Comment 33 for bug 1866909

bugproxy (bugproxy) wrote : Comment bridged from LTC Bugzilla

------- Comment From <email address hidden> 2020-04-06 11:23 EDT-------
Tested the updated ppa kernel.

Everything looks good and here are the test results:

secure boot is enabled as seen by device-tree entry "os-secureboot-enforcing"
ubuntu@ltc-wspoon13:~$ ls /proc/device-tree/ibm,secureboot/
compatible ibm,cvc phandle
hw-key-hash name secure-enabled
hw-key-hash-size os-secureboot-enforcing trusted-enabled

IMA policies are as below. It doesn't have MODULE_CHECK enabled now.
root@ltc-wspoon13:/home/ubuntu# cat /sys/kernel/security/ima/policy
measure func=KEXEC_KERNEL_CHECK template=ima-modsig
measure func=MODULE_CHECK template=ima-modsig
appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig appraise_flag=check_blacklist

Platform keyring is loaded with db keys:
root@ltc-wspoon13:/home/ubuntu# keyctl show %keyring:.platform
Keyring
1002253804 ---lswrv 0 0 keyring: .platform
900087744 ---lswrv 0 0 \_ asymmetric: PPA sforshee lp1866909 Opal: d9be99d351bd1a2bdef604427612399dc47cb452

Build time generated key used for signing modules is:
root@ltc-wspoon13:/home/ubuntu# keyctl show %keyring:.builtin_trusted_keys
Keyring
929665685 ---lswrv 0 0 keyring: .builtin_trusted_keys
110783576 ---lswrv 0 0 \_ asymmetric: Build time autogenerated kernel key: d80d11780f22b0a033c0a787e075d0f0eb784d2c

sysfs interface is enabled:
root@ltc-wspoon13:/home/ubuntu# ls /sys/firmware/secvar/vars/
db dbx KEK PK TS

kexec load is disabled:
root@ltc-wspoon13:/boot# kexec -l /boot/vmlinux-5.4.0-21-generic -i /boot/initrd.img-5.4.0-21-generic
Warning: append= option is not passed. Using the first kernel root partition
Modified cmdline:root=UUID=49d000cb-dba2-4d70-809e-38f2b31d0f09
[ 1150.964096] ima: impossible to appraise a kernel image without a file descriptor; try using kexec_file_load syscall.
kexec_load failed: Permission denied
entry = 0x39f0600 flags = 0x150000
nr_segments = 3
segment[0].buf = 0x76a989590010
segment[0].bufsz = 0x1aca0d8
segment[0].mem = 0x1d00000
segment[0].memsz = 0x1cf0000
segment[1].buf = 0xac9705e7260
segment[1].bufsz = 0x38c0
segment[1].mem = 0x39f0000
segment[1].memsz = 0x10000
segment[2].buf = 0x76a989430010
segment[2].bufsz = 0x648dc
segment[2].mem = 0x2ff90000
segment[2].memsz = 0x70000

kexec_file_load failed when trying for a kernel signed with a different key. The key for this kernel is not present in .platform keyring. It says "invalid-signature" in the audit log.
root@ltc-wspoon13:/boot# kexec -s -l /boot/vmlinux-5.4.27signpatch.signed
kexec_file_load failed: Permission denied

And here is the audit log message for it:
Apr 6 10:12:52 ltc-wspoon13 kernel: [ 233.996642] audit: type=1800 audit(1586185972.332:16): pid=3385 uid=0 auid=1000 ses=1 op=appraise_data cause=invalid-signature comm="kexec" name="/boot/vmlinux-5.4.27signpatch.signed" dev="sdb6" ino=2017357 res=0

Next tried to load the signed kernel whose key is present in .platform keyring.
root@ltc-wspoon13:/home/ubuntu# kexec -s -l /boot/vmlinux-5.4.0-21-generic
root@ltc-wspoon13:/home/ubuntu# dmesg | tail
[ 9.127873] Console: switching to colour frame buffer device 128x48
[ 233.996640] kauditd_printk_skb: 1 callbacks suppressed
[ 233.996642] audit: type=1800 audit(1586185972.332:16): pid=3385 uid=0 auid=1000 ses=1 op=appraise_data cause=invalid-signature comm="kexec" name="/boot/vmlinux-5.4.27signpatch.signed" dev="sdb6" ino=2017357 res=0
[ 762.188842] ima dump: 01 00 00 00 00 00 00 00 8f 38 00 00 00 00 00 00 .........8......
[ 762.188844] ima dump: 4a 00 00 00 00 00 00 00 0a 00 00 00 bc b0 e5 18 J...............
[ 762.188845] ima dump: b7 9d e0 d7 f2 cd 20 b8 a2 9a 70 92 e6 5d b7 ef ...... ...p..]..
[ 762.188846] ima dump: 07 00 00 00 69 6d 61 2d 73 69 67 35 00 00 00 1a ....ima-sig5....
[ 762.188847] ima dump: 00 00 00 73 68 61 31 3a 00 00 00 00 00 00 00 00 ...sha1:........
[ 762.188847] ima dump: 00 00 00 00 00 00 00 00 00 00 00 00 00 0f 00 00 ................
[ 762.188848] ima dump: 00 62 6f 6f .boo
root@ltc-wspoon13:/home/ubuntu#

Thanks to Canonical for including the patch and respinning the new kernel for testing.

Thanks to Michael for installing the latest kernel and setting up the system and helping throughout the testing.

Thanks to Mimi for helping with the fix to resolve the issue.

Thanks & Regards,
- Nayna
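The manual checks in the report above (device-tree enforcing flag, IMA appraise rules, key present in the .platform keyring, IMA appraisal denials in the audit log) as one script; this is an added example, not part of the bug report or the Ubuntu kernel. The default /proc and /sys paths are assumptions for a POWER host, and only report() touches the live system via keyctl and dmesg; the other functions take a path or stdin so they can be run against captured output.

```sh
#!/bin/sh
# Added example (not from the bug report): scripts the checks the comment
# above performs by hand. Default paths are assumptions for a POWER host;
# every function also accepts a path or stdin so it runs on captured output.

# Succeeds when the device tree node carries os-secureboot-enforcing.
secureboot_enforcing() {
    [ -e "${1:-/proc/device-tree/ibm,secureboot}/os-secureboot-enforcing" ]
}

# Succeeds when the IMA policy has an appraise rule for hook $1
# (KEXEC_KERNEL_CHECK, MODULE_CHECK, ...); the policy file is $2.
ima_appraises() {
    grep -Eq "^appraise func=$1( |\$)" "${2:-/sys/kernel/security/ima/policy}"
}

# Reads a `keyctl show` listing from stdin; succeeds when an asymmetric key
# whose id ends in hash $1 is present.
keyring_has_hash() {
    grep -q "asymmetric: .*: $1\$"
}

# Reads kernel/audit log lines from stdin and prints "<file> <cause>" for
# each IMA appraisal failure (audit type=1800 with res=0).
ima_failures() {
    sed -n 's/.*type=1800 .*cause=\([^ ]*\) .*name="\([^"]*\)".* res=0.*/\2 \1/p'
}

# Live summary for the host; $1 is the expected .platform key hash.
report() {
    secureboot_enforcing && echo "PASS secure boot enforcing" || echo "FAIL secure boot not enforcing"
    ima_appraises KEXEC_KERNEL_CHECK && echo "PASS kexec images appraised" || echo "FAIL kexec images not appraised"
    ima_appraises MODULE_CHECK && echo "PASS modules appraised" || echo "WARN no MODULE_CHECK appraise rule"
    keyctl show %keyring:.platform | keyring_has_hash "$1" && echo "PASS key $1 in .platform" || echo "FAIL key $1 missing"
    echo "IMA appraisal failures in dmesg:"; dmesg | ima_failures
}
```

On the test host from the report, `report d9be99d351bd1a2bdef604427612399dc47cb452` would print PASS for secure boot, kexec appraisal and the platform key, WARN for MODULE_CHECK, and list the vmlinux-5.4.27signpatch.signed denial.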