** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1851412

Title:
  Verify kexec image signatures on arm64

Status in linux package in Ubuntu:
  Invalid
Status in linux source package in Disco:
  Invalid
Status in linux source package in Eoan:
  Invalid
Status in linux source package in Focal:
  Invalid

Bug description:
  While reviewing our kernel configs in Focal, I noticed that we produce
  signed arm64 kernels since Disco but don't seem to be verifying any
  signatures during kexec. Specifically, CONFIG_KEXEC_IMAGE_VERIFY_SIG
  is not enabled.

  == Disco ==
  $ git grep CONFIG_KEXEC_IMAGE_VERIFY_SIG debian.master/
  debian.master/config/annotations:CONFIG_KEXEC_IMAGE_VERIFY_SIG    policy<{'arm64': 'n'}>
  debian.master/config/annotations:CONFIG_KEXEC_IMAGE_VERIFY_SIG    flag<REVIEW>
  debian.master/config/config.common.ubuntu:# CONFIG_KEXEC_IMAGE_VERIFY_SIG is not set

  == Eoan ==
  $ git grep CONFIG_KEXEC_IMAGE_VERIFY_SIG debian.master/
  debian.master/config/annotations:CONFIG_KEXEC_IMAGE_VERIFY_SIG    policy<{'arm64': 'n'}>
  debian.master/config/annotations:CONFIG_KEXEC_IMAGE_VERIFY_SIG    flag<REVIEW>
  debian.master/config/config.common.ubuntu:# CONFIG_KEXEC_IMAGE_VERIFY_SIG is not set

  Looking at the Ubuntu-5.3.0-19.20 tag in Eoan, it looks like the
  CONFIG_KEXEC_IMAGE_VERIFY_SIG option should be enabled to perform signature
  verification of kexec images:

  $ cat -n arch/arm64/kernel/kexec_image.c | tail -n 15
     116        #ifdef CONFIG_KEXEC_IMAGE_VERIFY_SIG
     117        static int image_verify_sig(const char *kernel, unsigned long kernel_len)
     118        {
     119                return verify_pefile_signature(kernel, kernel_len, NULL,
     120                                               VERIFYING_KEXEC_PE_SIGNATURE);
     121        }
     122        #endif
     123
     124        const struct kexec_file_ops kexec_image_ops = {
     125                .probe = image_probe,
     126                .load = image_load,
     127        #ifdef CONFIG_KEXEC_IMAGE_VERIFY_SIG
     128                .verify_sig = image_verify_sig,
     129        #endif
     130        };

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1851412/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to     : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp
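The bug report above checks the packaging tree for CONFIG_KEXEC_IMAGE_VERIFY_SIG by hand. The script below is an added example by the editor, not part of the report or of the Ubuntu kernel packaging: it reads a kernel config file (the format of /boot/config-$(uname -r), or of config.common.ubuntu in the packaging tree) and reports whether kexec image signature verification is actually enforced. It assumes that CONFIG_KEXEC_IMAGE_VERIFY_SIG is only meaningful when CONFIG_KEXEC_FILE is built in, since the verify_sig hook in kexec_image_ops belongs to the kexec_file_load() path; the sample config files it creates are constructed, not copied from any Ubuntu kernel.

```shell
#!/bin/sh
# Added example (not from the bug report): report whether a kernel config
# enforces kexec image signature verification on arm64.

# config_opt FILE OPTION -> prints y, m, n (explicitly "is not set") or absent
config_opt() {
    file="$1"
    opt="$2"
    if grep -q "^${opt}=y\$" "$file"; then
        echo y
    elif grep -q "^${opt}=m\$" "$file"; then
        echo m
    elif grep -q "^# ${opt} is not set\$" "$file"; then
        echo n
    else
        echo absent
    fi
}

# kexec_sig_status FILE -> enforced | disabled | no-kexec-file
# Assumption: CONFIG_KEXEC_IMAGE_VERIFY_SIG hangs off the kexec_file_load()
# code (CONFIG_KEXEC_FILE); without that, the verify_sig hook is never built.
kexec_sig_status() {
    file="$1"
    if [ "$(config_opt "$file" CONFIG_KEXEC_FILE)" != y ]; then
        echo no-kexec-file
        return 0
    fi
    case "$(config_opt "$file" CONFIG_KEXEC_IMAGE_VERIFY_SIG)" in
        y) echo enforced ;;
        *) echo disabled ;;
    esac
}

# Constructed sample configs (not real Ubuntu configs) for a stand-alone run.
SAMPLE_UNVERIFIED=$(mktemp)
SAMPLE_VERIFIED=$(mktemp)
SAMPLE_NOFILE=$(mktemp)
trap 'rm -f "$SAMPLE_UNVERIFIED" "$SAMPLE_VERIFIED" "$SAMPLE_NOFILE"' EXIT

# Shape of the Disco/Eoan arm64 config described in the report: option off.
printf '%s\n' \
    'CONFIG_KEXEC=y' \
    'CONFIG_KEXEC_FILE=y' \
    '# CONFIG_KEXEC_IMAGE_VERIFY_SIG is not set' > "$SAMPLE_UNVERIFIED"

# What the report asks for: option enabled alongside kexec_file_load support.
printf '%s\n' \
    'CONFIG_KEXEC=y' \
    'CONFIG_KEXEC_FILE=y' \
    'CONFIG_KEXEC_IMAGE_VERIFY_SIG=y' > "$SAMPLE_VERIFIED"

# Edge case: no kexec_file_load support at all, so the option is moot.
printf '%s\n' \
    'CONFIG_KEXEC=y' \
    '# CONFIG_KEXEC_FILE is not set' > "$SAMPLE_NOFILE"

for f in "$SAMPLE_UNVERIFIED" "$SAMPLE_VERIFIED" "$SAMPLE_NOFILE"; do
    printf '%s: %s\n' "$f" "$(kexec_sig_status "$f")"
done
```

On a running Ubuntu system the same check is `kexec_sig_status /boot/config-$(uname -r)`; a result of `disabled` matches the situation the report describes, where signed kernels are shipped but a kexec'd image is loaded without its signature being checked.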
