From patchwork Thu Sep 21 13:37:02 2023
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Pingfan Liu <kernelfans@gmail.com>
X-Patchwork-Id: 725027
Return-Path: <linux-efi-owner@vger.kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
 aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
 by smtp.lore.kernel.org (Postfix) with ESMTP id 684B4E7D0AD
 for <linux-efi@archiver.kernel.org>; Thu, 21 Sep 2023 21:17:12 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
 id S232662AbjIUVRQ (ORCPT <rfc822;linux-efi@archiver.kernel.org>);
 Thu, 21 Sep 2023 17:17:16 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:46190 "EHLO
 lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
 with ESMTP id S232691AbjIUVQN (ORCPT
 <rfc822;linux-efi@vger.kernel.org>); Thu, 21 Sep 2023 17:16:13 -0400
Received: from mail-vs1-xe35.google.com (mail-vs1-xe35.google.com
 [IPv6:2607:f8b0:4864:20::e35])
 by lindbergh.monkeyblade.net (Postfix) with ESMTPS id E00B8AC3F6
 for <linux-efi@vger.kernel.org>; Thu, 21 Sep 2023 11:01:56 -0700 (PDT)
Received: by mail-vs1-xe35.google.com with SMTP id
 ada2fe7eead31-4526d872941so671649137.1
 for <linux-efi@vger.kernel.org>; Thu, 21 Sep 2023 11:01:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=gmail.com; s=20230601; t=1695319316; x=1695924116;
 darn=vger.kernel.org;
 h=content-transfer-encoding:mime-version:references:in-reply-to
 :message-id:date:subject:cc:to:from:from:to:cc:subject:date
 :message-id:reply-to;
 bh=V/sF+QqiplgSBso/5vnIDx564mKj+3dahN17Ytb8x4c=;
 b=a2YteJb9WNkUbm7crxrTBS+cnkJ3m/AE7Zg+BTp2Cfxa/82OZISZ/ptzmbnbudlgNZ
 dZ0x33SLrytDbNsLcWqvV2MQggRsH1bRfA025Iu7bUDC0Yn3+hQZ0/Q27qUR5HXwPLkN
 Bh2hxelKaapQLHX7m+c5EA8RaBfd9cDrbt/rcn9B4oRryEI8xm37JtTURlgyXbnqPgWW
 pcW+FsjP6r/Gd00AtKvc5T+VVnBbtz/tSKzxFYywUcztPZUrXcEe3A3ZxmukLC3XaNJ0
 i+vOkjIJqxcsPcHGyjoOFIhCDdBs4D6QSDQ9OoDz5NLeY1yT4/xwyDJPEfcRtSMDTQlS
 fQIA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20230601; t=1695319316; x=1695924116;
 h=content-transfer-encoding:mime-version:references:in-reply-to
 :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc
 :subject:date:message-id:reply-to;
 bh=V/sF+QqiplgSBso/5vnIDx564mKj+3dahN17Ytb8x4c=;
 b=HG4ujjy8nBl2ynx5uBLKVQH+cXYhqw7+OdSoyIR0sIj1geu5BBZQeaSwE9yuICD42F
 XJdsfaaGa12YI6AlFIKaQ57tNzyt2S171PVoHfqRAIO7u0fCfCeWjQHyviByPxk90SSO
 KQ8JEjKMNbh0ke90s8BIwUl4jPvYilxjw1fKNT1Hyq/sc0FD5EoPUx5ifZM0iqdLYLbg
 Qsc9laQC8FBPayYGXtPlHuuw19oAD8orK78lzhmdU2IDzvInfYOL1trYyua/jR6NtHt+
 dU7vu2oByGRCxod0sMhIpD2e1lLJ2ks1HF0Q1+oH0J1tQ4ghKt14NBID3uFgjEsFFIgF
 qw+A==
X-Gm-Message-State: AOJu0Yw3KMDVAcCN1vbj56E8xYVKNocA90AcUodJjRHsKHs9Q8eomMCO
 RPFQsM0/2x2LAMSbQVOc7ezgso5Pl1O5
X-Google-Smtp-Source: AGHT+IFYH/I9kqNhfmStNK/TQjvWgoMG9nLTrTw4wEL3FMorBwBtH3/8wSbZzWlFfAXyGMUCUPjboA==
X-Received: by 2002:a05:6a00:2d08:b0:68e:2cc4:c720 with SMTP id
 fa8-20020a056a002d0800b0068e2cc4c720mr6153219pfb.12.1695303447480;
 Thu, 21 Sep 2023 06:37:27 -0700 (PDT)
Received: from piliu.users.ipa.redhat.com ([43.228.180.230])
 by smtp.gmail.com with ESMTPSA id
 d24-20020aa78158000000b00690188b124esm1389785pfn.174.2023.09.21.06.37.23
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Thu, 21 Sep 2023 06:37:26 -0700 (PDT)
From: Pingfan Liu <kernelfans@gmail.com>
To: linux-arm-kernel@lists.infradead.org, linux-efi@vger.kernel.org,
 kexec@lists.infradead.org
Cc: Pingfan Liu <piliu@redhat.com>, "Jan Hendrik Farr" <kernel@jfarr.cc>,
 "Baoquan He" <bhe@redhat.com>, "Dave Young" <dyoung@redhat.com>,
 "Philipp Rudo" <prudo@redhat.com>, Ard Biesheuvel <ardb@kernel.org>,
 Mark Rutland <mark.rutland@arm.com>,
 Catalin Marinas <catalin.marinas@arm.com>, Will Deacon <will@kernel.org>
Subject: [PATCH 1/2] zboot: Signing the payload
Date: Thu, 21 Sep 2023 21:37:02 +0800
Message-Id: <20230921133703.39042-2-kernelfans@gmail.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20230921133703.39042-1-kernelfans@gmail.com>
References: <20230921133703.39042-1-kernelfans@gmail.com>
MIME-Version: 1.0
Precedence: bulk
List-ID: <linux-efi.vger.kernel.org>
X-Mailing-List: linux-efi@vger.kernel.org

From: Pingfan Liu <piliu@redhat.com>

Emulate the scheme of module signing to sign the zboot's payload i.e.
Image before it is compressed.

And overall, the signature on vmlinuz.efi will be used by UEFI boot
loader and the signature on Image will be used by kexec file load.

Signed-off-by: Pingfan Liu <piliu@redhat.com>
Cc: "Ard Biesheuvel <ardb@kernel.org>"
Cc: "Jan Hendrik Farr" <kernel@jfarr.cc>
Cc: "Baoquan He" <bhe@redhat.com>
Cc: "Dave Young" <dyoung@redhat.com>
Cc: "Philipp Rudo" <prudo@redhat.com>
Cc: Ard Biesheuvel <ardb@kernel.org>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Will Deacon <will@kernel.org>
To: linux-arm-kernel@lists.infradead.org
To: linux-efi@vger.kernel.org
To: kexec@lists.infradead.org
---
 drivers/firmware/efi/libstub/Makefile.zboot | 23 ++++++++++++++++++---
 1 file changed, 20 insertions(+), 3 deletions(-)

diff --git a/drivers/firmware/efi/libstub/Makefile.zboot b/drivers/firmware/efi/libstub/Makefile.zboot
index 2c489627a807..fd4305a4ebbd 100644
--- a/drivers/firmware/efi/libstub/Makefile.zboot
+++ b/drivers/firmware/efi/libstub/Makefile.zboot
@@ -4,13 +4,30 @@
 # EFI_ZBOOT_PAYLOAD, EFI_ZBOOT_BFD_TARGET, EFI_ZBOOT_MACH_TYPE and
 # EFI_ZBOOT_FORWARD_CFI
 
-quiet_cmd_copy_and_pad = PAD     $@
-      cmd_copy_and_pad = cp $< $@ && \
+
+#
+# Signing
+#
+ifeq ($(CONFIG_KEXEC_ZBOOT_SIG),y)
+ifeq ($(filter pkcs11:%, $(CONFIG_KEXEC_ZBOOT_SIG_KEY)),)
+sig-key := $(if $(wildcard $(CONFIG_KEXEC_ZBOOT_SIG_KEY)),,$(srctree)/)$(CONFIG_KEXEC_ZBOOT_SIG_KEY)
+else
+sig-key := $(CONFIG_KEXEC_ZBOOT_SIG_KEY)
+endif
+cmd_sign = scripts/sign-file $(CONFIG_KEXEC_ZBOOT_SIG_HASH) "$(sig-key)" certs/signing_key.x509 $@
+else
+      cmd_sign := :
+endif
+
+cmd_copy_and_pad = cp $< $@ && \
 			 truncate -s $(shell hexdump -s16 -n4 -e '"%u"' $<) $@
 
+quiet_cmd_copy_and_pad_sign = PAD and SIGN     $@
+      cmd_copy_and_pad_sign = $(cmd_copy_and_pad) && $(cmd_sign)
+
 # Pad the file to the size of the uncompressed image in memory, including BSS
 $(obj)/vmlinux.bin: $(obj)/$(EFI_ZBOOT_PAYLOAD) FORCE
-	$(call if_changed,copy_and_pad)
+	$(call if_changed,copy_and_pad_sign)
 
 comp-type-$(CONFIG_KERNEL_GZIP)		:= gzip
 comp-type-$(CONFIG_KERNEL_LZ4)		:= lz4

From patchwork Thu Sep 21 13:37:03 2023
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Pingfan Liu <kernelfans@gmail.com>
X-Patchwork-Id: 725442
Return-Path: <linux-efi-owner@vger.kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
 aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
 by smtp.lore.kernel.org (Postfix) with ESMTP id A5551E7109A
 for <linux-efi@archiver.kernel.org>; Thu, 21 Sep 2023 17:00:59 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
 id S229853AbjIURBD (ORCPT <rfc822;linux-efi@archiver.kernel.org>);
 Thu, 21 Sep 2023 13:01:03 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51782 "EHLO
 lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
 with ESMTP id S229864AbjIURAq (ORCPT
 <rfc822;linux-efi@vger.kernel.org>); Thu, 21 Sep 2023 13:00:46 -0400
Received: from mail-yb1-xb2a.google.com (mail-yb1-xb2a.google.com
 [IPv6:2607:f8b0:4864:20::b2a])
 by lindbergh.monkeyblade.net (Postfix) with ESMTPS id DFDF42133
 for <linux-efi@vger.kernel.org>; Thu, 21 Sep 2023 09:59:00 -0700 (PDT)
Received: by mail-yb1-xb2a.google.com with SMTP id
 3f1490d57ef6-d81d09d883dso1493901276.0
 for <linux-efi@vger.kernel.org>; Thu, 21 Sep 2023 09:59:00 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=gmail.com; s=20230601; t=1695315538; x=1695920338;
 darn=vger.kernel.org;
 h=content-transfer-encoding:mime-version:references:in-reply-to
 :message-id:date:subject:cc:to:from:from:to:cc:subject:date
 :message-id:reply-to;
 bh=+8swn7HmC4uSQV3vzfL086oj2XFrz2A4bNyoHSHM5TA=;
 b=cdCVwiulppUWIAZFe3quU9XZfaxbHOpQy77t1TYLoJY2gwdebCZqYTqT+gKQCH2CQe
 2uv7TOV5JsrhCY6D4D6uextkReDotA3QxNisT5xqsjuJa769Pyz9cCsUcO1pQq5ZZFjv
 1HDHkTJphdXUYko8bmYSJnkRhBhVsukXqG9C5+rilijQg9bhu+eUnCQ3HYlW44ffe8sm
 M2mlk2aRhgbF1PxrXAIj5dr+fvdMfVGRrcgoXuD9Qbqyq6+14di8OuIYALdQ9IgmGh2V
 dRJ0NW3rlQwcaIti2yWza9b7k5gtTzR8NLWp+jeb3PFrULCtemKWbWVnTO9Jj45+dFEu
 h+fA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20230601; t=1695315538; x=1695920338;
 h=content-transfer-encoding:mime-version:references:in-reply-to
 :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc
 :subject:date:message-id:reply-to;
 bh=+8swn7HmC4uSQV3vzfL086oj2XFrz2A4bNyoHSHM5TA=;
 b=LaCUDih0RExC3IjOt4Po1F9sRHKq9iLaPeHZaka3L58P2bptavPfNJbD62UHsI+rtr
 VYeNu0qH8msMSDQPQvR1HSB3DFWqSharYhcIbpmiSKP/FSBD8DuHJjayVbjpNcKX3Tpp
 WXOd8K1lm6T9+uMT7Djf+Ghfh0L3u0o+gRt1ceBTx0qGFa4C6sY+oYwBd0K2Hni2gdOE
 2ZvqnDRZb2dzT/9EViUqfdI58ldpAgPS1p5mpdlPRCMUV21vPL4spAQYMozoQga+Djqb
 YdpBEHJ34b5v5WR5wYBUWhrrCM1To29ZcBwDEK6cZyx3GNRZ2rIn1vSEDLlyJMuBzvPf
 y2vA==
X-Gm-Message-State: AOJu0YxOFd7BVqhAiX0tghPBKeC+zFKu0V7m1foWpb9oSMBLcRmWhJ0B
 gAqkF3suzutZd2so0thOwfS58fLTqgNe
X-Google-Smtp-Source: AGHT+IHcOZyXNwTzn1eSqLSYsQeU0FEqWAj2F9tL5lG2ChjxPYE8IDiLXGUX5rRRfibLUsqS4A7ejQ==
X-Received: by 2002:a05:6a00:311c:b0:691:da6:47a with SMTP id
 bi28-20020a056a00311c00b006910da6047amr1377959pfb.31.1695303451405;
 Thu, 21 Sep 2023 06:37:31 -0700 (PDT)
Received: from piliu.users.ipa.redhat.com ([43.228.180.230])
 by smtp.gmail.com with ESMTPSA id
 d24-20020aa78158000000b00690188b124esm1389785pfn.174.2023.09.21.06.37.27
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Thu, 21 Sep 2023 06:37:30 -0700 (PDT)
From: Pingfan Liu <kernelfans@gmail.com>
To: linux-arm-kernel@lists.infradead.org, linux-efi@vger.kernel.org,
 kexec@lists.infradead.org
Cc: Pingfan Liu <piliu@redhat.com>, "Jan Hendrik Farr" <kernel@jfarr.cc>,
 "Baoquan He" <bhe@redhat.com>, "Dave Young" <dyoung@redhat.com>,
 "Philipp Rudo" <prudo@redhat.com>, Ard Biesheuvel <ardb@kernel.org>,
 Mark Rutland <mark.rutland@arm.com>,
 Catalin Marinas <catalin.marinas@arm.com>, Will Deacon <will@kernel.org>
Subject: [PATCH 2/2] arm64: Enable signing on the kernel image loaded by kexec
 file load
Date: Thu, 21 Sep 2023 21:37:03 +0800
Message-Id: <20230921133703.39042-3-kernelfans@gmail.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20230921133703.39042-1-kernelfans@gmail.com>
References: <20230921133703.39042-1-kernelfans@gmail.com>
MIME-Version: 1.0
Precedence: bulk
List-ID: <linux-efi.vger.kernel.org>
X-Mailing-List: linux-efi@vger.kernel.org

From: Pingfan Liu <piliu@redhat.com>

Enable the signing on the kernel image if both KEXEC_SIG and EFI_ZBOOT
are configured.

Signed-off-by: Pingfan Liu <piliu@redhat.com>
Cc: "Ard Biesheuvel <ardb@kernel.org>"
Cc: "Jan Hendrik Farr" <kernel@jfarr.cc>
Cc: "Baoquan He" <bhe@redhat.com>
Cc: "Dave Young" <dyoung@redhat.com>
Cc: "Philipp Rudo" <prudo@redhat.com>
Cc: Ard Biesheuvel <ardb@kernel.org>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Will Deacon <will@kernel.org>
To: linux-arm-kernel@lists.infradead.org
To: linux-efi@vger.kernel.org
To: kexec@lists.infradead.org
---
 arch/arm64/Kconfig        |  2 ++
 kernel/Kconfig.kexec_sign | 54 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 56 insertions(+)
 create mode 100644 kernel/Kconfig.kexec_sign

diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
index a2511b30d0f6..e067864d7ea1 100644
--- a/arch/arm64/Kconfig
+++ b/arch/arm64/Kconfig
@@ -1493,6 +1493,8 @@ config KEXEC_SIG
 	  verification for the corresponding kernel image type being
 	  loaded in order for this to work.
 
+source "kernel/Kconfig.kexec_sign"
+
 config KEXEC_IMAGE_VERIFY_SIG
 	bool "Enable Image signature verification support"
 	default y
diff --git a/kernel/Kconfig.kexec_sign b/kernel/Kconfig.kexec_sign
new file mode 100644
index 000000000000..880aa9aed9a8
--- /dev/null
+++ b/kernel/Kconfig.kexec_sign
@@ -0,0 +1,54 @@
+
+menu "Sign the kernel Image"
+	depends on KEXEC_SIG && EFI_ZBOOT
+
+config KEXEC_ZBOOT_SIG_KEY
+	string "File name or PKCS#11 URI of Image signing key"
+	default "certs/signing_key.pem"
+	help
+         Provide the file name of a private key/certificate in PEM format,
+         or a PKCS#11 URI according to RFC7512. The file should contain, or
+         the URI should identify, both the certificate and its corresponding
+         private key.
+
+         If this option is unchanged from its default "certs/signing_key.pem",
+         then the kernel will automatically generate the private key and
+         certificate as described in Documentation/admin-guide/module-signing.rst
+
+
+choice
+	prompt "Which hash algorithm should Image be signed with?"
+	help
+	  This determines which sort of hashing algorithm will be used during
+	  signature generation.
+
+config IMAGE_SIG_SHA1
+	bool "Sign Image with SHA-1"
+	select CRYPTO_SHA1
+
+config IMAGE_SIG_SHA224
+	bool "Sign Image with SHA-224"
+	select CRYPTO_SHA256
+
+config IMAGE_SIG_SHA256
+	bool "Sign Image with SHA-256"
+	select CRYPTO_SHA256
+
+config IMAGE_SIG_SHA384
+	bool "Sign Image with SHA-384"
+	select CRYPTO_SHA512
+
+config IMAGE_SIG_SHA512
+	bool "Sign Image with SHA-512"
+	select CRYPTO_SHA512
+
+endchoice
+
+config IMAGE_SIG_HASH
+	string
+	default "sha1" if IMAGE_SIG_SHA1
+	default "sha224" if IMAGE_SIG_SHA224
+	default "sha256" if IMAGE_SIG_SHA256
+	default "sha384" if IMAGE_SIG_SHA384
+	default "sha512" if IMAGE_SIG_SHA512
+endmenu