This bug is missing log files that will aid in diagnosing the problem.
While running an Ubuntu kernel (not a mainline or third-party kernel)
please enter the following command in a terminal window:
apport-collect 1735977
and then change the status of the bug to 'Confirmed'.
If, due to the nature of the issue you have encountered, you are unable
to run this command, please add a comment stating that fact and change
the bug status to 'Confirmed'.
This change has been made by an automated script, maintained by the
Ubuntu Kernel Team.
** Changed in: linux (Ubuntu)
Status: New => Incomplete
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1735977
Title:
Using asymmetric key for IMA appraisal crashes the system in Ubuntu
16.04
Status in linux package in Ubuntu:
Incomplete
Bug description:
I'm trying to enable IMA appraisal with signatures for executable files on
xenial with Linux 4.4. I took the following steps:
* Downloaded ubuntu-xenial kernel sources
* Run fakeroot debian/rules editconfigs to set CONFIG_SYSTEM_TRUSTED_KEYS to
my key
* Run fakeroot debian/rules binary-headers binary-generic binary-perarch to
build the kernel deb packaes
* Installed the kernel
* Signed the filesystem with my key using 'evmctl sing'
* Enabled IMA policy so that it will include the following line
appraise fowner=0 appraise_type=imasig
* From this point invocation of a signed binary cases a kernel BUG():
[ 1395.036910] kernel BUG at
/home/rapoport/git/ubuntu-xenial/crypto/asymmetric_keys/public_key.c:80!
[ 1395.038963] invalid opcode: 0000 [#1] SMP
[ 1395.039973] Modules linked in: isofs ppdev kvm_intel kvm irqbypass joydev
input_leds serio_raw parport_pc parport ib_iser rdma_cm iw_cm ib_cm ib_sa
ib_mad ib_core ib_addr iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi
autofs4 btrfs raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor
async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear crct10dif_pclmul
crc32_pclmul ghash_clmulni_intel aesni_intel aes_x86_64 lrw gf128mul
glue_helper ablk_helper psmouse cryptd floppy
[ 1395.050761] CPU: 6 PID: 31586 Comm: bash Not tainted 4.4.0-101-generic #124
[ 1395.051909] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
Ubuntu-1.8.2-1ubuntu1 04/01/2014
[ 1395.053510] task: ffff8800bae9c600 ti: ffff88042c52c000 task.ti:
ffff88042c52c000
[ 1395.054763] RIP: 0010:[<ffffffff813bdb76>] [<ffffffff813bdb76>]
public_key_verify_signature+0x46/0x50
[ 1395.056406] RSP: 0018:ffff88042c52fa98 EFLAGS: 00010246
[ 1395.057307] RAX: ffffffff813bdb80 RBX: 00000000fffffff4 RCX:
0000000000000001
[ 1395.058518] RDX: ffffffff81ea73c0 RSI: ffff88042c52fac8 RDI:
ffff88042a107c10
[ 1395.059709] RBP: ffff88042c52faa0 R08: ffff88042a849100 R09:
0000000000000007
[ 1395.061109] R10: ffff88042a0f9d00 R11: ffff88042c52fb07 R12:
0000000000000080
[ 1395.062289] R13: ffff88042abd9a80 R14: 0000000000000014 R15:
ffff88042a849ac4
[ 1395.063404] FS: 00007f5e21958700(0000) GS:ffff88043fd80000(0000)
knlGS:0000000000000000
[ 1395.064771] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1395.065809] CR2: 00007f5e20f5c3cc CR3: 000000042cabc000 CR4:
00000000000406e0
[ 1395.067058] Stack:
[ 1395.067540] ffffffff813bdb95 ffff88042c52fab0 ffffffff813bdaec
ffff88042c52fb38
[ 1395.068964] ffffffff813a759e ffff88042c52fac8 0000000000000000
0000000000000000
[ 1395.070417] ffff88042a849ac4 0000000002000114 ffff88042a849100
0000000000000000
[ 1395.071973] Call Trace:
[ 1395.072510] [<ffffffff813bdb95>] ? public_key_verify_signature_2+0x15/0x20
[ 1395.073605] [<ffffffff813bdaec>] verify_signature+0x3c/0x50
[ 1395.074526] [<ffffffff813a759e>] asymmetric_verify+0x17e/0x2a0
[ 1395.075475] [<ffffffff813a7380>] integrity_digsig_verify+0x70/0x110
[ 1395.076481] [<ffffffff813ab424>] ima_appraise_measurement+0x244/0x420
[ 1395.077518] [<ffffffff813a83fa>] process_measurement+0x3fa/0x480
[ 1395.078479] [<ffffffff813a8498>] ima_file_check+0x18/0x20
[ 1395.079381] [<ffffffff8121f0f3>] path_openat+0x1f3/0x1330
[ 1395.080274] [<ffffffff811ef49b>] ? __slab_free+0xcb/0x2c0
[ 1395.081165] [<ffffffff81221421>] do_filp_open+0x91/0x100
[ 1395.082050] [<ffffffff813933df>] ? apparmor_cred_prepare+0x2f/0x50
[ 1395.083046] [<ffffffff8134b483>] ? security_prepare_creds+0x43/0x60
[ 1395.084056] [<ffffffff81216148>] do_open_execat+0x78/0x1d0
[ 1395.084952] [<ffffffff812181b0>] do_execveat_common.isra.33+0x240/0x760
[ 1395.086016] [<ffffffff8121892a>] SyS_execve+0x3a/0x50
[ 1395.086877] [<ffffffff81844a95>] stub_execve+0x5/0x5
[ 1395.087711] [<ffffffff818447f2>] ? entry_SYSCALL_64_fastpath+0x16/0x71
[ 1395.088746] Code: 2a 0f b6 57 0c b8 bf ff ff ff 80 fa 01 77 14 48 8b 14 d5
b0 05 a5 81 48 85 d2 74 07 55 48 89 e5 ff d2 5d f3 c3 0f 0b 0f 0b 0f 0b <0f> 0b
0f 1f 84 00 00 00 00 00 66 66 66 66 90 55 48 8b bf a0 00
[ 1395.093215] RIP [<ffffffff813bdb76>] public_key_verify_signature+0x46/0x50
[ 1395.094322] RSP <ffff88042c52fa98>
[ 1395.095364] ---[ end trace 7ee330317745ad36 ]---
I did some checks and it appears that upstream commit db6c43bd2132
("crypto: KEYS: convert public key and digsig asym to the akcipher
api") has changed public keys APIs, but the IMA usage of that API was
fixed only by commit eb5798f2e28f ("integrity: convert digsig to
akcipher api")
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1735977/+subscriptions
--
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help : https://help.launchpad.net/ListHelp
