#[1]Linux Integrity

   _________________________ Search

 Re: Fwd: How to extract linux kernel version information from a kernel image?

   [[2]Date Prev][[3]Date Next][[4]Thread Prev][[5]Thread Next][[6]Date
   Index][[7]Thread Index]


   [INS: :INS]
     __________________________________________________________________

     * Subject: Re: Fwd: How to extract linux kernel version information
       from a kernel image?
     * From: Raphael Gianotti <raphgi@xxxxxxxxxxxxxxxxxxx>
     * Date: Mon, 28 Sep 2020 15:31:38 -0700
     * In-reply-to: <[8]a1c877b3-9f99-04a6-2f21-495fc62d0591@unh.edu>
     * User-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0)
       Gecko/20100101 Thunderbird/68.12.0
     __________________________________________________________________

On 9/25/2020 4:06 PM, Kayaalp, Mehmet wrote:

On 9/24/20 4:05 PM, Raphael Gianotti wrote:

Forwarding this here since the final intent here is an IMA related
change to see if anyone has any suggestions.


-------- Forwarded Message --------
Subject:        How to extract linux kernel version information from a
kernel
image?
Date:   Fri, 18 Sep 2020 12:47:13 -0700
From:   Raphael Gianotti <raphgi@xxxxxxxxxxxxxxxxxxx>
To:     linux-kernel@xxxxxxxxxxxxxxx



Hi,

I have been investigating a way to extract the version strong from a
kernel image (e.g., vmlinux). The version string I've been looking at is
essentially the linux_banner symbol.

We'll use IMA to measure the version string on the kexec system call,
providing a way for an attestation service, for instance, to attest to
what version of the kernel is running on the client.

I haven't found a way to extract the version from the image that isn't
simply searching the whole image for it. I was hoping someone here may
be able to point me to a better approach to retrieve the linux_banner
symbol value from an image or  any existing kernel code that does
similar parsing.

If that matters for any suggestions, my current focus is on ARM64 images
(if the code ends up having to be arch specific).

Thanks,

-Raphael


In Linux/x86 Boot Protocol [1], the kernel header contains a pointer to
the kernel_version string at offset 020E (2-byte value):

      # hexdump -s 0x020E -n 2 -e '/2 "%x"'
/boot/vmlinuz-5.4.0-48-generic; echo
      3900

Starting after the header (512 bytes), the string is 0x3900 bytes into
the vmlinuz file:

      # dd bs=1 skip=$((0x3900+512)) if=/boot/vmlinuz-5.4.0-48-generic
|tr -s '\000' '\n'|head -n 1
      5.4.0-48-generic (buildd@lcy01-amd64-010) #52-Ubuntu SMP Thu Sep 10
10:58:49 UTC 2020

In ARM64, the vmlinux is stripped of symbols and compressed into the
bzImage. To find the linux_banner, System.map file is needed:

      # grep ' linux_banner$' /boot/System.map-5.4.0-48-generic
      ffff800010df00d0 R linux_banner

The offset into the file can be found by subtracting the load address:

      # grep ' _head$' /boot/System.map-5.4.0-48-generic
      ffff800010080000 t _head

      # zcat /boot/vmlinuz-5.4.0-48-generic | dd bs=1
skip=$((0xffff800010df00d0-0xffff800010080000)) | tr -s '\000' '\n' |
head -n 1
      Linux version 5.4.0-48-generic (buildd@bos02-arm64-053) (gcc
version 9.3.0 (Ubuntu 9.3.0-10ubuntu2)) #52-Ubuntu SMP Thu Sep 10
11:01:50 UTC 2020 (Ubuntu 5.4.0-48.52-generic 5.4.60)

[1]: [9]https://www.kernel.org/doc/html/latest/x86/boot.html

Mehmet



   Regarding the arm64 vmlinux files, I've noticed in some, if you run the
   file command for them in the terminal, it does give a "not stripped"
   string in its result. Also, for those files, objdump does print out
   symbols, including linux_banner. I've found that out last Friday and I
   am in the process of looking at what the code for objdump to see how it
   finds the symbols there and see if I can get its value from the image.
   I wonder if I am missing something and that reported linux_banner
   symbol I get from objdump is not what I think it is, so do let me know
   if I am just wasting my time in investigating that when it comes to
   arm64.

Thanks,

Raphael



     __________________________________________________________________

   [[10]Date Prev][[11]Date Next][[12]Thread Prev][[13]Thread
   Next][[14]Date Index][[15]Thread Index]
     * References:
          + [16]Fwd: How to extract linux kernel version information from
            a kernel image?
               o From: Raphael Gianotti
          + [17]Re: Fwd: How to extract linux kernel version information
            from a kernel image?
               o From: Kayaalp, Mehmet

     * Prev by Date: [18]Re: [PATCH] Fix Atmel TPM crash caused by too
       frequent queries
     * Next by Date: [19]More interrupt problems with TIS TPM
     * Previous by thread: [20]Re: Fwd: How to extract linux kernel
       version information from a kernel image?
     * Next by thread: [21][PATCH 0/4] TPM 2.0 fixes in IMA tests
     * Index(es):
          + [22]Date
          + [23]Thread

               [24][Index of Archives]     [25][Linux Kernel]
   [26][Linux Kernel Hardening]     [27][Linux NFS]     [28][Linux NILFS]
                 [29][Linux USB Devel]     [30][Video for Linux]
    [31][Linux Audio Users]     [32][Yosemite News]     [33][Linux SCSI]
     __________________________________________________________________

   [INS: :INS]

     [34]Powered by Linux

References

   1. https://feeds.feedburner.com/LinuxIntegrity
   2. https://www.spinics.net/lists/linux-integrity/msg14579.html
   3. https://www.spinics.net/lists/linux-integrity/msg14581.html
   4. https://www.spinics.net/lists/linux-integrity/msg14511.html
   5. https://www.spinics.net/lists/linux-integrity/msg14496.html
   6. https://www.spinics.net/lists/linux-integrity/mail5.html#14580
   7. https://www.spinics.net/lists/linux-integrity/thrd5.html#14580
   8. https://www.spinics.net/lists/linux-integrity/msg14511.html
   9. https://www.kernel.org/doc/html/latest/x86/boot.html
  10. https://www.spinics.net/lists/linux-integrity/msg14579.html
  11. https://www.spinics.net/lists/linux-integrity/msg14581.html
  12. https://www.spinics.net/lists/linux-integrity/msg14511.html
  13. https://www.spinics.net/lists/linux-integrity/msg14496.html
  14. https://www.spinics.net/lists/linux-integrity/mail5.html#14580
  15. https://www.spinics.net/lists/linux-integrity/thrd5.html#14580
  16. https://www.spinics.net/lists/linux-integrity/msg14473.html
  17. https://www.spinics.net/lists/linux-integrity/msg14511.html
  18. https://www.spinics.net/lists/linux-integrity/msg14579.html
  19. https://www.spinics.net/lists/linux-integrity/msg14581.html
  20. https://www.spinics.net/lists/linux-integrity/msg14511.html
  21. https://www.spinics.net/lists/linux-integrity/msg14496.html
  22. https://www.spinics.net/lists/linux-integrity/mail5.html#14580
  23. https://www.spinics.net/lists/linux-integrity/thrd5.html#14580
  24. https://www.spinics.net/lists/
  25. https://www.spinics.net/lists/kernel/
  26. https://www.spinics.net/lists/kernel-hardening/
  27. https://www.spinics.net/lists/linux-nfs/
  28. https://www.spinics.net/lists/linux-nilfs/
  29. https://www.spinics.net/lists/linux-usb/
  30. https://www.spinics.net/lists/vfl/
  31. https://www.spinics.net/lists/linux-audio-users/
  32. https://yosemitenews.info/
  33. https://www.spinics.net/lists/linux-scsi/
  34. https://www.spinics.net/lists/