| Message ID | 20230317145240.363908-1-roberto.sassu@huaweicloud.com |
|---|---|
| Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a5d:604a:0:0:0:0:0 with SMTP id j10csp390210wrt;
Fri, 17 Mar 2023 08:05:15 -0700 (PDT)
X-Google-Smtp-Source:
AK7set9hFkMIdzOox5Qq1npaDuha8RlSoyxx5Oq8yZ3qsB7y6jA+zuUv0j5JfBP0zTms4HfDev13
X-Received: by 2002:a25:dcc1:0:b0:b61:92dc:b8e with SMTP id
y184-20020a25dcc1000000b00b6192dc0b8emr3284807ybe.3.1679065515175;
Fri, 17 Mar 2023 08:05:15 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1679065515; cv=none;
d=google.com; s=arc-20160816;
b=vseAZTYvOr+rxLIDirhUdX1XCeik+E/5Xj5273qCPJmlQIOkKqcZgB7Hv3mp9+r6K+
GcFwkUIKiq4+ybP795lEb+kBBl03zMJbiLN/TFg4xiC7GIr1n+Ug02mLDsBu/DpdSxvi
2GVTYU/cwHlwHYFwMjeao5ccdmILJXF7nH/HaDF6Ahse9ngfVnNbbEX1VJGCV58JNMHO
AoVbytzcq/Gqp5tJchexl1WHh/BLSgNMipTdoKq4ZMlF1YGI/ns9vVoTSsbJ30U2uc+O
b1XDKc7c0o6nXDDWTzT25Mxv+0YJIxsP902ixU237mQcw4p8kWbt5IDulw10LoPdFBV9
KEsA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=list-id:precedence:content-transfer-encoding:mime-version
:message-id:date:subject:cc:to:from;
bh=KesyU1jnEwDAHJo2la+GWvjTzdnElb0YRE3+gxNeb04=;
b=ufE5DcTe9P9mYX620uYszkwnt0OyCtZJHLTXeaeprXzW4SqGDbFk76MYygdbXgcYxd
PRJ7zuX9v+xtF7FK7tof+XGhRJEJcLgyAajjV2FgMooM2GNFZ1d27qJhjkSDKpL2i0Qe
6BAyQAG82LgV5GBLaHiuZmuNJXH68g0tTV/Aj78PedGIaOWu9eaEb1OV/+xqcTclod1d
H4vP789PG6M3Ij7FdgDRA54YgJwKBB4yM8GSawPdbtNIDeqYve0XXWNI2UGVmlEjbW/d
BPqFnOZHxnY5+bf3zBdIZZ4e3IyxH0CQeH2r6ZpJZ9kGPFfGsW/48pyUCXl45mPwmFxk
4mlQ==
ARC-Authentication-Results: i=1; mx.google.com;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
by mx.google.com with ESMTP id
k19-20020a67e3d3000000b00416c63545c2si469864vsm.656.2023.03.17.08.04.59;
Fri, 17 Mar 2023 08:05:15 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
id S231305AbjCQOx5 (ORCPT <rfc822;chrisfriedt@gmail.com>
+ 99 others); Fri, 17 Mar 2023 10:53:57 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:34016 "EHLO
lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
with ESMTP id S229772AbjCQOxy (ORCPT
<rfc822;linux-kernel@vger.kernel.org>);
Fri, 17 Mar 2023 10:53:54 -0400
Received: from frasgout11.his.huawei.com (frasgout11.his.huawei.com
[14.137.139.23])
by lindbergh.monkeyblade.net (Postfix) with ESMTPS id C83133D0AA;
Fri, 17 Mar 2023 07:53:52 -0700 (PDT)
Received: from mail02.huawei.com (unknown [172.18.147.227])
by frasgout11.his.huawei.com (SkyGuard) with ESMTP id
4PdRjy46Pnz9v7gg;
Fri, 17 Mar 2023 22:44:54 +0800 (CST)
Received: from huaweicloud.com (unknown [10.204.63.22])
by APP2 (Coremail) with SMTP id GxC2BwBnOWDafhRkaQemAQ--.41316S2;
Fri, 17 Mar 2023 15:53:29 +0100 (CET)
From: Roberto Sassu <roberto.sassu@huaweicloud.com>
To: corbet@lwn.net, ast@kernel.org, daniel@iogearbox.net,
andrii@kernel.org, martin.lau@linux.dev, song@kernel.org,
yhs@fb.com, john.fastabend@gmail.com, kpsingh@kernel.org,
sdf@google.com, haoluo@google.com, jolsa@kernel.org,
davem@davemloft.net, edumazet@google.com, kuba@kernel.org,
pabeni@redhat.com, dsahern@kernel.org, shuah@kernel.org,
brauner@kernel.org
Cc: linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org,
bpf@vger.kernel.org, netdev@vger.kernel.org,
linux-kselftest@vger.kernel.org, ebiederm@xmission.com,
mcgrof@kernel.org, Roberto Sassu <roberto.sassu@huawei.com>
Subject: [PATCH 0/5] usermode_driver: Add management library and API
Date: Fri, 17 Mar 2023 15:52:35 +0100
Message-Id: <20230317145240.363908-1-roberto.sassu@huaweicloud.com>
X-Mailer: git-send-email 2.25.1
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-CM-TRANSID: GxC2BwBnOWDafhRkaQemAQ--.41316S2
X-Coremail-Antispam: 1UD129KBjvJXoWxXF13Wr4xXw18KFyxZry3twb_yoW7JF18pa
yrJry3GrnYqF12yFZ3JF17ua4rXan7JF4Ykr1SqrWUZw1IvrySvr1xtr13GFZxKrWftFnI
yrn3K3W5Cws8AaDanT9S1TB71UUUUU7qnTZGkaVYY2UrUUUUjbIjqfuFe4nvWSU5nxnvy2
9KBjDU0xBIdaVrnRJUUUvqb4IE77IF4wAFF20E14v26rWj6s0DM7CY07I20VC2zVCF04k2
6cxKx2IYs7xG6rWj6s0DM7CIcVAFz4kK6r1j6r18M28lY4IEw2IIxxk0rwA2F7IY1VAKz4
vEj48ve4kI8wA2z4x0Y4vE2Ix0cI8IcVAFwI0_Jr0_JF4l84ACjcxK6xIIjxv20xvEc7Cj
xVAFwI0_Gr0_Cr1l84ACjcxK6I8E87Iv67AKxVW8JVWxJwA2z4x0Y4vEx4A2jsIEc7CjxV
AFwI0_Gr1j6F4UJwAS0I0E0xvYzxvE52x082IY62kv0487Mc02F40EFcxC0VAKzVAqx4xG
6I80ewAv7VC0I7IYx2IY67AKxVWUJVWUGwAv7VC2z280aVAFwI0_Jr0_Gr1lOx8S6xCaFV
Cjc4AY6r1j6r4UM4x0Y48IcxkI7VAKI48JM4IIrI8v6xkF7I0E8cxan2IY04v7MxkF7I0E
n4kS14v26r4a6rW5MxAIw28IcxkI7VAKI48JMxC20s026xCaFVCjc4AY6r1j6r4UMI8I3I
0E5I8CrVAFwI0_Jr0_Jr4lx2IqxVCjr7xvwVAFwI0_JrI_JrWlx4CE17CEb7AF67AKxVW8
ZVWrXwCIc40Y0x0EwIxGrwCI42IY6xIIjxv20xvE14v26r1j6r1xMIIF0xvE2Ix0cI8IcV
CY1x0267AKxVW8JVWxJwCI42IY6xAIw20EY4v20xvaj40_Wr1j6rW3Jr1lIxAIcVC2z280
aVAFwI0_Jr0_Gr1lIxAIcVC2z280aVCY1x0267AKxVW8Jr0_Cr1UYxBIdaVFxhVjvjDU0x
ZFpf9x07jxCztUUUUU=
X-CM-SenderInfo: purev21wro2thvvxqx5xdzvxpfor3voofrz/1tbiAgATBF1jj4asxgABsJ
X-CFilter-Loop: Reflected
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,SPF_HELO_NONE,
SPF_NONE autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?=
X-GMAIL-THRID: =?utf-8?q?1760627801785885551?=
X-GMAIL-MSGID: =?utf-8?q?1760627801785885551?=
|
| Series |
usermode_driver: Add management library and API
|
|
Message
Roberto Sassu
March 17, 2023, 2:52 p.m. UTC
From: Roberto Sassu <roberto.sassu@huawei.com>
A User Mode Driver (UMD) is a specialization of a User Mode Helper (UMH),
which runs a user space process from a binary blob, and creates a
bidirectional pipe, so that the kernel can make a request to that process,
and the latter provides its response. It is currently used by bpfilter,
although it does not seem to do any useful work.
The problem is, if other users would like to implement a UMD similar to
bpfilter, they would have to duplicate the code. Instead, make an UMD
management library and API from the existing bpfilter and sockopt code,
and move it to common kernel code.
Also, define the software architecture and the main components of the
library: the UMD Manager, running in the kernel, acting as the frontend
interface to any user or kernel-originated request; the UMD Loader, also
running in the kernel, responsible to load the UMD Handler; the UMD
Handler, running in user space, responsible to handle requests from the UMD
Manager and to send to it the response.
I have two use cases, but for sake of brevity I will propose one.
I would like to add support for PGP keys and signatures in the kernel, so
that I can extend secure boot to applications, and allow/deny code
execution based on the signed file digests included in RPM headers.
While I proposed a patch set a while ago (based on a previous work of David
Howells), the main objection was that the PGP packet parser should not run
in the kernel.
That makes a perfect example for using a UMD. If the PGP parser is moved to
user space (UMD Handler), and the kernel (UMD Manager) just instantiates
the key and verifies the signature on already parsed data, this would
address the concern.
Patch 1 moves the function bpfilter_send_req() to usermode_driver.c and
makes the pipe between the kernel and the user space process suitable for
larger quantity of data (> 64K).
Patch 2 introduces the management library and API.
Patch 3 replaces the existing bpfilter and sockopt code with calls
to the management API. To use the new mechanism, sockopt itself (acts as
UMD Manager) now sends/receives messages to/from bpfilter_umh (acts as UMD
Handler), instead of bpfilter (acts as UMD Loader).
Patch 4 introduces a sample UMD, useful for other implementors, and uses it
for testing.
Patch 5 introduces the documentation of the new management library and API.
Roberto Sassu (5):
usermode_driver: Introduce umd_send_recv() from bpfilter
usermode_driver_mgmt: Introduce management of user mode drivers
bpfilter: Port to user mode driver management API
selftests/umd_mgmt: Add selftests for UMD management library
doc: Add documentation for the User Mode Driver management library
Documentation/driver-api/index.rst | 1 +
Documentation/driver-api/umd_mgmt.rst | 99 +++++++++++++
MAINTAINERS | 9 ++
include/linux/bpfilter.h | 12 +-
include/linux/usermode_driver.h | 2 +
include/linux/usermode_driver_mgmt.h | 35 +++++
kernel/Makefile | 2 +-
kernel/usermode_driver.c | 47 +++++-
kernel/usermode_driver_mgmt.c | 137 ++++++++++++++++++
net/bpfilter/bpfilter_kern.c | 120 +--------------
net/ipv4/bpfilter/sockopt.c | 67 +++++----
tools/testing/selftests/Makefile | 1 +
tools/testing/selftests/umd_mgmt/.gitignore | 1 +
tools/testing/selftests/umd_mgmt/Makefile | 14 ++
tools/testing/selftests/umd_mgmt/config | 1 +
.../selftests/umd_mgmt/sample_umd/Makefile | 22 +++
.../selftests/umd_mgmt/sample_umd/msgfmt.h | 13 ++
.../umd_mgmt/sample_umd/sample_binary_blob.S | 7 +
.../umd_mgmt/sample_umd/sample_handler.c | 81 +++++++++++
.../umd_mgmt/sample_umd/sample_loader.c | 28 ++++
.../umd_mgmt/sample_umd/sample_mgr.c | 124 ++++++++++++++++
tools/testing/selftests/umd_mgmt/umd_mgmt.sh | 40 +++++
22 files changed, 707 insertions(+), 156 deletions(-)
create mode 100644 Documentation/driver-api/umd_mgmt.rst
create mode 100644 include/linux/usermode_driver_mgmt.h
create mode 100644 kernel/usermode_driver_mgmt.c
create mode 100644 tools/testing/selftests/umd_mgmt/.gitignore
create mode 100644 tools/testing/selftests/umd_mgmt/Makefile
create mode 100644 tools/testing/selftests/umd_mgmt/config
create mode 100644 tools/testing/selftests/umd_mgmt/sample_umd/Makefile
create mode 100644 tools/testing/selftests/umd_mgmt/sample_umd/msgfmt.h
create mode 100644 tools/testing/selftests/umd_mgmt/sample_umd/sample_binary_blob.S
create mode 100644 tools/testing/selftests/umd_mgmt/sample_umd/sample_handler.c
create mode 100644 tools/testing/selftests/umd_mgmt/sample_umd/sample_loader.c
create mode 100644 tools/testing/selftests/umd_mgmt/sample_umd/sample_mgr.c
create mode 100755 tools/testing/selftests/umd_mgmt/umd_mgmt.sh
Comments
On Fri, Mar 17, 2023 at 7:53 AM Roberto Sassu <roberto.sassu@huaweicloud.com> wrote: > > From: Roberto Sassu <roberto.sassu@huawei.com> > > A User Mode Driver (UMD) is a specialization of a User Mode Helper (UMH), > which runs a user space process from a binary blob, and creates a > bidirectional pipe, so that the kernel can make a request to that process, > and the latter provides its response. It is currently used by bpfilter, > although it does not seem to do any useful work. FYI the new home for bpfilter is here: https://github.com/facebook/bpfilter > The problem is, if other users would like to implement a UMD similar to > bpfilter, they would have to duplicate the code. Instead, make an UMD > management library and API from the existing bpfilter and sockopt code, > and move it to common kernel code. > > Also, define the software architecture and the main components of the > library: the UMD Manager, running in the kernel, acting as the frontend > interface to any user or kernel-originated request; the UMD Loader, also > running in the kernel, responsible to load the UMD Handler; the UMD > Handler, running in user space, responsible to handle requests from the UMD > Manager and to send to it the response. That doesn't look like a generic interface for UMD. It was a quick hack to get bpfilter off the ground, but certainly not a generic one. > I have two use cases, but for sake of brevity I will propose one. > > I would like to add support for PGP keys and signatures in the kernel, so > that I can extend secure boot to applications, and allow/deny code > execution based on the signed file digests included in RPM headers. > > While I proposed a patch set a while ago (based on a previous work of David > Howells), the main objection was that the PGP packet parser should not run > in the kernel. > > That makes a perfect example for using a UMD. If the PGP parser is moved to > user space (UMD Handler), and the kernel (UMD Manager) just instantiates > the key and verifies the signature on already parsed data, this would > address the concern. I don't think PGP parser belongs to UMD either. Please do it as a normal user space process and define a proper protocol for communication between kernel and user space.
On Tue, 2023-03-21 at 19:23 -0700, Alexei Starovoitov wrote: > On Fri, Mar 17, 2023 at 7:53 AM Roberto Sassu > <roberto.sassu@huaweicloud.com> wrote: > > From: Roberto Sassu <roberto.sassu@huawei.com> > > > > A User Mode Driver (UMD) is a specialization of a User Mode Helper (UMH), > > which runs a user space process from a binary blob, and creates a > > bidirectional pipe, so that the kernel can make a request to that process, > > and the latter provides its response. It is currently used by bpfilter, > > although it does not seem to do any useful work. > > FYI the new home for bpfilter is here: > https://github.com/facebook/bpfilter Thanks. I just ensured that it worked, by doing: getsockopt(fd, SOL_IP, IPT_SO_GET_INFO, &info, &optlen); and accepting IPT_SO_GET_INFO in main.c. > > The problem is, if other users would like to implement a UMD similar to > > bpfilter, they would have to duplicate the code. Instead, make an UMD > > management library and API from the existing bpfilter and sockopt code, > > and move it to common kernel code. > > > > Also, define the software architecture and the main components of the > > library: the UMD Manager, running in the kernel, acting as the frontend > > interface to any user or kernel-originated request; the UMD Loader, also > > running in the kernel, responsible to load the UMD Handler; the UMD > > Handler, running in user space, responsible to handle requests from the UMD > > Manager and to send to it the response. > > That doesn't look like a generic interface for UMD. What would make it more generic? I made the API message format- independent. It has the capability of starting the user space process as required, when there is a communication. > It was a quick hack to get bpfilter off the ground, but certainly > not a generic one. True, it is not generic in the sense that it can accomodate any possible use case. The main goal is to move something that was running in the kernel to user space, with the same isolation guarantees as if the code was executed in the kernel. > > I have two use cases, but for sake of brevity I will propose one. > > > > I would like to add support for PGP keys and signatures in the kernel, so > > that I can extend secure boot to applications, and allow/deny code > > execution based on the signed file digests included in RPM headers. > > > > While I proposed a patch set a while ago (based on a previous work of David > > Howells), the main objection was that the PGP packet parser should not run > > in the kernel. > > > > That makes a perfect example for using a UMD. If the PGP parser is moved to > > user space (UMD Handler), and the kernel (UMD Manager) just instantiates > > the key and verifies the signature on already parsed data, this would > > address the concern. > > I don't think PGP parser belongs to UMD either. > Please do it as a normal user space process and define a proper > protocol for communication between kernel and user space. UMD is better in the sense that it establishes a bidirectional pipe between the kernel and the user space process. With that, there is no need to further restrict the access to a sysfs file, for example. The UMD mechanism is much more effective: the pipe is already established with the right process, whose code was integrity-checked because embedded in the kernel module. In addition to that, I'm using seccomp to further restrict what the user space process can do (read, write, exit, ...). That process cannot open new communication channels, even if corrupted. It is expected to send to the kernel simple data structures, that the kernel can effectively sanitize. The last step to achieve full isolation would be to deny ptrace/kill on the user space process created by the UMD management library so that, in lockdown mode, not even root can interfer with that process. Roberto
On Wed, Mar 22, 2023 at 5:08 AM Roberto Sassu <roberto.sassu@huaweicloud.com> wrote: > > On Tue, 2023-03-21 at 19:23 -0700, Alexei Starovoitov wrote: > > On Fri, Mar 17, 2023 at 7:53 AM Roberto Sassu > > <roberto.sassu@huaweicloud.com> wrote: > > > From: Roberto Sassu <roberto.sassu@huawei.com> > > > > > > A User Mode Driver (UMD) is a specialization of a User Mode Helper (UMH), > > > which runs a user space process from a binary blob, and creates a > > > bidirectional pipe, so that the kernel can make a request to that process, > > > and the latter provides its response. It is currently used by bpfilter, > > > although it does not seem to do any useful work. > > > > FYI the new home for bpfilter is here: > > https://github.com/facebook/bpfilter > > Thanks. I just ensured that it worked, by doing: > > getsockopt(fd, SOL_IP, IPT_SO_GET_INFO, &info, &optlen); > > and accepting IPT_SO_GET_INFO in main.c. > > > > The problem is, if other users would like to implement a UMD similar to > > > bpfilter, they would have to duplicate the code. Instead, make an UMD > > > management library and API from the existing bpfilter and sockopt code, > > > and move it to common kernel code. > > > > > > Also, define the software architecture and the main components of the > > > library: the UMD Manager, running in the kernel, acting as the frontend > > > interface to any user or kernel-originated request; the UMD Loader, also > > > running in the kernel, responsible to load the UMD Handler; the UMD > > > Handler, running in user space, responsible to handle requests from the UMD > > > Manager and to send to it the response. > > > > That doesn't look like a generic interface for UMD. > > What would make it more generic? I made the API message format- > independent. It has the capability of starting the user space process > as required, when there is a communication. > > > It was a quick hack to get bpfilter off the ground, but certainly > > not a generic one. > > True, it is not generic in the sense that it can accomodate any > possible use case. The main goal is to move something that was running > in the kernel to user space, with the same isolation guarantees as if > the code was executed in the kernel. They are not the same guarantees. UMD is exactly equivalent to root process running in user space. Meaning it can be killed, ptraced, priority inverted, etc > > > I have two use cases, but for sake of brevity I will propose one. > > > > > > I would like to add support for PGP keys and signatures in the kernel, so > > > that I can extend secure boot to applications, and allow/deny code > > > execution based on the signed file digests included in RPM headers. > > > > > > While I proposed a patch set a while ago (based on a previous work of David > > > Howells), the main objection was that the PGP packet parser should not run > > > in the kernel. > > > > > > That makes a perfect example for using a UMD. If the PGP parser is moved to > > > user space (UMD Handler), and the kernel (UMD Manager) just instantiates > > > the key and verifies the signature on already parsed data, this would > > > address the concern. > > > > I don't think PGP parser belongs to UMD either. > > Please do it as a normal user space process and define a proper > > protocol for communication between kernel and user space. > > UMD is better in the sense that it establishes a bidirectional pipe > between the kernel and the user space process. With that, there is no > need to further restrict the access to a sysfs file, for example. If a simple pipe is good enough then you can have a kernel module that creates it and interacts with the user space process. Out-of-tree bpftiler can do that, so can you. PGP is not suitable for kernel git repo either as kernel code or as UMD.
On Wed, 2023-03-22 at 15:27 -0700, Alexei Starovoitov wrote: > On Wed, Mar 22, 2023 at 5:08 AM Roberto Sassu > <roberto.sassu@huaweicloud.com> wrote: > > On Tue, 2023-03-21 at 19:23 -0700, Alexei Starovoitov wrote: > > > On Fri, Mar 17, 2023 at 7:53 AM Roberto Sassu > > > <roberto.sassu@huaweicloud.com> wrote: > > > > From: Roberto Sassu <roberto.sassu@huawei.com> > > > > > > > > A User Mode Driver (UMD) is a specialization of a User Mode Helper (UMH), > > > > which runs a user space process from a binary blob, and creates a > > > > bidirectional pipe, so that the kernel can make a request to that process, > > > > and the latter provides its response. It is currently used by bpfilter, > > > > although it does not seem to do any useful work. > > > > > > FYI the new home for bpfilter is here: > > > https://github.com/facebook/bpfilter > > > > Thanks. I just ensured that it worked, by doing: > > > > getsockopt(fd, SOL_IP, IPT_SO_GET_INFO, &info, &optlen); > > > > and accepting IPT_SO_GET_INFO in main.c. > > > > > > The problem is, if other users would like to implement a UMD similar to > > > > bpfilter, they would have to duplicate the code. Instead, make an UMD > > > > management library and API from the existing bpfilter and sockopt code, > > > > and move it to common kernel code. > > > > > > > > Also, define the software architecture and the main components of the > > > > library: the UMD Manager, running in the kernel, acting as the frontend > > > > interface to any user or kernel-originated request; the UMD Loader, also > > > > running in the kernel, responsible to load the UMD Handler; the UMD > > > > Handler, running in user space, responsible to handle requests from the UMD > > > > Manager and to send to it the response. > > > > > > That doesn't look like a generic interface for UMD. > > > > What would make it more generic? I made the API message format- > > independent. It has the capability of starting the user space process > > as required, when there is a communication. > > > > > It was a quick hack to get bpfilter off the ground, but certainly > > > not a generic one. > > > > True, it is not generic in the sense that it can accomodate any > > possible use case. The main goal is to move something that was running > > in the kernel to user space, with the same isolation guarantees as if > > the code was executed in the kernel. > > They are not the same guarantees. > UMD is exactly equivalent to root process running in user space. > Meaning it can be killed, ptraced, priority inverted, etc That is the starting point. I suppose you can remove any privilege from the UMD process, it just needs to read/write from/to a pipe (and in my case to use socket() with AF_ALG to interact with the Crypto API). Also, as I mentioned, you can enforce a very strict seccomp profile, which forces the UMD process to use a very limited number of system calls. For the interactions of the rest of the system to the UMD process, you could deny with an LSM all the operations that you mentioned. The rest of the system would not be affected, only operations which have the UMD process as target are denied. > > > > I have two use cases, but for sake of brevity I will propose one. > > > > > > > > I would like to add support for PGP keys and signatures in the kernel, so > > > > that I can extend secure boot to applications, and allow/deny code > > > > execution based on the signed file digests included in RPM headers. > > > > > > > > While I proposed a patch set a while ago (based on a previous work of David > > > > Howells), the main objection was that the PGP packet parser should not run > > > > in the kernel. > > > > > > > > That makes a perfect example for using a UMD. If the PGP parser is moved to > > > > user space (UMD Handler), and the kernel (UMD Manager) just instantiates > > > > the key and verifies the signature on already parsed data, this would > > > > address the concern. > > > > > > I don't think PGP parser belongs to UMD either. > > > Please do it as a normal user space process and define a proper > > > protocol for communication between kernel and user space. > > > > UMD is better in the sense that it establishes a bidirectional pipe > > between the kernel and the user space process. With that, there is no > > need to further restrict the access to a sysfs file, for example. > > If a simple pipe is good enough then you can have a kernel module > that creates it and interacts with the user space process. Few points I forgot to mention. With the UMD approach, the binary blob is embedded in the kernel module, which means that no external dependencies are needed for integrity verification. The binary is statically compiled, and the kernel write-protects it at run-time. Second, since DIGLIM would check the integrity of any executable, including init, the PGP signature verification needs to occur before. So, the PGP UMD should be already started by then. That is not going to be a problem, since the binary is copied to a private tmpfs mount. > Out-of-tree bpftiler can do that, so can you. As far as I can see, the out-of-tree bpfilter works exactly in the same way as the in-tree counterpart. The binary blob is embedded in the kernel module. > PGP is not suitable for kernel git repo either as kernel code or as UMD. Well, the asymmetric key type can be extended with new parsers, so this possibility was already taken into account. The objection that the PGP parser should not run in kernel space is fair, but I think the UMD approach fully addresses that. Also, I agree with you that we should not just take any code and pretend that it is part of the kernel. However, in this particular case, the purpose of the PGP UMD would be simply to extract very few information from the PGP packets. The asymmetric key type and the signature verification infrastructure already take care of the rest. PGP keys and signatures would act as an additional system trust anchor for verifying critical system data (for DIGLIM, which executables are allowed to run), similarly to how X.509 certificates are used for verifying kernel modules. RPM headers, executables digests are taken from, are signed with PGP, so there is no other way than adding this functionality. And unfortunately, especially for features impacting the entire system, out-of-tree drivers are not really an option: https://docs.fedoraproject.org/en-US/quick-docs/kernel/overview/#_out_of_tree_drivers Thanks Roberto
On Thu, Mar 23, 2023 at 6:37 AM Roberto Sassu <roberto.sassu@huaweicloud.com> wrote: > > On Wed, 2023-03-22 at 15:27 -0700, Alexei Starovoitov wrote: > > On Wed, Mar 22, 2023 at 5:08 AM Roberto Sassu > > <roberto.sassu@huaweicloud.com> wrote: > > > On Tue, 2023-03-21 at 19:23 -0700, Alexei Starovoitov wrote: > > > > On Fri, Mar 17, 2023 at 7:53 AM Roberto Sassu > > > > <roberto.sassu@huaweicloud.com> wrote: > > > > > From: Roberto Sassu <roberto.sassu@huawei.com> > > > > > > > > > > A User Mode Driver (UMD) is a specialization of a User Mode Helper (UMH), > > > > > which runs a user space process from a binary blob, and creates a > > > > > bidirectional pipe, so that the kernel can make a request to that process, > > > > > and the latter provides its response. It is currently used by bpfilter, > > > > > although it does not seem to do any useful work. > > > > > > > > FYI the new home for bpfilter is here: > > > > https://github.com/facebook/bpfilter > > > > > > Thanks. I just ensured that it worked, by doing: > > > > > > getsockopt(fd, SOL_IP, IPT_SO_GET_INFO, &info, &optlen); > > > > > > and accepting IPT_SO_GET_INFO in main.c. > > > > > > > > The problem is, if other users would like to implement a UMD similar to > > > > > bpfilter, they would have to duplicate the code. Instead, make an UMD > > > > > management library and API from the existing bpfilter and sockopt code, > > > > > and move it to common kernel code. > > > > > > > > > > Also, define the software architecture and the main components of the > > > > > library: the UMD Manager, running in the kernel, acting as the frontend > > > > > interface to any user or kernel-originated request; the UMD Loader, also > > > > > running in the kernel, responsible to load the UMD Handler; the UMD > > > > > Handler, running in user space, responsible to handle requests from the UMD > > > > > Manager and to send to it the response. > > > > > > > > That doesn't look like a generic interface for UMD. > > > > > > What would make it more generic? I made the API message format- > > > independent. It has the capability of starting the user space process > > > as required, when there is a communication. > > > > > > > It was a quick hack to get bpfilter off the ground, but certainly > > > > not a generic one. > > > > > > True, it is not generic in the sense that it can accomodate any > > > possible use case. The main goal is to move something that was running > > > in the kernel to user space, with the same isolation guarantees as if > > > the code was executed in the kernel. > > > > They are not the same guarantees. > > UMD is exactly equivalent to root process running in user space. > > Meaning it can be killed, ptraced, priority inverted, etc > > That is the starting point. > > I suppose you can remove any privilege from the UMD process, it just > needs to read/write from/to a pipe (and in my case to use socket() with > AF_ALG to interact with the Crypto API). > > Also, as I mentioned, you can enforce a very strict seccomp profile, > which forces the UMD process to use a very limited number of system > calls. > > For the interactions of the rest of the system to the UMD process, you > could deny with an LSM all the operations that you mentioned. The rest > of the system would not be affected, only operations which have the UMD > process as target are denied. > > > > > > I have two use cases, but for sake of brevity I will propose one. > > > > > > > > > > I would like to add support for PGP keys and signatures in the kernel, so > > > > > that I can extend secure boot to applications, and allow/deny code > > > > > execution based on the signed file digests included in RPM headers. > > > > > > > > > > While I proposed a patch set a while ago (based on a previous work of David > > > > > Howells), the main objection was that the PGP packet parser should not run > > > > > in the kernel. > > > > > > > > > > That makes a perfect example for using a UMD. If the PGP parser is moved to > > > > > user space (UMD Handler), and the kernel (UMD Manager) just instantiates > > > > > the key and verifies the signature on already parsed data, this would > > > > > address the concern. > > > > > > > > I don't think PGP parser belongs to UMD either. > > > > Please do it as a normal user space process and define a proper > > > > protocol for communication between kernel and user space. > > > > > > UMD is better in the sense that it establishes a bidirectional pipe > > > between the kernel and the user space process. With that, there is no > > > need to further restrict the access to a sysfs file, for example. > > > > If a simple pipe is good enough then you can have a kernel module > > that creates it and interacts with the user space process. > > Few points I forgot to mention. > > With the UMD approach, the binary blob is embedded in the kernel > module, which means that no external dependencies are needed for > integrity verification. The binary is statically compiled, and the > kernel write-protects it at run-time. > > Second, since DIGLIM would check the integrity of any executable, > including init, the PGP signature verification needs to occur before. > So, the PGP UMD should be already started by then. That is not going to > be a problem, since the binary is copied to a private tmpfs mount. > > > Out-of-tree bpftiler can do that, so can you. > > As far as I can see, the out-of-tree bpfilter works exactly in the same > way as the in-tree counterpart. The binary blob is embedded in the > kernel module. > > > PGP is not suitable for kernel git repo either as kernel code or as UMD. > > Well, the asymmetric key type can be extended with new parsers, so this > possibility was already taken into account. The objection that the PGP > parser should not run in kernel space is fair, but I think the UMD > approach fully addresses that. > > Also, I agree with you that we should not just take any code and > pretend that it is part of the kernel. However, in this particular > case, the purpose of the PGP UMD would be simply to extract very few > information from the PGP packets. The asymmetric key type and the > signature verification infrastructure already take care of the rest. > > PGP keys and signatures would act as an additional system trust anchor > for verifying critical system data (for DIGLIM, which executables are > allowed to run), similarly to how X.509 certificates are used for > verifying kernel modules. RPM headers, executables digests are taken > from, are signed with PGP, so there is no other way than adding this > functionality. > > And unfortunately, especially for features impacting the entire system, > out-of-tree drivers are not really an option: I think you have to start out of tree and prove that the PGP thing is worth considering at all. Only then we can talk about merits of UMD and generalization of pipe interface if it's applicable. DIGLIM and everything else you mentioned above doesn't add weight to the decision. PGP work should be acceptable on its own. Out-of-tree is a method to prove that it works and later argue for inclusion as in-tree either as kernel module or UMD. Generalization of current bpfilter is out of scope here.
On Fri, 2023-03-24 at 19:54 -0700, Alexei Starovoitov wrote: > On Thu, Mar 23, 2023 at 6:37 AM Roberto Sassu > <roberto.sassu@huaweicloud.com> wrote: > > On Wed, 2023-03-22 at 15:27 -0700, Alexei Starovoitov wrote: > > > On Wed, Mar 22, 2023 at 5:08 AM Roberto Sassu > > > <roberto.sassu@huaweicloud.com> wrote: > > > > On Tue, 2023-03-21 at 19:23 -0700, Alexei Starovoitov wrote: > > > > > On Fri, Mar 17, 2023 at 7:53 AM Roberto Sassu > > > > > <roberto.sassu@huaweicloud.com> wrote: > > > > > > From: Roberto Sassu <roberto.sassu@huawei.com> > > > > > > > > > > > > A User Mode Driver (UMD) is a specialization of a User Mode Helper (UMH), > > > > > > which runs a user space process from a binary blob, and creates a > > > > > > bidirectional pipe, so that the kernel can make a request to that process, > > > > > > and the latter provides its response. It is currently used by bpfilter, > > > > > > although it does not seem to do any useful work. > > > > > > > > > > FYI the new home for bpfilter is here: > > > > > https://github.com/facebook/bpfilter > > > > > > > > Thanks. I just ensured that it worked, by doing: > > > > > > > > getsockopt(fd, SOL_IP, IPT_SO_GET_INFO, &info, &optlen); > > > > > > > > and accepting IPT_SO_GET_INFO in main.c. > > > > > > > > > > The problem is, if other users would like to implement a UMD similar to > > > > > > bpfilter, they would have to duplicate the code. Instead, make an UMD > > > > > > management library and API from the existing bpfilter and sockopt code, > > > > > > and move it to common kernel code. > > > > > > > > > > > > Also, define the software architecture and the main components of the > > > > > > library: the UMD Manager, running in the kernel, acting as the frontend > > > > > > interface to any user or kernel-originated request; the UMD Loader, also > > > > > > running in the kernel, responsible to load the UMD Handler; the UMD > > > > > > Handler, running in user space, responsible to handle requests from the UMD > > > > > > Manager and to send to it the response. > > > > > > > > > > That doesn't look like a generic interface for UMD. > > > > > > > > What would make it more generic? I made the API message format- > > > > independent. It has the capability of starting the user space process > > > > as required, when there is a communication. > > > > > > > > > It was a quick hack to get bpfilter off the ground, but certainly > > > > > not a generic one. > > > > > > > > True, it is not generic in the sense that it can accomodate any > > > > possible use case. The main goal is to move something that was running > > > > in the kernel to user space, with the same isolation guarantees as if > > > > the code was executed in the kernel. > > > > > > They are not the same guarantees. > > > UMD is exactly equivalent to root process running in user space. > > > Meaning it can be killed, ptraced, priority inverted, etc > > > > That is the starting point. > > > > I suppose you can remove any privilege from the UMD process, it just > > needs to read/write from/to a pipe (and in my case to use socket() with > > AF_ALG to interact with the Crypto API). > > > > Also, as I mentioned, you can enforce a very strict seccomp profile, > > which forces the UMD process to use a very limited number of system > > calls. > > > > For the interactions of the rest of the system to the UMD process, you > > could deny with an LSM all the operations that you mentioned. The rest > > of the system would not be affected, only operations which have the UMD > > process as target are denied. > > > > > > > > I have two use cases, but for sake of brevity I will propose one. > > > > > > > > > > > > I would like to add support for PGP keys and signatures in the kernel, so > > > > > > that I can extend secure boot to applications, and allow/deny code > > > > > > execution based on the signed file digests included in RPM headers. > > > > > > > > > > > > While I proposed a patch set a while ago (based on a previous work of David > > > > > > Howells), the main objection was that the PGP packet parser should not run > > > > > > in the kernel. > > > > > > > > > > > > That makes a perfect example for using a UMD. If the PGP parser is moved to > > > > > > user space (UMD Handler), and the kernel (UMD Manager) just instantiates > > > > > > the key and verifies the signature on already parsed data, this would > > > > > > address the concern. > > > > > > > > > > I don't think PGP parser belongs to UMD either. > > > > > Please do it as a normal user space process and define a proper > > > > > protocol for communication between kernel and user space. > > > > > > > > UMD is better in the sense that it establishes a bidirectional pipe > > > > between the kernel and the user space process. With that, there is no > > > > need to further restrict the access to a sysfs file, for example. > > > > > > If a simple pipe is good enough then you can have a kernel module > > > that creates it and interacts with the user space process. > > > > Few points I forgot to mention. > > > > With the UMD approach, the binary blob is embedded in the kernel > > module, which means that no external dependencies are needed for > > integrity verification. The binary is statically compiled, and the > > kernel write-protects it at run-time. > > > > Second, since DIGLIM would check the integrity of any executable, > > including init, the PGP signature verification needs to occur before. > > So, the PGP UMD should be already started by then. That is not going to > > be a problem, since the binary is copied to a private tmpfs mount. > > > > > Out-of-tree bpftiler can do that, so can you. > > > > As far as I can see, the out-of-tree bpfilter works exactly in the same > > way as the in-tree counterpart. The binary blob is embedded in the > > kernel module. > > > > > PGP is not suitable for kernel git repo either as kernel code or as UMD. > > > > Well, the asymmetric key type can be extended with new parsers, so this > > possibility was already taken into account. The objection that the PGP > > parser should not run in kernel space is fair, but I think the UMD > > approach fully addresses that. > > > > Also, I agree with you that we should not just take any code and > > pretend that it is part of the kernel. However, in this particular > > case, the purpose of the PGP UMD would be simply to extract very few > > information from the PGP packets. The asymmetric key type and the > > signature verification infrastructure already take care of the rest. > > > > PGP keys and signatures would act as an additional system trust anchor > > for verifying critical system data (for DIGLIM, which executables are > > allowed to run), similarly to how X.509 certificates are used for > > verifying kernel modules. RPM headers, executables digests are taken > > from, are signed with PGP, so there is no other way than adding this > > functionality. > > > > And unfortunately, especially for features impacting the entire system, > > out-of-tree drivers are not really an option: > > I think you have to start out of tree and prove that the PGP thing > is worth considering at all. > Only then we can talk about merits of UMD and generalization > of pipe interface if it's applicable. Ok. This is my plan: 1) send the kernel part necessary to support PGP keys and signatures 2) evaluate/discuss if something else can be moved to user space 3) propose the implementation of the PGP UMD 4) assess the robustness of the solution, and compare to different designs Thanks Roberto > DIGLIM and everything else you mentioned above doesn't add weight > to the decision. PGP work should be acceptable on its own. > Out-of-tree is a method to prove that it works and later argue > for inclusion as in-tree either as kernel module or UMD. > Generalization of current bpfilter is out of scope here.