From patchwork Fri Aug 25 06:18:36 2023
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Chengen Du <chengen.du@canonical.com>
X-Patchwork-Id: 1825792
Return-Path: <kernel-team-bounces@lists.ubuntu.com>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@legolas.ozlabs.org
Authentication-Results: legolas.ozlabs.org;
	dkim=fail reason="signature verification failed" (2048-bit key;
 unprotected) header.d=canonical.com header.i=@canonical.com
 header.a=rsa-sha256 header.s=20210705 header.b=YIwRZxDH;
	dkim-atps=neutral
Authentication-Results: legolas.ozlabs.org;
 spf=pass (sender SPF authorized) smtp.mailfrom=lists.ubuntu.com
 (client-ip=91.189.94.19; helo=huckleberry.canonical.com;
 envelope-from=kernel-team-bounces@lists.ubuntu.com;
 receiver=patchwork.ozlabs.org)
Received: from huckleberry.canonical.com (huckleberry.canonical.com
 [91.189.94.19])
	(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by legolas.ozlabs.org (Postfix) with ESMTPS id 4RX8sm0tj9z1yfF
	for <incoming@patchwork.ozlabs.org>; Fri, 25 Aug 2023 16:18:52 +1000 (AEST)
Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com)
	by huckleberry.canonical.com with esmtp (Exim 4.86_2)
	(envelope-from <kernel-team-bounces@lists.ubuntu.com>)
	id 1qZQ9e-0004Sk-Rs; Fri, 25 Aug 2023 06:18:46 +0000
Received: from smtp-relay-internal-1.internal ([10.131.114.114]
 helo=smtp-relay-internal-1.canonical.com)
 by huckleberry.canonical.com with esmtps
 (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2)
 (envelope-from <chengen.du@canonical.com>) id 1qZQ9d-0004SK-1y
 for kernel-team@lists.ubuntu.com; Fri, 25 Aug 2023 06:18:45 +0000
Received: from mail-oi1-f197.google.com (mail-oi1-f197.google.com
 [209.85.167.197])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest
 SHA256)
 (No client certificate requested)
 by smtp-relay-internal-1.canonical.com (Postfix) with ESMTPS id A09923F21F
 for <kernel-team@lists.ubuntu.com>; Fri, 25 Aug 2023 06:18:44 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=canonical.com;
 s=20210705; t=1692944324;
 bh=3PcBbIZdHnQ9PYxd/7ZFspuO1YSXDEPSc+u7Egw+ZyE=;
 h=From:To:Subject:Date:Message-Id:MIME-Version;
 b=YIwRZxDHpn0K1jOYdqpomdAFHV1dw8v8UDhSlnaFHxNxR7M9BTJzaiGD91iH+wfOE
 x8I5roOxA8vKq4GV60AlnrtwALOcK5Z2Y3Vy3uhG35DKlFLFIKOBgntOYQHEPr7ccB
 F86TK5DLdFOTYKFQqMBzVDJQukTzwfTMByP0Oh+NSy2X+rQYtVmYFU9/gbI3qvtjxp
 LiFCa8gluMWqK4ULCiHYC0jLm0hqUP6mHAVNblBK2kqXTz94TAkgBiqcYDBmgV8iKM
 99CzXWlxNrRJsqCr/4OpURR2EG29u6IyZ/UYmKlq3Ab4TlSJYJkWULfX+MKryC8ovR
 A771dUPGwUC7A==
Received: by mail-oi1-f197.google.com with SMTP id
 5614622812f47-3a5ad6088f8so682712b6e.0
 for <kernel-team@lists.ubuntu.com>; Thu, 24 Aug 2023 23:18:44 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20221208; t=1692944323; x=1693549123;
 h=content-transfer-encoding:mime-version:message-id:date:subject:to
 :from:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to;
 bh=3PcBbIZdHnQ9PYxd/7ZFspuO1YSXDEPSc+u7Egw+ZyE=;
 b=Ay1P+e3rFZEjRmNooUH7BCdguOAcIqgWlo7RL9BLZcOCB9306RWLoPS7+IQausJP5w
 z/+adj/HJK3XbB8VKrap9uV96iv9CmP+sw0/kZAkJyiGu4LHRpxT2pRQScNFTRS+7i7s
 +o7UmKMZ2y7vb9YbXofR0ZJmFHOQoPivkIHcjhRW3FZmz8us42Dh6jh5N+nafYDJLx4A
 qaDJk34iIgnPa8+MANymjUel5x0Ns//Z5pj5N3kAPw/cQMAOZEVMYT8y1aXu+a8HObBB
 DqDgyOQEbrdcT/EoS/rnwuSKfSgdXpEel7p7TTAiepWP9Rvr7ZsTKWQK8/GJeQY9Kclt
 EAjA==
X-Gm-Message-State: AOJu0Yxwiem5nBhbgasPn4GmI+5xo7mGztoAap8I6TcFrVvMEdKUk1AQ
 JNuyAs92Ev860w+f7tVXe/KRAN5qDooKPMuvfXPhgqQ7oHK0CQrkKWzaFImzQ8vpNHa1FQySb+n
 zj+QP67166OJ/QOfTgFTBPJ7q2W3bD1P7BAFLF0ReerzAc4WiT3v4xeA=
X-Received: by 2002:a05:6808:1811:b0:3a7:49e5:e0da with SMTP id
 bh17-20020a056808181100b003a749e5e0damr2303693oib.26.1692944323241;
 Thu, 24 Aug 2023 23:18:43 -0700 (PDT)
X-Google-Smtp-Source: 
 AGHT+IHAbXgJNoyYyWqE1OPeKR7bNL/tKekNFQPslMf0wR63RVp+3M1T+zvB7iEbeGcMT+t4iu5uKw==
X-Received: by 2002:a05:6808:1811:b0:3a7:49e5:e0da with SMTP id
 bh17-20020a056808181100b003a749e5e0damr2303680oib.26.1692944322979;
 Thu, 24 Aug 2023 23:18:42 -0700 (PDT)
Received: from chengendu.. (111-248-109-24.dynamic-ip.hinet.net.
 [111.248.109.24]) by smtp.gmail.com with ESMTPSA id
 u4-20020aa78484000000b00660d80087a8sm728664pfn.187.2023.08.24.23.18.41
 for <kernel-team@lists.ubuntu.com>
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Thu, 24 Aug 2023 23:18:42 -0700 (PDT)
From: Chengen Du <chengen.du@canonical.com>
To: kernel-team@lists.ubuntu.com
Subject: [SRU][J][PATCH 0/3] kdump doesn't work with UEFI secure boot and
 kernel lockdown enabled on ARM64
Date: Fri, 25 Aug 2023 14:18:36 +0800
Message-Id: <20230825061839.52444-1-chengen.du@canonical.com>
X-Mailer: git-send-email 2.39.2
MIME-Version: 1.0
X-BeenThere: kernel-team@lists.ubuntu.com
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: Kernel team discussions <kernel-team.lists.ubuntu.com>
List-Unsubscribe: <https://lists.ubuntu.com/mailman/options/kernel-team>,
 <mailto:kernel-team-request@lists.ubuntu.com?subject=unsubscribe>
List-Archive: <https://lists.ubuntu.com/archives/kernel-team>
List-Post: <mailto:kernel-team@lists.ubuntu.com>
List-Help: <mailto:kernel-team-request@lists.ubuntu.com?subject=help>
List-Subscribe: <https://lists.ubuntu.com/mailman/listinfo/kernel-team>,
 <mailto:kernel-team-request@lists.ubuntu.com?subject=subscribe>
Errors-To: kernel-team-bounces@lists.ubuntu.com
Sender: "kernel-team" <kernel-team-bounces@lists.ubuntu.com>

BugLink: https://bugs.launchpad.net/bugs/2033007

SRU Justification:

[Impact]
The kdump service operates by utilizing the kexec_file_load system call, which loads a new kernel image intended for subsequent execution.
However, this process encounters a hindrance if the CONFIG_KEXEC_IMAGE_VERIFY_SIG option isn't enabled to facilitate signature verification.

In addition, a noteworthy point is that if the kernel image is signed with a MOK,
it will face rejection due to ARM64's reliance solely on the .builtin_trusted_keys for verification purposes.
To enhance flexibility, it's suggested that we align the behavior on x86 platforms.
This alignment could potentially involve expanding the scope to encompass more keyrings, such as .secondary_trusted_keys and platform keyrings,
thereby broadening the options available for verification mechanisms.

[Fix]
Enabling the CONFIG_KEXEC_IMAGE_VERIFY_SIG option is necessary,
along with the incorporation of two specific commits, in order to enhance the capabilities of the kexec_file_load system call on ARM64.
The commits that need to be applied are as follows:
c903dae8941d kexec, KEYS: make the code in bzImage64_verify_sig generic
0d519cadf751 arm64: kexec_file: use more system keyrings to verify kernel image signature

[Test Plan]
1. Set up a VM with UEFI secure boot and enabled kernel lockdown on ARM64
2. Install 'kdump-tools'
sudo apt install linux-crashdump
3. Reboot and verify kdump status with 'kdump-config show'
root@ubuntu:~# kdump-config show
DUMP_MODE: kdump
USE_KDUMP: 1
KDUMP_COREDIR: /var/crash
crashkernel addr: 0xde000000
   /var/lib/kdump/vmlinuz: symbolic link to /boot/vmlinuz-5.15.0-78-generic
kdump initrd:
   /var/lib/kdump/initrd.img: symbolic link to /var/lib/kdump/initrd.img-5.15.0-78-generic
current state: Not ready to kdump

kexec command:
  /sbin/kexec -p -s --command-line="BOOT_IMAGE=/boot/vmlinuz-5.15.0-79-generic root=UUID=63e4c69f-fb47-4a54-8ef1-c955ae9a9a50 ro console=tty1 console=ttyS0 reset_devices systemd.unit=kdump-tools-dump.service nr_cpus=1" --initrd=/var/lib/kdump/initrd.img /var/lib/kdump/vmlinuz
4. Check the log using 'systemctl status kdump-tools'
Aug 24 06:08:39 ubuntu systemd[1]: Starting Kernel crash dump capture service...
Aug 24 06:08:39 ubuntu kdump-tools[1750]: Starting kdump-tools:
Aug 24 06:08:39 ubuntu kdump-tools[1755]: * Creating symlink /var/lib/kdump/vmlinuz
Aug 24 06:08:39 ubuntu kdump-tools[1755]: * Creating symlink /var/lib/kdump/initrd.img
Aug 24 06:08:39 ubuntu kdump-tools[1755]: * /sbin/kexec -p -s --command-line="BOOT_IMAGE=/boot/vmlinuz-5.15.0-78-generic root=UUID=63e4c69f-fb47-4a54-8ef1-c955ae9a9a50 ro console=tty1 console=ttyS0 reset_devices systemd.unit=kdump-tools-dump.service nr_cpus=1" --initrd=/var/lib/kdump/initrd.img /var/lib/kdump/vmlinuz
Aug 24 06:08:41 ubuntu kernel: [ 403.301008] Lockdown: kexec: kexec of unsigned images is restricted; see man kernel_lockdown.7
Aug 24 06:08:41 ubuntu kdump-tools[1755]: * failed to load kdump kernel
Aug 24 06:08:41 ubuntu kdump-tools: failed to load kdump kernel
Aug 24 06:08:41 ubuntu systemd[1]: Finished Kernel crash dump capture service.

[Where problems could occur]
The problem is specific to kexec image signature verification on ARM64.
This change allows additional keyrings and impacts only the ARM64 kexec_file_load system call.

Chengen Du (1):
  UBUNTU: [Config]: Enable CONFIG_KEXEC_IMAGE_VERIFY_SIG

Coiby Xu (2):
  kexec, KEYS: make the code in bzImage64_verify_sig generic
  arm64: kexec_file: use more system keyrings to verify kernel image
    signature

 arch/arm64/kernel/kexec_image.c   | 11 +----------
 arch/x86/kernel/kexec-bzimage64.c | 20 +-------------------
 debian.master/config/annotations  |  2 +-
 include/linux/kexec.h             |  7 +++++++
 kernel/kexec_file.c               | 17 +++++++++++++++++
 5 files changed, 27 insertions(+), 30 deletions(-)
Acked-by: Tim Gardner <tim.gardner@canonical.com>
Acked-by: Roxana Nicolescu <roxana.nicolescu@canonical.com>