From Fedora Project Wiki

< Changes

Revision as of 13:32, 10 July 2013 by Vgoyal (talk | contribs)


Enable kdump on secureboot machines

Summary

Currently kexec/kdump is disabled on machines with secureboot enabled. This feature aims to enable kexec/kdump on such machines.

Owner

  • Name: Vivek Goyal
  • Email: vgoyal@redhat.com
  • Release notes owner:

Current status

  • Targeted release: Fedora 20
  • Last updated: (DATE)
  • Tracker bug: <will be assigned by the Wrangler>

Detailed Description

/sbin/kexec prepares a binary blob, called purgatory. This code runs at priviliged level between kernel transition. With secureboot enabled, no unsigned code should run at privilige level 0, hence kexec/kdump is currently disabled if secureboot is enabled.

One proposed way to solve the problem is that sign /sbin/kexec utility. And upon successful signature verification, allow it to load kernel, initramfs, and binary blob. /sbin/kexec will verify signatures of kernel being loaded before it asks running kernel to load it.

There are quite a few pieces to the puzzle. I am listing the some of the things which need to be done.

Build and ship ima-evm-utils package

  • /sbin/kexec will be signed by evmctl. This utility will put an xattr security.ima on /sbin/kexec file and kernel will leverage IMA infrastructure in kernel to verify signature of /sbin/kexec upon execution.
  • There is a bz open 807476 for inclusion of this package since long time. Not sure what it is stuck on though.
  • There are some patches which are not upstream yet (like lock down executable in memory) which we need to carry in this patckage till patches get upstream.

Changes to kexec-tools

  • Build /sbin/kexec statically. There is no infrastructure to sign and verify signature of shared libraries. Even if we can sign and verify shared libraries, currently kernel allows writing to shared libraries while these are mapped. So one can overwrite the library after signature verification. So build /sbin/kexec statically. kexec does not use nss related code, so there should not be any issues w.r.t glibc calling into other shared libraries.
  • Generate detached /sbin/kexec signautre at build time and install these signature on target in seucurity.ima xattr when kexec-tools is installed.
  • Modify kexec-tools so that it can call keyctl() and verify signature of a new kernel being loaded.

Kernel Changes

  • Kernel needs to carry additional patches to do verify elf binary signature.
  • There are patches to extend keyctl() so that user space can use it to verify signature of a user buffer (vmlinuz in this case).
  • These patches are not upstream, so these need to be carried in fedora till patches get upstream.
  • Kernel need to be signed using evmctl and detached signature need to be generated. These signatures need to be installed on vmlinuz upon kernel rpm installation in security.ima xattr.

Signing Key Management

Yet to be figured out. There are couple of ideas on table.

  • Embed few keys in kernel and one of these keys will be used to sign /sbin/kexec. In case of a key is revoked, use a new key from set of embedded keys.
  • Ship a PE/COFF wrapped key in kexec-tools package. This PE/COFF binary should be signed by appropriate authority so it can be loaded in system keyring.

Benefit to Fedora

Scope

  • Proposal owners:
  • Other developers: N/A (not a System Wide Change)
  • Release engineering: N/A (not a System Wide Change)
  • Policies and guidelines: N/A (not a System Wide Change)

Upgrade/compatibility impact

N/A (not a System Wide Change)

How To Test

N/A (not a System Wide Change)

User Experience

N/A (not a System Wide Change)

Dependencies

N/A (not a System Wide Change)

Contingency Plan

  • Contingency mechanism: (What to do? Who will do it?) N/A (not a System Wide Change)
  • Contingency deadline: N/A (not a System Wide Change)
  • Blocks release? N/A (not a System Wide Change), Yes/No

Documentation

N/A (not a System Wide Change)

Release Notes