From: Eric Biggers <ebiggers@kernel.org>
To: Fan Wu <wufan@linux.microsoft.com>
Cc: corbet@lwn.net, zohar@linux.ibm.com, jmorris@namei.org,
serge@hallyn.com, tytso@mit.edu, axboe@kernel.dk, agk@redhat.com,
snitzer@kernel.org, mpatocka@redhat.com, eparis@redhat.com,
paul@paul-moore.com, linux-doc@vger.kernel.org,
linux-integrity@vger.kernel.org,
linux-security-module@vger.kernel.org, fsverity@lists.linux.dev,
linux-block@vger.kernel.org, dm-devel@lists.linux.dev,
audit@vger.kernel.org, linux-kernel@vger.kernel.org,
Deven Bowers <deven.desai@linux.microsoft.com>
Subject: Re: [PATCH v19 12/20] dm verity: expose root hash digest and signature data to LSMs
Date: Fri, 31 May 2024 21:07:23 +0000 [thread overview]
Message-ID: <20240531210723.GB2838215@google.com> (raw)
In-Reply-To: <1716583609-21790-13-git-send-email-wufan@linux.microsoft.com>
On Fri, May 24, 2024 at 01:46:41PM -0700, Fan Wu wrote:
> +#ifdef CONFIG_SECURITY
> +
> +#ifdef CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG
> +
> +static int verity_security_set_signature(struct block_device *bdev,
> + struct dm_verity *v)
> +{
> + return security_bdev_setintegrity(bdev,
> + LSM_INT_DMVERITY_SIG_VALID,
> + v->root_digest_sig,
> + v->sig_size);
> +}
> +
> +#else
> +
> +static inline int verity_security_set_signature(struct block_device *bdev,
> + struct dm_verity *v)
> +{
> + return 0;
> +}
> +
> +#endif /* CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG */
> +
> +/*
> + * Expose verity target's root hash and signature data to LSMs before resume.
> + *
> + * Returns 0 on success, or -ENOMEM if the system is out of memory.
> + */
> +static int verity_preresume(struct dm_target *ti)
> +{
> + struct block_device *bdev;
> + struct dm_verity_digest root_digest;
> + struct dm_verity *v;
> + int r;
> +
> + v = ti->private;
> + bdev = dm_disk(dm_table_get_md(ti->table))->part0;
> + root_digest.digest = v->root_digest;
> + root_digest.digest_len = v->digest_size;
> + root_digest.alg = crypto_ahash_alg_name(v->tfm);
> +
> + r = security_bdev_setintegrity(bdev, LSM_INT_DMVERITY_ROOTHASH, &root_digest,
> + sizeof(root_digest));
> + if (r)
> + return r;
> +
> + r = verity_security_set_signature(bdev, v);
> + if (r)
> + goto bad;
> +
> + return 0;
> +
> +bad:
> +
> + security_bdev_setintegrity(bdev, LSM_INT_DMVERITY_ROOTHASH, NULL, 0);
> +
> + return r;
> +}
> +
> +#endif /* CONFIG_SECURITY */
> +
> static struct target_type verity_target = {
> .name = "verity",
> .features = DM_TARGET_SINGLETON | DM_TARGET_IMMUTABLE,
Due to the possibility of table reloads, it looks like the security of this
scheme is dependent on (a) DM_TARGET_SINGLETON, (b) DM_TARGET_IMMUTABLE, *and*
(c) sending LSM_INT_DMVERITY_ROOTHASH and LSM_INT_DMVERITY_SIG_VALID to the
LSM(s) even when there is no signature. Notably, this differs from the
similar-looking code in fsverity where updates are not possible and
LSM_INT_FSVERITY_BUILTINSIG_VALID is not sent when there's no signature.
Given the subtleties here and the fact that getting any of these things wrong
would allow the LSM checks to be bypassed, it would really be worth leaving a
comment that explicitly documents why this is secure. And maybe also a
/* Note: singleton and immutable are depended on by the LSM hooks */ just above
the 'DM_TARGET_SINGLETON | DM_TARGET_IMMUTABLE' in case someone tries to remove
those. I see they were added only recently, which was a breaking UAPI change,
so I worry about people trying to revert it.
- Eric
next prev parent reply other threads:[~2024-05-31 21:07 UTC|newest]
Thread overview: 40+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-05-24 20:46 [PATCH v19 00/20] Integrity Policy Enforcement LSM (IPE) Fan Wu
2024-05-24 20:46 ` [PATCH v19 01/20] security: add ipe lsm Fan Wu
2024-05-24 20:46 ` [PATCH v19 02/20] ipe: add policy parser Fan Wu
2024-05-24 20:46 ` [PATCH v19 03/20] ipe: add evaluation loop Fan Wu
2024-05-24 20:46 ` [PATCH v19 04/20] ipe: add LSM hooks on execution and kernel read Fan Wu
2024-05-24 20:46 ` [PATCH v19 05/20] initramfs|security: Add a security hook to do_populate_rootfs() Fan Wu
2024-05-24 20:46 ` [PATCH v19 06/20] ipe: introduce 'boot_verified' as a trust provider Fan Wu
2024-05-24 20:46 ` [PATCH v19 07/20] security: add new securityfs delete function Fan Wu
2024-05-24 20:46 ` [PATCH v19 08/20] ipe: add userspace interface Fan Wu
2024-05-24 20:46 ` [PATCH v19 09/20] uapi|audit|ipe: add ipe auditing support Fan Wu
2024-05-24 20:46 ` [PATCH v19 10/20] ipe: add permissive toggle Fan Wu
2024-05-24 20:46 ` [PATCH v19 11/20] block,lsm: add LSM blob and new LSM hooks for block device Fan Wu
2024-05-31 20:48 ` Eric Biggers
2024-05-24 20:46 ` [PATCH v19 12/20] dm verity: expose root hash digest and signature data to LSMs Fan Wu
2024-05-25 9:02 ` Mikulas Patocka
2024-05-31 21:07 ` Eric Biggers [this message]
2024-05-24 20:46 ` [PATCH v19 13/20] ipe: add support for dm-verity as a trust provider Fan Wu
2024-05-30 1:44 ` Paul Moore
2024-05-30 3:58 ` Fan Wu
2024-05-30 5:53 ` Jarkko Sakkinen
2024-05-30 5:49 ` Jarkko Sakkinen
2024-05-24 20:46 ` [PATCH v19 14/20] security: add security_inode_setintegrity() hook Fan Wu
2024-05-24 20:46 ` [PATCH v19 15/20] fsverity: expose verified fsverity built-in signatures to LSMs Fan Wu
2024-05-30 1:44 ` Paul Moore
2024-05-30 5:51 ` Jarkko Sakkinen
2024-05-30 6:01 ` Eric Biggers
2024-05-30 6:07 ` Jarkko Sakkinen
2024-05-30 1:46 ` Paul Moore
2024-05-30 3:06 ` Eric Biggers
2024-05-30 3:38 ` Fan Wu
2024-05-30 20:54 ` Paul Moore
2024-05-31 0:43 ` Eric Biggers
2024-05-31 15:51 ` Paul Moore
2024-05-31 17:47 ` Eric Biggers
2024-06-03 1:40 ` Paul Moore
2024-05-24 20:46 ` [PATCH v19 16/20] ipe: enable support for fs-verity as a trust provider Fan Wu
2024-05-24 20:46 ` [PATCH v19 17/20] scripts: add boot policy generation program Fan Wu
2024-05-24 20:46 ` [PATCH v19 18/20] ipe: kunit test for parser Fan Wu
2024-05-24 20:46 ` [PATCH v19 19/20] Documentation: add ipe documentation Fan Wu
2024-05-24 20:46 ` [PATCH v19 20/20] MAINTAINERS: ipe: add ipe maintainer information Fan Wu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240531210723.GB2838215@google.com \
--to=ebiggers@kernel.org \
--cc=agk@redhat.com \
--cc=audit@vger.kernel.org \
--cc=axboe@kernel.dk \
--cc=corbet@lwn.net \
--cc=deven.desai@linux.microsoft.com \
--cc=dm-devel@lists.linux.dev \
--cc=eparis@redhat.com \
--cc=fsverity@lists.linux.dev \
--cc=jmorris@namei.org \
--cc=linux-block@vger.kernel.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mpatocka@redhat.com \
--cc=paul@paul-moore.com \
--cc=serge@hallyn.com \
--cc=snitzer@kernel.org \
--cc=tytso@mit.edu \
--cc=wufan@linux.microsoft.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).