From: "Michal Suchánek" <msuchanek@suse.de>
To: Philipp Rudo <prudo@redhat.com>
Cc: Nayna <nayna@linux.vnet.ibm.com>,
Mimi Zohar <zohar@linux.ibm.com>,
David Howells <dhowells@redhat.com>,
keyrings@vger.kernel.org, Paul Mackerras <paulus@samba.org>,
Alexander Gordeev <agordeev@linux.ibm.com>,
Rob Herring <robh@kernel.org>,
Herbert Xu <herbert@gondor.apana.org.au>,
Baoquan He <bhe@redhat.com>,
Christian Borntraeger <borntraeger@de.ibm.com>,
James Morris <jmorris@namei.org>,
Lakshmi Ramasubramanian <nramas@linux.microsoft.com>,
Christian Borntraeger <borntraeger@linux.ibm.com>,
"Serge E. Hallyn" <serge@hallyn.com>,
Vasily Gorbik <gor@linux.ibm.com>,
linux-s390@vger.kernel.org, Heiko Carstens <hca@linux.ibm.com>,
linux-crypto@vger.kernel.org,
Hari Bathini <hbathini@linux.ibm.com>,
Daniel Axtens <dja@axtens.net>,
Dmitry Kasatkin <dmitry.kasatkin@gmail.com>,
Frank van der Linden <fllinden@amazon.com>,
kexec@lists.infradead.org, linux-kernel@vger.kernel.org,
Luis Chamberlain <mcgrof@kernel.org>,
Sven Schnelle <svens@linux.ibm.com>,
linux-security-module@vger.kernel.org,
Jessica Yu <jeyu@kernel.org>,
linux-integrity@vger.kernel.org, linuxppc-dev@lists.ozlabs.org,
"David S. Miller" <davem@davemloft.net>,
Thiago Jung Bauermann <bauerman@linux.ibm.com>,
buendgen@de.ibm.com
Subject: Re: [PATCH v2 6/6] module: Move duplicate mod_check_sig users code to mod_parse_sig
Date: Mon, 13 Dec 2021 19:06:11 +0100 [thread overview]
Message-ID: <20211213180611.GU117207@kunlun.suse.cz> (raw)
In-Reply-To: <20211207171034.0b782d82@rhtmp>
Hello,
On Tue, Dec 07, 2021 at 05:10:34PM +0100, Philipp Rudo wrote:
> Hi Michal,
>
> On Thu, 25 Nov 2021 19:02:44 +0100
> Michal Suchanek <msuchanek@suse.de> wrote:
>
> > Multiple users of mod_check_sig check for the marker, then call
> > mod_check_sig, extract signature length, and remove the signature.
> >
> > Put this code in one place together with mod_check_sig.
> >
> > Signed-off-by: Michal Suchanek <msuchanek@suse.de>
> > ---
> > include/linux/module_signature.h | 1 +
> > kernel/module_signature.c | 56 ++++++++++++++++++++++++++++-
> > kernel/module_signing.c | 26 +++-----------
> > security/integrity/ima/ima_modsig.c | 22 ++----------
> > 4 files changed, 63 insertions(+), 42 deletions(-)
> >
> > diff --git a/include/linux/module_signature.h b/include/linux/module_signature.h
> > index 7eb4b00381ac..1343879b72b3 100644
> > --- a/include/linux/module_signature.h
> > +++ b/include/linux/module_signature.h
> > @@ -42,5 +42,6 @@ struct module_signature {
> >
> > int mod_check_sig(const struct module_signature *ms, size_t file_len,
> > const char *name);
> > +int mod_parse_sig(const void *data, size_t *len, size_t *sig_len, const char *name);
> >
> > #endif /* _LINUX_MODULE_SIGNATURE_H */
> > diff --git a/kernel/module_signature.c b/kernel/module_signature.c
> > index 00132d12487c..784b40575ee4 100644
> > --- a/kernel/module_signature.c
> > +++ b/kernel/module_signature.c
> > @@ -8,14 +8,36 @@
> >
> > #include <linux/errno.h>
> > #include <linux/printk.h>
> > +#include <linux/string.h>
> > #include <linux/module_signature.h>
> > #include <asm/byteorder.h>
> >
> > +/**
> > + * mod_check_sig_marker - check that the given data has signature marker at the end
> > + *
> > + * @data: Data with appended signature
> > + * @len: Length of data. Signature marker length is subtracted on success.
> > + */
> > +static inline int mod_check_sig_marker(const void *data, size_t *len)
>
> I personally don't like it when a function has a "check" in it's name
> as it doesn't describe what the function is checking for. For me
It is consistent with mod_check_sig
> mod_has_sig_marker is much more precise. I would use that instead.
It actually would not because it does more than that.
Thanks
Michal
>
> Thanks
> Philipp
>
> > +{
> > + const unsigned long markerlen = sizeof(MODULE_SIG_STRING) - 1;
> > +
> > + if (markerlen > *len)
> > + return -ENODATA;
> > +
> > + if (memcmp(data + *len - markerlen, MODULE_SIG_STRING,
> > + markerlen))
> > + return -ENODATA;
> > +
> > + *len -= markerlen;
> > + return 0;
> > +}
> > +
> > /**
> > * mod_check_sig - check that the given signature is sane
> > *
> > * @ms: Signature to check.
> > - * @file_len: Size of the file to which @ms is appended.
> > + * @file_len: Size of the file to which @ms is appended (without the marker).
> > * @name: What is being checked. Used for error messages.
> > */
> > int mod_check_sig(const struct module_signature *ms, size_t file_len,
> > @@ -44,3 +66,35 @@ int mod_check_sig(const struct module_signature *ms, size_t file_len,
> >
> > return 0;
> > }
> > +
> > +/**
> > + * mod_parse_sig - check that the given signature is sane and determine signature length
> > + *
> > + * @data: Data with appended signature.
> > + * @len: Length of data. Signature and marker length is subtracted on success.
> > + * @sig_len: Length of signature. Filled on success.
> > + * @name: What is being checked. Used for error messages.
> > + */
> > +int mod_parse_sig(const void *data, size_t *len, size_t *sig_len, const char *name)
> > +{
> > + const struct module_signature *sig;
> > + int rc;
> > +
> > + rc = mod_check_sig_marker(data, len);
> > + if (rc)
> > + return rc;
> > +
> > + if (*len < sizeof(*sig))
> > + return -ENODATA;
> > +
> > + sig = (const struct module_signature *)(data + (*len - sizeof(*sig)));
> > +
> > + rc = mod_check_sig(sig, *len, name);
> > + if (rc)
> > + return rc;
> > +
> > + *sig_len = be32_to_cpu(sig->sig_len);
> > + *len -= *sig_len + sizeof(*sig);
> > +
> > + return 0;
> > +}
> > diff --git a/kernel/module_signing.c b/kernel/module_signing.c
> > index cef72a6f6b5d..02bbca90f467 100644
> > --- a/kernel/module_signing.c
> > +++ b/kernel/module_signing.c
> > @@ -25,35 +25,17 @@ int verify_appended_signature(const void *data, size_t *len,
> > struct key *trusted_keys,
> > enum key_being_used_for purpose)
> > {
> > - const unsigned long markerlen = sizeof(MODULE_SIG_STRING) - 1;
> > struct module_signature ms;
> > - size_t sig_len, modlen = *len;
> > + size_t sig_len;
> > int ret;
> >
> > - pr_devel("==>%s %s(,%zu)\n", __func__, key_being_used_for[purpose], modlen);
> > + pr_devel("==>%s %s(,%zu)\n", __func__, key_being_used_for[purpose], *len);
> >
> > - if (markerlen > modlen)
> > - return -ENODATA;
> > -
> > - if (memcmp(data + modlen - markerlen, MODULE_SIG_STRING,
> > - markerlen))
> > - return -ENODATA;
> > - modlen -= markerlen;
> > -
> > - if (modlen <= sizeof(ms))
> > - return -EBADMSG;
> > -
> > - memcpy(&ms, data + (modlen - sizeof(ms)), sizeof(ms));
> > -
> > - ret = mod_check_sig(&ms, modlen, key_being_used_for[purpose]);
> > + ret = mod_parse_sig(data, len, &sig_len, key_being_used_for[purpose]);
> > if (ret)
> > return ret;
> >
> > - sig_len = be32_to_cpu(ms.sig_len);
> > - modlen -= sig_len + sizeof(ms);
> > - *len = modlen;
> > -
> > - return verify_pkcs7_signature(data, modlen, data + modlen, sig_len,
> > + return verify_pkcs7_signature(data, *len, data + *len, sig_len,
> > trusted_keys,
> > purpose,
> > NULL, NULL);
> > diff --git a/security/integrity/ima/ima_modsig.c b/security/integrity/ima/ima_modsig.c
> > index fb25723c65bc..46917eb37fd8 100644
> > --- a/security/integrity/ima/ima_modsig.c
> > +++ b/security/integrity/ima/ima_modsig.c
> > @@ -37,33 +37,17 @@ struct modsig {
> > *
> > * Return: 0 on success, error code otherwise.
> > */
> > -int ima_read_modsig(enum ima_hooks func, const void *buf, loff_t buf_len,
> > +int ima_read_modsig(enum ima_hooks func, const void *buf, loff_t len,
> > struct modsig **modsig)
> > {
> > - const size_t marker_len = strlen(MODULE_SIG_STRING);
> > - const struct module_signature *sig;
> > struct modsig *hdr;
> > - size_t sig_len;
> > - const void *p;
> > + size_t sig_len, buf_len = len;
> > int rc;
> >
> > - if (buf_len <= marker_len + sizeof(*sig))
> > - return -ENOENT;
> > -
> > - p = buf + buf_len - marker_len;
> > - if (memcmp(p, MODULE_SIG_STRING, marker_len))
> > - return -ENOENT;
> > -
> > - buf_len -= marker_len;
> > - sig = (const struct module_signature *)(p - sizeof(*sig));
> > -
> > - rc = mod_check_sig(sig, buf_len, func_tokens[func]);
> > + rc = mod_parse_sig(buf, &buf_len, &sig_len, func_tokens[func]);
> > if (rc)
> > return rc;
> >
> > - sig_len = be32_to_cpu(sig->sig_len);
> > - buf_len -= sig_len + sizeof(*sig);
> > -
> > /* Allocate sig_len additional bytes to hold the raw PKCS#7 data. */
> > hdr = kzalloc(sizeof(*hdr) + sig_len, GFP_KERNEL);
> > if (!hdr)
>
next prev parent reply other threads:[~2021-12-13 18:07 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-11-25 18:02 [PATCH v2 0/6] KEXEC_SIG with appended signature Michal Suchanek
2021-11-25 18:02 ` [PATCH v2 1/6] s390/kexec_file: Don't opencode appended signature check Michal Suchanek
2021-11-25 18:02 ` [PATCH v2 2/6] powerpc/kexec_file: Add KEXEC_SIG support Michal Suchanek
2021-12-09 1:51 ` Nayna
2021-12-09 9:21 ` Michal Suchánek
2021-12-09 21:53 ` Nayna
2021-12-11 23:37 ` Nayna
2021-12-13 0:46 ` Nayna
2021-12-13 18:18 ` Michal Suchánek
2021-11-25 18:02 ` [PATCH v2 3/6] kexec_file: Don't opencode appended signature verification Michal Suchanek
2021-11-25 18:02 ` [PATCH v2 4/6] module: strip the signature marker in the verification function Michal Suchanek
2021-12-07 16:11 ` Philipp Rudo
2021-11-25 18:02 ` [PATCH v2 5/6] module: Use key_being_used_for for log messages in verify_appended_signature Michal Suchanek
2021-11-25 18:02 ` [PATCH v2 6/6] module: Move duplicate mod_check_sig users code to mod_parse_sig Michal Suchanek
2021-12-07 16:10 ` Philipp Rudo
2021-12-13 18:06 ` Michal Suchánek [this message]
2021-11-30 15:28 ` [PATCH v2 0/6] KEXEC_SIG with appended signature Heiko Carstens
2021-12-01 2:37 ` Baoquan He
2021-12-01 11:48 ` Michal Suchánek
2021-12-07 16:10 ` Philipp Rudo
2021-12-07 17:32 ` Michal Suchánek
2021-12-08 9:54 ` Philipp Rudo
2021-12-09 1:50 ` Nayna
2021-12-09 14:57 ` Michal Suchánek
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20211213180611.GU117207@kunlun.suse.cz \
--to=msuchanek@suse.de \
--cc=agordeev@linux.ibm.com \
--cc=bauerman@linux.ibm.com \
--cc=bhe@redhat.com \
--cc=borntraeger@de.ibm.com \
--cc=borntraeger@linux.ibm.com \
--cc=buendgen@de.ibm.com \
--cc=davem@davemloft.net \
--cc=dhowells@redhat.com \
--cc=dja@axtens.net \
--cc=dmitry.kasatkin@gmail.com \
--cc=fllinden@amazon.com \
--cc=gor@linux.ibm.com \
--cc=hbathini@linux.ibm.com \
--cc=hca@linux.ibm.com \
--cc=herbert@gondor.apana.org.au \
--cc=jeyu@kernel.org \
--cc=jmorris@namei.org \
--cc=kexec@lists.infradead.org \
--cc=keyrings@vger.kernel.org \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-s390@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=linuxppc-dev@lists.ozlabs.org \
--cc=mcgrof@kernel.org \
--cc=nayna@linux.vnet.ibm.com \
--cc=nramas@linux.microsoft.com \
--cc=paulus@samba.org \
--cc=prudo@redhat.com \
--cc=robh@kernel.org \
--cc=serge@hallyn.com \
--cc=svens@linux.ibm.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).