javispedro
Posts: 2,122 | Thanked: 4,125 times | Joined on Jan 2009 @ Barcelona
#11
Originally Posted by qole:
So javispedro, can you explain how to get into this "non-enforcing mode"? Because I'm still stuck in the same place.
The main goal is to disable the aegis "seal" that prevents tampering from userspace to the Aegis enforcing settings. I mentioned userspace because nothing prevents a kernel module from tampering with the seal, and that is exactly what can be done: a module that removes the seal.

So, the steps should be:
  1. Put the kernel module binary and the modhash.py script into a directory accessible by root.
  2. Open a root shell, and then enter develsh.
    Code:
    # develsh
  3. Calculate the hash of the unseal.ko module using the modhash.py script. It will also try to add it to the Aegis whitelist.
    Code:
    # python modhash.py unseal.ko 
    2ff9c8645c953d97bbd31b4b36fe401b3932a038
    (You do not need to do anything with the hash; it should all be done automatically)
  4. Load the module!
    Code:
    # insmod unseal.ko
  5. Check the results
    Code:
    # dmesg -c
    ...
    [  416.146728] unseal: valinfo.seal=0
  6. Now that Aegis configuration is no longer sealed, disable it!
    Code:
    # echo 0 > /sys/kernel/security/validator/enforce

In non-enforcing mode, Aegis will print all of the "security warnings" it prints on dmesg as usual, but it will not actually reject binaries.

Some things to note:
  • Note that you need to repeat all of the steps every time you reboot.
  • Do not blame me if you trigger Aegis self-destruction doing this (you will need to reflash).
  • Do not use this kernel module in anything other than the current N950 image.
  • The modhash.py script can be used to hash any other kernel module you would wish to load.
  • This can be disabled at any moment by a future firmware, so I suggest not making a fuss about it. I suggest using it for developer convenience only for the time being. It is not a hack -- in fact, it will only work when developer mode and develsh are available and contain the many required privileges.

Last edited by javispedro; 2011-09-20 at 23:04. Reason: removing unneeded stuff
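
As an added defender-side example (not code from this thread, from javispedro's unseal module or from modhash.py), the following Python audits the two indicators the steps above change on a development device: whether dmesg shows the seal going from 1 to 0, and whether validator/enforce still reads 1. It also shows the SHA1 allowlist check that, according to the thread, is all the validator applies to a module before loading it. The dmesg line format and the sysfs path are taken from this thread; the sample log lines are constructed from output quoted later in the thread; the allowlist set and the audit() helper are assumptions of this example.

```python
import hashlib
import re

# Constructed sample: the dmesg lines quoted later in this thread, in the
# "[timestamp] unseal: valinfo.seal=N" format the unseal module prints.
SAMPLE_DMESG = """\
[29046.856658] unseal: Hello World !!
[29046.856719] unseal: valinfo at 0xb0541780
[29046.856719] unseal: valinfo.seal=1
[29046.856750] unseal: Aegis unsealed
[29046.856781] unseal: valinfo.seal=0
"""

# Path named in the thread; this script only reads it, never writes it.
ENFORCE_PATH = "/sys/kernel/security/validator/enforce"

# Matches e.g. "[  416.146728] unseal: valinfo.seal=0" (leading spaces allowed)
SEAL_LINE = re.compile(r"^\[\s*([\d.]+)\]\s+unseal: valinfo\.seal=([01])\s*$")


def sha1_of_bytes(data: bytes) -> str:
    """SHA1 hex digest: per the thread, the key the Aegis whitelist stores per module."""
    return hashlib.sha1(data).hexdigest()


def sha1_of_file(path: str) -> str:
    """Stream a .ko through SHA1 so large modules are not read into memory at once."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def module_is_allowlisted(data: bytes, allowlist: set) -> bool:
    """Mirror of the validator's decision as described in the thread:
    the module loads only if its SHA1 is already in the whitelist."""
    return sha1_of_bytes(data) in allowlist


def seal_events(dmesg_text: str):
    """Extract (timestamp, seal_value) pairs from the unseal module's dmesg output."""
    events = []
    for line in dmesg_text.splitlines():
        m = SEAL_LINE.match(line)
        if m:
            events.append((m.group(1), int(m.group(2))))
    return events


def seal_was_removed(dmesg_text: str) -> bool:
    """True when the log shows the seal transitioning from 1 to 0."""
    values = [v for _, v in seal_events(dmesg_text)]
    return any(a == 1 and b == 0 for a, b in zip(values, values[1:]))


def enforce_enabled(enforce_text: str) -> bool:
    """Interpret the contents of validator/enforce ('1' means enforcing)."""
    return enforce_text.strip() == "1"


def audit(dmesg_text: str, enforce_text: str) -> dict:
    """Summarise both indicators; a defender would run this after every reboot,
    since the thread notes the unseal steps do not persist across reboots."""
    return {
        "seal_removed": seal_was_removed(dmesg_text),
        "enforcing": enforce_enabled(enforce_text),
    }


if __name__ == "__main__":
    # Offline demo on the constructed sample. On a device you would pass the
    # output of `dmesg` and the contents of ENFORCE_PATH instead.
    print(audit(SAMPLE_DMESG, "0\n"))
    # Allowlist check on constructed module bytes (a real .ko would go through sha1_of_file)
    known = {sha1_of_bytes(b"example module bytes")}
    print(module_is_allowlisted(b"example module bytes", known))
```

The audit deliberately reads state only: on a device it consumes `dmesg` output and the current value of `validator/enforce`, and reports whether the configuration has been unsealed or switched to non-enforcing, which is the condition under which the "security warnings" in dmesg no longer correspond to rejected binaries.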
hawaii
Posts: 1,027 | Thanked: 781 times | Joined on Jun 2009 @ Toronto
#12
Woot!

I have to also suspect that this "hole" was intentional. I've not come across TC platforms in my entire life, so I'm hoping the engineers who implemented this and left a plaintext file for policy configuration did so on purpose.

The config file can't be reloaded into the tcb module without developer mode, so at least that's a small hurdle :P

qole
Moderator | Posts: 7,098 | Thanked: 8,678 times | Joined on Oct 2007 @ Vancouver, BC, Canada
#13
I'm getting Internal Server Error trying to get the modhash.py script...

hawaii
Posts: 1,027 | Thanked: 781 times | Joined on Jun 2009 @ Toronto
#14
403. Bad perms on dir?

javispedro
Posts: 2,122 | Thanked: 4,125 times | Joined on Jan 2009 @ Barcelona
#15
Yes, fixed.

hawaii
Posts: 1,027 | Thanked: 781 times | Joined on Jun 2009 @ Toronto
#16
Got files. Will test now.

hawaii
Posts: 1,027 | Thanked: 781 times | Joined on Jun 2009 @ Toronto
#17
Code:
[29046.856658] unseal: Hello World !!
[29046.856719] unseal: valinfo at 0xb0541780
[29046.856719] unseal: valinfo.seal=1
[29046.856750] unseal: Aegis unsealed
[29046.856781] unseal: valinfo.seal=0
Success. Didn't burn itself.

Curiously, the only reason this works is because kernel modules don't need signing to be loaded? You simply need a SHA1 hash of the module injected into the loading whitelist?

lma
Posts: 2,803 | Thanked: 4,472 times | Joined on Nov 2007
#18
Originally Posted by hawaii:
I have to also suspect that this "hole" was intentional. I've not come across TC platforms in my entire life, so I'm hoping engineers who implemented this and left a plaintext file for policy configuration, did so on purpose.

The config file can't be reloaded into the tcb module without developer mode, so at least that's a small hurdle :P
Well, the entire thing hinges on having develsh pre-installed and with enough credentials to even load kernel modules. I'm 99.99% certain that retail devices won't be so lucky.

javispedro
Posts: 2,122 | Thanked: 4,125 times | Joined on Jan 2009 @ Barcelona
#19
Remember to do the echo 0 > enforce part, otherwise Aegis is kept in enforce mode.

Originally Posted by hawaii:
Curiously, the only reason this works is because kernel modules don't need signing to be loaded? You simply need a SHA1 hash of the module injected into the loading whitelist?
Yes. In the initial version, I modified restok.conf to give the unknown source all of the privileges I wanted (dac_admin, setuid, setgid, and sys_module). But then I realized develsh already has all of those tokens... so I deduced you could already load modules; only the hashes were missing, but develsh also had the privileges to load those.

Therefore, I used develsh as a replacement for the restok.conf trick.

javispedro
Posts: 2,122 | Thanked: 4,125 times | Joined on Jan 2009 @ Barcelona
#20
Originally Posted by lma:
Well, the entire thing hinges on having develsh pre-installed and with enough credentials to even load kernel modules. I'm 99.99% certain that retail devices won't be so lucky.
Nokia has indeed said that certain "locked" (operator locked?) devices won't have developer mode (and thus no develsh).

However, not even in my worst nightmares do I expect unlocked devices to be shipped without developer mode -- because they would be as locked as an iPhone or even more.