User: Password:
|
|
Subscribe / Log in / New account

Re: [RFC PATCH 00/13][V3] kexec: A new system call to allow in kernel loading

From:  Vivek Goyal <vgoyal-AT-redhat.com>
To:  Borislav Petkov <bp-AT-alien8.de>
Subject:  Re: [RFC PATCH 00/13][V3] kexec: A new system call to allow in kernel loading
Date:  Tue, 17 Jun 2014 09:24:26 -0400
Message-ID:  <20140617132426.GB28340@redhat.com>
Cc:  linux-kernel-AT-vger.kernel.org, kexec-AT-lists.infradead.org, ebiederm-AT-xmission.com, hpa-AT-zytor.com, mjg59-AT-srcf.ucam.org, greg-AT-kroah.com, jkosina-AT-suse.cz, dyoung-AT-redhat.com, chaowang-AT-redhat.com, bhe-AT-redhat.com, akpm-AT-linux-foundation.org
Archive-link:  Article

On Mon, Jun 16, 2014 at 11:13:28PM +0200, Borislav Petkov wrote:
> On Tue, Jun 03, 2014 at 09:06:49AM -0400, Vivek Goyal wrote:
> > This patch series does not do kernel signature verification yet. I
> > plan to post another patch series for that. Now bzImage is already
> > signed with PKCS7 signature I plan to parse and verify those
> > signatures.
> 
> Btw, do you have a brief outline on how you are going to do the
> extension to signature verification? Nothing formal, just enough of an
> outline that I can see where in the flow it will be plugged in.
> 
> I was wondering how the whole signature signing and verification will
> be done, i.e., where do I get the signature, how and who will verify it
> (I'm guessing the purgatory code), etc, etc.

Hi Boris,

I am still working on signing patches. I have uploaded them here for you
to have a look.

http://people.redhat.com/vgoyal/kdump-secureboot/in-kerne...

Last patch should give you a good idea how signature verification hooks
into kexec.

Signature verification patches are based on David Howell's work.

There is no purgatory involved here. Once we have copied kernel image
into kernel space, first thing we do is call into arch image loader
and ask it to verify signature of image. And bzImage loader in turn
calls into helper functions which can parse a PE signed file and
verify image signature.

I have yet to cleanup the code, implement a config option which enforces
signature verification.

Automatic enforncement of signature verification if secureboot is
enabled will happen once matthew's secureboot patches are merged 
into mainline.

Thanks
Vivek


(Log in to post comments)


Copyright © 2014, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds