kexec_load(2) bypasses signature verification
Theodore Ts'o
tytso at mit.edu
Sun Jun 14 20:50:51 PDT 2015
>From experimentation and from looking at the sources, it appears that
the signature checking is only done in the kexec_file_load(2) system
all, and not in the kexec_load(2) system call. And I understand why
-- the signature is not sent from userspace to the kernel in the older
kexec_load(2) system call.
The problem is that if you use an old version of kexec, it will use
the old kexec_load(2) system call, and even though
CONFIG_KEXEC_VERIFY_SIG is enabled, kexec_load(2) will happily load an
unsigned kernel, and then "kexec -e" will happily boot into it.
Correct me if I am wrong, but this appears to be a hole in Secure Boot
you could drive a Mack Truck through.
(I noticed this because Debian is still using a kexec-tools from the
stone ages, version 2.0.7, and I was wondering **why** I was able to
kexec boot completely unsigned kernels.)
It would appear to me that if CONFIG_KEXEC_VERIFY_SIG is enabled, the
old kexec_load(2) system call should be disabled (and a warning be
placed in the Kconfig help that the user should have at least verision
2.X of kexec-tools if they enable this kernel option).
Am I missing something?
- Ted
More information about the kexec
mailing list