Ubuntu
linux package

Bug #1735977
Comment #0

Comment 0 for bug 1735977

Revision history for this message

rppt (mike-rapoport) wrote on 2017-12-03:

I'm trying to enable IMA appraisal with signatures for executable files on xenial with Linux 4.4. I took the following steps:
* Downloaded ubuntu-xenial kernel sources
* Run fakeroot debian/rules editconfigs to set CONFIG_SYSTEM_TRUSTED_KEYS to my key
* Run fakeroot debian/rules binary-headers binary-generic binary-perarch to build the kernel deb packaes
* Installed the kernel
* Signed the filesystem with my key using 'evmctl sing'
* Enabled IMA policy so that it will include the following line
appraise fowner=0 appraise_type=imasig
* From this point invocation of a signed binary cases a kernel BUG():

[ 1395.036910] kernel BUG at /home/rapoport/git/ubuntu-xenial/crypto/asymmetric_keys/public_key.c:80!
[ 1395.038963] invalid opcode: 0000 [#1] SMP
[ 1395.039973] Modules linked in: isofs ppdev kvm_intel kvm irqbypass joydev input_leds serio_raw parport_pc parport ib_iser rdma_cm iw_cm ib_cm ib_sa ib_mad ib_core ib_addr iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi autofs4 btrfs raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear crct10dif_pclmul crc32_pclmul ghash_clmulni_intel aesni_intel aes_x86_64 lrw gf128mul glue_helper ablk_helper psmouse cryptd floppy
[ 1395.050761] CPU: 6 PID: 31586 Comm: bash Not tainted 4.4.0-101-generic #124
[ 1395.051909] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[ 1395.053510] task: ffff8800bae9c600 ti: ffff88042c52c000 task.ti: ffff88042c52c000
[ 1395.054763] RIP: 0010:[<ffffffff813bdb76>] [<ffffffff813bdb76>] public_key_verify_signature+0x46/0x50
[ 1395.056406] RSP: 0018:ffff88042c52fa98 EFLAGS: 00010246
[ 1395.057307] RAX: ffffffff813bdb80 RBX: 00000000fffffff4 RCX: 0000000000000001
[ 1395.058518] RDX: ffffffff81ea73c0 RSI: ffff88042c52fac8 RDI: ffff88042a107c10
[ 1395.059709] RBP: ffff88042c52faa0 R08: ffff88042a849100 R09: 0000000000000007
[ 1395.061109] R10: ffff88042a0f9d00 R11: ffff88042c52fb07 R12: 0000000000000080
[ 1395.062289] R13: ffff88042abd9a80 R14: 0000000000000014 R15: ffff88042a849ac4
[ 1395.063404] FS: 00007f5e21958700(0000) GS:ffff88043fd80000(0000) knlGS:0000000000000000
[ 1395.064771] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1395.065809] CR2: 00007f5e20f5c3cc CR3: 000000042cabc000 CR4: 00000000000406e0
[ 1395.067058] Stack:
[ 1395.067540] ffffffff813bdb95 ffff88042c52fab0 ffffffff813bdaec ffff88042c52fb38
[ 1395.068964] ffffffff813a759e ffff88042c52fac8 0000000000000000 0000000000000000
[ 1395.070417] ffff88042a849ac4 0000000002000114 ffff88042a849100 0000000000000000
[ 1395.071973] Call Trace:
[ 1395.072510] [<ffffffff813bdb95>] ? public_key_verify_signature_2+0x15/0x20
[ 1395.073605] [<ffffffff813bdaec>] verify_signature+0x3c/0x50
[ 1395.074526] [<ffffffff813a759e>] asymmetric_verify+0x17e/0x2a0
[ 1395.075475] [<ffffffff813a7380>] integrity_digsig_verify+0x70/0x110
[ 1395.076481] [<ffffffff813ab424>] ima_appraise_measurement+0x244/0x420
[ 1395.077518] [<ffffffff813a83fa>] process_measurement+0x3fa/0x480
[ 1395.078479] [<ffffffff813a8498>] ima_file_check+0x18/0x20
[ 1395.079381] [<ffffffff8121f0f3>] path_openat+0x1f3/0x1330
[ 1395.080274] [<ffffffff811ef49b>] ? __slab_free+0xcb/0x2c0
[ 1395.081165] [<ffffffff81221421>] do_filp_open+0x91/0x100
[ 1395.082050] [<ffffffff813933df>] ? apparmor_cred_prepare+0x2f/0x50
[ 1395.083046] [<ffffffff8134b483>] ? security_prepare_creds+0x43/0x60
[ 1395.084056] [<ffffffff81216148>] do_open_execat+0x78/0x1d0
[ 1395.084952] [<ffffffff812181b0>] do_execveat_common.isra.33+0x240/0x760
[ 1395.086016] [<ffffffff8121892a>] SyS_execve+0x3a/0x50
[ 1395.086877] [<ffffffff81844a95>] stub_execve+0x5/0x5
[ 1395.087711] [<ffffffff818447f2>] ? entry_SYSCALL_64_fastpath+0x16/0x71
[ 1395.088746] Code: 2a 0f b6 57 0c b8 bf ff ff ff 80 fa 01 77 14 48 8b 14 d5 b0 05 a5 81 48 85 d2 74 07 55 48 89 e5 ff d2 5d f3 c3 0f 0b 0f 0b 0f 0b <0f> 0b 0f 1f 84 00 00 00 00 00 66 66 66 66 90 55 48 8b bf a0 00
[ 1395.093215] RIP [<ffffffff813bdb76>] public_key_verify_signature+0x46/0x50
[ 1395.094322] RSP <ffff88042c52fa98>
[ 1395.095364] ---[ end trace 7ee330317745ad36 ]---

I did some checks and it appears that upstream commit db6c43bd2132 ("crypto: KEYS: convert public key and digsig asym to the akcipher api") has changed public keys APIs, but the IMA usage of that API was fixed only by commit eb5798f2e28f ("integrity: convert digsig to akcipher api")

I'm trying to enable IMA appraisal with signatures for executable files on xenial with Linux 4.4. I took the following steps:
* Downloaded ubuntu-xenial kernel sources
* Run fakeroot debian/rules editconfigs to set CONFIG_SYSTEM_TRUSTED_KEYS to my key
* Run fakeroot debian/rules binary-headers binary-generic binary-perarch to build the kernel deb packaes
* Installed the kernel
* Signed the filesystem with my key using 'evmctl sing'
* Enabled IMA policy so that it will include the following line
  appraise fowner=0 appraise_type=imasig
* From this point invocation of a signed binary cases a kernel BUG():

[ 1395.036910] kernel BUG at /home/rapoport/git/ubuntu-xenial/crypto/asymmetric_keys/public_key.c:80!
[ 1395.038963] invalid opcode: 0000 [#1] SMP 
[ 1395.039973] Modules linked in: isofs ppdev kvm_intel kvm irqbypass joydev input_leds serio_raw parport_pc parport ib_iser rdma_cm iw_cm ib_cm ib_sa ib_mad ib_core ib_addr iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi autofs4 btrfs raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear crct10dif_pclmul crc32_pclmul ghash_clmulni_intel aesni_intel aes_x86_64 lrw gf128mul glue_helper ablk_helper psmouse cryptd floppy
[ 1395.050761] CPU: 6 PID: 31586 Comm: bash Not tainted 4.4.0-101-generic #124
[ 1395.051909] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[ 1395.053510] task: ffff8800bae9c600 ti: ffff88042c52c000 task.ti: ffff88042c52c000
[ 1395.054763] RIP: 0010:[<ffffffff813bdb76>]  [<ffffffff813bdb76>] public_key_verify_signature+0x46/0x50
[ 1395.056406] RSP: 0018:ffff88042c52fa98  EFLAGS: 00010246
[ 1395.057307] RAX: ffffffff813bdb80 RBX: 00000000fffffff4 RCX: 0000000000000001
[ 1395.058518] RDX: ffffffff81ea73c0 RSI: ffff88042c52fac8 RDI: ffff88042a107c10
[ 1395.059709] RBP: ffff88042c52faa0 R08: ffff88042a849100 R09: 0000000000000007
[ 1395.061109] R10: ffff88042a0f9d00 R11: ffff88042c52fb07 R12: 0000000000000080
[ 1395.062289] R13: ffff88042abd9a80 R14: 0000000000000014 R15: ffff88042a849ac4
[ 1395.063404] FS:  00007f5e21958700(0000) GS:ffff88043fd80000(0000) knlGS:0000000000000000
[ 1395.064771] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1395.065809] CR2: 00007f5e20f5c3cc CR3: 000000042cabc000 CR4: 00000000000406e0
[ 1395.067058] Stack:
[ 1395.067540]  ffffffff813bdb95 ffff88042c52fab0 ffffffff813bdaec ffff88042c52fb38
[ 1395.068964]  ffffffff813a759e ffff88042c52fac8 0000000000000000 0000000000000000
[ 1395.070417]  ffff88042a849ac4 0000000002000114 ffff88042a849100 0000000000000000
[ 1395.071973] Call Trace:
[ 1395.072510]  [<ffffffff813bdb95>] ? public_key_verify_signature_2+0x15/0x20
[ 1395.073605]  [<ffffffff813bdaec>] verify_signature+0x3c/0x50
[ 1395.074526]  [<ffffffff813a759e>] asymmetric_verify+0x17e/0x2a0
[ 1395.075475]  [<ffffffff813a7380>] integrity_digsig_verify+0x70/0x110
[ 1395.076481]  [<ffffffff813ab424>] ima_appraise_measurement+0x244/0x420
[ 1395.077518]  [<ffffffff813a83fa>] process_measurement+0x3fa/0x480
[ 1395.078479]  [<ffffffff813a8498>] ima_file_check+0x18/0x20
[ 1395.079381]  [<ffffffff8121f0f3>] path_openat+0x1f3/0x1330
[ 1395.080274]  [<ffffffff811ef49b>] ? __slab_free+0xcb/0x2c0
[ 1395.081165]  [<ffffffff81221421>] do_filp_open+0x91/0x100
[ 1395.082050]  [<ffffffff813933df>] ? apparmor_cred_prepare+0x2f/0x50
[ 1395.083046]  [<ffffffff8134b483>] ? security_prepare_creds+0x43/0x60
[ 1395.084056]  [<ffffffff81216148>] do_open_execat+0x78/0x1d0
[ 1395.084952]  [<ffffffff812181b0>] do_execveat_common.isra.33+0x240/0x760
[ 1395.086016]  [<ffffffff8121892a>] SyS_execve+0x3a/0x50
[ 1395.086877]  [<ffffffff81844a95>] stub_execve+0x5/0x5
[ 1395.087711]  [<ffffffff818447f2>] ? entry_SYSCALL_64_fastpath+0x16/0x71
[ 1395.088746] Code: 2a 0f b6 57 0c b8 bf ff ff ff 80 fa 01 77 14 48 8b 14 d5 b0 05 a5 81 48 85 d2 74 07 55 48 89 e5 ff d2 5d f3 c3 0f 0b 0f 0b 0f 0b <0f> 0b 0f 1f 84 00 00 00 00 00 66 66 66 66 90 55 48 8b bf a0 00 
[ 1395.093215] RIP  [<ffffffff813bdb76>] public_key_verify_signature+0x46/0x50
[ 1395.094322]  RSP <ffff88042c52fa98>
[ 1395.095364] ---[ end trace 7ee330317745ad36 ]---

Ubuntulinux package

Comment 0 for bug 1735977

Ubuntu
linux package