From nobody Tue Nov 26 19:53:44 2024 Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by smtp.subspace.kernel.org (Postfix) with ESMTP id E21DD21E3DB; Tue, 15 Oct 2024 22:22:54 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=217.140.110.172 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1729030977; cv=none; b=BARBFdB4jjSsy32lYy+qIS89SsasddG1QDsOWuppAAqIh3I0LbU1420AlBW6FTDH41MBKwBstBCneMSKIYXfVORuKWwQNmHrk/6Ux8/6V59K2JnbzofTQBmhcFres5al2wt8TCB3YsIq3F1rYV72Bmd/6VGZuPoCH71mXbqjWow= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1729030977; c=relaxed/simple; bh=a/9waGCx6zmCoPndDtrnBw09clAutUJbVmjhCyxxTzI=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=vDG9QERH4P59SbzhB+5vjg5wPmK7MUGh97bFxJsVIx4iGu4n+ucoAnD0tccVJJKNNPhyhMZEP2nPq8BwHhuZvg0SxFiW7p46AHcf9oKUrpi+VgfYkHKbBDcafaFkNh95wPXSgpm0/GerA0sKCXvYwIqeoZfCmPUa2CfKeqsgLek= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=arm.com; spf=pass smtp.mailfrom=arm.com; arc=none smtp.client-ip=217.140.110.172 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=arm.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=arm.com Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id CB6D71007; Tue, 15 Oct 2024 15:23:23 -0700 (PDT) Received: from u200865.usa.arm.com (U203867.austin.arm.com [10.118.30.35]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id 226023F71E; Tue, 15 Oct 2024 15:22:54 -0700 (PDT) 
From: Jeremy Linton To: linux-kernel@vger.kernel.org Cc: akpm@linux-foundation.org, hch@lst.de, gregkh@linuxfoundation.org, graf@amazon.com, lukas@wunner.de, wufan@linux.microsoft.com, brauner@kernel.org, jsperbeck@google.com, ardb@kernel.org, linux-crypto@vger.kernel.org, linux-kbuild@vger.kernel.org, keyrings@vger.kernel.org, Jeremy Linton Subject: [RFC 1/5] initramfs: Add initramfs signature checking Date: Tue, 15 Oct 2024 17:22:31 -0500 Message-ID: <20241015222235.71040-2-jeremy.linton@arm.com> X-Mailer: git-send-email 2.46.2 In-Reply-To: <20241015222235.71040-1-jeremy.linton@arm.com> References: <20241015222235.71040-1-jeremy.linton@arm.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Various root-level processes, configurations, and the like can exist in the initramfs provided by the boot loader. The kernel does a reasonable job of signature checking and blocking unsigned code from running in the kernel, but this is only one aspect of system security. The remaining init and early startup code running in userspace are just as critical to system security. This option provides a basic initramfs signature check, which reuses the module signature checking infrastructure to validate the boot loader provided initramfs. Later, a system policy can allow or deny images that fail the signature check. Signed-off-by: Jeremy Linton --- usr/Kconfig | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/usr/Kconfig b/usr/Kconfig index 9279a2893ab0..a9c0dc0112eb 100644 --- a/usr/Kconfig +++ b/usr/Kconfig 
@@ -32,6 +32,15 @@ config INITRAMFS_FORCE and is useful if you cannot or don't want to change the image your bootloader passes to the kernel. =20 +config INITRAMFS_SIG + bool "Validate signed initramfs images" + depends on SYSTEM_DATA_VERIFICATION + help + This option validates that image provided by the + bootloader is signed. The decision to accept or + reject the image is then left to the kernel lockdown + logic. + config INITRAMFS_ROOT_UID int "User ID to map to 0 (user root)" depends on INITRAMFS_SOURCE!=3D"" --=20 2.46.0 From nobody Tue Nov 26 19:53:44 2024 Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by smtp.subspace.kernel.org (Postfix) with ESMTP id A75AF1B0F0F; Tue, 15 Oct 2024 22:22:55 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=217.140.110.172 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1729030977; cv=none; b=r+kU+GscUPToqkdkvH1G/P6b06yVUf1EE6lMtTeJ6/s1jCcsMYR2610wmhboxIRg0ExWhgkHq7/2TsXPyAW+lyshTWtn/T2xULExUAFbc5IFMRQOFHTQsO6qBsRGrKIClnlBrdE7YFs/SSIGSy5J2Mdt6vPrBK2xpC58Hjt2FBs= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1729030977; c=relaxed/simple; bh=Hyol+qnMXN5hFfxO1tenvEfNy6Zotd9r1odI5pxqgm8=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=dQORGs4lSjdT3QMLbCqAk3+EVYo7FJDpQKMvHZmwbPRdID+iiey+S9vMIuNe+DII7gp9IY0b+/PNlFW4/fc8dIn1vGM6v/2IOo6VOikT2TmSC7tM3tVJ+FwmRmw8zroSxxlCAA2PuG1no1ZwdAeWJYGtKRXchfnlKNO/w+wVXLg= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=arm.com; spf=pass smtp.mailfrom=arm.com; arc=none smtp.client-ip=217.140.110.172 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=arm.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=arm.com Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 
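Review bot: the INITRAMFS_SIG help text says the accept/reject decision is "left to the kernel lockdown logic", but nothing in the series wires this to lockdown; the enforcement added in 5/5 is a separate `initrdsig=[enforcing|checking]` parameter with its own compiled-in default. Describe the actual policy here (what happens to an unsigned or rejected image, and the boot parameter that changes it), say which tool produces the expected trailer (sign-file -i from 4/5, not a module signature), and fix the grammar in "validates that image provided by the bootloader is signed" (missing "the").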
8D5D81691; Tue, 15 Oct 2024 15:23:24 -0700 (PDT) Received: from u200865.usa.arm.com (U203867.austin.arm.com [10.118.30.35]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id D872D3F71E; Tue, 15 Oct 2024 15:22:54 -0700 (PDT) From: Jeremy Linton To: linux-kernel@vger.kernel.org Cc: akpm@linux-foundation.org, hch@lst.de, gregkh@linuxfoundation.org, graf@amazon.com, lukas@wunner.de, wufan@linux.microsoft.com, brauner@kernel.org, jsperbeck@google.com, ardb@kernel.org, linux-crypto@vger.kernel.org, linux-kbuild@vger.kernel.org, keyrings@vger.kernel.org, Jeremy Linton Subject: [RFC 2/5] KEYS/certs: Start the builtin key and cert system earlier Date: Tue, 15 Oct 2024 17:22:32 -0500 Message-ID: <20241015222235.71040-3-jeremy.linton@arm.com> X-Mailer: git-send-email 2.46.2 In-Reply-To: <20241015222235.71040-1-jeremy.linton@arm.com> References: <20241015222235.71040-1-jeremy.linton@arm.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" This exists at the moment to assure that the module signature checking logic can be utilized before the initramfs is mounted. Assuming we want to use the built in keys as well as MOK's to validate an init image, is just moving this stuff earlier in the boot process the right choice? Signed-off-by: Jeremy Linton --- certs/blacklist.c | 2 +- certs/system_keyring.c | 4 ++-- crypto/asymmetric_keys/asymmetric_type.c | 2 +- crypto/asymmetric_keys/x509_public_key.c | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/certs/blacklist.c b/certs/blacklist.c index 675dd7a8f07a..e644dd4cfc2b 100644 --- a/certs/blacklist.c +++ b/certs/blacklist.c 
@@ -356,7 +356,7 @@ static int __init blacklist_init(void) /* * Must be initialised before we try and load the keys into the keyring. */ -device_initcall(blacklist_init); +fs_initcall(blacklist_init); =20 #ifdef CONFIG_SYSTEM_REVOCATION_LIST /* diff --git a/certs/system_keyring.c b/certs/system_keyring.c index 9de610bf1f4b..81a86418cb00 100644 --- a/certs/system_keyring.c +++ b/certs/system_keyring.c @@ -260,7 +260,7 @@ static __init int system_trusted_keyring_init(void) /* * Must be initialised before we try and load the keys into the keyring. */ -device_initcall(system_trusted_keyring_init); +subsys_initcall(system_trusted_keyring_init); =20 __init int load_module_cert(struct key *keyring) { @@ -293,7 +293,7 @@ static __init int load_system_certificate_list(void) =20 return x509_load_certificate_list(p, size, builtin_trusted_keys); } -late_initcall(load_system_certificate_list); +fs_initcall_sync(load_system_certificate_list); =20 #ifdef CONFIG_SYSTEM_DATA_VERIFICATION =20 diff --git a/crypto/asymmetric_keys/asymmetric_type.c b/crypto/asymmetric_k= eys/asymmetric_type.c index 43af5fa510c0..a0607e8cdafc 100644 --- a/crypto/asymmetric_keys/asymmetric_type.c +++ b/crypto/asymmetric_keys/asymmetric_type.c @@ -681,5 +681,5 @@ static void __exit asymmetric_key_cleanup(void) unregister_key_type(&key_type_asymmetric); } =20 -module_init(asymmetric_key_init); +subsys_initcall(asymmetric_key_init); module_exit(asymmetric_key_cleanup); diff --git a/crypto/asymmetric_keys/x509_public_key.c b/crypto/asymmetric_k= eys/x509_public_key.c index 8409d7d36cb4..391db5f1ede6 100644 --- a/crypto/asymmetric_keys/x509_public_key.c +++ b/crypto/asymmetric_keys/x509_public_key.c 
@@ -246,7 +246,7 @@ static void __exit x509_key_exit(void) unregister_asymmetric_key_parser(&x509_key_parser); } =20 -module_init(x509_key_init); +fs_initcall(x509_key_init); module_exit(x509_key_exit); =20 MODULE_DESCRIPTION("X.509 certificate parser"); --=20 2.46.0 From nobody Tue Nov 26 19:53:44 2024 Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 0BD781B6CED; Tue, 15 Oct 2024 22:22:55 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=217.140.110.172 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1729030977; cv=none; b=NCbFFRuugUkMZlbNfeJ/dTbfWADR3fEcOFrxhzxo565Ip8k9cN6Kqt9qlBtHelX3joHb4l7uUOB49FGaompuwF/T1AMeXTwcDyzWLdx9AUyiKzB4gr+JQXZ5v8EXIjZjV+LzpT83tC3evC0nlCudYZEN2Jkp+V6sa4j33tYN+Gs= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1729030977; c=relaxed/simple; bh=BqOeHEtc1k32tWuUWaZhaEli3OQ7/QlXnTlOvCW7df4=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=SK7puA3ux2LjDTE281AReWJc7NvDFrvAK1ly88sHBhVl4AHxzfqxfIQ+8xctW7WtccL5C/XAy8S+WKOpxkYIEpwwySNqqpNbnkxfdoXADGX9K4Z1PCyMcLoqI8VPMRopJFWB8HSNllOV4hHRVqHoS0AMqJ309Qy2zHGXldL6Az4= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=arm.com; spf=pass smtp.mailfrom=arm.com; arc=none smtp.client-ip=217.140.110.172 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=arm.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=arm.com Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 2C9811692; Tue, 15 Oct 2024 15:23:25 -0700 (PDT) Received: from u200865.usa.arm.com (U203867.austin.arm.com [10.118.30.35]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id 784793F71E; Tue, 15 Oct 2024 15:22:55 -0700 (PDT) 
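Review bot: in the certs/blacklist.c hunk only blacklist_init moves to fs_initcall; the code under the `#ifdef CONFIG_SYSTEM_REVOCATION_LIST` that follows the hunk is untouched, so whatever loads the revocation certificates into that keyring still runs at its old level. If that stays after rootfs population, a certificate revoked through the revocation list would still verify an initramfs at the point where 3/5 checks it. Either move that loader to the same level as load_system_certificate_list or state in the commit message why revocation is not consulted for this check.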
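Review bot: the system_keyring.c hunks move the builtin keyring and its certificate load earlier, but the commit message asks about MOKs, and nothing in this diff touches the code that imports EFI db/MOK entries into the platform or machine keyring. Unless that import is also moved ahead of rootfs_initcall, the `VERIFY_USE_SECONDARY_KEYRING` check in 3/5 will only ever see the keys compiled into the kernel, and an initramfs signed with a MOK-enrolled key will fail with -ENOKEY. The answer to the question posed in the commit message should be explicit there, ideally with the resulting initcall ordering written out (keyring at subsys, parser at fs, certs at fs_sync, verification at rootfs).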
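Review bot: moving asymmetric_key_init to subsys_initcall and x509_key_init to fs_initcall orders the key type and the X.509 parser before load_system_certificate_list, but the verification itself now runs at rootfs_initcall and also needs the hash and public-key algorithms to be registered; an algorithm driver that registers via module_init (that is, device_initcall, one level after rootfs) will not be available yet, and verify_pkcs7_signature reports that as -ENOPKG ("unsupported crypto" in 3/5). Spell out in the commit message which algorithm drivers are relied on to be registered by subsys level, and test with a signature made using a non-default algorithm to confirm the ordering holds.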
From: Jeremy Linton To: linux-kernel@vger.kernel.org Cc: akpm@linux-foundation.org, hch@lst.de, gregkh@linuxfoundation.org, graf@amazon.com, lukas@wunner.de, wufan@linux.microsoft.com, brauner@kernel.org, jsperbeck@google.com, ardb@kernel.org, linux-crypto@vger.kernel.org, linux-kbuild@vger.kernel.org, keyrings@vger.kernel.org, Jeremy Linton Subject: [RFC 3/5] initramfs: Use existing module signing infrastructure Date: Tue, 15 Oct 2024 17:22:33 -0500 Message-ID: <20241015222235.71040-4-jeremy.linton@arm.com> X-Mailer: git-send-email 2.46.2 In-Reply-To: <20241015222235.71040-1-jeremy.linton@arm.com> References: <20241015222235.71040-1-jeremy.linton@arm.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Adding some security checks around the configuration data and early init processes running on the machine is a good idea. There is a move to do this via systemd UKIs using the UEFI and shim infrastructure to wrap a kernel and its associated initramfs into a single PE executable, which is then validated and measured together. The existing kernel boot methods can also provide a similar level of security by leveraging the kernel's signing and validation infrastructure to check a signature on the initramfs. Kernel-validated initramfs images maintain the existing UEFI boot flow while enabling functionality on non-UEFI machines. They keep the UEFI secure boot verification separate from current and future choices over how the kernel verifies data used after it boots. Additionally, this makes it possible for multiple signed initramfs images, for example, debug and recovery images, to share a single kernel image. Let's reuse the kernel's sign-file utility, which appends a trailing signature, signature description, and module signature string to sign the initramfs. 
Then, immediately before we unpack the image, detect if there is a signature, validate it, and strip it off. Then, with a later patch, we can decide what happens when the image is unsigned or cannot be verified. Signed-off-by: Jeremy Linton --- include/linux/initrd.h | 3 ++ init/initramfs.c | 67 +++++++++++++++++++++++++++++++++++++++++- 2 files changed, 69 insertions(+), 1 deletion(-) diff --git a/include/linux/initrd.h b/include/linux/initrd.h index f1a1f4c92ded..e123d3cb39bb 100644 --- a/include/linux/initrd.h +++ b/include/linux/initrd.h @@ -5,6 +5,9 @@ =20 #define INITRD_MINOR 250 /* shouldn't collide with /dev/ram* too soon ... = */ =20 +/* the len here equals the modsig string len */ +#define INITRD_SIG_STRING "~initrd signature appended~\n" + /* starting block # of image */ extern int rd_image_start; =20 diff --git a/init/initramfs.c b/init/initramfs.c index bc911e466d5b..d2d2c68016c2 100644 --- a/init/initramfs.c +++ b/init/initramfs.c @@ -1,5 +1,6 @@ // SPDX-License-Identifier: GPL-2.0 #include +#include #include #include #include @@ -14,6 +15,7 @@ #include #include #include +#include #include #include #include 
@@ -688,8 +690,69 @@ static void __init populate_initrd_image(char *err) } #endif /* CONFIG_BLK_DEV_RAM */ =20 +static int __init initrd_signature_check(size_t *initrd_len) +{ + struct module_signature *ms; + size_t sig_len; + int ret =3D -ENODATA; + const size_t m_len =3D sizeof(INITRD_SIG_STRING) - 1; + + *initrd_len =3D (initrd_end - initrd_start); + + if (*initrd_len < (m_len + sizeof(*ms))) + goto fail; + + if (memcmp((char *)(initrd_end - m_len), INITRD_SIG_STRING, m_len)) { + pr_info("unsigned initramfs\n"); + goto fail; + } + + /* remove module sig string from len computations going forward */ + *initrd_len -=3D m_len; + + ms =3D (struct module_signature *)(initrd_end - sizeof(*ms) - m_len); + + ret =3D mod_check_sig(ms, *initrd_len, "initramfs"); + if (ret) + goto fail; + + sig_len =3D be32_to_cpu(ms->sig_len); + *initrd_len -=3D sizeof(*ms) + sig_len; + +#ifdef CONFIG_INITRAMFS_SIG + ret =3D verify_pkcs7_signature((char *)initrd_start, *initrd_len, + (char *)(initrd_start + *initrd_len), + sig_len, + VERIFY_USE_SECONDARY_KEYRING, + VERIFYING_UNSPECIFIED_SIGNATURE, + NULL, NULL); + + switch (ret) { + case 0: + pr_info("initramfs: valid signature\n"); + break; + case -ENODATA: + pr_err("initramfs: invalid signature\n"); + break; + case -ENOPKG: + pr_err("initramfs: unsupported crypto\n"); + break; + case -ENOKEY: + pr_err("initramfs: unknown key\n"); + break; + default: + pr_err("initramfs: unknown error %d\n", ret); + } +#endif + +fail: + return ret; +} + static void __init do_populate_rootfs(void *unused, async_cookie_t cookie) { + size_t initrd_len; + /* Load the built in initramfs */ char *err =3D unpack_to_rootfs(__initramfs_start, __initramfs_size); if (err) 
@@ -703,7 +766,9 @@ static void __init do_populate_rootfs(void *unused, asy= nc_cookie_t cookie) else printk(KERN_INFO "Unpacking initramfs...\n"); =20 - err =3D unpack_to_rootfs((char *)initrd_start, initrd_end - initrd_start); + initrd_signature_check(&initrd_len); + + err =3D unpack_to_rootfs((char *)initrd_start, initrd_len); if (err) { #ifdef CONFIG_BLK_DEV_RAM populate_initrd_image(err); --=20 2.46.0 From nobody Tue Nov 26 19:53:44 2024 Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by smtp.subspace.kernel.org (Postfix) with ESMTP id B2E361B6CEE; Tue, 15 Oct 2024 22:22:56 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=217.140.110.172 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1729030978; cv=none; b=Rhq3g33nbK9xaQFp81al25TtbyVJrn+vLeNGHBu7gkYjkw5xrD0rt0+KbXiNjz2fUmImbQkkYXoIZqpzFB5Zl2x14cs1XfUthIm2NDjmiPKDJnBjwsxQ5rkl68Im10PiESS40oJtY8ROU0OMVW5bmgNR0q81rV/bNkXNr1p6XmE= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1729030978; c=relaxed/simple; bh=2wRRH19Q5QlS03qKf5gpjKuF/TBv9ogMqqsTV1Sb3DE=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=PXmWaXpXW1BQOH/nyJJt1AP0aP93yHtov4TbyCRXspUt1ZbZ4ccEP7PW+ujUqnhRszO9VffA0WJNMB3brXIJV+6lbc6kncxHlAoFQk2yT+T7g2Y5r8ixf5yJhy1UMDFqSJnPL3QdWn1YaRQCt+MNnidKR4EyS0H4Tlj90fKLJzY= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=arm.com; spf=pass smtp.mailfrom=arm.com; arc=none smtp.client-ip=217.140.110.172 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=arm.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=arm.com Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id B9B72169C; Tue, 15 Oct 2024 15:23:25 -0700 (PDT) Received: from u200865.usa.arm.com (U203867.austin.arm.com [10.118.30.35]) by 
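Review bot: in initrd_signature_check, `*initrd_len` is shortened (first by m_len, then by the signature plus the module_signature struct) before mod_check_sig and verify_pkcs7_signature have passed, and every failure path after that point returns with the shortened length in place, so a caller that unpacks anyway after a failure (as 5/5 does in "checking" mode) hands unpack_to_rootfs a buffer with its tail cut off. Compute the trimmed length in a local and store it only on success, leaving the full length otherwise. Two further points in the same function: with CONFIG_INITRAMFS_SIG disabled the `#ifdef` leaves ret at 0 after mod_check_sig, so the function reports success without verifying anything (return an explicit not-verified error, or stub out the whole function); and the switch maps -ENODATA to "invalid signature" while -ENODATA is also the function's own "no signature present" result, so callers cannot tell unsigned from rejected, whereas a signature that actually fails to verify normally surfaces as -EKEYREJECTED (a malformed PKCS#7 blob as -EBADMSG), both of which fall through to "unknown error" here.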
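Review bot: the do_populate_rootfs hunk discards the return value of initrd_signature_check(), so at this point in the series a signed image whose signature is rejected is unpacked exactly like a valid one and only a log line records the failure; if enforcement is deliberately left to a later patch, say so in a comment here. Also, the check now runs (and prints "unsigned initramfs") on every boot even when CONFIG_INITRAMFS_SIG is off, since only the verify call is under the ifdef; put the call or the message under the same condition.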
usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id 0FD1A3F71E; Tue, 15 Oct 2024 15:22:56 -0700 (PDT) From: Jeremy Linton To: linux-kernel@vger.kernel.org Cc: akpm@linux-foundation.org, hch@lst.de, gregkh@linuxfoundation.org, graf@amazon.com, lukas@wunner.de, wufan@linux.microsoft.com, brauner@kernel.org, jsperbeck@google.com, ardb@kernel.org, linux-crypto@vger.kernel.org, linux-kbuild@vger.kernel.org, keyrings@vger.kernel.org, Jeremy Linton Subject: [RFC 4/5] sign-file: Add -i option to sign initramfs images Date: Tue, 15 Oct 2024 17:22:34 -0500 Message-ID: <20241015222235.71040-5-jeremy.linton@arm.com> X-Mailer: git-send-email 2.46.2 In-Reply-To: <20241015222235.71040-1-jeremy.linton@arm.com> References: <20241015222235.71040-1-jeremy.linton@arm.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" The initramfs signature is the mod signature with a differing string to assure that cpio archives with a signed module at the end can never be confused for a valid signed initramfs. To support this, add a -i option to sign-file, which replaces the "Module signature appended" string with "initrd signature appended", which is the same length. Signed-off-by: Jeremy Linton --- scripts/sign-file.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/scripts/sign-file.c b/scripts/sign-file.c index 7070245edfc1..bbf97a57311a 100644 --- a/scripts/sign-file.c +++ b/scripts/sign-file.c @@ -75,6 +75,7 @@ struct module_signature { #define PKEY_ID_PKCS7 2 =20 static char magic_number[] =3D "~Module signature appended~\n"; +static char magic_initrd[] =3D "~initrd signature appended~\n"; =20 static __attribute__((noreturn)) void format(void) 
@@ -226,6 +227,7 @@ int main(int argc, char **argv) bool save_sig =3D false, replace_orig; bool sign_only =3D false; bool raw_sig =3D false; + bool initrd_sig =3D false; unsigned char buf[4096]; unsigned long module_size, sig_size; unsigned int use_signed_attrs; @@ -253,7 +255,7 @@ int main(int argc, char **argv) #endif =20 do { - opt =3D getopt(argc, argv, "sdpk"); + opt =3D getopt(argc, argv, "sdpki"); switch (opt) { case 's': raw_sig =3D true; break; case 'p': save_sig =3D true; break; @@ -261,6 +263,7 @@ int main(int argc, char **argv) #ifndef USE_PKCS7 case 'k': use_keyid =3D CMS_USE_KEYID; break; #endif + case 'i': initrd_sig =3D true; break; case -1: break; default: format(); } 
@@ -398,7 +401,11 @@ int main(int argc, char **argv) sig_size =3D BIO_number_written(bd) - module_size; sig_info.sig_len =3D htonl(sig_size); ERR(BIO_write(bd, &sig_info, sizeof(sig_info)) < 0, "%s", dest_name); - ERR(BIO_write(bd, magic_number, sizeof(magic_number) - 1) < 0, "%s", dest= _name); + if (initrd_sig) + ERR(BIO_write(bd, magic_initrd, sizeof(magic_initrd) - 1) < 0, "%s", des= t_name); + else + ERR(BIO_write(bd, magic_number, sizeof(magic_number) - 1) < 0, "%s", des= t_name); + =20 ERR(BIO_free(bd) !=3D 1, "%s", dest_name); =20 --=20 2.46.0 From nobody Tue Nov 26 19:53:44 2024 Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 93AEF1D63D1; Tue, 15 Oct 2024 22:22:57 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=217.140.110.172 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1729030979; cv=none; b=EuQ37T/V/kAWMXIaAAor2M3FbIvPiLNv/L6GHuFa4aoQ1w5uFlRcI9hah+8fFUl3i4ldFpRoxrl6Mg3HVzjKftWasiEkp8XQFNnhB8Fa7Ehd7WJf9AAe9ikkYLC61v8kjBmwfQIp52RPkuB5Q1freYA3teE0zGPATlhGY96Yxpo= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1729030979; c=relaxed/simple; bh=ROp3gViwuilByaFBglCxEIAqRG+QJMVwFVRVm1Z13d4=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=NaaDypZZEA2gh0rKhbTzaXmn+aXJOywwSe8Gshe+E4cjGMP+U6CejaZ89064l3IomOQTcdNO7ejDkPga4FhHz8zI/xBt7pKlYCVAuihO7Xhe7FaIxkOZTswN6BGkVZOcXrLliFlJCYU4dNuyNMSADh85G1LNtDoRRkdxIAD/tYI= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=arm.com; spf=pass smtp.mailfrom=arm.com; arc=none smtp.client-ip=217.140.110.172 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=arm.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=arm.com Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com 
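Review bot: the -i option is accepted by getopt ("sdpki") and sets initrd_sig, but the usage message in format() is not updated in this diff and no documentation is touched, so the option is undiscoverable; add it to both. In the BIO_write hunk the two branches duplicate the ERR() line; select the trailer once (`const char *magic = initrd_sig ? magic_initrd : magic_number;`, both strings being the same length) and keep a single BIO_write, and drop the extra `+` blank line the hunk adds before `ERR(BIO_free(bd) != 1, ...)`, which leaves two consecutive blank lines.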
(Postfix) with ESMTP id 52CE416A3; Tue, 15 Oct 2024 15:23:26 -0700 (PDT) Received: from u200865.usa.arm.com (U203867.austin.arm.com [10.118.30.35]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id 9E62C3F71E; Tue, 15 Oct 2024 15:22:56 -0700 (PDT) From: Jeremy Linton To: linux-kernel@vger.kernel.org Cc: akpm@linux-foundation.org, hch@lst.de, gregkh@linuxfoundation.org, graf@amazon.com, lukas@wunner.de, wufan@linux.microsoft.com, brauner@kernel.org, jsperbeck@google.com, ardb@kernel.org, linux-crypto@vger.kernel.org, linux-kbuild@vger.kernel.org, keyrings@vger.kernel.org, Jeremy Linton Subject: [RFC 5/5] initramfs: Enforce initramfs signature Date: Tue, 15 Oct 2024 17:22:35 -0500 Message-ID: <20241015222235.71040-6-jeremy.linton@arm.com> X-Mailer: git-send-email 2.46.2 In-Reply-To: <20241015222235.71040-1-jeremy.linton@arm.com> References: <20241015222235.71040-1-jeremy.linton@arm.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Now that the infrastructure is in place to verify and sign initramfs images, let's refuse them if the signature is invalid. Additionally, a command-line option `initrdsig=3D[enforcing|checking]` is provided to switch between failing to boot or reporting signature failures. Signed-off-by: Jeremy Linton --- init/initramfs.c | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/init/initramfs.c b/init/initramfs.c index d2d2c68016c2..bb42ba6c0730 100644 --- a/init/initramfs.c +++ b/init/initramfs.c 
@@ -573,6 +573,20 @@ static int __init initramfs_async_setup(char *str) } __setup("initramfs_async=3D", initramfs_async_setup); =20 +static bool __initdata enforce_initrd_sig =3D IS_ENABLED(CONFIG_INITRAMFS= _SIG); +#ifdef CONFIG_INITRAMFS_SIG +static int __init initrd_sig_setup(char *str) +{ + if (!strcmp(str, "enforcing")) + enforce_initrd_sig =3D true; + else if (!strcmp(str, "checking")) + enforce_initrd_sig =3D false; + return 1; +} +__setup("initrdsig=3D", initrd_sig_setup); +#endif + + extern char __initramfs_start[]; extern unsigned long __initramfs_size; #include @@ -766,7 +780,10 @@ static void __init do_populate_rootfs(void *unused, as= ync_cookie_t cookie) else printk(KERN_INFO "Unpacking initramfs...\n"); =20 - initrd_signature_check(&initrd_len); + if (initrd_signature_check(&initrd_len) && enforce_initrd_sig) { + printk(KERN_EMERG "Initramfs signature required\n"); + goto done; + } =20 err =3D unpack_to_rootfs((char *)initrd_start, initrd_len); if (err) { --=20 2.46.0
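Review bot: initrd_sig_setup silently ignores any value other than "enforcing" or "checking" and still returns 1, so a typo such as initrdsig=enforce leaves the compiled-in default in place with no diagnostic; emit a pr_warn for unrecognised values. More importantly, a command-line switch that turns enforcement off makes the check only as strong as whatever authenticates the command line, which on many boot paths is nothing; the Kconfig help in 1/5 says the decision belongs to lockdown, so consider refusing the downgrade when the kernel is locked down, or making "checking" a build-time choice rather than a runtime one.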
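Review bot: the enforcement hunk prints "Initramfs signature required" for every non-zero result of initrd_signature_check, but that function also returns non-zero for a signed image with an unknown key, an unsupported algorithm or a bad signature, so the message misstates the cause; either print the actual reason or rely on the pr_err the helper already emits and keep this one generic ("initramfs rejected"). After the `goto done` the boot simply continues with no rootfs content and fails later in a less obvious place; if the intent is to refuse to boot, a panic() carrying the reason is clearer. Finally, in "checking" mode a failed check still unpacks with the initrd_len that initrd_signature_check may have already shortened (see 3/5), which needs fixing there or a guard here.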