From patchwork Wed May 16 02:55:11 2018
X-Patchwork-Submitter: "Grandbois, Brett"
X-Patchwork-Id: 914140
From: Brett Grandbois
To: petitboot@lists.ozlabs.org
Subject: [PATCH] discover/boot: abort kexec if lockdown file not present
Date: Wed, 16 May 2018 12:55:11 +1000
Message-Id: <1526439311-17885-1-git-send-email-brett.grandbois@opengear.com>
X-Mailer: git-send-email 2.7.4
List-Id: Petitboot bootloader development

In gpg_validate_boot_files(), after the check to verify that signed boot is requested, the LOCKDOWN_FILE is then opened and, if it is not accessible, an error code is returned. The caller (kexec_load) is not checking for that particular error code (KEXEC_LOAD_SIG_SETUP_INVALID) and will proceed to kexec the image even though the validation has not been performed.

Signed-off-by: Brett Grandbois
---
 discover/boot.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/discover/boot.c b/discover/boot.c index 0da40e3..0042f96 100644 --- a/discover/boot.c +++ b/discover/boot.c @@ -83,6 +83,10 @@ static int kexec_load(struct boot_task *boot_task) " verification failure\n", __func__); goto abort_kexec; } + if (result == KEXEC_LOAD_SIG_SETUP_INVALID) { + /* already logged */ + goto abort_kexec; + } } const char* local_initrd = (boot_task->local_initrd_override) ?
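Review bot: the new `if` at the end of the hunk closes the gap for KEXEC_LOAD_SIG_SETUP_INVALID, but kexec_load() still fails open for any result value it does not name, which is the same class of bug this patch fixes; consider aborting whenever `result` is anything other than the success value gpg_validate_boot_files() returns, instead of adding one comparison per failure code, and folding the adjacent `if (result == ...)` checks into a single branch. The `/* already logged */` comment also relies on gpg_validate_boot_files() having logged the inaccessible lockdown file; a log line here naming the abort reason, as the preceding branch does for a verification failure, would keep the kexec abort reasons in one place.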
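The fail-open pattern the commit message describes, reduced to a stand-alone C model (an added example, not petitboot code): a validation routine that returns a distinct setup error when the lockdown file cannot be opened, a caller that only checks the verification-failure code and therefore boots anyway, and a hardened caller that allows kexec only on the explicit success values. The enum names, validate_boot_files(), kexec_allowed_before()/kexec_allowed_after() and the lockdown path are hypothetical, and the hardened form goes further than the patch, which adds one more specific comparison.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical result codes, modelled on the ones the patch mentions. */
enum sig_result {
    SIG_OK = 0,         /* all boot files verified */
    SIG_NOT_REQUIRED,   /* signed boot not requested: boot unsigned image */
    SIG_VERIFY_FAILED,  /* a signature check ran and failed */
    SIG_SETUP_INVALID,  /* lockdown file inaccessible: nothing was verified */
};

/* Stand-in for gpg_validate_boot_files(): signed boot is requested, so the
 * lockdown file must be readable before any verification can happen.
 * sig_valid stands in for the outcome of the real signature check. */
enum sig_result validate_boot_files(const char *lockdown_path, bool sig_valid)
{
    FILE *f = fopen(lockdown_path, "r");
    if (!f) {
        fprintf(stderr, "lockdown file %s not accessible\n", lockdown_path);
        return SIG_SETUP_INVALID;   /* "already logged", as in the patch */
    }
    fclose(f);
    return sig_valid ? SIG_OK : SIG_VERIFY_FAILED;
}

/* Caller before the patch: only the verification-failure code aborts, so
 * SIG_SETUP_INVALID falls through and the image is booted unverified. */
bool kexec_allowed_before(enum sig_result r)
{
    if (r == SIG_VERIFY_FAILED)
        return false;
    return true;
}

/* Hardened caller: allow only the explicit "go" values, so any failure code
 * (including ones added later) aborts instead of failing open. */
bool kexec_allowed_after(enum sig_result r)
{
    return r == SIG_OK || r == SIG_NOT_REQUIRED;
}

int main(void)
{
    /* Constructed lockdown path that does not exist on the host. */
    enum sig_result r = validate_boot_files("/nonexistent/lockdown-file", true);
    printf("before patch: kexec %s\n", kexec_allowed_before(r) ? "proceeds" : "aborts");
    printf("after patch:  kexec %s\n", kexec_allowed_after(r) ? "proceeds" : "aborts");
    return 0;
}
```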