Enable signature verification of kexec kernel and use new Mariner Trusted Base CA in trusted keyring #10961

Merged
merged 5 commits into from
Nov 22, 2024

Conversation


@christopherco christopherco commented Nov 7, 2024

Merge Checklist

All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)

  • The toolchain has been rebuilt successfully (or no changes were made to it)
  • The toolchain/worker package manifests are up-to-date
  • Any updated packages successfully build (or no packages were changed)
  • Packages depending on static components modified in this PR (Golang, *-static subpackages, etc.) have had their Release tag incremented.
  • Package tests (%check section) have been verified with RUN_CHECK=y for existing SPEC files, or added to new SPEC files
  • All package sources are available
  • cgmanifest files are up-to-date and sorted (./cgmanifest.json, ./toolkit/scripts/toolchain/cgmanifest.json, .github/workflows/cgmanifest.json)
  • LICENSE-MAP files are up-to-date (./LICENSES-AND-NOTICES/SPECS/data/licenses.json, ./LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md, ./LICENSES-AND-NOTICES/SPECS/LICENSE-EXCEPTIONS.PHOTON)
  • All source files have up-to-date hashes in the *.signatures.json files
  • sudo make go-tidy-all and sudo make go-test-coverage pass
  • Documentation has been updated to match any changes to the build system
  • Ready to merge

Summary

Currently, kexec and features that utilize kexec, like kdump, are blocked from executing due to the IMA appraisal runtime policies introduced in commit 3e0884c . However, since we utilize Secure Boot PE verification of the kernel, the expectation should be that our official signed kernels are verified by a key that is trusted in the kernel's trusted keyring.
So this change enables signature verification of the kexec kernel, using the PE file signature verification method to verify that the kernel is signed by an X.509 cert in the kernel keyring, and appends our updated Azure Linux (aka Mariner) Trusted Base CA to the kernel's trusted keyring.

Signed-off-by: Chris Co [email protected]

Does this affect the toolchain?

YES

Associated issues
Test Methodology
root [ /home/azureuser ]# keyctl show %:.builtin_trusted_keys
Keyring
 461486341 ---lswrv      0     0  keyring: .builtin_trusted_keys
 827138104 ---lswrv      0     0   \_ asymmetric: Build time autogenerated kernel key: 7089ab4c0b7d02e48af80578b97416fde41f6a3d
 338913632 ---lswrv      0     0   \_ asymmetric: Microsoft Corporation: Mariner Trusted Base RSA Code Signing CA: 7554b15f7d70fcf08db90faa6a75c1beb48a7e5c
 486285024 ---lswrv      0     0   \_ asymmetric: Microsoft Corporation: Mariner Secure Boot(Production Signing): b42d6b9e2809b7b9097cff9e9b0194b86e80bf95

We still leave in the older certificate for the time being, until we
switch fully to the new azurelinux CA

Signed-off-by: Chris Co <[email protected]>
@christopherco christopherco changed the title Enable signature verification of kexec kernel Enable signature verification of kexec kernel and append updated Azure Linux Trusted Base CA into trusted keyring Nov 10, 2024
@christopherco christopherco marked this pull request as ready for review November 10, 2024 06:54
@christopherco christopherco requested a review from a team as a code owner November 10, 2024 06:54
@christopherco christopherco changed the title Enable signature verification of kexec kernel and append updated Azure Linux Trusted Base CA into trusted keyring Enable signature verification of kexec kernel and append updated Mariner Trusted Base CA into trusted keyring Nov 10, 2024
@rlmenge rlmenge mentioned this pull request Nov 15, 2024
Remove the old CBL-Mariner Secureboot .pem in favor of only having
the new azurelinux-ca-20230216.pem. This new key should appear as
"Microsoft Corporation: Mariner Trusted Base RSA Code Signing CA"
in the keyring.

@rlmenge rlmenge left a comment


Added new commit to replace the old key completely rather than appending to it.

Verification steps:
New BuddyBuild with removing the old key

Tests performed

  • copied kernel-6.6.57.1-3 rpm from buddybuild to both arm and x86
  • copied an unsigned vmlinuz-6.6.35.1-5.azl3 and a signed arm vmlinuz-6.6.57.1-3.azl3 and a signed x86 vmlinuz-6.6.57.1-1000.azl3
  • installed "kexec-tools" and "keyutils"
  • confirmed only 2 keys in keyring: autogenerated and Mariner Trusted Base RSA
  • confirmed can only kexec --load the signed image

x86 test - local Hyper-V VM (screenshot not reproduced here)

Arm64 test - Cobalt100 Azure VM (screenshot "kexec-arm-test" not reproduced here)

@rlmenge rlmenge changed the title Enable signature verification of kexec kernel and append updated Mariner Trusted Base CA into trusted keyring Enable signature verification of kexec kernel and use new Mariner Trusted Base CA in trusted keyring Nov 20, 2024
@@ -296,7 +296,9 @@ CONFIG_KEXEC_CORE=y
CONFIG_HAVE_IMA_KEXEC=y
# CONFIG_KEXEC is not set
CONFIG_KEXEC_FILE=y
# CONFIG_KEXEC_SIG is not set
CONFIG_KEXEC_SIG=y
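Review bot: with `CONFIG_KEXEC_SIG=y` but `CONFIG_KEXEC_SIG_FORCE` left unset, this hunk does not by itself reject an unsigned or badly signed image: in kimage_validate_signature() a verification failure is fatal only when the kernel is locked down (LOCKDOWN_KEXEC) and IMA is not appraising the kexec image; otherwise it is logged at debug level and the load proceeds. The test methodology further down reports that only the signed image could be loaded, so the PR description should say which mechanism produced that rejection (lockdown under Secure Boot, or the IMA appraisal policy from 3e0884c) rather than leaving readers to attribute it to this option alone.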
@@ -296,7 +296,9 @@ CONFIG_KEXEC_CORE=y
CONFIG_HAVE_IMA_KEXEC=y
# CONFIG_KEXEC is not set
CONFIG_KEXEC_FILE=y
# CONFIG_KEXEC_SIG is not set
CONFIG_KEXEC_SIG=y
# CONFIG_KEXEC_SIG_FORCE is not set
@rlmenge rlmenge Nov 21, 2024


Kconfig

Only available on x86: https://github.com/microsoft/CBL-Mariner-Linux-Kernel/blob/rolling-lts/mariner-3/6.6.57.1/arch/x86/Kconfig#L2038
Requires that signatures ALWAYS be checked. KEXEC_SIG only checks when a signature is present

(Note not supported on arm64: https://github.com/microsoft/CBL-Mariner-Linux-Kernel/blob/rolling-lts/mariner-3/6.6.57.1/arch/arm64/Kconfig)


Clarification: for this PR we are simply enabling kexec signature validation as an option and not forcing for now
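The distinction drawn in this thread (KEXEC_SIG as an option versus KEXEC_SIG_FORCE as enforcement) is easy to get wrong when reading a .config, and the test methodology above checks the keyring by eye. The script below is an added example, not code from this PR or from the Azure Linux project: it classifies what a kernel .config actually promises for kexec_file_load signature checking and verifies a `keyctl show` listing for the expected CA. The config fragments and the keyring listing are constructed to mirror the diff hunks and the test output in this PR; the temp directory and file names are just placeholders.

```shell
#!/bin/sh
# Added example, not code from this PR or from Azure Linux. Two checks a
# reviewer would script after a kernel build: what the .config promises for
# kexec_file_load signature checking, and whether .builtin_trusted_keys holds
# the expected CA. All inputs below are constructed to mirror the PR.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed: x86 config before the change (KEXEC_SIG off).
cat > "$WORK/before.config" <<'EOF'
CONFIG_KEXEC_FILE=y
# CONFIG_KEXEC_SIG is not set
# CONFIG_SIGNED_PE_FILE_VERIFICATION is not set
EOF

# Constructed: x86 config after the change (verify, but not forced).
cat > "$WORK/after.config" <<'EOF'
CONFIG_KEXEC_FILE=y
CONFIG_KEXEC_SIG=y
# CONFIG_KEXEC_SIG_FORCE is not set
CONFIG_KEXEC_BZIMAGE_VERIFY_SIG=y
CONFIG_SIGNED_PE_FILE_VERIFICATION=y
EOF

# Constructed: hypothetical enforcing x86 config (KEXEC_SIG_FORCE is x86-only).
cat > "$WORK/forced.config" <<'EOF'
CONFIG_KEXEC_FILE=y
CONFIG_KEXEC_SIG=y
CONFIG_KEXEC_SIG_FORCE=y
CONFIG_KEXEC_BZIMAGE_VERIFY_SIG=y
CONFIG_SIGNED_PE_FILE_VERIFICATION=y
EOF

# Constructed: KEXEC_SIG on, but no arch verifier and no PE parser.
cat > "$WORK/halfway.config" <<'EOF'
CONFIG_KEXEC_FILE=y
CONFIG_KEXEC_SIG=y
# CONFIG_KEXEC_BZIMAGE_VERIFY_SIG is not set
# CONFIG_SIGNED_PE_FILE_VERIFICATION is not set
EOF

# Constructed `keyctl show %:.builtin_trusted_keys` listing, mirroring the
# PR's test output from before the old Secure Boot cert was dropped.
cat > "$WORK/keyring.txt" <<'EOF'
Keyring
 461486341 ---lswrv      0     0  keyring: .builtin_trusted_keys
 827138104 ---lswrv      0     0   \_ asymmetric: Build time autogenerated kernel key: 7089ab4c0b7d02e48af80578b97416fde41f6a3d
 338913632 ---lswrv      0     0   \_ asymmetric: Microsoft Corporation: Mariner Trusted Base RSA Code Signing CA: 7554b15f7d70fcf08db90faa6a75c1beb48a7e5c
 486285024 ---lswrv      0     0   \_ asymmetric: Microsoft Corporation: Mariner Secure Boot(Production Signing): b42d6b9e2809b7b9097cff9e9b0194b86e80bf95
EOF

# cfg_y FILE NAME: true when NAME=y is set in the config file
cfg_y() { grep -qx "$2=y" "$1"; }

# kexec_sig_policy FILE: prints what kexec_file_load will do with signatures
#   disabled   kexec_file_load absent or CONFIG_KEXEC_SIG off: nothing checked
#   unverified KEXEC_SIG on but no arch verifier or PE parser: the verify
#              hook can only fail, which without FORCE is not fatal
#   optional   verifier present, FORCE off: a missing or bad signature is
#              fatal only if the kernel is locked down (LOCKDOWN_KEXEC) and
#              IMA is not appraising the image; otherwise the load proceeds
#   enforced   KEXEC_SIG_FORCE on: every verification failure is fatal
kexec_sig_policy() {
    f=$1
    cfg_y "$f" CONFIG_KEXEC_FILE || { echo disabled; return 0; }
    cfg_y "$f" CONFIG_KEXEC_SIG  || { echo disabled; return 0; }
    # x86 verifies a bzImage, arm64 an Image; both verifiers need the PE parser
    if ! cfg_y "$f" CONFIG_SIGNED_PE_FILE_VERIFICATION ||
       ! grep -qxE 'CONFIG_KEXEC_(BZIMAGE|IMAGE)_VERIFY_SIG=y' "$f"; then
        echo unverified; return 0
    fi
    if cfg_y "$f" CONFIG_KEXEC_SIG_FORCE; then echo enforced; else echo optional; fi
}

# keyring_has_key FILE SUBSTRING: true when an asymmetric key whose
# description contains SUBSTRING appears in a `keyctl show` listing
keyring_has_key() { grep 'asymmetric:' "$1" | grep -qF "$2"; }

# keyring_key_count FILE: number of asymmetric keys in the listing
keyring_key_count() { grep -c 'asymmetric:' "$1"; }

# Run the checks the way a reviewer would and print one verdict per item.
for c in before after forced halfway; do
    printf '%-8s -> %s\n' "$c" "$(kexec_sig_policy "$WORK/$c.config")"
done
if keyring_has_key "$WORK/keyring.txt" 'Mariner Trusted Base RSA Code Signing CA'; then
    echo 'new CA present in .builtin_trusted_keys'
fi
if keyring_has_key "$WORK/keyring.txt" 'Mariner Secure Boot(Production Signing)'; then
    echo "old Secure Boot cert still present: $(keyring_key_count "$WORK/keyring.txt") keys, expected 2"
fi
```

On a real system, point `kexec_sig_policy` at /boot/config-$(uname -r) and feed `keyring_has_key` the output of `keyctl show %:.builtin_trusted_keys`; an `optional` verdict means the signed-only behaviour seen in the test above has to come from lockdown or the IMA policy, not from the kexec option itself.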

@@ -7697,7 +7699,7 @@ CONFIG_X509_CERTIFICATE_PARSER=y
# CONFIG_PKCS8_PRIVATE_KEY_PARSER is not set
CONFIG_PKCS7_MESSAGE_PARSER=y
# CONFIG_PKCS7_TEST_KEY is not set
# CONFIG_SIGNED_PE_FILE_VERIFICATION is not set
CONFIG_SIGNED_PE_FILE_VERIFICATION=y
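Review bot: `CONFIG_SIGNED_PE_FILE_VERIFICATION=y` on its own verifies nothing; it is the Authenticode/PKCS#7 parser that the x86 and arm64 kexec PE verifiers depend on, and the verified chain must terminate at a key in the trusted keyring. The commit message should therefore state explicitly that the "Mariner Trusted Base RSA Code Signing CA" being added to .builtin_trusted_keys is an issuer of the Authenticode signer on the shipped vmlinuz; with KEXEC_SIG_FORCE unset, a mismatch between the keyring cert and the image signer fails quietly rather than at load time.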

# CONFIG_KEXEC_SIG is not set
CONFIG_KEXEC_SIG=y
# CONFIG_KEXEC_SIG_FORCE is not set
CONFIG_KEXEC_BZIMAGE_VERIFY_SIG=y
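Review bot: `CONFIG_KEXEC_BZIMAGE_VERIFY_SIG=y` is the x86 verifier only; the arm64 counterpart, CONFIG_KEXEC_IMAGE_VERIFY_SIG (depends on KEXEC_SIG, EFI and SIGNED_PE_FILE_VERIFICATION), does not appear in this diff although the Cobalt100 arm64 test above relies on the Image being verified. Please confirm the arm64 config sets it; without it arm64 loads hit the default verify hook, which returns an error that is not fatal when KEXEC_SIG_FORCE is unavailable and the kernel is not locked down.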
@rlmenge rlmenge left a comment


The new .pem is aligned with the changes in the upcoming Shim 15.8 release: #10995

And the required updates to our pipeline: https://dev.azure.com/mariner-org/mariner/_git/CBL-Mariner-Pipelines/pullRequest/21027#1732229328

Approving as the initial changes look good but will get more eyes as I also updated the key in this PR :)

@rlmenge rlmenge merged commit d647152 into 3.0-dev Nov 22, 2024
13 checks passed
@rlmenge rlmenge deleted the chrco/kexec-sig-2 branch November 22, 2024 21:43