From: Fan Wu <wufan@linux.microsoft.com>
To: Paul Moore <paul@paul-moore.com>,
corbet@lwn.net, zohar@linux.ibm.com, jmorris@namei.org,
serge@hallyn.com, tytso@mit.edu, ebiggers@kernel.org,
axboe@kernel.dk, agk@redhat.com, snitzer@kernel.org,
mpatocka@redhat.com, eparis@redhat.com
Cc: linux-doc@vger.kernel.org, linux-integrity@vger.kernel.org,
linux-security-module@vger.kernel.org, fsverity@lists.linux.dev,
linux-block@vger.kernel.org, dm-devel@lists.linux.dev,
audit@vger.kernel.org, linux-kernel@vger.kernel.org,
Deven Bowers <deven.desai@linux.microsoft.com>
Subject: Re: [PATCH v19 13/20] ipe: add support for dm-verity as a trust provider
Date: Wed, 29 May 2024 20:58:30 -0700 [thread overview]
Message-ID: <67da2ff3-e0c4-4552-93dd-cf9cb04d0d78@linux.microsoft.com> (raw)
In-Reply-To: <2ecde610ca3f0cabcbb111e3432f2dd5@paul-moore.com>
On 5/29/2024 6:44 PM, Paul Moore wrote:
> On May 24, 2024 Fan Wu <wufan@linux.microsoft.com> wrote:
>>
>> Allows author of IPE policy to indicate trust for a singular dm-verity
>> volume, identified by roothash, through "dmverity_roothash" and all
>> signed and validated dm-verity volumes, through "dmverity_signature".
>>
>> Signed-off-by: Deven Bowers <deven.desai@linux.microsoft.com>
>> Signed-off-by: Fan Wu <wufan@linux.microsoft.com>
>> ---
>> v2:
>> + No Changes
>>
>> v3:
>> + No changes
>>
>> v4:
>> + No changes
>>
>> v5:
>> + No changes
>>
>> v6:
>> + Fix an improper cleanup that can result in
>> a leak
>>
>> v7:
>> + Squash patch 08/12, 10/12 to [11/16]
>>
>> v8:
>> + Undo squash of 08/12, 10/12 - separating drivers/md/ from security/
>> & block/
>> + Use common-audit function for dmverity_signature.
>> + Change implementation for storing the dm-verity digest to use the
>> newly introduced dm_verity_digest structure introduced in patch
>> 14/20.
>>
>> v9:
>> + Adapt to the new parser
>>
>> v10:
>> + Select the Kconfig when all dependencies are enabled
>>
>> v11:
>> + No changes
>>
>> v12:
>> + Refactor to use struct digest_info* instead of void*
>> + Correct audit format
>>
>> v13:
>> + Remove the CONFIG_IPE_PROP_DM_VERITY dependency inside the parser
>> to make the policy grammar independent of the kernel config.
>>
>> v14:
>> + No changes
>>
>> v15:
>> + Fix one grammar issue in KCONFIG
>> + Switch to use security_bdev_setintegrity() hook
>>
>> v16:
>> + Refactor for enum integrity type
>>
>> v17:
>> + Add years to license header
>> + Fix code and documentation style issues
>> + Return -EINVAL in ipe_bdev_setintegrity when passed type is not
>> supported
>> + Use new enum name LSM_INT_DMVERITY_SIG_VALID
>>
>> v18:
>> + Add Kconfig IPE_PROP_DM_VERITY_SIGNATURE and make both DM_VERITY
>> config auto-selected
>>
>> v19:
>> + No changes
>> ---
>> security/ipe/Kconfig | 27 ++++++++
>> security/ipe/Makefile | 1 +
>> security/ipe/audit.c | 29 ++++++++-
>> security/ipe/digest.c | 118 +++++++++++++++++++++++++++++++++++
>> security/ipe/digest.h | 26 ++++++++
>> security/ipe/eval.c | 93 ++++++++++++++++++++++++++-
>> security/ipe/eval.h | 12 ++++
>> security/ipe/hooks.c | 93 +++++++++++++++++++++++++++
>> security/ipe/hooks.h | 8 +++
>> security/ipe/ipe.c | 15 +++++
>> security/ipe/ipe.h | 4 ++
>> security/ipe/policy.h | 3 +
>> security/ipe/policy_parser.c | 24 ++++++-
>> 13 files changed, 449 insertions(+), 4 deletions(-)
>> create mode 100644 security/ipe/digest.c
>> create mode 100644 security/ipe/digest.h
>
> ...
>
>> diff --git a/security/ipe/hooks.c b/security/ipe/hooks.c
>> index b68719bf44fb..51f1e63c295c 100644
>> --- a/security/ipe/hooks.c
>> +++ b/security/ipe/hooks.c
>> @@ -191,3 +193,94 @@ void ipe_unpack_initramfs(void)
>> {
>> ipe_sb(current->fs->root.mnt->mnt_sb)->initramfs = true;
>> }
>> +
>> +#ifdef CONFIG_IPE_PROP_DM_VERITY
>> +/**
>> + * ipe_bdev_free_security() - Free IPE's LSM blob of block_devices.
>> + * @bdev: Supplies a pointer to a block_device that contains the structure
>> + * to free.
>> + */
>> +void ipe_bdev_free_security(struct block_device *bdev)
>> +{
>> + struct ipe_bdev *blob = ipe_bdev(bdev);
>> +
>> + ipe_digest_free(blob->root_hash);
>> +}
>> +
>> +#ifdef CONFIG_IPE_PROP_DM_VERITY_SIGNATURE
>> +static void ipe_set_dmverity_signature(struct ipe_bdev *blob,
>> + const void *value,
>> + size_t size)
>> +{
>> + blob->dm_verity_signed = size > 0 && value;
>> +}
>> +#else
>> +static inline void ipe_set_dmverity_signature(struct ipe_bdev *blob,
>> + const void *value,
>> + size_t size)
>> +{
>> +}
>> +#endif /* CONFIG_IPE_PROP_DM_VERITY_SIGNATURE */
>> +
>> +/**
>> + * ipe_bdev_setintegrity() - Save integrity data from a bdev to IPE's LSM blob.
>> + * @bdev: Supplies a pointer to a block_device that contains the LSM blob.
>> + * @type: Supplies the integrity type.
>> + * @value: Supplies the value to store.
>> + * @size: The size of @value.
>> + *
>> + * This hook is currently used to save dm-verity's root hash or the existence
>> + * of a validated signed dm-verity root hash into LSM blob.
>> + *
>> + * Return: %0 on success. If an error occurs, the function will return the
>> + * -errno.
>> + */
>> +int ipe_bdev_setintegrity(struct block_device *bdev, enum lsm_integrity_type type,
>> + const void *value, size_t size)
>> +{
>> + const struct dm_verity_digest *digest = NULL;
>> + struct ipe_bdev *blob = ipe_bdev(bdev);
>> + struct digest_info *info = NULL;
>> +
>> + if (type == LSM_INT_DMVERITY_ROOTHASH) {
>> + if (!value) {
>> + ipe_digest_free(blob->root_hash);
>> + blob->root_hash = NULL;
>> +
>> + return 0;
>> + }
>> + digest = value;
>> +
>> + info = kzalloc(sizeof(*info), GFP_KERNEL);
>> + if (!info)
>> + return -ENOMEM;
>> +
>> + info->digest = kmemdup(digest->digest, digest->digest_len,
>> + GFP_KERNEL);
>> + if (!info->digest)
>> + goto dmv_roothash_err;
>> +
>> + info->alg = kstrdup(digest->alg, GFP_KERNEL);
>> + if (!info->alg)
>> + goto dmv_roothash_err;
>> +
>> + info->digest_len = digest->digest_len;
>> +
>> + if (blob->root_hash)
>> + ipe_digest_free(blob->root_hash);
>
> The above if/free looks like a new addition from v18 and I'm not quite
> sure why the `blob->root_hash` NULL check is necessary as
> ipe_digest_free() does a IS_ERR_OR_NULL() check right at the top.
>
> Likely harmless and doubtful to have any noticable performance impact,
> but I wanted to mention it just in case ...
>
Yes directly call ipe_digest_free() should be enough.
Also this new free is introduced because the mapped device with an
existing dm-verity target can be suspended and associated with a new
dm-verity target. In this case, the root hash associated with the
security blob will be stale and needs to be freed before setting the new
data.
-Fan
>> + blob->root_hash = info;
>> +
>> + return 0;
>> +dmv_roothash_err:
>> + ipe_digest_free(info);
>> +
>> + return -ENOMEM;
>> + } else if (type == LSM_INT_DMVERITY_SIG_VALID) {
>> + ipe_set_dmverity_signature(blob, value, size);
>> +
>> + return 0;
>> + }
>> +
>> + return -EINVAL;
>> +}
>> +#endif /* CONFIG_IPE_PROP_DM_VERITY */
>
> --
> paul-moore.com
next prev parent reply other threads:[~2024-05-30 3:58 UTC|newest]
Thread overview: 40+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-05-24 20:46 [PATCH v19 00/20] Integrity Policy Enforcement LSM (IPE) Fan Wu
2024-05-24 20:46 ` [PATCH v19 01/20] security: add ipe lsm Fan Wu
2024-05-24 20:46 ` [PATCH v19 02/20] ipe: add policy parser Fan Wu
2024-05-24 20:46 ` [PATCH v19 03/20] ipe: add evaluation loop Fan Wu
2024-05-24 20:46 ` [PATCH v19 04/20] ipe: add LSM hooks on execution and kernel read Fan Wu
2024-05-24 20:46 ` [PATCH v19 05/20] initramfs|security: Add a security hook to do_populate_rootfs() Fan Wu
2024-05-24 20:46 ` [PATCH v19 06/20] ipe: introduce 'boot_verified' as a trust provider Fan Wu
2024-05-24 20:46 ` [PATCH v19 07/20] security: add new securityfs delete function Fan Wu
2024-05-24 20:46 ` [PATCH v19 08/20] ipe: add userspace interface Fan Wu
2024-05-24 20:46 ` [PATCH v19 09/20] uapi|audit|ipe: add ipe auditing support Fan Wu
2024-05-24 20:46 ` [PATCH v19 10/20] ipe: add permissive toggle Fan Wu
2024-05-24 20:46 ` [PATCH v19 11/20] block,lsm: add LSM blob and new LSM hooks for block device Fan Wu
2024-05-31 20:48 ` Eric Biggers
2024-05-24 20:46 ` [PATCH v19 12/20] dm verity: expose root hash digest and signature data to LSMs Fan Wu
2024-05-25 9:02 ` Mikulas Patocka
2024-05-31 21:07 ` Eric Biggers
2024-05-24 20:46 ` [PATCH v19 13/20] ipe: add support for dm-verity as a trust provider Fan Wu
2024-05-30 1:44 ` Paul Moore
2024-05-30 3:58 ` Fan Wu [this message]
2024-05-30 5:53 ` Jarkko Sakkinen
2024-05-30 5:49 ` Jarkko Sakkinen
2024-05-24 20:46 ` [PATCH v19 14/20] security: add security_inode_setintegrity() hook Fan Wu
2024-05-24 20:46 ` [PATCH v19 15/20] fsverity: expose verified fsverity built-in signatures to LSMs Fan Wu
2024-05-30 1:44 ` Paul Moore
2024-05-30 5:51 ` Jarkko Sakkinen
2024-05-30 6:01 ` Eric Biggers
2024-05-30 6:07 ` Jarkko Sakkinen
2024-05-30 1:46 ` Paul Moore
2024-05-30 3:06 ` Eric Biggers
2024-05-30 3:38 ` Fan Wu
2024-05-30 20:54 ` Paul Moore
2024-05-31 0:43 ` Eric Biggers
2024-05-31 15:51 ` Paul Moore
2024-05-31 17:47 ` Eric Biggers
2024-06-03 1:40 ` Paul Moore
2024-05-24 20:46 ` [PATCH v19 16/20] ipe: enable support for fs-verity as a trust provider Fan Wu
2024-05-24 20:46 ` [PATCH v19 17/20] scripts: add boot policy generation program Fan Wu
2024-05-24 20:46 ` [PATCH v19 18/20] ipe: kunit test for parser Fan Wu
2024-05-24 20:46 ` [PATCH v19 19/20] Documentation: add ipe documentation Fan Wu
2024-05-24 20:46 ` [PATCH v19 20/20] MAINTAINERS: ipe: add ipe maintainer information Fan Wu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=67da2ff3-e0c4-4552-93dd-cf9cb04d0d78@linux.microsoft.com \
--to=wufan@linux.microsoft.com \
--cc=agk@redhat.com \
--cc=audit@vger.kernel.org \
--cc=axboe@kernel.dk \
--cc=corbet@lwn.net \
--cc=deven.desai@linux.microsoft.com \
--cc=dm-devel@lists.linux.dev \
--cc=ebiggers@kernel.org \
--cc=eparis@redhat.com \
--cc=fsverity@lists.linux.dev \
--cc=jmorris@namei.org \
--cc=linux-block@vger.kernel.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mpatocka@redhat.com \
--cc=paul@paul-moore.com \
--cc=serge@hallyn.com \
--cc=snitzer@kernel.org \
--cc=tytso@mit.edu \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).