| index : archi486 | |
| Archlinux32 i486 tools | gitolite user |
| summaryrefslogtreecommitdiff |
| -rw-r--r-- | floppy/doc/www.spinics.net_lists_linux-integrity_msg14580.txt | 188 |
diff --git a/floppy/doc/www.spinics.net_lists_linux-integrity_msg14580.txt b/floppy/doc/www.spinics.net_lists_linux-integrity_msg14580.txt new file mode 100644 index 0000000..3d25656 --- /dev/null +++ b/floppy/doc/www.spinics.net_lists_linux-integrity_msg14580.txt @@ -0,0 +1,188 @@ + #[1]Linux Integrity + + _________________________ Search + + Re: Fwd: How to extract linux kernel version information from a kernel image? + + [[2]Date Prev][[3]Date Next][[4]Thread Prev][[5]Thread Next][[6]Date + Index][[7]Thread Index] + + + [INS: :INS] + __________________________________________________________________ + + * Subject: Re: Fwd: How to extract linux kernel version information + from a kernel image? + * From: Raphael Gianotti <raphgi@xxxxxxxxxxxxxxxxxxx> + * Date: Mon, 28 Sep 2020 15:31:38 -0700 + * In-reply-to: <[8]a1c877b3-9f99-04a6-2f21-495fc62d0591@unh.edu> + * User-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) + Gecko/20100101 Thunderbird/68.12.0 + __________________________________________________________________ + +On 9/25/2020 4:06 PM, Kayaalp, Mehmet wrote: + +On 9/24/20 4:05 PM, Raphael Gianotti wrote: + +Forwarding this here since the final intent here is an IMA related +change to see if anyone has any suggestions. + + +-------- Forwarded Message -------- +Subject: How to extract linux kernel version information from a +kernel +image? +Date: Fri, 18 Sep 2020 12:47:13 -0700 +From: Raphael Gianotti <raphgi@xxxxxxxxxxxxxxxxxxx> +To: linux-kernel@xxxxxxxxxxxxxxx + + + +Hi, + +I have been investigating a way to extract the version strong from a +kernel image (e.g., vmlinux). The version string I've been looking at is +essentially the linux_banner symbol. + +We'll use IMA to measure the version string on the kexec system call, +providing a way for an attestation service, for instance, to attest to +what version of the kernel is running on the client. + +I haven't found a way to extract the version from the image that isn't +simply searching the whole image for it. I was hoping someone here may +be able to point me to a better approach to retrieve the linux_banner +symbol value from an image or any existing kernel code that does +similar parsing. + +If that matters for any suggestions, my current focus is on ARM64 images +(if the code ends up having to be arch specific). + +Thanks, + +-Raphael + + +In Linux/x86 Boot Protocol [1], the kernel header contains a pointer to +the kernel_version string at offset 020E (2-byte value): + + # hexdump -s 0x020E -n 2 -e '/2 "%x"' +/boot/vmlinuz-5.4.0-48-generic; echo + 3900 + +Starting after the header (512 bytes), the string is 0x3900 bytes into +the vmlinuz file: + + # dd bs=1 skip=$((0x3900+512)) if=/boot/vmlinuz-5.4.0-48-generic +|tr -s '\000' '\n'|head -n 1 + 5.4.0-48-generic (buildd@lcy01-amd64-010) #52-Ubuntu SMP Thu Sep 10 +10:58:49 UTC 2020 + +In ARM64, the vmlinux is stripped of symbols and compressed into the +bzImage. To find the linux_banner, System.map file is needed: + + # grep ' linux_banner$' /boot/System.map-5.4.0-48-generic + ffff800010df00d0 R linux_banner + +The offset into the file can be found by subtracting the load address: + + # grep ' _head$' /boot/System.map-5.4.0-48-generic + ffff800010080000 t _head + + # zcat /boot/vmlinuz-5.4.0-48-generic | dd bs=1 +skip=$((0xffff800010df00d0-0xffff800010080000)) | tr -s '\000' '\n' | +head -n 1 + Linux version 5.4.0-48-generic (buildd@bos02-arm64-053) (gcc +version 9.3.0 (Ubuntu 9.3.0-10ubuntu2)) #52-Ubuntu SMP Thu Sep 10 +11:01:50 UTC 2020 (Ubuntu 5.4.0-48.52-generic 5.4.60) + +[1]: [9]https://www.kernel.org/doc/html/latest/x86/boot.html + +Mehmet + + + + Regarding the arm64 vmlinux files, I've noticed in some, if you run the + file command for them in the terminal, it does give a "not stripped" + string in its result. Also, for those files, objdump does print out + symbols, including linux_banner. I've found that out last Friday and I + am in the process of looking at what the code for objdump to see how it + finds the symbols there and see if I can get its value from the image. + I wonder if I am missing something and that reported linux_banner + symbol I get from objdump is not what I think it is, so do let me know + if I am just wasting my time in investigating that when it comes to + arm64. + +Thanks, + +Raphael + + + + __________________________________________________________________ + + [[10]Date Prev][[11]Date Next][[12]Thread Prev][[13]Thread + Next][[14]Date Index][[15]Thread Index] + * References: + + [16]Fwd: How to extract linux kernel version information from + a kernel image? + o From: Raphael Gianotti + + [17]Re: Fwd: How to extract linux kernel version information + from a kernel image? + o From: Kayaalp, Mehmet + + * Prev by Date: [18]Re: [PATCH] Fix Atmel TPM crash caused by too + frequent queries + * Next by Date: [19]More interrupt problems with TIS TPM + * Previous by thread: [20]Re: Fwd: How to extract linux kernel + version information from a kernel image? + * Next by thread: [21][PATCH 0/4] TPM 2.0 fixes in IMA tests + * Index(es): + + [22]Date + + [23]Thread + + [24][Index of Archives] [25][Linux Kernel] + [26][Linux Kernel Hardening] [27][Linux NFS] [28][Linux NILFS] + [29][Linux USB Devel] [30][Video for Linux] + [31][Linux Audio Users] [32][Yosemite News] [33][Linux SCSI] + __________________________________________________________________ + + [INS: :INS] + + [34]Powered by Linux + +References + + 1. https://feeds.feedburner.com/LinuxIntegrity + 2. https://www.spinics.net/lists/linux-integrity/msg14579.html + 3. https://www.spinics.net/lists/linux-integrity/msg14581.html + 4. https://www.spinics.net/lists/linux-integrity/msg14511.html + 5. https://www.spinics.net/lists/linux-integrity/msg14496.html + 6. https://www.spinics.net/lists/linux-integrity/mail5.html#14580 + 7. https://www.spinics.net/lists/linux-integrity/thrd5.html#14580 + 8. https://www.spinics.net/lists/linux-integrity/msg14511.html + 9. https://www.kernel.org/doc/html/latest/x86/boot.html + 10. https://www.spinics.net/lists/linux-integrity/msg14579.html + 11. https://www.spinics.net/lists/linux-integrity/msg14581.html + 12. https://www.spinics.net/lists/linux-integrity/msg14511.html + 13. https://www.spinics.net/lists/linux-integrity/msg14496.html + 14. https://www.spinics.net/lists/linux-integrity/mail5.html#14580 + 15. https://www.spinics.net/lists/linux-integrity/thrd5.html#14580 + 16. https://www.spinics.net/lists/linux-integrity/msg14473.html + 17. https://www.spinics.net/lists/linux-integrity/msg14511.html + 18. https://www.spinics.net/lists/linux-integrity/msg14579.html + 19. https://www.spinics.net/lists/linux-integrity/msg14581.html + 20. https://www.spinics.net/lists/linux-integrity/msg14511.html + 21. https://www.spinics.net/lists/linux-integrity/msg14496.html + 22. https://www.spinics.net/lists/linux-integrity/mail5.html#14580 + 23. https://www.spinics.net/lists/linux-integrity/thrd5.html#14580 + 24. https://www.spinics.net/lists/ + 25. https://www.spinics.net/lists/kernel/ + 26. https://www.spinics.net/lists/kernel-hardening/ + 27. https://www.spinics.net/lists/linux-nfs/ + 28. https://www.spinics.net/lists/linux-nilfs/ + 29. https://www.spinics.net/lists/linux-usb/ + 30. https://www.spinics.net/lists/vfl/ + 31. https://www.spinics.net/lists/linux-audio-users/ + 32. https://yosemitenews.info/ + 33. https://www.spinics.net/lists/linux-scsi/ + 34. https://www.spinics.net/lists/ |