[dm-devel] [PATCH] dm: verity-loadpin: Only trust verity targets with enforcement

[dm-devel] [PATCH] dm: verity-loadpin: Only trust verity targets with enforcement

[Matthias Kaehlcke]

Verity targets can be configured to ignore corrupted data blocks.
LoadPin must only trust verity targets that are configured to
perform some kind of enforcement when data corruption is detected,
like returning an error, restarting the system or triggering a
panic.

Fixes: b6c1c5745ccc ("dm: Add verity helpers for LoadPin")
Reported-by: Sarthak Kukreti <sarthakkukreti@chromium.org>
Signed-off-by: Matthias Kaehlcke <mka@chromium.org>
---

 drivers/md/dm-verity-loadpin.c |  8 ++++++++
 drivers/md/dm-verity-target.c  | 16 ++++++++++++++++
 drivers/md/dm-verity.h         |  1 +
 3 files changed, 25 insertions(+)

diff --git a/drivers/md/dm-verity-loadpin.c b/drivers/md/dm-verity-loadpin.c
index 387ec43aef72..4f78cc55c251 100644
--- a/drivers/md/dm-verity-loadpin.c
+++ b/drivers/md/dm-verity-loadpin.c
@@ -14,6 +14,7 @@ LIST_HEAD(dm_verity_loadpin_trusted_root_digests);
 
 static bool is_trusted_verity_target(struct dm_target *ti)
 {
+	int verity_mode;
 	u8 *root_digest;
 	unsigned int digest_size;
 	struct dm_verity_loadpin_trusted_root_digest *trd;
@@ -22,6 +23,13 @@ static bool is_trusted_verity_target(struct dm_target *ti)
 	if (!dm_is_verity_target(ti))
 		return false;
 
+	verity_mode = dm_verity_get_mode(ti);
+
+	if ((verity_mode != DM_VERITY_MODE_EIO) &&
+	    (verity_mode != DM_VERITY_MODE_RESTART) &&
+	    (verity_mode != DM_VERITY_MODE_PANIC))
+		return false;
+
 	if (dm_verity_get_root_digest(ti, &root_digest, &digest_size))
 		return false;
 
diff --git a/drivers/md/dm-verity-target.c b/drivers/md/dm-verity-target.c
index 94b6cb599db4..8a00cc42e498 100644
--- a/drivers/md/dm-verity-target.c
+++ b/drivers/md/dm-verity-target.c
@@ -1446,6 +1446,22 @@ bool dm_is_verity_target(struct dm_target *ti)
 	return ti->type->module == THIS_MODULE;
 }
 
+/*
+ * Get the verity mode (error behavior) of a verity target.
+ *
+ * Returns the verity mode of the target, or -EINVAL if 'ti' is not a verity
+ * target.
+ */
+int dm_verity_get_mode(struct dm_target *ti)
+{
+	struct dm_verity *v = ti->private;
+
+	if (!dm_is_verity_target(ti))
+		return -EINVAL;
+
+	return v->mode;
+}
+
 /*
  * Get the root digest of a verity target.
  *
diff --git a/drivers/md/dm-verity.h b/drivers/md/dm-verity.h
index 45455de1b4bc..98f306ec6a33 100644
--- a/drivers/md/dm-verity.h
+++ b/drivers/md/dm-verity.h
@@ -134,6 +134,7 @@ extern int verity_hash_for_block(struct dm_verity *v, struct dm_verity_io *io,
 				 sector_t block, u8 *digest, bool *is_zero);
 
 extern bool dm_is_verity_target(struct dm_target *ti);
+extern int dm_verity_get_mode(struct dm_target *ti);
 extern int dm_verity_get_root_digest(struct dm_target *ti, u8 **root_digest,
 				     unsigned int *digest_size);
 
-- 
2.37.2.789.g6183377224-goog

--
dm-devel mailing list
dm-devel@redhat.com
https://listman.redhat.com/mailman/listinfo/dm-devel

[PATCH] dm: verity-loadpin: Only trust verity targets with enforcement

[Matthias Kaehlcke]

Verity targets can be configured to ignore corrupted data blocks.
LoadPin must only trust verity targets that are configured to
perform some kind of enforcement when data corruption is detected,
like returning an error, restarting the system or triggering a
panic.

Fixes: b6c1c5745ccc ("dm: Add verity helpers for LoadPin")
Reported-by: Sarthak Kukreti <sarthakkukreti@chromium.org>
Signed-off-by: Matthias Kaehlcke <mka@chromium.org>
---

 drivers/md/dm-verity-loadpin.c |  8 ++++++++
 drivers/md/dm-verity-target.c  | 16 ++++++++++++++++
 drivers/md/dm-verity.h         |  1 +
 3 files changed, 25 insertions(+)

diff --git a/drivers/md/dm-verity-loadpin.c b/drivers/md/dm-verity-loadpin.c
index 387ec43aef72..4f78cc55c251 100644
--- a/drivers/md/dm-verity-loadpin.c
+++ b/drivers/md/dm-verity-loadpin.c
@@ -14,6 +14,7 @@ LIST_HEAD(dm_verity_loadpin_trusted_root_digests);
 
 static bool is_trusted_verity_target(struct dm_target *ti)
 {
+	int verity_mode;
 	u8 *root_digest;
 	unsigned int digest_size;
 	struct dm_verity_loadpin_trusted_root_digest *trd;
@@ -22,6 +23,13 @@ static bool is_trusted_verity_target(struct dm_target *ti)
 	if (!dm_is_verity_target(ti))
 		return false;
 
+	verity_mode = dm_verity_get_mode(ti);
+
+	if ((verity_mode != DM_VERITY_MODE_EIO) &&
+	    (verity_mode != DM_VERITY_MODE_RESTART) &&
+	    (verity_mode != DM_VERITY_MODE_PANIC))
+		return false;
+
 	if (dm_verity_get_root_digest(ti, &root_digest, &digest_size))
 		return false;
 
diff --git a/drivers/md/dm-verity-target.c b/drivers/md/dm-verity-target.c
index 94b6cb599db4..8a00cc42e498 100644
--- a/drivers/md/dm-verity-target.c
+++ b/drivers/md/dm-verity-target.c
@@ -1446,6 +1446,22 @@ bool dm_is_verity_target(struct dm_target *ti)
 	return ti->type->module == THIS_MODULE;
 }
 
+/*
+ * Get the verity mode (error behavior) of a verity target.
+ *
+ * Returns the verity mode of the target, or -EINVAL if 'ti' is not a verity
+ * target.
+ */
+int dm_verity_get_mode(struct dm_target *ti)
+{
+	struct dm_verity *v = ti->private;
+
+	if (!dm_is_verity_target(ti))
+		return -EINVAL;
+
+	return v->mode;
+}
+
 /*
  * Get the root digest of a verity target.
  *
diff --git a/drivers/md/dm-verity.h b/drivers/md/dm-verity.h
index 45455de1b4bc..98f306ec6a33 100644
--- a/drivers/md/dm-verity.h
+++ b/drivers/md/dm-verity.h
@@ -134,6 +134,7 @@ extern int verity_hash_for_block(struct dm_verity *v, struct dm_verity_io *io,
 				 sector_t block, u8 *digest, bool *is_zero);
 
 extern bool dm_is_verity_target(struct dm_target *ti);
+extern int dm_verity_get_mode(struct dm_target *ti);
 extern int dm_verity_get_root_digest(struct dm_target *ti, u8 **root_digest,
 				     unsigned int *digest_size);
 
-- 
2.37.2.789.g6183377224-goog

Re: [dm-devel] [PATCH] dm: verity-loadpin: Only trust verity targets with enforcement

[Sarthak Kukreti]

Reviewed-by: Sarthak Kukreti <sarthakkukreti@chromium.org>

On Wed, Sep 7, 2022 at 1:31 PM Matthias Kaehlcke <mka@chromium.org> wrote:
>
> Verity targets can be configured to ignore corrupted data blocks.
> LoadPin must only trust verity targets that are configured to
> perform some kind of enforcement when data corruption is detected,
> like returning an error, restarting the system or triggering a
> panic.
>
> Fixes: b6c1c5745ccc ("dm: Add verity helpers for LoadPin")
> Reported-by: Sarthak Kukreti <sarthakkukreti@chromium.org>
> Signed-off-by: Matthias Kaehlcke <mka@chromium.org>
> ---
>
>  drivers/md/dm-verity-loadpin.c |  8 ++++++++
>  drivers/md/dm-verity-target.c  | 16 ++++++++++++++++
>  drivers/md/dm-verity.h         |  1 +
>  3 files changed, 25 insertions(+)
>
> diff --git a/drivers/md/dm-verity-loadpin.c b/drivers/md/dm-verity-loadpin.c
> index 387ec43aef72..4f78cc55c251 100644
> --- a/drivers/md/dm-verity-loadpin.c
> +++ b/drivers/md/dm-verity-loadpin.c
> @@ -14,6 +14,7 @@ LIST_HEAD(dm_verity_loadpin_trusted_root_digests);
>
>  static bool is_trusted_verity_target(struct dm_target *ti)
>  {
> +       int verity_mode;
>         u8 *root_digest;
>         unsigned int digest_size;
>         struct dm_verity_loadpin_trusted_root_digest *trd;
> @@ -22,6 +23,13 @@ static bool is_trusted_verity_target(struct dm_target *ti)
>         if (!dm_is_verity_target(ti))
>                 return false;
>
> +       verity_mode = dm_verity_get_mode(ti);
> +
> +       if ((verity_mode != DM_VERITY_MODE_EIO) &&
> +           (verity_mode != DM_VERITY_MODE_RESTART) &&
> +           (verity_mode != DM_VERITY_MODE_PANIC))
> +               return false;
> +
>         if (dm_verity_get_root_digest(ti, &root_digest, &digest_size))
>                 return false;
>
> diff --git a/drivers/md/dm-verity-target.c b/drivers/md/dm-verity-target.c
> index 94b6cb599db4..8a00cc42e498 100644
> --- a/drivers/md/dm-verity-target.c
> +++ b/drivers/md/dm-verity-target.c
> @@ -1446,6 +1446,22 @@ bool dm_is_verity_target(struct dm_target *ti)
>         return ti->type->module == THIS_MODULE;
>  }
>
> +/*
> + * Get the verity mode (error behavior) of a verity target.
> + *
> + * Returns the verity mode of the target, or -EINVAL if 'ti' is not a verity
> + * target.
> + */
> +int dm_verity_get_mode(struct dm_target *ti)

nit: It might be cleaner to combine the mode check above into this
function; eg. dm_verity_is_enforcing_mode(struct dm_target *ti).

> +{
> +       struct dm_verity *v = ti->private;
> +
> +       if (!dm_is_verity_target(ti))
> +               return -EINVAL;
> +
> +       return v->mode;
> +}
> +
>  /*
>   * Get the root digest of a verity target.
>   *
> diff --git a/drivers/md/dm-verity.h b/drivers/md/dm-verity.h
> index 45455de1b4bc..98f306ec6a33 100644
> --- a/drivers/md/dm-verity.h
> +++ b/drivers/md/dm-verity.h
> @@ -134,6 +134,7 @@ extern int verity_hash_for_block(struct dm_verity *v, struct dm_verity_io *io,
>                                  sector_t block, u8 *digest, bool *is_zero);
>
>  extern bool dm_is_verity_target(struct dm_target *ti);
> +extern int dm_verity_get_mode(struct dm_target *ti);
>  extern int dm_verity_get_root_digest(struct dm_target *ti, u8 **root_digest,
>                                      unsigned int *digest_size);
>
> --
> 2.37.2.789.g6183377224-goog
>

--
dm-devel mailing list
dm-devel@redhat.com
https://listman.redhat.com/mailman/listinfo/dm-devel

Re: [PATCH] dm: verity-loadpin: Only trust verity targets with enforcement

[Sarthak Kukreti]

Reviewed-by: Sarthak Kukreti <sarthakkukreti@chromium.org>

On Wed, Sep 7, 2022 at 1:31 PM Matthias Kaehlcke <mka@chromium.org> wrote:
>
> Verity targets can be configured to ignore corrupted data blocks.
> LoadPin must only trust verity targets that are configured to
> perform some kind of enforcement when data corruption is detected,
> like returning an error, restarting the system or triggering a
> panic.
>
> Fixes: b6c1c5745ccc ("dm: Add verity helpers for LoadPin")
> Reported-by: Sarthak Kukreti <sarthakkukreti@chromium.org>
> Signed-off-by: Matthias Kaehlcke <mka@chromium.org>
> ---
>
>  drivers/md/dm-verity-loadpin.c |  8 ++++++++
>  drivers/md/dm-verity-target.c  | 16 ++++++++++++++++
>  drivers/md/dm-verity.h         |  1 +
>  3 files changed, 25 insertions(+)
>
> diff --git a/drivers/md/dm-verity-loadpin.c b/drivers/md/dm-verity-loadpin.c
> index 387ec43aef72..4f78cc55c251 100644
> --- a/drivers/md/dm-verity-loadpin.c
> +++ b/drivers/md/dm-verity-loadpin.c
> @@ -14,6 +14,7 @@ LIST_HEAD(dm_verity_loadpin_trusted_root_digests);
>
>  static bool is_trusted_verity_target(struct dm_target *ti)
>  {
> +       int verity_mode;
>         u8 *root_digest;
>         unsigned int digest_size;
>         struct dm_verity_loadpin_trusted_root_digest *trd;
> @@ -22,6 +23,13 @@ static bool is_trusted_verity_target(struct dm_target *ti)
>         if (!dm_is_verity_target(ti))
>                 return false;
>
> +       verity_mode = dm_verity_get_mode(ti);
> +
> +       if ((verity_mode != DM_VERITY_MODE_EIO) &&
> +           (verity_mode != DM_VERITY_MODE_RESTART) &&
> +           (verity_mode != DM_VERITY_MODE_PANIC))
> +               return false;
> +
>         if (dm_verity_get_root_digest(ti, &root_digest, &digest_size))
>                 return false;
>
> diff --git a/drivers/md/dm-verity-target.c b/drivers/md/dm-verity-target.c
> index 94b6cb599db4..8a00cc42e498 100644
> --- a/drivers/md/dm-verity-target.c
> +++ b/drivers/md/dm-verity-target.c
> @@ -1446,6 +1446,22 @@ bool dm_is_verity_target(struct dm_target *ti)
>         return ti->type->module == THIS_MODULE;
>  }
>
> +/*
> + * Get the verity mode (error behavior) of a verity target.
> + *
> + * Returns the verity mode of the target, or -EINVAL if 'ti' is not a verity
> + * target.
> + */
> +int dm_verity_get_mode(struct dm_target *ti)

nit: It might be cleaner to combine the mode check above into this
function; eg. dm_verity_is_enforcing_mode(struct dm_target *ti).

> +{
> +       struct dm_verity *v = ti->private;
> +
> +       if (!dm_is_verity_target(ti))
> +               return -EINVAL;
> +
> +       return v->mode;
> +}
> +
>  /*
>   * Get the root digest of a verity target.
>   *
> diff --git a/drivers/md/dm-verity.h b/drivers/md/dm-verity.h
> index 45455de1b4bc..98f306ec6a33 100644
> --- a/drivers/md/dm-verity.h
> +++ b/drivers/md/dm-verity.h
> @@ -134,6 +134,7 @@ extern int verity_hash_for_block(struct dm_verity *v, struct dm_verity_io *io,
>                                  sector_t block, u8 *digest, bool *is_zero);
>
>  extern bool dm_is_verity_target(struct dm_target *ti);
> +extern int dm_verity_get_mode(struct dm_target *ti);
>  extern int dm_verity_get_root_digest(struct dm_target *ti, u8 **root_digest,
>                                      unsigned int *digest_size);
>
> --
> 2.37.2.789.g6183377224-goog
>

Re: [dm-devel] [PATCH] dm: verity-loadpin: Only trust verity targets with enforcement

[Kees Cook]

On Wed, 7 Sep 2022 13:30:58 -0700, Matthias Kaehlcke wrote:
> Verity targets can be configured to ignore corrupted data blocks.
> LoadPin must only trust verity targets that are configured to
> perform some kind of enforcement when data corruption is detected,
> like returning an error, restarting the system or triggering a
> panic.
> 
> 
> [...]

Applied to for-next/hardening, thanks!

[1/1] dm: verity-loadpin: Only trust verity targets with enforcement
      https://git.kernel.org/kees/c/2e1875c05267

-- 
Kees Cook

--
dm-devel mailing list
dm-devel@redhat.com
https://listman.redhat.com/mailman/listinfo/dm-devel

Re: [PATCH] dm: verity-loadpin: Only trust verity targets with enforcement

[Kees Cook]

On Wed, 7 Sep 2022 13:30:58 -0700, Matthias Kaehlcke wrote:
> Verity targets can be configured to ignore corrupted data blocks.
> LoadPin must only trust verity targets that are configured to
> perform some kind of enforcement when data corruption is detected,
> like returning an error, restarting the system or triggering a
> panic.
> 
> 
> [...]

Applied to for-next/hardening, thanks!

[1/1] dm: verity-loadpin: Only trust verity targets with enforcement
      https://git.kernel.org/kees/c/2e1875c05267

-- 
Kees Cook

Re: [dm-devel] dm: verity-loadpin: Only trust verity targets with enforcement

[Mike Snitzer]

On Wed, Sep 07 2022 at  6:34P -0400,
Kees Cook <keescook@chromium.org> wrote:

> On Wed, 7 Sep 2022 13:30:58 -0700, Matthias Kaehlcke wrote:
> > Verity targets can be configured to ignore corrupted data blocks.
> > LoadPin must only trust verity targets that are configured to
> > perform some kind of enforcement when data corruption is detected,
> > like returning an error, restarting the system or triggering a
> > panic.
> > 
> > 
> > [...]
> 
> Applied to for-next/hardening, thanks!
> 
> [1/1] dm: verity-loadpin: Only trust verity targets with enforcement
>       https://git.kernel.org/kees/c/2e1875c05267

Does this mean you're intending to send this upstream?  I prefer to
take all DM changes unless there is an external dependency.

Thanks,
Mike

--
dm-devel mailing list
dm-devel@redhat.com
https://listman.redhat.com/mailman/listinfo/dm-devel

Re: dm: verity-loadpin: Only trust verity targets with enforcement

[Mike Snitzer]

On Wed, Sep 07 2022 at  6:34P -0400,
Kees Cook <keescook@chromium.org> wrote:

> On Wed, 7 Sep 2022 13:30:58 -0700, Matthias Kaehlcke wrote:
> > Verity targets can be configured to ignore corrupted data blocks.
> > LoadPin must only trust verity targets that are configured to
> > perform some kind of enforcement when data corruption is detected,
> > like returning an error, restarting the system or triggering a
> > panic.
> > 
> > 
> > [...]
> 
> Applied to for-next/hardening, thanks!
> 
> [1/1] dm: verity-loadpin: Only trust verity targets with enforcement
>       https://git.kernel.org/kees/c/2e1875c05267

Does this mean you're intending to send this upstream?  I prefer to
take all DM changes unless there is an external dependency.

Thanks,
Mike

Re: [dm-devel] dm: verity-loadpin: Only trust verity targets with enforcement

[Kees Cook]

On Thu, Sep 08, 2022 at 11:25:36AM -0400, Mike Snitzer wrote:
> On Wed, Sep 07 2022 at  6:34P -0400,
> Kees Cook <keescook@chromium.org> wrote:
> 
> > On Wed, 7 Sep 2022 13:30:58 -0700, Matthias Kaehlcke wrote:
> > > Verity targets can be configured to ignore corrupted data blocks.
> > > LoadPin must only trust verity targets that are configured to
> > > perform some kind of enforcement when data corruption is detected,
> > > like returning an error, restarting the system or triggering a
> > > panic.
> > > 
> > > 
> > > [...]
> > 
> > Applied to for-next/hardening, thanks!
> > 
> > [1/1] dm: verity-loadpin: Only trust verity targets with enforcement
> >       https://git.kernel.org/kees/c/2e1875c05267
> 
> Does this mean you're intending to send this upstream?  I prefer to
> take all DM changes unless there is an external dependency.

Oh! Yeah, I added it to my tree since you'd asked me to take the
original verity-loadpin series and this was a fix. I'm happy either
way. Shall I drop this change from my tree?

-- 
Kees Cook

--
dm-devel mailing list
dm-devel@redhat.com
https://listman.redhat.com/mailman/listinfo/dm-devel

Re: dm: verity-loadpin: Only trust verity targets with enforcement

[Kees Cook]

On Thu, Sep 08, 2022 at 11:25:36AM -0400, Mike Snitzer wrote:
> On Wed, Sep 07 2022 at  6:34P -0400,
> Kees Cook <keescook@chromium.org> wrote:
> 
> > On Wed, 7 Sep 2022 13:30:58 -0700, Matthias Kaehlcke wrote:
> > > Verity targets can be configured to ignore corrupted data blocks.
> > > LoadPin must only trust verity targets that are configured to
> > > perform some kind of enforcement when data corruption is detected,
> > > like returning an error, restarting the system or triggering a
> > > panic.
> > > 
> > > 
> > > [...]
> > 
> > Applied to for-next/hardening, thanks!
> > 
> > [1/1] dm: verity-loadpin: Only trust verity targets with enforcement
> >       https://git.kernel.org/kees/c/2e1875c05267
> 
> Does this mean you're intending to send this upstream?  I prefer to
> take all DM changes unless there is an external dependency.

Oh! Yeah, I added it to my tree since you'd asked me to take the
original verity-loadpin series and this was a fix. I'm happy either
way. Shall I drop this change from my tree?

-- 
Kees Cook

Re: [dm-devel] dm: verity-loadpin: Only trust verity targets with enforcement

[Mike Snitzer]

On Thu, Sep 08 2022 at 12:13P -0400,
Kees Cook <keescook@chromium.org> wrote:

> On Thu, Sep 08, 2022 at 11:25:36AM -0400, Mike Snitzer wrote:
> > On Wed, Sep 07 2022 at  6:34P -0400,
> > Kees Cook <keescook@chromium.org> wrote:
> > 
> > > On Wed, 7 Sep 2022 13:30:58 -0700, Matthias Kaehlcke wrote:
> > > > Verity targets can be configured to ignore corrupted data blocks.
> > > > LoadPin must only trust verity targets that are configured to
> > > > perform some kind of enforcement when data corruption is detected,
> > > > like returning an error, restarting the system or triggering a
> > > > panic.
> > > > 
> > > > 
> > > > [...]
> > > 
> > > Applied to for-next/hardening, thanks!
> > > 
> > > [1/1] dm: verity-loadpin: Only trust verity targets with enforcement
> > >       https://git.kernel.org/kees/c/2e1875c05267
> > 
> > Does this mean you're intending to send this upstream?  I prefer to
> > take all DM changes unless there is an external dependency.
> 
> Oh! Yeah, I added it to my tree since you'd asked me to take the
> original verity-loadpin series and this was a fix. I'm happy either
> way. Shall I drop this change from my tree?

Let's leave it in your tree if you'll be sending this as a fix for
6.0-rc?

But moving forward, I'll take new development that is localized to DM.
Sound good?

Thanks,
Mike

--
dm-devel mailing list
dm-devel@redhat.com
https://listman.redhat.com/mailman/listinfo/dm-devel

Re: dm: verity-loadpin: Only trust verity targets with enforcement

[Mike Snitzer]

On Thu, Sep 08 2022 at 12:13P -0400,
Kees Cook <keescook@chromium.org> wrote:

> On Thu, Sep 08, 2022 at 11:25:36AM -0400, Mike Snitzer wrote:
> > On Wed, Sep 07 2022 at  6:34P -0400,
> > Kees Cook <keescook@chromium.org> wrote:
> > 
> > > On Wed, 7 Sep 2022 13:30:58 -0700, Matthias Kaehlcke wrote:
> > > > Verity targets can be configured to ignore corrupted data blocks.
> > > > LoadPin must only trust verity targets that are configured to
> > > > perform some kind of enforcement when data corruption is detected,
> > > > like returning an error, restarting the system or triggering a
> > > > panic.
> > > > 
> > > > 
> > > > [...]
> > > 
> > > Applied to for-next/hardening, thanks!
> > > 
> > > [1/1] dm: verity-loadpin: Only trust verity targets with enforcement
> > >       https://git.kernel.org/kees/c/2e1875c05267
> > 
> > Does this mean you're intending to send this upstream?  I prefer to
> > take all DM changes unless there is an external dependency.
> 
> Oh! Yeah, I added it to my tree since you'd asked me to take the
> original verity-loadpin series and this was a fix. I'm happy either
> way. Shall I drop this change from my tree?

Let's leave it in your tree if you'll be sending this as a fix for
6.0-rc?

But moving forward, I'll take new development that is localized to DM.
Sound good?

Thanks,
Mike