From patchwork Wed Oct 4 22:09:40 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Fan Wu X-Patchwork-Id: 148598 Return-Path: Delivered-To: ouuuleilei@gmail.com Received: by 2002:a05:612c:254a:b0:403:3b70:6f57 with SMTP id hf10csp432009vqb; Wed, 4 Oct 2023 15:12:10 -0700 (PDT) X-Google-Smtp-Source: AGHT+IE8wZsxWvOssB1weGvJ9kfsUH54Qv+AXmfnngJrWcvnTa/LQkQ7ored4iCicpiL+G3hlycR X-Received: by 2002:a05:6a20:7292:b0:14d:f41c:435a with SMTP id o18-20020a056a20729200b0014df41c435amr4091722pzk.39.1696457530545; Wed, 04 Oct 2023 15:12:10 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1696457530; cv=none; d=google.com; s=arc-20160816; b=gGups2wcYuEj5eqGV55zCfD9EBUmQ7XqrFqmKfHB5F/kXGC6Kali4Po+rj0oKKRxGW 2jZedcipBTaikXP9DimB5gi+p1o7KmiOF6sX1psnxFSz8v9hiNCZ03S1cBWdtEvqW+P8 UxfIGE5S0THCtF+TCLlC6cUqZ2LuuaSAneLaXF+vd3t0TVPODuGqjEgcUXyZV08MMxZ3 JvxhkNU5pIJE7wG5g21x+91JZjyLGmyDIAQTUPHLBjLehwVFWfQfoCjHvkJ1hV+PRpfD h/700u+kJy69a+rzR2JWc84SplnIszkOPjQdcP+dw5TtvYyu4u8WvikFrIpS/OoWm5dT iCQQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:references:in-reply-to:message-id:date:subject :cc:to:from:dkim-signature:dkim-filter; bh=1smV+STbYDhmRoQQm0EZubPwxSIgcHdkr8WDnSH0+5o=; fh=WKOxBQCBkKJEYHNk8gUZtM1FdSmLSIlhHGYfTk9Bdmc=; b=iOtTQ23oOa8nTndZA58YVbBClFv5MNxIs3zCT4Sy/2GDfegjN75rGhCBH2k/ggEt5b 7QPN9Edw0pIQeIvz5qTf20S7+swRPeljqPrkn2f+mkMmEyunbBK6xaPunyF1mKMgFEJt M3xZyKNdcgEcU58iSgWUuEjvgJj6Xu/Gdu4BCoZ/jFXI3cYL92ZcGz2gY15mxv7w0mcC pRvPpQWe3nP4+Td2k3QekFafgFFxKATgBlUTD/JGy6JAdxCf13rqBPOvYUPeL+1pPM1U cBO6pIvzABRoZGDlIuA8PoslUx2JwccZMVvyLUNArwlEH0O5JQ6gqm7Oz9niWW12d7Gg 4ImQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linux.microsoft.com header.s=default header.b=byCOhrEy; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:7 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linux.microsoft.com Received: from snail.vger.email (snail.vger.email. [2620:137:e000::3:7]) by mx.google.com with ESMTPS id ik30-20020a170902ab1e00b001c77916e87dsi86783plb.591.2023.10.04.15.12.10 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 04 Oct 2023 15:12:10 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:7 as permitted sender) client-ip=2620:137:e000::3:7; Authentication-Results: mx.google.com; dkim=pass header.i=@linux.microsoft.com header.s=default header.b=byCOhrEy; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:7 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linux.microsoft.com Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by snail.vger.email (Postfix) with ESMTP id A08FD82CAC07; Wed, 4 Oct 2023 15:11:22 -0700 (PDT) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.10 at snail.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S236114AbjJDWLF (ORCPT + 19 others); Wed, 4 Oct 2023 18:11:05 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:41784 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234494AbjJDWJ6 (ORCPT ); Wed, 4 Oct 2023 18:09:58 -0400 Received: from linux.microsoft.com (linux.microsoft.com [13.77.154.182]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id D4CEED7; Wed, 4 Oct 2023 15:09:54 -0700 (PDT) Received: by linux.microsoft.com (Postfix, from userid 1052) id E1DCC20B74DA; Wed, 4 Oct 2023 15:09:50 -0700 (PDT) DKIM-Filter: OpenDKIM Filter v2.11.0 linux.microsoft.com E1DCC20B74DA DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.microsoft.com; s=default; t=1696457390; bh=1smV+STbYDhmRoQQm0EZubPwxSIgcHdkr8WDnSH0+5o=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=byCOhrEy+MfjCVrb9QrRK43XlRo3Bi6poEskovbzkThWEcLhLnMbpMoaJtvz9PIQ2 7rVcZJ9TWXhqfABiPyS0XQ8rIk6plTh1FcTpF9NmyEV2yy0wOkM3q71fOgdkPIoFa0 ZqvyzI40phF2PSLWu9lKhjm8pg+ZiVOBqC7J9l8U= From: Fan Wu To: corbet@lwn.net, zohar@linux.ibm.com, jmorris@namei.org, serge@hallyn.com, tytso@mit.edu, ebiggers@kernel.org, axboe@kernel.dk, agk@redhat.com, snitzer@kernel.org, eparis@redhat.com, paul@paul-moore.com Cc: linux-doc@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, linux-fscrypt@vger.kernel.org, linux-block@vger.kernel.org, dm-devel@redhat.com, audit@vger.kernel.org, roberto.sassu@huawei.com, linux-kernel@vger.kernel.org, Deven Bowers , Fan Wu Subject: [RFC PATCH v11 13/19] dm verity: consume root hash digest and signature data via LSM hook Date: Wed, 4 Oct 2023 15:09:40 -0700 Message-Id: <1696457386-3010-14-git-send-email-wufan@linux.microsoft.com> X-Mailer: git-send-email 1.8.3.1 In-Reply-To: <1696457386-3010-1-git-send-email-wufan@linux.microsoft.com> References: <1696457386-3010-1-git-send-email-wufan@linux.microsoft.com> X-Spam-Status: No, score=-17.5 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,ENV_AND_HDR_SPF_MATCH,SPF_HELO_PASS,SPF_PASS, USER_IN_DEF_DKIM_WL,USER_IN_DEF_SPF_WL autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (snail.vger.email [0.0.0.0]); Wed, 04 Oct 2023 15:11:22 -0700 (PDT) X-getmail-retrieved-from-mailbox: INBOX X-GMAIL-THRID: 1778864651784948170 X-GMAIL-MSGID: 1778864651784948170 From: Deven Bowers dm-verity provides a strong guarantee of a block device's integrity. As a generic way to check the integrity of a block device, it provides those integrity guarantees to its higher layers, including the filesystem level. An LSM that control access to a resource on the system based on the available integrity claims can use this transitive property of dm-verity, by querying the underlying block_device of a particular file. The digest and signature information need to be stored in the block device to fulfill the next requirement of authorization via LSM policy. This will enable the LSM to perform revocation of devices that are still mounted, prohibiting execution of files that are no longer authorized by the LSM in question. This patch added two security hook calls in dm-verity to save the dm-verity roothash and the roothash signature to the block device's LSM blobs. Signed-off-by: Deven Bowers Signed-off-by: Fan Wu --- v2: + No Changes v3: + No changes v4: + No changes v5: + No changes v6: + Fix an improper cleanup that can result in a leak v7: + Squash patch 08/12, 10/12 to [11/16] + Use part0 for block_device, to retrieve the block_device, when calling security_bdev_setsecurity v8: + Undo squash of 08/12, 10/12 - separating drivers/md/ from security/ & block/ + Use common-audit function for dmverity_signature. + Change implementation for storing the dm-verity digest to use the newly introduced dm_verity_digest structure introduced in patch 14/20. + Create new structure, dm_verity_digest, containing digest algorithm, size, and digest itself to pass to the LSM layer. V7 was missing the algorithm. + Create an associated public header containing this new structure and the key values for the LSM hook, specific to dm-verity. + Additional information added to commit, discussing the layering of the changes and how the information passed will be used. v9: + No changes v10: + No changes v11: + Add an optional field to save signature + Move the security hook call to the new finalize hook --- drivers/md/dm-verity-target.c | 71 +++++++++++++++++++++++++++++++++++ drivers/md/dm-verity.h | 6 +++ include/linux/dm-verity.h | 19 ++++++++++ 3 files changed, 96 insertions(+) create mode 100644 include/linux/dm-verity.h diff --git a/drivers/md/dm-verity-target.c b/drivers/md/dm-verity-target.c index 80673b66c194..db58b53649e3 100644 --- a/drivers/md/dm-verity-target.c +++ b/drivers/md/dm-verity-target.c @@ -13,6 +13,7 @@ * access behavior. */ +#include "dm-core.h" #include "dm-verity.h" #include "dm-verity-fec.h" #include "dm-verity-verify-sig.h" @@ -22,6 +23,9 @@ #include #include #include +#include +#include +#include #define DM_MSG_PREFIX "verity" @@ -952,6 +956,17 @@ static void verity_io_hints(struct dm_target *ti, struct queue_limits *limits) blk_limits_io_min(limits, limits->logical_block_size); } +#ifdef CONFIG_IPE_PROP_DM_VERITY +static void verity_free_sig(struct dm_verity *v) +{ + kfree(v->root_digest_sig); +} +#else +static inline void verity_free_sig(struct dm_verity *v) +{ +} +#endif /* CONFIG_IPE_PROP_DM_VERITY */ + static void verity_dtr(struct dm_target *ti) { struct dm_verity *v = ti->private; @@ -966,6 +981,7 @@ static void verity_dtr(struct dm_target *ti) kfree(v->salt); kfree(v->root_digest); kfree(v->zero_digest); + verity_free_sig(v); if (v->tfm) crypto_free_ahash(v->tfm); @@ -1157,6 +1173,25 @@ static int verity_parse_opt_args(struct dm_arg_set *as, struct dm_verity *v, return r; } +#ifdef CONFIG_IPE_PROP_DM_VERITY +static int verity_init_sig(struct dm_verity *v, const void *sig, + size_t sig_size) +{ + v->sig_size = sig_size; + v->root_digest_sig = kmalloc(v->sig_size, GFP_KERNEL); + if (!v->root_digest) + return -ENOMEM; + + return 0; +} +#else +static inline int verity_init_sig(struct dm_verity *v, const void *sig, + size_t sig_size) +{ + return 0; +} +#endif /* CONFIG_IPE_PROP_DM_VERITY */ + /* * Target parameters: * The current format is version 1. @@ -1365,6 +1400,13 @@ static int verity_ctr(struct dm_target *ti, unsigned int argc, char **argv) ti->error = "Root hash verification failed"; goto bad; } + + r = verity_init_sig(v, verify_args.sig, verify_args.sig_size); + if (r < 0) { + ti->error = "Cannot allocate root digest signature"; + goto bad; + } + v->hash_per_block_bits = __fls((1 << v->hash_dev_block_bits) / v->digest_size); @@ -1501,6 +1543,32 @@ int dm_verity_get_root_digest(struct dm_target *ti, u8 **root_digest, unsigned i return 0; } +#ifdef CONFIG_IPE_PROP_DM_VERITY +static int verity_finalize(struct dm_target *ti) +{ + struct block_device *bdev; + struct dm_verity_digest root_digest; + struct dm_verity *v; + int r; + + v = ti->private; + bdev = dm_table_get_md(ti->table)->disk->part0; + root_digest.digest = v->root_digest; + root_digest.digest_len = v->digest_size; + root_digest.algo = v->alg_name; + + r = security_bdev_setsecurity(bdev, DM_VERITY_ROOTHASH_SEC_NAME, &root_digest, + sizeof(root_digest)); + if (r) + return r; + + return security_bdev_setsecurity(bdev, + DM_VERITY_SIGNATURE_SEC_NAME, + v->root_digest_sig, + v->sig_size); +} +#endif /* CONFIG_IPE_PROP_DM_VERITY */ + static struct target_type verity_target = { .name = "verity", .features = DM_TARGET_SINGLETON | DM_TARGET_IMMUTABLE, @@ -1513,6 +1581,9 @@ static struct target_type verity_target = { .prepare_ioctl = verity_prepare_ioctl, .iterate_devices = verity_iterate_devices, .io_hints = verity_io_hints, +#ifdef CONFIG_IPE_PROP_DM_VERITY + .finalize = verity_finalize, +#endif /* CONFIG_IPE_PROP_DM_VERITY */ }; module_dm(verity); diff --git a/drivers/md/dm-verity.h b/drivers/md/dm-verity.h index 2f555b420367..a093d4a54615 100644 --- a/drivers/md/dm-verity.h +++ b/drivers/md/dm-verity.h @@ -42,6 +42,9 @@ struct dm_verity { u8 *root_digest; /* digest of the root block */ u8 *salt; /* salt: its size is salt_size */ u8 *zero_digest; /* digest for a zero block */ +#ifdef CONFIG_IPE_PROP_DM_VERITY + u8 *root_digest_sig; /* digest signature of the root block */ +#endif /* CONFIG_IPE_PROP_DM_VERITY */ unsigned int salt_size; sector_t data_start; /* data offset in 512-byte sectors */ sector_t hash_start; /* hash start in blocks */ @@ -55,6 +58,9 @@ struct dm_verity { bool hash_failed:1; /* set if hash of any block failed */ bool use_tasklet:1; /* try to verify in tasklet before work-queue */ unsigned int digest_size; /* digest size for the current hash algorithm */ +#ifdef CONFIG_IPE_PROP_DM_VERITY + unsigned int sig_size; /* digest signature size */ +#endif /* CONFIG_IPE_PROP_DM_VERITY */ unsigned int ahash_reqsize;/* the size of temporary space for crypto */ enum verity_mode mode; /* mode for handling verification errors */ unsigned int corrupted_errs;/* Number of errors for corrupted blocks */ diff --git a/include/linux/dm-verity.h b/include/linux/dm-verity.h new file mode 100644 index 000000000000..bb0413d55d72 --- /dev/null +++ b/include/linux/dm-verity.h @@ -0,0 +1,19 @@ +/* SPDX-License-Identifier: GPL-2.0 */ + +#ifndef _LINUX_DM_VERITY_H +#define _LINUX_DM_VERITY_H + +#include +#include +#include + +struct dm_verity_digest { + const char *algo; + const u8 *digest; + size_t digest_len; +}; + +#define DM_VERITY_SIGNATURE_SEC_NAME DM_NAME ".verity-signature" +#define DM_VERITY_ROOTHASH_SEC_NAME DM_NAME ".verity-roothash" + +#endif /* _LINUX_DM_VERITY_H */