Changeset 99536 in vbox

Timestamp:

Apr 26, 2023 7:04:57 PM (19 months ago)

Author:

vboxsync

Message:

Linux: rcvboxdrv, rcvboxadd: Improved condition check when kernel modules need to be signed, bugref:10287.

Also fixed issue with parsing kernel config when scripts/config tool is not available.

Location:

trunk/src/VBox

Files:

• Additions/linux/installer/vboxadd.sh (modified) (8 diffs)
• Installer/linux/vboxdrv.sh (modified) (7 diffs)

trunk/src/VBox/Additions/linux/installer/vboxadd.sh

@@ -397 +397 @@
 kernel_get_config_opt()
 {
-    opt_name="$1"
+    kern_ver="$1"
+    opt_name="$2"
+
+    [ -n "$kern_ver" ] || return
     [ -n "$opt_name" ] || return
 
     # Check if there is a kernel tool which can extract config option.
-    if test -x /lib/modules/"$KERN_VER"/build/scripts/config; then
-        /lib/modules/"$KERN_VER"/build/scripts/config \
-            --file /lib/modules/"$KERN_VER"/build/.config \
+    if test -x /lib/modules/"$kern_ver"/build/scripts/config; then
+        /lib/modules/"$kern_ver"/build/scripts/config \
+            --file /lib/modules/"$kern_ver"/build/.config \
             --state "$opt_name" 2>/dev/null
-    elif test -f /lib/modules/"$KERN_VER"/build/.config; then
+    elif test -f /lib/modules/"$kern_ver"/build/.config; then
         # Extract config option manually.
-        grep "$opt_name" /lib/modules/"$KERN_VER"/build/.config | sed -e "s/^$opt_name=//" -e "s/\"//g"
+        grep "$opt_name=" /lib/modules/"$kern_ver"/build/.config | sed -e "s/^$opt_name=//" -e "s/\"//g"
     fi
 }
@@ -414 +417 @@
 kernel_module_sig_hash()
 {
-    kernel_get_config_opt "CONFIG_MODULE_SIG_HASH"
+    kern_ver="$1"
+    [ -n "$kern_ver" ] || return
+
+    kernel_get_config_opt "$kern_ver" "CONFIG_MODULE_SIG_HASH"
 }
 
@@ -434 +440 @@
 }
 
+# Check if kernel configuration requires modules signature.
+kernel_requires_module_signature()
+{
+    kern_ver="$1"
+    vbox_sys_lockdown_path="/sys/kernel/security/lockdown"
+
+    [ -n "$kern_ver" ] || return
+
+    requires=""
+    # We consider that if kernel is running in the following configurations,
+    # it will require modules to be signed.
+    if [ "$(kernel_get_config_opt "$kern_ver" "CONFIG_MODULE_SIG")" = "y" ]; then
+
+        # Modules signature verification is hardcoded in kernel config.
+        [ "$(kernel_get_config_opt "$kern_ver" "CONFIG_MODULE_SIG_FORCE")" = "y" ] && requires="1"
+
+        # Unsigned modules loading is restricted by "lockdown" feature in runtime.
+        if [   "$(kernel_get_config_opt "$kern_ver" "CONFIG_SECURITY_LOCKDOWN_LSM")" = "y" \
+            -o "$(kernel_get_config_opt "$kern_ver" "CONFIG_SECURITY_LOCKDOWN_LSM_EARLY")" = "y" ]; then
+
+            # Once lockdown level is set to something different from "none" (e.g., "integrity"
+            # or "confidentiality"), kernel will reject unsigned modules loading.
+            if [ -r "$vbox_sys_lockdown_path" ]; then
+                [ -n "$(cat "$vbox_sys_lockdown_path" | grep "\[integrity\]")" ] && requires="1"
+                [ -n "$(cat "$vbox_sys_lockdown_path" | grep "\[confidentiality\]")" ] && requires="1"
+            fi
+
+            # This configuration is used by a number of modern Linux distributions and restricts
+            # unsigned modules loading when Secure Boot mode is enabled.
+            [ "$(kernel_get_config_opt "$kern_ver" "CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT")" = "y" -a -n "$HAVE_SEC_BOOT" ] && requires="1"
+        fi
+    fi
+
+    [ -n "$requires" ] && echo "1"
+}
+
 sign_modules()
 {
@@ -444 +486 @@
     [ -f "/lib/modules/"$KERN_VER"/misc/vboxvideo.ko" ] && MODULE_LIST="$MODULE_LIST vboxvideo"
 
-    # Secure boot on Ubuntu, Debian and Oracle Linux.
-    if test -n "$HAVE_SEC_BOOT"; then
+    # Sign kernel modules if kernel configuration requires it.
+    if test "$(kernel_requires_module_signature $KERN_VER)" = "1"; then
         begin "Signing VirtualBox Guest Additions kernel modules"
 
@@ -475 +517 @@
 
         # Get kernel signature hash algorithm from kernel config and validate it.
-        sig_hashalgo=$(kernel_module_sig_hash)
+        sig_hashalgo=$(kernel_module_sig_hash "$KERN_VER")
         [ "$(module_sig_hash_supported $sig_hashalgo)" = "1" ] \
             || fail "Unsupported kernel signature hash algorithm $sig_hashalgo"
@@ -532 +574 @@
     # Detect if kernel was built with clang.
     unset LLVM
-    vbox_cc_is_clang=$(kernel_get_config_opt "CONFIG_CC_IS_CLANG")
+    vbox_cc_is_clang=$(kernel_get_config_opt "$KERN_VER" "CONFIG_CC_IS_CLANG")
     if test "${vbox_cc_is_clang}" = "y"; then
         info "Using clang compiler."
@@ -795 +837 @@
     [ "$mod_dir" = "misc" ] || return
 
-    # In case if system is running in Secure Boot mode, check if module is signed.
-    if test -n "$HAVE_SEC_BOOT"; then
+    # In case if kernel configuration (for currently loaded kernel) requires
+    # module signature, check if module is signed.
+    if test "$(kernel_requires_module_signature $(uname -r))" = "1"; then
         [ "$(module_signed "$mod")" = "1" ] || return
     fi
@@ -903 +946 @@
 
     # Warn if Secure Boot setup not yet complete.
-    if test -n "$HAVE_SEC_BOOT" && test -z "$DEB_KEY_ENROLLED"; then
+    if test "$(kernel_requires_module_signature)" = "1" && test -z "$DEB_KEY_ENROLLED"; then
         if test -n "$HAVE_DEB_KEY"; then
             info "You must re-start your system to finish secure boot set-up."

trunk/src/VBox/Installer/linux/vboxdrv.sh

@@ -355 +355 @@
     elif test -f /lib/modules/"$KERN_VER"/build/.config; then
         # Extract config option manually.
-        grep "$opt_name" /lib/modules/"$KERN_VER"/build/.config | sed -e "s/^$opt_name=//" -e "s/\"//g"
+        grep "$opt_name=" /lib/modules/"$KERN_VER"/build/.config | sed -e "s/^$opt_name=//" -e "s/\"//g"
     fi
 }
@@ -380 +380 @@
 
     echo "1"
+}
+
+# Check if kernel configuration requires modules signature.
+kernel_requires_module_signature()
+{
+    vbox_sys_lockdown_path="/sys/kernel/security/lockdown"
+
+    requires=""
+    # We consider that if kernel is running in the following configurations,
+    # it will require modules to be signed.
+    if [ "$(kernel_get_config_opt "CONFIG_MODULE_SIG")" = "y" ]; then
+
+        # Modules signature verification is hardcoded in kernel config.
+        [ "$(kernel_get_config_opt "CONFIG_MODULE_SIG_FORCE")" = "y" ] && requires="1"
+
+        # Unsigned modules loading is restricted by "lockdown" feature in runtime.
+        if [   "$(kernel_get_config_opt "CONFIG_SECURITY_LOCKDOWN_LSM")" = "y" \
+            -o "$(kernel_get_config_opt "CONFIG_SECURITY_LOCKDOWN_LSM_EARLY")" = "y" ]; then
+
+            # Once lockdown level is set to something different than "none" (e.g., "integrity"
+            # or "confidentiality"), kernel will reject unsigned modules loading.
+            if [ -r "$vbox_sys_lockdown_path" ]; then
+                [ -n "$(cat "$vbox_sys_lockdown_path" | grep "\[integrity\]")" ] && requires="1"
+                [ -n "$(cat "$vbox_sys_lockdown_path" | grep "\[confidentiality\]")" ] && requires="1"
+            fi
+
+            # This configuration is used by a number of modern Linux distributions and restricts
+            # unsigned modules loading when Secure Boot mode is enabled.
+            [ "$(kernel_get_config_opt "CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT")" = "y" -a -n "$HAVE_SEC_BOOT" ] && requires="1"
+        fi
+    fi
+
+    [ -n "$requires" ] && echo "1"
 }
 
@@ -467 +500 @@
     [ "$mod_dir" = "misc" ] || return
 
-    # In case if system is running in Secure Boot mode, check if module is signed.
-    if test -n "$HAVE_SEC_BOOT"; then
+    # In case if kernel configuration requires module signature, check if module is signed.
+    if test "$(kernel_requires_module_signature)" = "1"; then
         [ "$(module_signed "$mod")" = "1" ] || return
     fi
@@ -492 +525 @@
         failure "Running VirtualBox in a Xen environment is not supported"
     fi
-    if test -n "$HAVE_SEC_BOOT" && test -z "$DEB_KEY_ENROLLED"; then
+    if test "$(kernel_requires_module_signature)" = "1" && test -z "$DEB_KEY_ENROLLED"; then
         if test -n "$HAVE_DEB_KEY"; then
             begin_msg "You must re-start your system to finish Debian secure boot set-up." console
@@ -553 +586 @@
     fi
     # Create the /dev/vboxusb directory if the host supports that method
-    # of USB access.  The USB code checks for the existance of that path.
+    # of USB access.  The USB code checks for the existence of that path.
     if grep -q usb_device /proc/devices; then
         mkdir -p -m 0750 /dev/vboxusb 2>/dev/null
@@ -701 +734 @@
         failure "Look at $LOG to find out what went wrong"
     fi
-    log "Building the net adaptor module."
+    log "Building the net adapter module."
     if ! myerr=`$BUILDINTMP \
         --use-module-symvers /tmp/vboxdrv-Module.symvers \
@@ -726 +759 @@
     succ_msg "VirtualBox kernel modules built"
 
-    # Secure boot on Ubuntu, Debian and Oracle Linux.
-    if test -n "$HAVE_SEC_BOOT"; then
+    # Sign kernel modules if kernel configuration requires it.
+    if test "$(kernel_requires_module_signature)" = "1"; then
         begin_msg "Signing VirtualBox kernel modules" console