From: Paul Moore <paul@paul-moore.com>
To: Fan Wu <wufan@linux.microsoft.com>,
corbet@lwn.net, zohar@linux.ibm.com, jmorris@namei.org,
serge@hallyn.com, tytso@mit.edu, ebiggers@kernel.org,
axboe@kernel.dk, agk@redhat.com, snitzer@kernel.org,
eparis@redhat.com
Cc: linux-doc@vger.kernel.org, linux-integrity@vger.kernel.org,
linux-security-module@vger.kernel.org, fsverity@lists.linux.dev,
linux-block@vger.kernel.org, dm-devel@lists.linux.dev,
audit@vger.kernel.org, linux-kernel@vger.kernel.org,
Deven Bowers <deven.desai@linux.microsoft.com>,
Fan Wu <wufan@linux.microsoft.com>
Subject: Re: [PATCH v16 11/20] block|security: add LSM blob to block_device
Date: Mon, 01 Apr 2024 21:26:42 -0400 [thread overview]
Message-ID: <18dfbc23f04422e88993a13ff15b6229@paul-moore.com> (raw)
In-Reply-To: <1711657047-10526-12-git-send-email-wufan@linux.microsoft.com>
On Mar 28, 2024 Fan Wu <wufan@linux.microsoft.com> wrote:
>
> Some block devices have valuable security properties that is only
> accessible during the creation time.
You should mention the new hook in the subject line, something like
the following: "block,lsm: add LSM blob and new LSM hook for block
devices".
> For example, when creating a dm-verity block device, the dm-verity's
> roothash and roothash signature, which are extreme important security
> metadata, are passed to the kernel. However, the roothash will be saved
> privately in dm-verity, which prevents the security subsystem to easily
> access that information. Worse, in the current implementation the
> roothash signature will be discarded after the verification, making it
> impossible to utilize the roothash signature by the security subsystem.
>
> With this patch, an LSM blob is added to the block_device structure.
> This enables the security subsystem to store security-sensitive data
> related to block devices within the security blob. For example, LSM can
> use the new LSM blob to save the roothash signature of a dm-verity,
> and LSM can make access decision based on the data inside the signature,
> like the signer certificate.
>
> The implementation follows the same approach used for security blobs in
> other structures like struct file, struct inode, and struct superblock.
> The initialization of the security blob occurs after the creation of the
> struct block_device, performed by the security subsystem. Similarly, the
> security blob is freed by the security subsystem before the struct
> block_device is deallocated or freed.
>
> This patch also introduces a new hook to save block device's integrity
> data. For example, for dm-verity, LSMs can use this hook to save
> the roothash signature of a dm-verity into the security blob,
> and LSMs can make access decisions based on the data inside
> the signature, like the signer certificate.
>
> Signed-off-by: Deven Bowers <deven.desai@linux.microsoft.com>
> Signed-off-by: Fan Wu <wufan@linux.microsoft.com>
> ---
> v2:
> + No Changes
>
> v3:
> + Minor style changes from checkpatch --strict
>
> v4:
> + No Changes
>
> v5:
> + Allow multiple callers to call security_bdev_setsecurity
>
> v6:
> + Simplify security_bdev_setsecurity break condition
>
> v7:
> + Squash all dm-verity related patches to two patches,
> the additions to dm-verity/fs, and the consumption of
> the additions.
>
> v8:
> + Split dm-verity related patches squashed in v7 to 3 commits based on
> topic:
> + New LSM hook
> + Consumption of hook outside LSM
> + Consumption of hook inside LSM.
>
> + change return of security_bdev_alloc / security_bdev_setsecurity
> to LSM_RET_DEFAULT instead of 0.
>
> + Change return code to -EOPNOTSUPP, bring inline with other
> setsecurity hooks.
>
> v9:
> + Add Reviewed-by: Casey Schaufler <casey@schaufler-ca.com>
> + Remove unlikely when calling LSM hook
> + Make the security field dependent on CONFIG_SECURITY
>
> v10:
> + No changes
>
> v11:
> + No changes
>
> v12:
> + No changes
>
> v13:
> + No changes
>
> v14:
> + No changes
>
> v15:
> + Drop security_bdev_setsecurity() for new hook
> security_bdev_setintegrity() in the next commit
> + Update call_int_hook() for 260017f
>
> v16:
> + Drop Reviewed-by tag for the new changes
> + Squash the security_bdev_setintegrity() into this commit
> + Rename enum from lsm_intgr_type to lsm_integrity_type
> + Switch to use call_int_hook() for bdev_setintegrity()
> + Correct comment
> + Fix return in security_bdev_alloc()
> ---
> block/bdev.c | 7 +++
> include/linux/blk_types.h | 3 ++
> include/linux/lsm_hook_defs.h | 5 ++
> include/linux/lsm_hooks.h | 1 +
> include/linux/security.h | 26 ++++++++++
> security/security.c | 89 +++++++++++++++++++++++++++++++++++
> 6 files changed, 131 insertions(+)
> diff --git a/include/linux/security.h b/include/linux/security.h
> index f35af7b6cfba..8e646189740e 100644
> --- a/include/linux/security.h
> +++ b/include/linux/security.h
> @@ -1483,6 +1492,23 @@ static inline int lsm_fill_user_ctx(struct lsm_ctx __user *uctx,
> {
> return -EOPNOTSUPP;
> }
> +
> +static inline int security_bdev_alloc(struct block_device *bdev)
> +{
> + return 0;
> +}
> +
> +static inline void security_bdev_free(struct block_device *bdev)
> +{
> +}
> +
> +static inline int security_bdev_setintegrity(struct block_device *bdev,
> + enum lsm_integrity_type, type,
I'm sure by now you've seen the reports about the errant comma ...
> + const void *value, size_t size)
> +{
> + return 0;
> +}
> +
> #endif /* CONFIG_SECURITY */
--
paul-moore.com
next prev parent reply other threads:[~2024-04-02 1:26 UTC|newest]
Thread overview: 36+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-03-28 20:17 [PATCH v16 00/20] Integrity Policy Enforcement LSM (IPE) Fan Wu
2024-03-28 20:17 ` [PATCH v16 01/20] security: add ipe lsm Fan Wu
2024-03-28 20:45 ` Jarkko Sakkinen
2024-03-28 22:11 ` Randy Dunlap
2024-03-30 11:11 ` Jarkko Sakkinen
2024-03-28 20:17 ` [PATCH v16 02/20] ipe: add policy parser Fan Wu
2024-03-28 20:46 ` Jarkko Sakkinen
2024-03-28 20:47 ` Jarkko Sakkinen
2024-03-28 20:17 ` [PATCH v16 03/20] ipe: add evaluation loop Fan Wu
2024-03-28 20:49 ` Jarkko Sakkinen
2024-03-28 20:17 ` [PATCH v16 04/20] ipe: add LSM hooks on execution and kernel read Fan Wu
2024-03-28 20:17 ` [PATCH v16 05/20] initramfs|security: Add a security hook to do_populate_rootfs() Fan Wu
2024-03-28 20:17 ` [PATCH v16 06/20] ipe: introduce 'boot_verified' as a trust provider Fan Wu
2024-03-28 20:17 ` [PATCH v16 07/20] security: add new securityfs delete function Fan Wu
2024-03-28 20:17 ` [PATCH v16 08/20] ipe: add userspace interface Fan Wu
2024-03-28 20:17 ` [PATCH v16 09/20] uapi|audit|ipe: add ipe auditing support Fan Wu
2024-03-28 20:17 ` [PATCH v16 10/20] ipe: add permissive toggle Fan Wu
2024-03-28 20:17 ` [PATCH v16 11/20] block|security: add LSM blob to block_device Fan Wu
2024-03-30 11:26 ` kernel test robot
2024-04-02 1:26 ` Paul Moore [this message]
2024-03-28 20:17 ` [PATCH v16 12/20] dm: add finalize hook to target_type Fan Wu
2024-03-28 20:17 ` [PATCH v16 13/20] dm verity: consume root hash digest and signature data via LSM hook Fan Wu
2024-04-02 1:26 ` Paul Moore
2024-03-28 20:17 ` [PATCH v16 14/20] ipe: add support for dm-verity as a trust provider Fan Wu
2024-04-02 1:26 ` Paul Moore
2024-03-28 20:17 ` [PATCH v16 15/20] security: add security_inode_setintegrity() hook Fan Wu
2024-04-02 1:26 ` Paul Moore
2024-03-28 20:17 ` [PATCH v16 16/20] fsverity: consume fsverity built-in signatures via LSM hook Fan Wu
2024-04-03 5:02 ` Eric Biggers
2024-03-28 20:17 ` [PATCH v16 17/20] ipe: enable support for fs-verity as a trust provider Fan Wu
2024-04-03 5:10 ` Eric Biggers
2024-03-28 20:17 ` [PATCH v16 18/20] scripts: add boot policy generation program Fan Wu
2024-03-28 20:17 ` [PATCH v16 19/20] ipe: kunit test for parser Fan Wu
2024-03-28 20:17 ` [PATCH v16 20/20] documentation: add ipe documentation Fan Wu
2024-03-28 20:36 ` [PATCH v16 00/20] Integrity Policy Enforcement LSM (IPE) Jarkko Sakkinen
2024-03-28 20:38 ` Jarkko Sakkinen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=18dfbc23f04422e88993a13ff15b6229@paul-moore.com \
--to=paul@paul-moore.com \
--cc=agk@redhat.com \
--cc=audit@vger.kernel.org \
--cc=axboe@kernel.dk \
--cc=corbet@lwn.net \
--cc=deven.desai@linux.microsoft.com \
--cc=dm-devel@lists.linux.dev \
--cc=ebiggers@kernel.org \
--cc=eparis@redhat.com \
--cc=fsverity@lists.linux.dev \
--cc=jmorris@namei.org \
--cc=linux-block@vger.kernel.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=serge@hallyn.com \
--cc=snitzer@kernel.org \
--cc=tytso@mit.edu \
--cc=wufan@linux.microsoft.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).