Re: Fwd: How to extract linux kernel version information from a kernel image?
* Subject: Re: Fwd: How to extract linux kernel version information from a kernel image?
* From: Raphael Gianotti <raphgi@xxxxxxxxxxxxxxxxxxx>
* Date: Mon, 28 Sep 2020 15:31:38 -0700
* In-reply-to: <a1c877b3-9f99-04a6-2f21-495fc62d0591@unh.edu>
* User-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Thunderbird/68.12.0
__________________________________________________________________
On 9/25/2020 4:06 PM, Kayaalp, Mehmet wrote:
> On 9/24/20 4:05 PM, Raphael Gianotti wrote:
>> Forwarding this here since the final intent here is an IMA related
>> change to see if anyone has any suggestions.
>>
>> -------- Forwarded Message --------
>> Subject: How to extract linux kernel version information from a kernel image?
>> Date: Fri, 18 Sep 2020 12:47:13 -0700
>> From: Raphael Gianotti <raphgi@xxxxxxxxxxxxxxxxxxx>
>> To: linux-kernel@xxxxxxxxxxxxxxx
>>
>> Hi,
>>
>> I have been investigating a way to extract the version string from a
>> kernel image (e.g., vmlinux). The version string I've been looking at is
>> essentially the linux_banner symbol.
>>
>> We'll use IMA to measure the version string on the kexec system call,
>> providing a way for an attestation service, for instance, to attest to
>> what version of the kernel is running on the client.
>>
>> I haven't found a way to extract the version from the image that isn't
>> simply searching the whole image for it. I was hoping someone here may
>> be able to point me to a better approach to retrieve the linux_banner
>> symbol value from an image or any existing kernel code that does
>> similar parsing.
>>
>> If that matters for any suggestions, my current focus is on ARM64 images
>> (if the code ends up having to be arch specific).
>>
>> Thanks,
>> -Raphael
>
> In Linux/x86 Boot Protocol [1], the kernel header contains a pointer to
> the kernel_version string at offset 020E (2-byte value):
>
> # hexdump -s 0x020E -n 2 -e '/2 "%x"' /boot/vmlinuz-5.4.0-48-generic; echo
> 3900
>
> Starting after the header (512 bytes), the string is 0x3900 bytes into
> the vmlinuz file:
>
> # dd bs=1 skip=$((0x3900+512)) if=/boot/vmlinuz-5.4.0-48-generic | tr -s '\000' '\n' | head -n 1
> 5.4.0-48-generic (buildd@lcy01-amd64-010) #52-Ubuntu SMP Thu Sep 10 10:58:49 UTC 2020
>
> In ARM64, the vmlinux is stripped of symbols and compressed into the
> bzImage. To find the linux_banner, the System.map file is needed:
>
> # grep ' linux_banner$' /boot/System.map-5.4.0-48-generic
> ffff800010df00d0 R linux_banner
>
> The offset into the file can be found by subtracting the load address:
>
> # grep ' _head$' /boot/System.map-5.4.0-48-generic
> ffff800010080000 t _head
> # zcat /boot/vmlinuz-5.4.0-48-generic | dd bs=1 skip=$((0xffff800010df00d0-0xffff800010080000)) | tr -s '\000' '\n' | head -n 1
> Linux version 5.4.0-48-generic (buildd@bos02-arm64-053) (gcc version 9.3.0 (Ubuntu 9.3.0-10ubuntu2)) #52-Ubuntu SMP Thu Sep 10 11:01:50 UTC 2020 (Ubuntu 5.4.0-48.52-generic 5.4.60)
>
> [1]: https://www.kernel.org/doc/html/latest/x86/boot.html
>
> Mehmet

Regarding the arm64 vmlinux files, I've noticed that for some of them, if
you run the file command on them in the terminal, it does give a "not
stripped" string in its result. Also, for those files, objdump does print
out symbols, including linux_banner. I found that out last Friday, and I
am in the process of looking at the code for objdump to see how it finds
the symbols there and to see if I can get its value from the image.

I wonder if I am missing something and that reported linux_banner
symbol I get from objdump is not what I think it is, so do let me know
if I am just wasting my time in investigating that when it comes to
arm64.

Thanks,
Raphael
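
The two lookups described in the thread, written as one bounds-checked parser. This is an added example, not code from the thread or from the kernel: the function names and sample images are constructed here, the `HdrS` and `setup_sects` checks come from the x86 boot protocol document cited as [1], and the arm64 function assumes an already decompressed image plus its System.map.

```python
import struct

def _cstring(buf: bytes, start: int, max_len: int = 512) -> str:
    """Read a NUL-terminated ASCII string; reject out-of-range or unterminated data."""
    end = buf.find(b"\0", start, start + max_len) if 0 <= start < len(buf) else -1
    if end == -1:
        raise ValueError("string offset out of range or not NUL-terminated")
    return buf[start:end].decode("ascii")

def x86_kernel_version(image: bytes) -> str:
    """x86 boot protocol: 2-byte pointer at 0x20E, stored less 0x200 (the boot sector)."""
    if len(image) < 0x210 or image[0x202:0x206] != b"HdrS":
        raise ValueError("no HdrS magic at 0x202: not an x86 boot-protocol image")
    setup_sects = image[0x1F1] or 4  # boot protocol: 0 means 4
    (ptr,) = struct.unpack_from("<H", image, 0x20E)
    if ptr == 0 or ptr >= setup_sects * 0x200:
        raise ValueError("kernel_version pointer unset or outside the setup code")
    return _cstring(image, ptr + 0x200)

def arm64_linux_banner(system_map: str, image: bytes) -> str:
    """Decompressed arm64 image: file offset = linux_banner - _head (from System.map)."""
    syms = {}
    for line in system_map.splitlines():
        fields = line.split()
        if len(fields) == 3:
            syms[fields[2]] = int(fields[0], 16)
    return _cstring(image, syms["linux_banner"] - syms["_head"])

# Constructed sample inputs (not real kernel images); addresses are those quoted in the thread.
SAMPLE_MAP = "ffff800010080000 t _head\nffff800010df00d0 R linux_banner\n"

def make_x86_sample(version: bytes, ptr: int = 0x3900) -> bytes:
    img = bytearray(0x200 + ptr + len(version) + 1)
    img[0x1F1] = 0x1F  # setup_sects: 31 sectors, so ptr 0x3900 is in range
    img[0x202:0x206] = b"HdrS"
    struct.pack_into("<H", img, 0x20E, ptr)
    img[0x200 + ptr:0x200 + ptr + len(version)] = version
    return bytes(img)

def make_arm64_sample(banner: bytes) -> bytes:
    return bytes(0xffff800010df00d0 - 0xffff800010080000) + banner + b"\0"

if __name__ == "__main__":
    print(x86_kernel_version(make_x86_sample(b"5.4.0-test (constructed)")))
    print(arm64_linux_banner(SAMPLE_MAP, make_arm64_sample(b"Linux version 5.4.0-test (constructed)")))
```

Because the pointer and the symbol offset are read from the file being measured, every offset is range-checked before it is dereferenced, and a malformed image raises `ValueError` instead of yielding a string from an arbitrary location.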