From patchwork Fri Oct 26 17:55:15 2018
X-Patchwork-Submitter: Seth Forshee
X-Patchwork-Id: 989707
From: Seth Forshee
To: kernel-team@lists.ubuntu.com
Subject: [PATCH 1/2][Cosmic] UBUNTU: SAUCE: (efi-lockdown) module: trust keys from secondary keyring for module signing
Date: Fri, 26 Oct 2018 11:55:15 -0600
Message-Id: <20181026175516.21251-2-seth.forshee@canonical.com>
In-Reply-To: <20181026175516.21251-1-seth.forshee@canonical.com>
References: <20181026175516.21251-1-seth.forshee@canonical.com>

BugLink: https://bugs.launchpad.net/bugs/1798863

For signing dkms modules we use a machine owner key whose public half is enrolled into shim. This gets imported into the kernel's secondary keyring, thus keys in this keyring need to be trusted for module signing. Unfortunately the revision of the "secure boot lockdown" patches imported into cosmic had a bug whereby keys in the secondary keyring are not trusted for module signing. Another bug resulted in the modules still being loaded under lockdown, so before fixing that bug we need to fix the bug with trusting the MOK for module signing so that dkms modules signed with the MOK will continue to load.

CVE-2018-18653

Signed-off-by: Seth Forshee
Acked-by: Tyler Hicks
---
 kernel/module_signing.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kernel/module_signing.c b/kernel/module_signing.c
index 937c844bee4a..d3d6f95a96b4 100644
--- a/kernel/module_signing.c
+++ b/kernel/module_signing.c
@@ -81,6 +81,6 @@ int mod_verify_sig(const void *mod, unsigned long *_modlen) } return verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len, - NULL, VERIFYING_MODULE_SIGNATURE, + (void *)1UL, VERIFYING_MODULE_SIGNATURE, NULL, NULL); }
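Review bot: the bare `(void *)1UL` that replaces `NULL` as the trusted_keys argument of verify_pkcs7_signature() is a magic value with no explanation at the call site; add a comment on that line (or a named constant) stating that it selects the secondary trusted keyring, which the commit message says is the whole point of the change, so a later reader does not take it for a stray pointer cast or "fix" it back to NULL and silently re-open the MOK-signed dkms breakage.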
From patchwork Fri Oct 26 17:55:16 2018
X-Patchwork-Submitter: Seth Forshee
X-Patchwork-Id: 989709
From: Seth Forshee
To: kernel-team@lists.ubuntu.com
Subject: [PATCH 2/2][Cosmic] UBUNTU: SAUCE: (efi-lockdown) module: remove support for deferring module signature verification to IMA
Date: Fri, 26 Oct 2018 11:55:16 -0600
Message-Id: <20181026175516.21251-3-seth.forshee@canonical.com>
In-Reply-To: <20181026175516.21251-1-seth.forshee@canonical.com>
References: <20181026175516.21251-1-seth.forshee@canonical.com>

BugLink: https://bugs.launchpad.net/bugs/1798863

Recent versions of the "secure boot lockdown" patches introduced support for using IMA signatures for module signing instead of the standard mechanism. This was causing issues and was removed, but the code was missed which actually defers the verification to IMA when IMA enforcement is enabled. With our config this means that by default module signatures are not being enforced under kernel lockdown. Remove the remaining code to restore module signature enforcement under lockdown.

CVE-2018-18653

Signed-off-by: Seth Forshee
Acked-by: Thadeu Lima de Souza Cascardo
Acked-by: Tyler Hicks
---
 kernel/module.c | 16 ++++++----------
 1 file changed, 6 insertions(+), 10 deletions(-)

diff --git a/kernel/module.c b/kernel/module.c
index 9af04eebd711..a767bd326b43 100644
--- a/kernel/module.c
+++ b/kernel/module.c
@@ -2760,8 +2760,7 @@ static inline void kmemleak_load_module(const struct module *mod, #endif #ifdef CONFIG_MODULE_SIG -static int module_sig_check(struct load_info *info, int flags, - bool can_do_ima_check) +static int module_sig_check(struct load_info *info, int flags) { int err = -ENODATA; const unsigned long markerlen = sizeof(MODULE_SIG_STRING) - 1;
@@ -2803,8 +2802,6 @@ static int module_sig_check(struct load_info *info, int flags, return -EKEYREJECTED; } - if (can_do_ima_check && is_ima_appraise_enabled()) - return 0; if (kernel_is_locked_down(reason)) return -EPERM; return 0; @@ -2818,8 +2815,7 @@ static int module_sig_check(struct load_info *info, int flags, } } #else /* !CONFIG_MODULE_SIG */ -static int module_sig_check(struct load_info *info, int flags, - bool can_do_ima_check) +static int module_sig_check(struct load_info *info, int flags) { return 0; } @@ -3684,13 +3680,13 @@ static int unknown_module_param_cb(char *param, char *val, const char *modname, /* Allocate and load the module: note that size of section 0 is always zero, and we rely on this for optional sections. */ static int load_module(struct load_info *info, const char __user *uargs, - int flags, bool can_do_ima_check) + int flags) { struct module *mod; long err; char *after_dashes; - err = module_sig_check(info, flags, can_do_ima_check); + err = module_sig_check(info, flags); if (err) goto free_copy; @@ -3879,7 +3875,7 @@ SYSCALL_DEFINE3(init_module, void __user *, umod, if (err) return err; - return load_module(&info, uargs, 0, false); + return load_module(&info, uargs, 0); } SYSCALL_DEFINE3(finit_module, int, fd, const char __user *, uargs, int, flags) @@ -3906,7 +3902,7 @@ SYSCALL_DEFINE3(finit_module, int, fd, const char __user *, uargs, int, flags) info.hdr = hdr; info.len = size; - return load_module(&info, uargs, flags, true); + return load_module(&info, uargs, flags); } static inline int within(unsigned long addr, void *start, unsigned long size)
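Review bot: in the module_sig_check() hunk at @@ -2803, deleting `if (can_do_ima_check && is_ima_appraise_enabled()) return 0;` removes the only early success return that sat before `if (kernel_is_locked_down(reason)) return -EPERM;`, so a module that did not verify is now refused under lockdown regardless of IMA state, which is what the commit message asks for; since is_ima_appraise_enabled() is no longer referenced here, check whether kernel/module.c still needs whatever header it pulled in for that call and drop it if nothing else uses it, so the stale IMA dependency does not outlive the feature.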
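Review bot: the two syscall hunks at @@ -3879 and @@ -3906 drop the `false`/`true` asymmetry between init_module() and finit_module(), so both now reach module_sig_check() through the identical load_module(&info, uargs, flags) path; that is the correct outcome of removing the parameter, but the commit message does not mention that the deferral it removes was only ever reachable for fd-based loads (finit_module passed `true`, init_module passed `false`), and one sentence saying so would save whoever bisects to this change from wondering why only one of the two syscalls was affected.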
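Both patches operate on the signature trailer that scripts/sign-file appends to a .ko: module_sig_check() looks for MODULE_SIG_STRING (the `markerlen = sizeof(MODULE_SIG_STRING) - 1` visible in the hunk above), and mod_verify_sig() strips the 12-byte module_signature struct and hands the PKCS#7 blob to verify_pkcs7_signature() with the keyring selector that patch 1 changes. The parser below is an added example, not code from either patch or from the kernel tree: it reproduces the bounds and sanity checks of that trailer handling in user space so that a practitioner can confirm a dkms module actually carries a well-formed signature before suspecting the keyring. The 64 filler bytes and the 32-byte "signature" in demo_constructed() are constructed stand-ins, not an ELF image or a real DER blob, and the cryptographic check against the keyrings is not reproduced.

```c
/*
 * Added example, not part of the Ubuntu patches above: a user-space parser
 * for the trailer that module_sig_check() detects via MODULE_SIG_STRING and
 * mod_verify_sig() strips before passing the PKCS#7 blob to
 * verify_pkcs7_signature(). Layout written by scripts/sign-file:
 *   [module image][PKCS#7 DER][module_signature, 12 bytes][marker]
 * module_signature = algo hash id_type signer_len key_id_len pad[3] sig_len(be32)
 * The check of the blob against the kernel keyrings is NOT reproduced here.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MODULE_SIG_STRING "~Module signature appended~\n"
#define MARKER_LEN (sizeof(MODULE_SIG_STRING) - 1)
#define MS_LEN 12 /* sizeof(struct module_signature) */
#define PKEY_ID_PKCS7 2

struct sig_info {
	size_t mod_len; /* bytes of the image that were signed */
	size_t sig_off; /* offset of the PKCS#7 blob (== mod_len) */
	size_t sig_len; /* length of the PKCS#7 blob */
};

/* Same bounds and sanity checks as kernel/module_signing.c. Returns 0, or
 * -1 no marker (unsigned module), -2 trailer truncated, -3 wrong id_type or
 * non-zero legacy fields, -4 sig_len does not fit in the remaining file. */
int parse_module_signature(const uint8_t *buf, size_t len, struct sig_info *out)
{
	const uint8_t *ms;
	size_t modlen = len;
	uint32_t sig_len;

	if (modlen <= MARKER_LEN ||
	    memcmp(buf + modlen - MARKER_LEN, MODULE_SIG_STRING, MARKER_LEN))
		return -1;
	modlen -= MARKER_LEN;
	if (modlen <= MS_LEN)
		return -2;
	ms = buf + modlen - MS_LEN;
	modlen -= MS_LEN;
	/* PKCS#7 carries signer/key id inside the blob: legacy fields must be 0 */
	if (ms[2] != PKEY_ID_PKCS7 || ms[0] || ms[1] || ms[3] || ms[4] ||
	    ms[5] || ms[6] || ms[7])
		return -3;
	sig_len = ((uint32_t)ms[8] << 24) | ((uint32_t)ms[9] << 16) |
		  ((uint32_t)ms[10] << 8) | ms[11];
	if (sig_len >= modlen)
		return -4;
	out->mod_len = modlen - sig_len;
	out->sig_off = modlen - sig_len;
	out->sig_len = sig_len;
	return 0;
}

/* Appends blob + trailer + marker after buf[0..mod_len), as sign-file does.
 * Returns the new total length, or 0 if cap is too small. */
size_t append_module_signature(uint8_t *buf, size_t cap, size_t mod_len,
			       const uint8_t *sig, uint32_t sig_len)
{
	size_t total = mod_len + sig_len + MS_LEN + MARKER_LEN;
	uint8_t *p = buf + mod_len;

	if (total > cap)
		return 0;
	memcpy(p, sig, sig_len);
	p += sig_len;
	memset(p, 0, MS_LEN);
	p[2] = PKEY_ID_PKCS7;
	p[8] = (uint8_t)(sig_len >> 24);
	p[9] = (uint8_t)(sig_len >> 16);
	p[10] = (uint8_t)(sig_len >> 8);
	p[11] = (uint8_t)sig_len;
	memcpy(p + MS_LEN, MODULE_SIG_STRING, MARKER_LEN);
	return total;
}

/* Constructed sample: 64 filler bytes stand in for the ELF image and a
 * 32-byte dummy stands in for the PKCS#7 DER blob (not a real signature). */
int demo_constructed(struct sig_info *out)
{
	static const uint8_t fake_sig[32] = { 0x30, 0x82, 0x01, 0x00 };
	uint8_t buf[256];
	size_t total;

	memset(buf, 0x7f, 64);
	total = append_module_signature(buf, sizeof(buf), 64, fake_sig, 32);
	return total ? parse_module_signature(buf, total, out) : -99;
}

int main(void)
{
	struct sig_info si;
	int rc = demo_constructed(&si);

	if (rc)
		printf("no usable signature trailer (rc=%d)\n", rc);
	else
		printf("image %zu bytes, PKCS#7 blob %zu bytes at offset %zu\n",
		       si.mod_len, si.sig_len, si.sig_off);
	return rc != 0;
}
```

Feeding parse_module_signature() the bytes of a real dkms-built .ko tells you whether the marker and trailer are present and sized sanely; a -1 corresponds to the no-signature case that module_sig_check() starts from with its `err = -ENODATA` default, and only a 0 result means the kernel would ever get as far as the keyring lookup that patch 1 fixes. Splitting the parse from the signature check also mirrors why patch 2 matters: a trailer that parses is still worthless unless the blob is actually verified against a trusted keyring before the module is loaded.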