Re: [PATCH v2] security/integrity: fix pointer to ESL data and its size on pseries

linuxppc-dev.lists.ozlabs.org archive mirror
 help / color / mirror / Atom feed

From: R Nageswara Sastry <rnsastry@linux.ibm.com>
To: Nayna Jain <nayna@linux.ibm.com>,
	linuxppc-dev <linuxppc-dev@lists.ozlabs.org>,
	linux-integrity <linux-integrity@vger.kernel.org>
Cc: stable@vger.kenrnel.org, Andrew Donnellan <ajd@linux.ibm.com>,
	Mimi Zohar <zohar@linux.ibm.com>,
	Jarkko Sakkinen <jarkko@kernel.org>,
	Russell Currey <ruscur@russell.cc>,
	George Wilson <gcwilson@linux.ibm.com>
Subject: Re: [PATCH v2] security/integrity: fix pointer to ESL data and its size on pseries
Date: Tue, 20 Jun 2023 17:55:13 +0530	[thread overview]
Message-ID: <3a9bdc60-c9c7-d5ea-0674-0235cd6b9fc6@linux.ibm.com> (raw)
In-Reply-To: <20230608120444.382527-1-nayna@linux.ibm.com>



On 08/06/23 5:34 pm, Nayna Jain wrote:
> On PowerVM guest, variable data is prefixed with 8 bytes of timestamp.
> Extract ESL by stripping off the timestamp before passing to ESL parser.
> 
> Fixes: 4b3e71e9a34c ("integrity/powerpc: Support loading keys from PLPKS")
> Cc: stable@vger.kenrnel.org # v6.3
> Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
> ---

Tested-by: Nageswara R Sastry <rnsastry@linux.ibm.com>

Seeing the keyring difference with and with out patch:
With out patch:
[root@ltcrain80-lp2 ~]# grep keyring /proc/keys | grep -v _ses
0131ebb4 I--Q---     1 perm 0c030000     0 65534 keyring   .user_reg: 2
039dfd93 I------     1 perm 1f0f0000     0     0 keyring   .ima: 1
03a160b5 I------     1 perm 1f0b0000     0     0 keyring 
.builtin_trusted_keys: 2
05377b73 I------     1 perm 1f0b0000     0     0 keyring   .platform: empty
0d7ea730 I------     1 perm 0f0b0000     0     0 keyring   .blacklist: empty
16235f2d I--Q---     6 perm 1f3f0000     0 65534 keyring   _uid.0: empty
1721f130 I------     1 perm 1f0f0000     0     0 keyring   .evm: empty

With patch:
[root@ltcrain80-lp2 ~]# grep keyring /proc/keys | grep -v _ses
04820159 I------     1 perm 0f0b0000     0     0 keyring   .blacklist: 1
16d05827 I--Q---     1 perm 0c030000     0 65534 keyring   .user_reg: 2
17648d6a I------     1 perm 1f0b0000     0     0 keyring 
.builtin_trusted_keys: 2
2158b34f I--Q---     6 perm 1f3f0000     0 65534 keyring   _uid.0: empty
2237eff6 I------     1 perm 1f0f0000     0     0 keyring   .evm: empty
26d0330c I------     1 perm 1f0b0000     0     0 keyring   .platform: 1
2daa48ab I------     1 perm 1f0f0000     0     0 keyring   .ima: 1

Thank you.
> Changelog:
> v2: Fixed feedback from Jarkko
>        * added CC to stable
>        * moved *data declaration to same line as *db,*dbx
>      Renamed extract_data() macro to extract_esl() for clarity
>   .../integrity/platform_certs/load_powerpc.c   | 40 ++++++++++++-------
>   1 file changed, 26 insertions(+), 14 deletions(-)
> 
> diff --git a/security/integrity/platform_certs/load_powerpc.c b/security/integrity/platform_certs/load_powerpc.c
> index b9de70b90826..170789dc63d2 100644
> --- a/security/integrity/platform_certs/load_powerpc.c
> +++ b/security/integrity/platform_certs/load_powerpc.c
> @@ -15,6 +15,9 @@
>   #include "keyring_handler.h"
>   #include "../integrity.h"
>   
> +#define extract_esl(db, data, size, offset)	\
> +	do { db = data + offset; size = size - offset; } while (0)
> +
>   /*
>    * Get a certificate list blob from the named secure variable.
>    *
> @@ -55,8 +58,9 @@ static __init void *get_cert_list(u8 *key, unsigned long keylen, u64 *size)
>    */
>   static int __init load_powerpc_certs(void)
>   {
> -	void *db = NULL, *dbx = NULL;
> -	u64 dbsize = 0, dbxsize = 0;
> +	void *db = NULL, *dbx = NULL, *data = NULL;
> +	u64 dsize = 0;
> +	u64 offset = 0;
>   	int rc = 0;
>   	ssize_t len;
>   	char buf[32];
> @@ -74,38 +78,46 @@ static int __init load_powerpc_certs(void)
>   		return -ENODEV;
>   	}
>   
> +	if (strcmp("ibm,plpks-sb-v1", buf) == 0)
> +		/* PLPKS authenticated variables ESL data is prefixed with 8 bytes of timestamp */
> +		offset = 8;
> +
>   	/*
>   	 * Get db, and dbx. They might not exist, so it isn't an error if we
>   	 * can't get them.
>   	 */
> -	db = get_cert_list("db", 3, &dbsize);
> -	if (!db) {
> +	data = get_cert_list("db", 3, &dsize);
> +	if (!data) {
>   		pr_info("Couldn't get db list from firmware\n");
> -	} else if (IS_ERR(db)) {
> -		rc = PTR_ERR(db);
> +	} else if (IS_ERR(data)) {
> +		rc = PTR_ERR(data);
>   		pr_err("Error reading db from firmware: %d\n", rc);
>   		return rc;
>   	} else {
> -		rc = parse_efi_signature_list("powerpc:db", db, dbsize,
> +		extract_esl(db, data, dsize, offset);
> +
> +		rc = parse_efi_signature_list("powerpc:db", db, dsize,
>   					      get_handler_for_db);
>   		if (rc)
>   			pr_err("Couldn't parse db signatures: %d\n", rc);
> -		kfree(db);
> +		kfree(data);
>   	}
>   
> -	dbx = get_cert_list("dbx", 4,  &dbxsize);
> -	if (!dbx) {
> +	data = get_cert_list("dbx", 4,  &dsize);
> +	if (!data) {
>   		pr_info("Couldn't get dbx list from firmware\n");
> -	} else if (IS_ERR(dbx)) {
> -		rc = PTR_ERR(dbx);
> +	} else if (IS_ERR(data)) {
> +		rc = PTR_ERR(data);
>   		pr_err("Error reading dbx from firmware: %d\n", rc);
>   		return rc;
>   	} else {
> -		rc = parse_efi_signature_list("powerpc:dbx", dbx, dbxsize,
> +		extract_esl(dbx, data, dsize, offset);
> +
> +		rc = parse_efi_signature_list("powerpc:dbx", dbx, dsize,
>   					      get_handler_for_dbx);
>   		if (rc)
>   			pr_err("Couldn't parse dbx signatures: %d\n", rc);
> -		kfree(dbx);
> +		kfree(data);
>   	}
>   
>   	return rc;

-- 
Thanks and Regards
R.Nageswara Sastry

next prev parent reply	other threads:[~2023-06-20 12:26 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-06-08 12:04 [PATCH v2] security/integrity: fix pointer to ESL data and its size on pseries Nayna Jain
2023-06-08 13:16 ` Jarkko Sakkinen
2023-06-20 12:25 ` R Nageswara Sastry [this message]
2023-07-03  5:26 ` Michael Ellerman

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=3a9bdc60-c9c7-d5ea-0674-0235cd6b9fc6@linux.ibm.com \
    --to=rnsastry@linux.ibm.com \
    --cc=ajd@linux.ibm.com \
    --cc=gcwilson@linux.ibm.com \
    --cc=jarkko@kernel.org \
    --cc=linux-integrity@vger.kernel.org \
    --cc=linuxppc-dev@lists.ozlabs.org \
    --cc=nayna@linux.ibm.com \
    --cc=ruscur@russell.cc \
    --cc=stable@vger.kenrnel.org \
    --cc=zohar@linux.ibm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).