From: "Jarkko Sakkinen" <jarkko@kernel.org>
To: "Fan Wu" <wufan@linux.microsoft.com>,
"Paul Moore" <paul@paul-moore.com>, <corbet@lwn.net>,
<zohar@linux.ibm.com>, <jmorris@namei.org>, <serge@hallyn.com>,
<tytso@mit.edu>, <ebiggers@kernel.org>, <axboe@kernel.dk>,
<agk@redhat.com>, <snitzer@kernel.org>, <mpatocka@redhat.com>,
<eparis@redhat.com>
Cc: <linux-doc@vger.kernel.org>, <linux-integrity@vger.kernel.org>,
<linux-security-module@vger.kernel.org>,
<fsverity@lists.linux.dev>, <linux-block@vger.kernel.org>,
<dm-devel@lists.linux.dev>, <audit@vger.kernel.org>,
<linux-kernel@vger.kernel.org>,
"Deven Bowers" <deven.desai@linux.microsoft.com>
Subject: Re: [PATCH v19 13/20] ipe: add support for dm-verity as a trust provider
Date: Thu, 30 May 2024 08:53:52 +0300 [thread overview]
Message-ID: <D1MQVCEITGPS.2HU8JUF2MAYQ7@kernel.org> (raw)
In-Reply-To: <67da2ff3-e0c4-4552-93dd-cf9cb04d0d78@linux.microsoft.com>
On Thu May 30, 2024 at 6:58 AM EEST, Fan Wu wrote:
>
>
> On 5/29/2024 6:44 PM, Paul Moore wrote:
> > On May 24, 2024 Fan Wu <wufan@linux.microsoft.com> wrote:
> >>
> >> Allows author of IPE policy to indicate trust for a singular dm-verity
> >> volume, identified by roothash, through "dmverity_roothash" and all
> >> signed and validated dm-verity volumes, through "dmverity_signature".
> >>
> >> Signed-off-by: Deven Bowers <deven.desai@linux.microsoft.com>
> >> Signed-off-by: Fan Wu <wufan@linux.microsoft.com>
> >> ---
> >> v2:
> >> + No Changes
> >>
> >> v3:
> >> + No changes
> >>
> >> v4:
> >> + No changes
> >>
> >> v5:
> >> + No changes
> >>
> >> v6:
> >> + Fix an improper cleanup that can result in
> >> a leak
> >>
> >> v7:
> >> + Squash patch 08/12, 10/12 to [11/16]
> >>
> >> v8:
> >> + Undo squash of 08/12, 10/12 - separating drivers/md/ from security/
> >> & block/
> >> + Use common-audit function for dmverity_signature.
> >> + Change implementation for storing the dm-verity digest to use the
> >> newly introduced dm_verity_digest structure introduced in patch
> >> 14/20.
> >>
> >> v9:
> >> + Adapt to the new parser
> >>
> >> v10:
> >> + Select the Kconfig when all dependencies are enabled
> >>
> >> v11:
> >> + No changes
> >>
> >> v12:
> >> + Refactor to use struct digest_info* instead of void*
> >> + Correct audit format
> >>
> >> v13:
> >> + Remove the CONFIG_IPE_PROP_DM_VERITY dependency inside the parser
> >> to make the policy grammar independent of the kernel config.
> >>
> >> v14:
> >> + No changes
> >>
> >> v15:
> >> + Fix one grammar issue in KCONFIG
> >> + Switch to use security_bdev_setintegrity() hook
> >>
> >> v16:
> >> + Refactor for enum integrity type
> >>
> >> v17:
> >> + Add years to license header
> >> + Fix code and documentation style issues
> >> + Return -EINVAL in ipe_bdev_setintegrity when passed type is not
> >> supported
> >> + Use new enum name LSM_INT_DMVERITY_SIG_VALID
> >>
> >> v18:
> >> + Add Kconfig IPE_PROP_DM_VERITY_SIGNATURE and make both DM_VERITY
> >> config auto-selected
> >>
> >> v19:
> >> + No changes
> >> ---
> >> security/ipe/Kconfig | 27 ++++++++
> >> security/ipe/Makefile | 1 +
> >> security/ipe/audit.c | 29 ++++++++-
> >> security/ipe/digest.c | 118 +++++++++++++++++++++++++++++++++++
> >> security/ipe/digest.h | 26 ++++++++
> >> security/ipe/eval.c | 93 ++++++++++++++++++++++++++-
> >> security/ipe/eval.h | 12 ++++
> >> security/ipe/hooks.c | 93 +++++++++++++++++++++++++++
> >> security/ipe/hooks.h | 8 +++
> >> security/ipe/ipe.c | 15 +++++
> >> security/ipe/ipe.h | 4 ++
> >> security/ipe/policy.h | 3 +
> >> security/ipe/policy_parser.c | 24 ++++++-
> >> 13 files changed, 449 insertions(+), 4 deletions(-)
> >> create mode 100644 security/ipe/digest.c
> >> create mode 100644 security/ipe/digest.h
> >
> > ...
> >
> >> diff --git a/security/ipe/hooks.c b/security/ipe/hooks.c
> >> index b68719bf44fb..51f1e63c295c 100644
> >> --- a/security/ipe/hooks.c
> >> +++ b/security/ipe/hooks.c
> >> @@ -191,3 +193,94 @@ void ipe_unpack_initramfs(void)
> >> {
> >> ipe_sb(current->fs->root.mnt->mnt_sb)->initramfs = true;
> >> }
> >> +
> >> +#ifdef CONFIG_IPE_PROP_DM_VERITY
> >> +/**
> >> + * ipe_bdev_free_security() - Free IPE's LSM blob of block_devices.
> >> + * @bdev: Supplies a pointer to a block_device that contains the structure
> >> + * to free.
> >> + */
> >> +void ipe_bdev_free_security(struct block_device *bdev)
> >> +{
> >> + struct ipe_bdev *blob = ipe_bdev(bdev);
> >> +
> >> + ipe_digest_free(blob->root_hash);
> >> +}
> >> +
> >> +#ifdef CONFIG_IPE_PROP_DM_VERITY_SIGNATURE
> >> +static void ipe_set_dmverity_signature(struct ipe_bdev *blob,
> >> + const void *value,
> >> + size_t size)
> >> +{
> >> + blob->dm_verity_signed = size > 0 && value;
> >> +}
> >> +#else
> >> +static inline void ipe_set_dmverity_signature(struct ipe_bdev *blob,
> >> + const void *value,
> >> + size_t size)
> >> +{
> >> +}
> >> +#endif /* CONFIG_IPE_PROP_DM_VERITY_SIGNATURE */
> >> +
> >> +/**
> >> + * ipe_bdev_setintegrity() - Save integrity data from a bdev to IPE's LSM blob.
> >> + * @bdev: Supplies a pointer to a block_device that contains the LSM blob.
> >> + * @type: Supplies the integrity type.
> >> + * @value: Supplies the value to store.
> >> + * @size: The size of @value.
> >> + *
> >> + * This hook is currently used to save dm-verity's root hash or the existence
> >> + * of a validated signed dm-verity root hash into LSM blob.
> >> + *
> >> + * Return: %0 on success. If an error occurs, the function will return the
> >> + * -errno.
> >> + */
> >> +int ipe_bdev_setintegrity(struct block_device *bdev, enum lsm_integrity_type type,
> >> + const void *value, size_t size)
> >> +{
> >> + const struct dm_verity_digest *digest = NULL;
> >> + struct ipe_bdev *blob = ipe_bdev(bdev);
> >> + struct digest_info *info = NULL;
> >> +
> >> + if (type == LSM_INT_DMVERITY_ROOTHASH) {
> >> + if (!value) {
> >> + ipe_digest_free(blob->root_hash);
> >> + blob->root_hash = NULL;
> >> +
> >> + return 0;
> >> + }
> >> + digest = value;
> >> +
> >> + info = kzalloc(sizeof(*info), GFP_KERNEL);
> >> + if (!info)
> >> + return -ENOMEM;
> >> +
> >> + info->digest = kmemdup(digest->digest, digest->digest_len,
> >> + GFP_KERNEL);
> >> + if (!info->digest)
> >> + goto dmv_roothash_err;
> >> +
> >> + info->alg = kstrdup(digest->alg, GFP_KERNEL);
> >> + if (!info->alg)
> >> + goto dmv_roothash_err;
> >> +
> >> + info->digest_len = digest->digest_len;
> >> +
> >> + if (blob->root_hash)
> >> + ipe_digest_free(blob->root_hash);
> >
> > The above if/free looks like a new addition from v18 and I'm not quite
> > sure why the `blob->root_hash` NULL check is necessary as
> > ipe_digest_free() does a IS_ERR_OR_NULL() check right at the top.
> >
> > Likely harmless and doubtful to have any noticable performance impact,
> > but I wanted to mention it just in case ...
> >
>
> Yes directly call ipe_digest_free() should be enough.
>
> Also this new free is introduced because the mapped device with an
> existing dm-verity target can be suspended and associated with a new
> dm-verity target. In this case, the root hash associated with the
> security blob will be stale and needs to be freed before setting the new
> data.
>
> -Fan
>
> >> + blob->root_hash = info;
> >> +
> >> + return 0;
> >> +dmv_roothash_err:
Just a nitpick but 9/10 'err' is a prefix...
Also now this patch set uses 'err'' ambiguously given the use
as name of the variable to store a return code. Similar naming
pattern would do miracles.
> >> + ipe_digest_free(info);
> >> +
> >> + return -ENOMEM;
> >> + } else if (type == LSM_INT_DMVERITY_SIG_VALID) {
> >> + ipe_set_dmverity_signature(blob, value, size);
> >> +
> >> + return 0;
> >> + }
> >> +
> >> + return -EINVAL;
> >> +}
> >> +#endif /* CONFIG_IPE_PROP_DM_VERITY */
> >
> > --
> > paul-moore.com
BR, Jarkko
next prev parent reply other threads:[~2024-05-30 5:54 UTC|newest]
Thread overview: 40+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-05-24 20:46 [PATCH v19 00/20] Integrity Policy Enforcement LSM (IPE) Fan Wu
2024-05-24 20:46 ` [PATCH v19 01/20] security: add ipe lsm Fan Wu
2024-05-24 20:46 ` [PATCH v19 02/20] ipe: add policy parser Fan Wu
2024-05-24 20:46 ` [PATCH v19 03/20] ipe: add evaluation loop Fan Wu
2024-05-24 20:46 ` [PATCH v19 04/20] ipe: add LSM hooks on execution and kernel read Fan Wu
2024-05-24 20:46 ` [PATCH v19 05/20] initramfs|security: Add a security hook to do_populate_rootfs() Fan Wu
2024-05-24 20:46 ` [PATCH v19 06/20] ipe: introduce 'boot_verified' as a trust provider Fan Wu
2024-05-24 20:46 ` [PATCH v19 07/20] security: add new securityfs delete function Fan Wu
2024-05-24 20:46 ` [PATCH v19 08/20] ipe: add userspace interface Fan Wu
2024-05-24 20:46 ` [PATCH v19 09/20] uapi|audit|ipe: add ipe auditing support Fan Wu
2024-05-24 20:46 ` [PATCH v19 10/20] ipe: add permissive toggle Fan Wu
2024-05-24 20:46 ` [PATCH v19 11/20] block,lsm: add LSM blob and new LSM hooks for block device Fan Wu
2024-05-31 20:48 ` Eric Biggers
2024-05-24 20:46 ` [PATCH v19 12/20] dm verity: expose root hash digest and signature data to LSMs Fan Wu
2024-05-25 9:02 ` Mikulas Patocka
2024-05-31 21:07 ` Eric Biggers
2024-05-24 20:46 ` [PATCH v19 13/20] ipe: add support for dm-verity as a trust provider Fan Wu
2024-05-30 1:44 ` Paul Moore
2024-05-30 3:58 ` Fan Wu
2024-05-30 5:53 ` Jarkko Sakkinen [this message]
2024-05-30 5:49 ` Jarkko Sakkinen
2024-05-24 20:46 ` [PATCH v19 14/20] security: add security_inode_setintegrity() hook Fan Wu
2024-05-24 20:46 ` [PATCH v19 15/20] fsverity: expose verified fsverity built-in signatures to LSMs Fan Wu
2024-05-30 1:44 ` Paul Moore
2024-05-30 5:51 ` Jarkko Sakkinen
2024-05-30 6:01 ` Eric Biggers
2024-05-30 6:07 ` Jarkko Sakkinen
2024-05-30 1:46 ` Paul Moore
2024-05-30 3:06 ` Eric Biggers
2024-05-30 3:38 ` Fan Wu
2024-05-30 20:54 ` Paul Moore
2024-05-31 0:43 ` Eric Biggers
2024-05-31 15:51 ` Paul Moore
2024-05-31 17:47 ` Eric Biggers
2024-06-03 1:40 ` Paul Moore
2024-05-24 20:46 ` [PATCH v19 16/20] ipe: enable support for fs-verity as a trust provider Fan Wu
2024-05-24 20:46 ` [PATCH v19 17/20] scripts: add boot policy generation program Fan Wu
2024-05-24 20:46 ` [PATCH v19 18/20] ipe: kunit test for parser Fan Wu
2024-05-24 20:46 ` [PATCH v19 19/20] Documentation: add ipe documentation Fan Wu
2024-05-24 20:46 ` [PATCH v19 20/20] MAINTAINERS: ipe: add ipe maintainer information Fan Wu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=D1MQVCEITGPS.2HU8JUF2MAYQ7@kernel.org \
--to=jarkko@kernel.org \
--cc=agk@redhat.com \
--cc=audit@vger.kernel.org \
--cc=axboe@kernel.dk \
--cc=corbet@lwn.net \
--cc=deven.desai@linux.microsoft.com \
--cc=dm-devel@lists.linux.dev \
--cc=ebiggers@kernel.org \
--cc=eparis@redhat.com \
--cc=fsverity@lists.linux.dev \
--cc=jmorris@namei.org \
--cc=linux-block@vger.kernel.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mpatocka@redhat.com \
--cc=paul@paul-moore.com \
--cc=serge@hallyn.com \
--cc=snitzer@kernel.org \
--cc=tytso@mit.edu \
--cc=wufan@linux.microsoft.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).