From: Paul Moore <paul@paul-moore.com>
To: Fan Wu <wufan@linux.microsoft.com>,
corbet@lwn.net, zohar@linux.ibm.com, jmorris@namei.org,
serge@hallyn.com, tytso@mit.edu, ebiggers@kernel.org,
axboe@kernel.dk, agk@redhat.com, snitzer@kernel.org,
eparis@redhat.com
Cc: linux-doc@vger.kernel.org, linux-integrity@vger.kernel.org,
linux-security-module@vger.kernel.org, fsverity@lists.linux.dev,
linux-block@vger.kernel.org, dm-devel@lists.linux.dev,
audit@vger.kernel.org, linux-kernel@vger.kernel.org,
Deven Bowers <deven.desai@linux.microsoft.com>,
Fan Wu <wufan@linux.microsoft.com>
Subject: Re: [PATCH v16 14/20] ipe: add support for dm-verity as a trust provider
Date: Mon, 01 Apr 2024 21:26:44 -0400 [thread overview]
Message-ID: <a811e4dda817d7a01f39b14ffa16a484@paul-moore.com> (raw)
In-Reply-To: <1711657047-10526-15-git-send-email-wufan@linux.microsoft.com>
On Mar 28, 2024 Fan Wu <wufan@linux.microsoft.com> wrote:
>
> Allows author of IPE policy to indicate trust for a singular dm-verity
> volume, identified by roothash, through "dmverity_roothash" and all
> signed dm-verity volumes, through "dmverity_signature".
>
> Signed-off-by: Deven Bowers <deven.desai@linux.microsoft.com>
> Signed-off-by: Fan Wu <wufan@linux.microsoft.com>
> ---
> v2:
> + No Changes
>
> v3:
> + No changes
>
> v4:
> + No changes
>
> v5:
> + No changes
>
> v6:
> + Fix an improper cleanup that can result in
> a leak
>
> v7:
> + Squash patch 08/12, 10/12 to [11/16]
>
> v8:
> + Undo squash of 08/12, 10/12 - separating drivers/md/ from security/
> & block/
> + Use common-audit function for dmverity_signature.
> + Change implementation for storing the dm-verity digest to use the
> newly introduced dm_verity_digest structure introduced in patch
> 14/20.
>
> v9:
> + Adapt to the new parser
>
> v10:
> + Select the Kconfig when all dependencies are enabled
>
> v11:
> + No changes
>
> v12:
> + Refactor to use struct digest_info* instead of void*
> + Correct audit format
>
> v13:
> + Remove the CONFIG_IPE_PROP_DM_VERITY dependency inside the parser
> to make the policy grammar independent of the kernel config.
>
> v14:
> + No changes
>
> v15:
> + Fix one grammar issue in KCONFIG
> + Switch to use security_bdev_setintegrity() hook
>
> v16:
> + Refactor for enum integrity type
> ---
> security/ipe/Kconfig | 18 ++++++
> security/ipe/Makefile | 1 +
> security/ipe/audit.c | 29 ++++++++-
> security/ipe/digest.c | 120 +++++++++++++++++++++++++++++++++++
> security/ipe/digest.h | 26 ++++++++
> security/ipe/eval.c | 91 +++++++++++++++++++++++++-
> security/ipe/eval.h | 10 +++
> security/ipe/hooks.c | 72 +++++++++++++++++++++
> security/ipe/hooks.h | 8 +++
> security/ipe/ipe.c | 15 +++++
> security/ipe/ipe.h | 4 ++
> security/ipe/policy.h | 3 +
> security/ipe/policy_parser.c | 24 ++++++-
> 13 files changed, 417 insertions(+), 4 deletions(-)
> create mode 100644 security/ipe/digest.c
> create mode 100644 security/ipe/digest.h
...
> diff --git a/security/ipe/hooks.c b/security/ipe/hooks.c
> index 6bcc7908ed13..f95986a87d51 100644
> --- a/security/ipe/hooks.c
> +++ b/security/ipe/hooks.c
> @@ -187,3 +191,71 @@ void ipe_unpack_initramfs(void)
> {
> ipe_sb(current->fs->root.mnt->mnt_sb)->initramfs = true;
> }
> +
> +#ifdef CONFIG_IPE_PROP_DM_VERITY
> +/**
> + * ipe_bdev_free_security - free IPE's LSM blob of block_devices.
> + * @bdev: Supplies a pointer to a block_device that contains the structure
> + * to free.
> + */
> +void ipe_bdev_free_security(struct block_device *bdev)
> +{
> + struct ipe_bdev *blob = ipe_bdev(bdev);
> +
> + ipe_digest_free(blob->root_hash);
> +}
> +
> +/**
> + * ipe_bdev_setintegrity - save integrity data from a bdev to IPE's LSM blob.
> + * @bdev: Supplies a pointer to a block_device that contains the LSM blob.
> + * @type: Supplies the integrity type.
> + * @value: Supplies the value to store.
> + * @size: The size of @value.
> + */
> +int ipe_bdev_setintegrity(struct block_device *bdev, enum lsm_integrity_type type,
> + const void *value, size_t size)
> +{
> + struct ipe_bdev *blob = ipe_bdev(bdev);
> +
> + if (type == LSM_INT_DMVERITY_ROOTHASH) {
> + if (!value) {
> + ipe_digest_free(blob->root_hash);
> + blob->root_hash = NULL;
> +
> + return 0;
> + }
> +
> + const struct dm_verity_digest *digest = value;
> + struct digest_info *info = NULL;
General kernel coding conventions put variable declarations at the top
of the scope; in other words, move the '!value' if-statement below
this.
> + info = kzalloc(sizeof(*info), GFP_KERNEL);
> + if (!info)
> + return -ENOMEM;
> +
> + info->digest_len = digest->digest_len;
> +
> + info->digest = kmemdup(digest->digest, info->digest_len,
> + GFP_KERNEL);
> + if (!info->digest)
> + goto err;
It's always a good practice to not do any work you might not need to
do in case of error:
info->digest = kmemdup(...);
if (!info->digest)
goto dmv_roothash_err;
info->digest_len = digest->digest_len;
> + info->alg = kstrdup(digest->alg, GFP_KERNEL);
> + if (!info->alg)
> + goto err;
> +
> + blob->root_hash = info;
> +
> + return 0;
> +err:
You might want to consider naming this 'dmv_roothash_err' to help
indicate that it is a jump label specifically for use within the
DMVERITY_ROOTHASH block.
> + ipe_digest_free(info);
> +
> + return -ENOMEM;
> + } else if (type == LSM_INT_DMVERITY_SIG) {
> + blob->dm_verity_signed = size > 0 && value;
> +
> + return 0;
> + }
Woule it be worth returning -EINVAL if some other lsm_integrity_type
value was used here?
if (ROOTHASH) {
...
} else if (SIG) {
...
} else
return -EINVAL;
> + return 0;
> +}
> +#endif /* CONFIG_IPE_PROP_DM_VERITY */
--
paul-moore.com
next prev parent reply other threads:[~2024-04-02 1:26 UTC|newest]
Thread overview: 36+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-03-28 20:17 [PATCH v16 00/20] Integrity Policy Enforcement LSM (IPE) Fan Wu
2024-03-28 20:17 ` [PATCH v16 01/20] security: add ipe lsm Fan Wu
2024-03-28 20:45 ` Jarkko Sakkinen
2024-03-28 22:11 ` Randy Dunlap
2024-03-30 11:11 ` Jarkko Sakkinen
2024-03-28 20:17 ` [PATCH v16 02/20] ipe: add policy parser Fan Wu
2024-03-28 20:46 ` Jarkko Sakkinen
2024-03-28 20:47 ` Jarkko Sakkinen
2024-03-28 20:17 ` [PATCH v16 03/20] ipe: add evaluation loop Fan Wu
2024-03-28 20:49 ` Jarkko Sakkinen
2024-03-28 20:17 ` [PATCH v16 04/20] ipe: add LSM hooks on execution and kernel read Fan Wu
2024-03-28 20:17 ` [PATCH v16 05/20] initramfs|security: Add a security hook to do_populate_rootfs() Fan Wu
2024-03-28 20:17 ` [PATCH v16 06/20] ipe: introduce 'boot_verified' as a trust provider Fan Wu
2024-03-28 20:17 ` [PATCH v16 07/20] security: add new securityfs delete function Fan Wu
2024-03-28 20:17 ` [PATCH v16 08/20] ipe: add userspace interface Fan Wu
2024-03-28 20:17 ` [PATCH v16 09/20] uapi|audit|ipe: add ipe auditing support Fan Wu
2024-03-28 20:17 ` [PATCH v16 10/20] ipe: add permissive toggle Fan Wu
2024-03-28 20:17 ` [PATCH v16 11/20] block|security: add LSM blob to block_device Fan Wu
2024-03-30 11:26 ` kernel test robot
2024-04-02 1:26 ` Paul Moore
2024-03-28 20:17 ` [PATCH v16 12/20] dm: add finalize hook to target_type Fan Wu
2024-03-28 20:17 ` [PATCH v16 13/20] dm verity: consume root hash digest and signature data via LSM hook Fan Wu
2024-04-02 1:26 ` Paul Moore
2024-03-28 20:17 ` [PATCH v16 14/20] ipe: add support for dm-verity as a trust provider Fan Wu
2024-04-02 1:26 ` Paul Moore [this message]
2024-03-28 20:17 ` [PATCH v16 15/20] security: add security_inode_setintegrity() hook Fan Wu
2024-04-02 1:26 ` Paul Moore
2024-03-28 20:17 ` [PATCH v16 16/20] fsverity: consume fsverity built-in signatures via LSM hook Fan Wu
2024-04-03 5:02 ` Eric Biggers
2024-03-28 20:17 ` [PATCH v16 17/20] ipe: enable support for fs-verity as a trust provider Fan Wu
2024-04-03 5:10 ` Eric Biggers
2024-03-28 20:17 ` [PATCH v16 18/20] scripts: add boot policy generation program Fan Wu
2024-03-28 20:17 ` [PATCH v16 19/20] ipe: kunit test for parser Fan Wu
2024-03-28 20:17 ` [PATCH v16 20/20] documentation: add ipe documentation Fan Wu
2024-03-28 20:36 ` [PATCH v16 00/20] Integrity Policy Enforcement LSM (IPE) Jarkko Sakkinen
2024-03-28 20:38 ` Jarkko Sakkinen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=a811e4dda817d7a01f39b14ffa16a484@paul-moore.com \
--to=paul@paul-moore.com \
--cc=agk@redhat.com \
--cc=audit@vger.kernel.org \
--cc=axboe@kernel.dk \
--cc=corbet@lwn.net \
--cc=deven.desai@linux.microsoft.com \
--cc=dm-devel@lists.linux.dev \
--cc=ebiggers@kernel.org \
--cc=eparis@redhat.com \
--cc=fsverity@lists.linux.dev \
--cc=jmorris@namei.org \
--cc=linux-block@vger.kernel.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=serge@hallyn.com \
--cc=snitzer@kernel.org \
--cc=tytso@mit.edu \
--cc=wufan@linux.microsoft.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).