Fix for secure boot rules in IMA arch policy on powerpc

Bug #1877955 reported by bugproxy on 2020-05-11
Affects                            Status                    Importance   Assigned to                              Milestone
The Ubuntu-power-systems project                             Medium       Canonical Kernel Team
linux (Ubuntu)                     Status tracked in Groovy
  Focal                                                      Undecided    Unassigned
  Groovy                                                     Undecided    Ubuntu on IBM Power Systems Bug Triage

Bug Description

SRU Justification:
==================

[Impact]

* Currently the kernel module appended signature is verified twice (finit_module) - once by the module_sig_check() and again by IMA.

* To prevent this the powerpc secure boot rules define an IMA architecture specific policy rule only if CONFIG_MODULE_SIG_FORCE is not enabled.

* But this doesn't take into account the ability to enable "sig_enforce" on the boot command line (module.sig_enforce=1).

* Including the IMA module appraise rule results in failing the finit_module syscall, unless the module signing public key is loaded onto the IMA keyring.

* This patch fixes secure boot policy rules to be based on CONFIG_MODULE_SIG instead.

[Fix]

* fa4f3f56ccd28ac031ab275e673ed4098855fed4 fa4f3f56ccd2 "powerpc/ima: Fix secure boot rules in ima arch policy"

[Test Case]

* Perform a secure boot on a powerpc system with 'module.sig_enforce=1' set on the boot command line.

* If the IMA module appraise rule is included, the finit_module syscall will fail (unless the module signing public key got loaded onto the IMA keyring) without having the patch in place.

* The verification needs to be done by the IBM Power team.

[Regression Potential]

* There is (always) a certain regression risk with having code changes, especially in the secure boot area.

* But this patch is limited to the powerpc platform and will not affect any other architecture.

* It got discussed at https://<email address hidden>
  before it was finally accepted upstream with kernel 5.7-rc7.

* The secure boot code itself wasn't really touched, rather its basis for execution.
  The IMA policy rule for module appraisal is now added only if 'CONFIG_MODULE_SIG' is not enabled (instead of CONFIG_MODULE_SIG_FORCE).
  Hence the change is very limited and straightforward.

[Other]

* Since the patch got upstream with 5.7-rc7, it is already in groovy, hence this SRU is for focal only.
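The rule selection described in the [Impact] and [Regression Potential] bullets, as an added example that is not the kernel's or the patch's code: a small model of the guard around the MODULE_CHECK appraise rule before and after the fix, evaluated for the focal setup reported later in this thread (CONFIG_MODULE_SIG=y, CONFIG_MODULE_SIG_FORCE unset, module.sig_enforce=1 at boot). The struct and function names are assumptions for illustration.

```c
/* Added example, not the kernel's code: models how powerpc's IMA arch policy
 * decides whether to add the MODULE_CHECK appraise rule before and after
 * commit fa4f3f56ccd2, and what that means for finit_module(). The struct
 * and function names are assumptions for illustration, not kernel symbols. */
#include <stdbool.h>
#include <stdio.h>

struct kcfg {
    bool module_sig;            /* CONFIG_MODULE_SIG=y */
    bool module_sig_force;      /* CONFIG_MODULE_SIG_FORCE=y */
    bool sig_enforce_cmdline;   /* module.sig_enforce=1 on the boot command line */
    bool modkey_on_ima_keyring; /* module signing public key loaded onto .ima */
};

/* module_sig_check() rejects unsigned modules if either the build-time FORCE
 * option or the boot parameter is set; the old policy only looked at FORCE. */
static bool module_sig_enforced(const struct kcfg *c)
{
    return c->module_sig && (c->module_sig_force || c->sig_enforce_cmdline);
}

/* Is "appraise func=MODULE_CHECK appraise_type=imasig|modsig" in the secure
 * boot rules? Old guard: #ifndef CONFIG_MODULE_SIG_FORCE; fixed guard:
 * #ifndef CONFIG_MODULE_SIG. */
static bool ima_module_appraise_rule(const struct kcfg *c, bool fixed)
{
    return fixed ? !c->module_sig : !c->module_sig_force;
}

enum finit_result { FINIT_OK, FINIT_VERIFIED_TWICE, FINIT_FAILS };

/* Outcome of finit_module() for a module with a valid appended signature,
 * following the bug's [Impact] description. */
static enum finit_result finit_module_result(const struct kcfg *c, bool fixed)
{
    if (!ima_module_appraise_rule(c, fixed))
        return FINIT_OK;            /* only module_sig_check() runs */
    if (!c->modkey_on_ima_keyring)
        return FINIT_FAILS;         /* IMA appraisal has no key for the signature */
    return c->module_sig ? FINIT_VERIFIED_TWICE : FINIT_OK;
}

/* The focal setup from this bug: MODULE_SIG=y, FORCE unset, module.sig_enforce=1
 * at boot, module signing key not on the IMA keyring. */
static const struct kcfg focal_sig_enforce = { true, false, true, false };

int main(void)
{
    const struct kcfg *c = &focal_sig_enforce;
    printf("module signatures enforced: %d\n", module_sig_enforced(c));
    for (int fixed = 0; fixed <= 1; fixed++)
        printf("%s policy: ima rule=%d finit_module result=%d\n",
               fixed ? "fixed" : "old", ima_module_appraise_rule(c, fixed),
               finit_module_result(c, fixed));
    return 0;
}
```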
__________

== Comment: #0 - Michael Ranweiler <email address hidden> - 2020-04-22 14:44:31 ==
+++ This bug was initially created as a clone of Bug #184073 +++

This bug is a follow-on to LP 1866909 to address a missing piece - only half of the following patch was included in 5.4.0-24.28.

The upstream patch has an additional fix but it's not critical for GA. It can get included as part of bug fixes. It also affects only power. The patch ("powerpc/ima: fix secure boot rules in ima arch policy") is posted to the linux-integrity and linuxppc-dev mailing lists (https://lore.kernel<email address hidden>/T/#u)

If there are any issues identified during further testing, they will get opened as separate issues to be addressed later.

Thanks & Regards,
   - Nayna

== Comment: #4 - Michael Ranweiler <email address hidden> - 2020-05-11 02:23:35 ==
Updated posting:

https://lore.kernel<email address hidden>/T/#u

bugproxy (bugproxy) on 2020-05-11
tags: added: architecture-ppc64le bugnameltc-185515 severity-medium targetmilestone-inin2004
Changed in ubuntu:
assignee: nobody → Ubuntu on IBM Power Systems Bug Triage (ubuntu-power-triage)
affects: ubuntu → linux (Ubuntu)
Changed in ubuntu-power-systems:
importance: Undecided → Medium
assignee: nobody → Canonical Kernel Team (canonical-kernel-team)
Frank Heimes (fheimes) wrote :

Thx for creating this separate bug.
I just need to set it to Incomplete until the patch has been accepted upstream and is available for example from 'linux-next' (which is not yet the case, but probably soon).
In preparation for the SRU process I changed the bug title.

summary: - Followon for Ubuntu Kernel Support for OpenPOWER NV Secure & Trusted
- Boot
+ Fix for secure boot rules in IMA arch policy on powerpc
Changed in linux (Ubuntu):
status: New → Incomplete
Changed in ubuntu-power-systems:
status: New → Incomplete
Frank Heimes (fheimes) wrote :

I had another look at the entire thread at lore.kernel.org:
https://lore.kernel<email address hidden>/T/#u
and think patch
"powerpc/ima: Fix secure boot rules in ima arch policy"
is the one that fixes 'powerpc/ima: fix secure boot rules in ima arch policy'.

I looked it up in linux-next and found it:
$ git log --oneline --grep "powerpc/ima: Fix secure boot rules in ima arch policy"
fa4f3f56ccd2 powerpc/ima: Fix secure boot rules in ima arch policy
$ git tag --contains fa4f3f56ccd2
next-20200514
next-20200515
next-20200518
next-20200526
v5.7-rc6
v5.7-rc7
So, looks like it got recently upstream accepted.

If you can confirm that fa4f3f56ccd2 "powerpc/ima: Fix secure boot rules in ima arch policy" is the correct patch that needs to be SRUed, I'll submit it for the next SRU cycle (with the last date for commits being June 3rd).

Frank Heimes (fheimes) on 2020-05-29
description: updated
description: updated
Frank Heimes (fheimes) on 2020-05-29
description: updated
Changed in linux (Ubuntu):
status: Incomplete → Triaged
Changed in ubuntu-power-systems:
status: Incomplete → Triaged

------- Comment From <email address hidden> 2020-05-29 13:23 EDT-------
Yes this is the right patch.

What is SRU ?

Thanks & Regards,
- Nayna

Frank Heimes (fheimes) wrote :

SRU stands for "Stable Release Update" and describes the process that is needed to get a patch (or patches) to fix critical issues into components that are part of an Ubuntu version that is already released (post GA).

The process for packages (https://wiki.ubuntu.com/StableReleaseUpdates) is slightly different compared to the SRU process for the kernel: https://wiki.ubuntu.com/KernelTeam/KernelUpdates

But there is also such a 'stable release update' process in use upstream at kernel.org.

Frank Heimes (fheimes) wrote :

Kernel SRU request submitted:
https://lists.ubuntu.com/archives/kernel-team/2020-May/thread.html#110532
Updating status to 'In Progress'.

Changed in linux (Ubuntu):
status: Triaged → In Progress
Changed in ubuntu-power-systems:
status: Triaged → In Progress
bugproxy (bugproxy) wrote :

------- Comment From <email address hidden> 2020-05-29 14:23 EDT-------
Thanks for the explanation.

Thanks & Regards,
- Nayna

bugproxy (bugproxy) wrote :

------- Comment From <email address hidden> 2020-05-29 14:30 EDT-------
Thanks !!

Thanks & Regards,
- Nayna

Frank Heimes (fheimes) on 2020-06-03
Changed in linux (Ubuntu Focal):
status: New → In Progress
Changed in linux (Ubuntu Focal):
status: In Progress → Fix Committed
Frank Heimes (fheimes) on 2020-06-05
Changed in ubuntu-power-systems:
status: In Progress → Fix Committed

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-focal' to 'verification-done-focal'. If the problem still exists, change the tag 'verification-needed-focal' to 'verification-failed-focal'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-focal
bugproxy (bugproxy) wrote :

------- Comment From <email address hidden> 2020-06-15 13:48 EDT-------
Would start to test it today.

Thanks & Regards,
- Nayna

bugproxy (bugproxy) wrote :

------- Comment From <email address hidden> 2020-06-16 13:03 EDT-------
Hi,

I followed the steps from link - https://wiki.ubuntu.com/Testing/EnableProposed

And have installed kernel:
5.4.0-38-generic for testing.

I am looking now for the key. I am not able to find one in this link - https://launchpad.net/~canonical-kernel-team/+archive/ubuntu/proposed

Can you please share with me the gzip of the key.

Thanks & Regards,
- Nayna

Frank Heimes (fheimes) wrote :

Hi, since 'proposed' belongs to the official archives (archive.ubuntu.com/ubuntu) and packages from proposed are just located in a special area there (we call it the proposed 'pocket'), kernels and other packages from there that are signed are signed with the standard and common key.
Only a signed kernel that comes from a non-standard archive (like a PPA) is signed with a different key, and hence requires an additional key file.

bugproxy (bugproxy) wrote :

------- Comment From <email address hidden> 2020-06-16 17:36 EDT-------
Thanks. I have PPA keys as those versions we tested last time.
I do not have common or standard key. Can you please share the tar or path for that ?

Thanks & Regards,
- Nayna

Dimitri John Ledkov (xnox) wrote :

Hi,

Each signed object is published in the repository under /$suite/main/signed/$src-$arch. I.e. the linux in focal proposed signed artefacts can be found at:

http://ports.ubuntu.com/dists/focal-proposed/main/signed/linux-ppc64el/

I.e. http://ports.ubuntu.com/dists/focal-proposed/main/signed/linux-ppc64el/5.4.0-38.42/signed.tar.gz

inside that tarball, there should be $version/control/opal.x509 public certificate that is used for signing.

bugproxy (bugproxy) wrote :

------- Comment From <email address hidden> 2020-06-16 17:51 EDT-------
To be specific.
sudo apt-key list

shows:

ubuntu@ltc-wspoon13:/$ apt-key list
/etc/apt/trusted.gpg.d/canonical-kernel-team_ubuntu_bootstrap.gpg
-----------------------------------------------------------------
pub rsa1024 2010-12-01 [SC]
110E 21D8 B0E2 A1F0 243A F682 0856 F197 B892 ACEA
uid [ unknown] Launchpad PPA for Canonical Kernel Team
/etc/apt/trusted.gpg.d/sforshee_ubuntu_lp1866909.gpg
----------------------------------------------------
pub rsa1024 2011-10-06 [SC]
6B5B 9C22 2E05 413A F654 1676 1212 D9F6 559B 2FA8
uid [ unknown] Launchpad PPA for Seth Forshee
/etc/apt/trusted.gpg.d/ubuntu-keyring-2012-archive.gpg
------------------------------------------------------
pub rsa4096 2012-05-11 [SC]
790B C727 7767 219C 42C8 6F93 3B4F E6AC C0B2 1F32
uid [ unknown] Ubuntu Archive Automatic Signing Key (2012) <email address hidden>
/etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg
------------------------------------------------------
pub rsa4096 2012-05-11 [SC]
8439 38DF 228D 22F7 B374 2BC0 D94A A3F0 EFE2 1092
uid [ unknown] Ubuntu CD Image Automatic Signing Key (2012) <email address hidden>
/etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg
------------------------------------------------------
pub rsa4096 2018-09-17 [SC]
F6EC B376 2474 EDA9 D21B 7022 8719 20D1 991B C93C
uid [ unknown] Ubuntu Archive Automatic Signing Key (2018) <email address hidden>

I need OPAL signing key as in path - ppa.launchpad.net/sforshee/lp1866909/ubuntu/dists/focal/main/signed/linux-ppc64el/current/signed.tar.gz

If you extract this, there is one opal.x509 which is used to sign the kernel. This one is for the PPA kernel if I am not missing something. And that is the key I need for proposed. So, if you can share the common or standard OPAL signing key which I can use for proposed, it would be helpful.

Thanks & Regards,
- Nayna

Frank Heimes (fheimes) wrote :

So in general the key should be part of the firmware, in case of a standard IBM Power system that is shipped to customers with secureboot support.
A kernel from proposed is part of the official Ubuntu archive and with that signed with the standard production key. But that might be different in case a development system is in use or so ...

Anyway, the key can also be found at the Ubuntu archive pages:
here:
http://ports.ubuntu.com/ubuntu-ports/dists/focal/main/signed/linux-ppc64el/
http://ports.ubuntu.com/ubuntu-ports/dists/focal/main/signed/linux-ppc64el/current/signed.tar.gz
or the link for proposed:
http://ports.ubuntu.com/ubuntu-ports/dists/focal-proposed/main/signed/linux-ppc64el/
http://ports.ubuntu.com/ubuntu-ports/dists/focal-proposed/main/signed/linux-ppc64el/current/signed.tar.gz

bugproxy (bugproxy) wrote :

------- Comment From <email address hidden> 2020-06-17 11:42 EDT-------
Thanks !! This is exactly what I needed.

I am now able to boot the signed kernel both in "secure and trusted enabled" and "only secure enabled" case. The earlier patch was missing the fix for "only secure enabled" case. This patch took care of both.

It works fine and here are the test results:

1. Kernel booted fine both with secure boot enabled/disabled and only "secure boot" enabled.

2. With trusted boot disabled, here are the IMA rules:

ubuntu@ltc-wspoon13:~$ ls /proc/device-tree/ibm,secureboot/
compatible hw-key-hash hw-key-hash-size ibm,cvc name os-secureboot-enforcing phandle secure-enabled
ubuntu@ltc-wspoon13:~$ sudo cat /sys/kernel/security/ima/policy
appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig appraise_flag=check_blacklist

3. With both secure and trusted boot enabled, here is how the IMA rules look:

ubuntu@ltc-wspoon13:~$ ls /proc/device-tree/ibm,secureboot/
compatible hw-key-hash hw-key-hash-size ibm,cvc name os-secureboot-enforcing phandle secure-enabled trusted-enabled
ubuntu@ltc-wspoon13:~$ sudo cat /sys/kernel/security/ima/policy
[sudo] password for ubuntu:
measure func=KEXEC_KERNEL_CHECK template=ima-modsig
measure func=MODULE_CHECK template=ima-modsig
appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig appraise_flag=check_blacklist

And the config file has CONFIG_MODULE_SIG enabled, on which the powerpc IMA arch policy #ifdefs depend.
ubuntu@ltc-wspoon13:~$ grep -i MODULE_SIG /boot/config-5.4.0-38-generic
CONFIG_MODULE_SIG_FORMAT=y
CONFIG_MODULE_SIG=y
# CONFIG_MODULE_SIG_FORCE is not set
CONFIG_MODULE_SIG_ALL=y
# CONFIG_MODULE_SIG_SHA1 is not set
# CONFIG_MODULE_SIG_SHA224 is not set
# CONFIG_MODULE_SIG_SHA256 is not set
# CONFIG_MODULE_SIG_SHA384 is not set
CONFIG_MODULE_SIG_SHA512=y
CONFIG_MODULE_SIG_HASH="sha512"
CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"

Thanks & Regards,
- Nayna

tags: added: verification-done-focal
removed: verification-needed-focal
Frank Heimes (fheimes) wrote :

Great, many thx for the verification!

All autopkgtests for the newly accepted linux-oracle-5.4 (5.4.0-1019.19~18.04.1) for bionic have finished running.
The following regressions have been reported in tests triggered by the package:

zfs-linux/unknown (armhf)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/bionic/update_excuses.html#linux-oracle-5.4

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 5.4.0-40.44

---------------
linux (5.4.0-40.44) focal; urgency=medium

  * linux-oem-5.6-tools-common and -tools-host should be dropped (LP: #1881120)
    - [Packaging] Add Conflicts/Replaces to remove linux-oem-5.6-tools-common and
      -tools-host

  * Packaging resync (LP: #1786013)
    - [Packaging] update helper scripts

  * Slow send speed with Intel I219-V on Ubuntu 18.04.1 (LP: #1802691)
    - e1000e: Disable TSO for buffer overrun workaround

  * CVE-2020-0543
    - UBUNTU/SAUCE: x86/speculation/srbds: do not try to turn mitigation off when
      not supported

  * Realtek 8723DE [10ec:d723] subsystem [10ec:d738] disconnects unsolicitedly
    when Bluetooth is paired: Reason: 23=IEEE8021X_FAILED (LP: #1878147)
    - SAUCE: Revert "UBUNTU: SAUCE: rtw88: Move driver IQK to set channel before
      association for 11N chip"
    - SAUCE: Revert "UBUNTU: SAUCE: rtw88: fix rate for a while after being
      connected"
    - SAUCE: Revert "UBUNTU: SAUCE: rtw88: No retry and report for auth and assoc"
    - SAUCE: Revert "UBUNTU: SAUCE: rtw88: 8723d: Add coex support"
    - rtw88: add a debugfs entry to dump coex's info
    - rtw88: add a debugfs entry to enable/disable coex mechanism
    - rtw88: 8723d: Add coex support
    - SAUCE: rtw88: coex: 8723d: set antanna control owner
    - SAUCE: rtw88: coex: 8723d: handle BT inquiry cases
    - SAUCE: rtw88: fix EAPOL 4-way failure by finish IQK earlier

  * CPU stress test fails with focal kernel (LP: #1867900)
    - [Config] Disable hisi_sec2 temporarily

  * Enforce all config annotations (LP: #1879327)
    - [Config]: do not enforce CONFIG_VERSION_SIGNATURE
    - [Config]: prepare to enforce all
    - [Config]: enforce all config options

  * Focal update: v5.4.44 upstream stable release (LP: #1881927)
    - ax25: fix setsockopt(SO_BINDTODEVICE)
    - dpaa_eth: fix usage as DSA master, try 3
    - net: don't return invalid table id error when we fall back to PF_UNSPEC
    - net: dsa: mt7530: fix roaming from DSA user ports
    - net: ethernet: ti: cpsw: fix ASSERT_RTNL() warning during suspend
    - __netif_receive_skb_core: pass skb by reference
    - net: inet_csk: Fix so_reuseport bind-address cache in tb->fast*
    - net: ipip: fix wrong address family in init error path
    - net/mlx5: Add command entry handling completion
    - net: mvpp2: fix RX hashing for non-10G ports
    - net: nlmsg_cancel() if put fails for nhmsg
    - net: qrtr: Fix passing invalid reference to qrtr_local_enqueue()
    - net: revert "net: get rid of an signed integer overflow in
      ip_idents_reserve()"
    - net sched: fix reporting the first-time use timestamp
    - net/tls: fix race condition causing kernel panic
    - nexthop: Fix attribute checking for groups
    - r8152: support additional Microsoft Surface Ethernet Adapter variant
    - sctp: Don't add the shutdown timer if its already been added
    - sctp: Start shutdown on association restart if in SHUTDOWN-SENT state and
      socket is closed
    - tipc: block BH before using dst_cache
    - net/mlx5e: kTLS, Destroy key object after destroying the TIS
    - net/mlx5e: Fix inner tirs handling
    - net/m...

Changed in linux (Ubuntu Focal):
status: Fix Committed → Fix Released