kexec_load(2) bypasses signature verification

Theodore Ts'o tytso at mit.edu
Sun Jun 14 20:50:51 PDT 2015


>From experimentation and from looking at the sources, it appears that
the signature checking is only done in the kexec_file_load(2) system
all, and not in the kexec_load(2) system call.  And I understand why
-- the signature is not sent from userspace to the kernel in the older
kexec_load(2) system call.

The problem is that if you use an old version of kexec, it will use
the old kexec_load(2) system call, and even though
CONFIG_KEXEC_VERIFY_SIG is enabled, kexec_load(2) will happily load an
unsigned kernel, and then "kexec -e" will happily boot into it.

Correct me if I am wrong, but this appears to be a hole in Secure Boot
you could drive a Mack Truck through.

(I noticed this because Debian is still using a kexec-tools from the
stone ages, version 2.0.7, and I was wondering **why** I was able to
kexec boot completely unsigned kernels.)

It would appear to me that if CONFIG_KEXEC_VERIFY_SIG is enabled, the
old kexec_load(2) system call should be disabled (and a warning be
placed in the Kconfig help that the user should have at least verision
2.X of kexec-tools if they enable this kernel option).

Am I missing something?

						- Ted



More information about the kexec mailing list