From bf8fcd943508a755a11d2f8eacdc6322250164f0 Mon Sep 17 00:00:00 2001
From: "Lee, Chun-Yi" <jlee@suse.com>
Date: Tue, 7 Jul 2015 14:26:38 +0800
Subject: [PATCH v2 13/16] PM / hibernate: Add configuration to enforce signature
verification
Patch-mainline: Not yet, reviewing on linux-efi
References: fate#316350
Like kernel module signature checking, there's both a config option and
a boot parameter which control whether we accept or fail with unsigned
hibernate image and image that are signed with an unknown key.
If hibernate signing is enabled, the kernel will be tainted if a snapshot
image is restored that is unsigned or has a signature for which we don't
have the key. When the enforce flag is enabled, then the hibernate
restoring process will be failed and boot as normal.
Reviewed-by: Jiri Kosina <jkosina@suse.com>
Tested-by: Jiri Kosina <jkosina@suse.com>
Signed-off-by: Lee, Chun-Yi <jlee@suse.com>
---
Documentation/kernel-parameters.txt | 5 +++++
arch/x86/power/hibernate_keys.c | 19 +++++++++++++++++--
include/linux/kernel.h | 3 ++-
include/linux/suspend.h | 3 +++
kernel/panic.c | 2 ++
kernel/power/Kconfig | 8 ++++++++
kernel/power/hibernate.c | 7 +++++++
kernel/power/snapshot.c | 6 +++++-
8 files changed, 49 insertions(+), 4 deletions(-)
--- a/Documentation/kernel-parameters.txt
+++ b/Documentation/kernel-parameters.txt
@@ -3462,6 +3462,11 @@ bytes respectively. Such letter suffixes
present during boot.
nocompress Don't compress/decompress hibernation images.
no Disable hibernation and resume.
+ sigenforce When CONFIG_HIBERNATE_VERIFICATION is set, this
+ menas that snapshot image without (valid)
+ signature will fail to restore. Note that if
+ HIBERNATE_VERIFICATION_FORCE is set, that is
+ always true, so this option does nothing.
retain_initrd [RAM] Keep initrd memory after extraction
--- a/arch/x86/power/hibernate_keys.c
+++ b/arch/x86/power/hibernate_keys.c
@@ -89,6 +89,7 @@ void fill_forward_info(void *forward_buf
memset(forward_buff_page, 0, PAGE_SIZE);
info = (struct forward_info *)forward_buff_page;
info->sig_verify_ret = verify_ret;
+ info->sig_enforce = sigenforce;
if (hibernation_keys && !hibernation_keys->hkey_status) {
info->hibernation_keys = *hibernation_keys;
@@ -106,10 +107,24 @@ void restore_sig_forward_info(void)
return;
}
- if (forward_buff->sig_verify_ret)
- pr_warn("PM: Signature verifying failed: %d\n",
+ sigenforce = forward_buff->sig_enforce;
+ if (sigenforce)
+ pr_info("PM: Enforce hibernate signature verifying\n");
+
+ if (forward_buff->sig_verify_ret) {
+ pr_warn("PM: Hibernate signature verifying failed: %d\n",
forward_buff->sig_verify_ret);
+ /* taint kernel */
+ if (!sigenforce) {
+ pr_warn("PM: System restored from unsafe snapshot - "
+ "tainting kernel\n");
+ add_taint(TAINT_UNSAFE_HIBERNATE, LOCKDEP_STILL_OK);
+ pr_info("%s\n", print_tainted());
+ }
+ } else
+ pr_info("PM: Signature verifying pass\n");
+
if (hibernation_keys) {
memset(hibernation_keys, 0, PAGE_SIZE);
*hibernation_keys = forward_buff->hibernation_keys;
--- a/include/linux/kernel.h
+++ b/include/linux/kernel.h
@@ -521,6 +521,7 @@ extern enum system_states {
#define TAINT_UNSIGNED_MODULE 13
#define TAINT_SOFTLOCKUP 14
#define TAINT_LIVEPATCH 15
+#define TAINT_UNSAFE_HIBERNATE 16
/* !!! Keep TAINT_FLAGS_COUNT in sync !!! */
#ifdef CONFIG_SUSE_KERNEL_SUPPORTED
@@ -532,7 +533,7 @@ extern enum system_states {
#define TAINT_EXTERNAL_SUPPORT 31
#define TAINT_FLAGS_COUNT 32
#else
-#define TAINT_FLAGS_COUNT 16
+#define TAINT_FLAGS_COUNT 17
#endif
extern const char hex_asc[];
--- a/include/linux/suspend.h
+++ b/include/linux/suspend.h
@@ -371,6 +371,9 @@ struct platform_hibernation_ops {
#define HIBERNATION_HMAC "hmac(sha1)"
#define HIBERNATION_DIGEST_SIZE 20
+/* kernel/power/hibernate.c */
+extern int sigenforce;
+
/* kernel/power/snapshot.c */
extern void __register_nosave_region(unsigned long b, unsigned long e, int km);
static inline void __init register_nosave_region(unsigned long b, unsigned long e)
--- a/kernel/panic.c
+++ b/kernel/panic.c
@@ -263,6 +263,7 @@ static const struct tnt tnts[] = {
{ TAINT_UNSIGNED_MODULE, 'E', ' ' },
{ TAINT_SOFTLOCKUP, 'L', ' ' },
{ TAINT_LIVEPATCH, 'K', ' ' },
+ { TAINT_UNSAFE_HIBERNATE, 'H', ' ' },
#ifdef CONFIG_SUSE_KERNEL_SUPPORTED
{ TAINT_NO_SUPPORT, 'N', ' ' },
{ TAINT_EXTERNAL_SUPPORT, 'X', ' ' },
@@ -288,6 +289,7 @@ static const struct tnt tnts[] = {
* 'E' - Unsigned module has been loaded.
* 'L' - A soft lockup has previously occurred.
* 'K' - Kernel has been live patched.
+ * 'H' - System restored from unsafe hibernate snapshot image.
* 'N' - Unsuported modules loaded.
* 'X' - Modules with external support loaded.
*
--- a/kernel/power/Kconfig
+++ b/kernel/power/Kconfig
@@ -89,6 +89,14 @@ config HIBERNATE_VERIFICATION
relies on UEFI secure boot environment, EFI stub generates HMAC
key for hibernate verification.
+config HIBERNATE_VERIFICATION_FORCE
+ bool "Require hibernate snapshot image to be validly signed"
+ depends on HIBERNATE_VERIFICATION
+ help
+ Reject hibernate resuming from unsigned snapshot image or signed
+ snapshot image for which we don't have a key. Without this, such
+ snapshot image will simply taint the kernel when resuming.
+
config ARCH_SAVE_PAGE_KEYS
bool
--- a/kernel/power/hibernate.c
+++ b/kernel/power/hibernate.c
@@ -44,6 +44,11 @@ static char resume_file[256] = CONFIG_PM
dev_t swsusp_resume_device;
sector_t swsusp_resume_block;
__visible int in_suspend __nosavedata;
+#ifdef CONFIG_HIBERNATE_VERIFICATION_FORCE
+int sigenforce = 1;
+#else
+int sigenforce;
+#endif
enum {
HIBERNATION_INVALID,
@@ -1130,6 +1135,8 @@ static int __init hibernate_setup(char *
noresume = 1;
nohibernate = 1;
}
+ else if (!strncmp(str, "sigenforce", 10))
+ sigenforce = 1;
return 1;
}
--- a/kernel/power/snapshot.c
+++ b/kernel/power/snapshot.c
@@ -1469,7 +1469,11 @@ error_digest:
forward_ret:
if (ret)
pr_warn("PM: Signature verifying failed: %d\n", ret);
- snapshot_fill_sig_forward_info(ret);
+ /* forward check result when verifying pass or not enforce verifying */
+ if (!ret || !sigenforce) {
+ snapshot_fill_sig_forward_info(ret);
+ ret = 0;
+ }
return ret;
}