONFIG_KEXEC_IMAGE_VERIFY_SIG
static int image_verify_sig(const char *kernel, unsigned long kernel_len)
{
	return verify_pefile_signature(kernel, kernel_len, NULL,
				       VERIFYING_KEXEC_PE_SIGNATURE);
}
#endif

const struct kexec_file_ops kexec_image_ops = {
	.probe = image_probe,
	.load = image_load,
#ifdef CONFIG_KEXEC_IMAGE_VERIFY_SIG
	.verify_sig = image_verify_sig,
#endif
};
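Review bot: image_verify_sig() passes `NULL` as the trusted-keys argument of verify_pefile_signature() without a comment saying which keyring that selects. If NULL means the built-in trusted keyring only, as it does in the generic PKCS#7 verification helper, an Image signed with a key that exists solely in a secondary or platform keyring would be rejected, and operators enrolling their own keys need to know that. After confirming this against verify_pefile_signature(), a one-line comment above the call would document the trust anchor: `/* NULL: trust only keys in the built-in trusted keyring */`.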