From: Paul Moore <paul@paul-moore.com>
To: Fan Wu <wufan@linux.microsoft.com>,
corbet@lwn.net, zohar@linux.ibm.com, jmorris@namei.org,
serge@hallyn.com, tytso@mit.edu, ebiggers@kernel.org,
axboe@kernel.dk, agk@redhat.com, snitzer@kernel.org,
eparis@redhat.com
Cc: linux-doc@vger.kernel.org, linux-integrity@vger.kernel.org,
linux-security-module@vger.kernel.org, fsverity@lists.linux.dev,
linux-block@vger.kernel.org, dm-devel@lists.linux.dev,
audit@vger.kernel.org, linux-kernel@vger.kernel.org,
Deven Bowers <deven.desai@linux.microsoft.com>,
Fan Wu <wufan@linux.microsoft.com>
Subject: Re: [PATCH v16 13/20] dm verity: consume root hash digest and signature data via LSM hook
Date: Mon, 01 Apr 2024 21:26:43 -0400 [thread overview]
Message-ID: <31cf8af8b467e22d30bbb71a7ed58ced@paul-moore.com> (raw)
In-Reply-To: <1711657047-10526-14-git-send-email-wufan@linux.microsoft.com>
On Mar 28, 2024 Fan Wu <wufan@linux.microsoft.com> wrote:
>
> dm-verity provides a strong guarantee of a block device's integrity. As
> a generic way to check the integrity of a block device, it provides
> those integrity guarantees to its higher layers, including the filesystem
> level.
>
> An LSM that control access to a resource on the system based on the
> available integrity claims can use this transitive property of
> dm-verity, by querying the underlying block_device of a particular
> file.
>
> The digest and signature information need to be stored in the block
> device to fulfill the next requirement of authorization via LSM policy.
> This will enable the LSM to perform revocation of devices that are still
> mounted, prohibiting execution of files that are no longer authorized
> by the LSM in question.
>
> This patch adds two security hook calls in dm-verity to save the
> dm-verity roothash and the roothash signature to the block device's
> LSM blobs. The hook calls are depended on CONFIG_IPE_PROP_DM_VERITY,
> which will be introduced in the next commit.
>
> Signed-off-by: Deven Bowers <deven.desai@linux.microsoft.com>
> Signed-off-by: Fan Wu <wufan@linux.microsoft.com>
> ---
> v2:
> + No Changes
>
> v3:
> + No changes
>
> v4:
> + No changes
>
> v5:
> + No changes
>
> v6:
> + Fix an improper cleanup that can result in
> a leak
>
> v7:
> + Squash patch 08/12, 10/12 to [11/16]
> + Use part0 for block_device, to retrieve the block_device, when
> calling security_bdev_setsecurity
>
> v8:
> + Undo squash of 08/12, 10/12 - separating drivers/md/ from
> security/ & block/
> + Use common-audit function for dmverity_signature.
> + Change implementation for storing the dm-verity digest to use the
> newly introduced dm_verity_digest structure introduced in patch
> 14/20.
> + Create new structure, dm_verity_digest, containing digest algorithm,
> size, and digest itself to pass to the LSM layer. V7 was missing the
> algorithm.
> + Create an associated public header containing this new structure and
> the key values for the LSM hook, specific to dm-verity.
> + Additional information added to commit, discussing the layering of
> the changes and how the information passed will be used.
>
> v9:
> + No changes
>
> v10:
> + No changes
>
> v11:
> + Add an optional field to save signature
> + Move the security hook call to the new finalize hook
>
> v12:
> + No changes
>
> v13:
> + No changes
>
> v14:
> + Correct code format
> + Remove unnecessary header and switch to dm_disk()
>
> v15:
> + Refactor security_bdev_setsecurity() to security_bdev_setintegrity()
> + Remove unnecessary headers
>
> v16:
> + Use kmemdup to duplicate signature
> + clean up lsm blob data in error case
> ---
> drivers/md/dm-verity-target.c | 83 +++++++++++++++++++++++++++++++++++
> drivers/md/dm-verity.h | 6 +++
> include/linux/dm-verity.h | 12 +++++
> include/linux/security.h | 3 +-
> 4 files changed, 103 insertions(+), 1 deletion(-)
> create mode 100644 include/linux/dm-verity.h
>
> diff --git a/drivers/md/dm-verity-target.c b/drivers/md/dm-verity-target.c
> index bb5da66da4c1..e2b0657b09f9 100644
> --- a/drivers/md/dm-verity-target.c
> +++ b/drivers/md/dm-verity-target.c
> @@ -22,6 +22,8 @@
> #include <linux/scatterlist.h>
> #include <linux/string.h>
> #include <linux/jump_label.h>
> +#include <linux/security.h>
> +#include <linux/dm-verity.h>
>
> #define DM_MSG_PREFIX "verity"
>
> @@ -1017,6 +1019,38 @@ static void verity_io_hints(struct dm_target *ti, struct queue_limits *limits)
> blk_limits_io_min(limits, limits->logical_block_size);
> }
>
> +#ifdef CONFIG_IPE_PROP_DM_VERITY
> +
> +static int verity_init_sig(struct dm_verity *v, const void *sig,
> + size_t sig_size)
> +{
> + v->sig_size = sig_size;
> + v->root_digest_sig = kmemdup(sig, v->sig_size, GFP_KERNEL);
> + if (!v->root_digest)
> + return -ENOMEM;
> +
> + return 0;
> +}
> +
> +static void verity_free_sig(struct dm_verity *v)
> +{
> + kfree(v->root_digest_sig);
> +}
> +
> +#else
> +
> +static inline int verity_init_sig(struct dm_verity *v, const void *sig,
> + size_t sig_size)
> +{
> + return 0;
> +}
> +
> +static inline void verity_free_sig(struct dm_verity *v)
> +{
> +}
> +
> +#endif /* CONFIG_IPE_PROP_DM_VERITY */
Please see my comments from the v15 patchset where I talked about using
CONFIG_SECURITY instead of CONFIG_IPE_PROP_DM_VERITY.
> @@ -1584,6 +1626,44 @@ int dm_verity_get_root_digest(struct dm_target *ti, u8 **root_digest, unsigned i
> return 0;
> }
>
> +#ifdef CONFIG_IPE_PROP_DM_VERITY
> +
> +static int verity_finalize(struct dm_target *ti)
> +{
> + struct block_device *bdev;
> + struct dm_verity_digest root_digest;
> + struct dm_verity *v;
> + int r;
> +
> + v = ti->private;
> + bdev = dm_disk(dm_table_get_md(ti->table))->part0;
> + root_digest.digest = v->root_digest;
> + root_digest.digest_len = v->digest_size;
> + root_digest.alg = v->alg_name;
> +
> + r = security_bdev_setintegrity(bdev, LSM_INT_DMVERITY_ROOTHASH, &root_digest,
> + sizeof(root_digest));
> + if (r)
> + return r;
> +
> + r = security_bdev_setintegrity(bdev,
> + LSM_INT_DMVERITY_SIG,
> + v->root_digest_sig,
> + v->sig_size);
> + if (r)
> + goto bad;
> +
> + return 0;
> +
> +bad:
> +
> + security_bdev_setintegrity(bdev, LSM_INT_DMVERITY_ROOTHASH, NULL, 0);
> +
> + return r;
Nitpicky, but you really don't need to use as much vertical whitespace
here:
err:
security_bdev_setintegrity(...);
return r;
> +}
--
paul-moore.com
next prev parent reply other threads:[~2024-04-02 1:26 UTC|newest]
Thread overview: 36+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-03-28 20:17 [PATCH v16 00/20] Integrity Policy Enforcement LSM (IPE) Fan Wu
2024-03-28 20:17 ` [PATCH v16 01/20] security: add ipe lsm Fan Wu
2024-03-28 20:45 ` Jarkko Sakkinen
2024-03-28 22:11 ` Randy Dunlap
2024-03-30 11:11 ` Jarkko Sakkinen
2024-03-28 20:17 ` [PATCH v16 02/20] ipe: add policy parser Fan Wu
2024-03-28 20:46 ` Jarkko Sakkinen
2024-03-28 20:47 ` Jarkko Sakkinen
2024-03-28 20:17 ` [PATCH v16 03/20] ipe: add evaluation loop Fan Wu
2024-03-28 20:49 ` Jarkko Sakkinen
2024-03-28 20:17 ` [PATCH v16 04/20] ipe: add LSM hooks on execution and kernel read Fan Wu
2024-03-28 20:17 ` [PATCH v16 05/20] initramfs|security: Add a security hook to do_populate_rootfs() Fan Wu
2024-03-28 20:17 ` [PATCH v16 06/20] ipe: introduce 'boot_verified' as a trust provider Fan Wu
2024-03-28 20:17 ` [PATCH v16 07/20] security: add new securityfs delete function Fan Wu
2024-03-28 20:17 ` [PATCH v16 08/20] ipe: add userspace interface Fan Wu
2024-03-28 20:17 ` [PATCH v16 09/20] uapi|audit|ipe: add ipe auditing support Fan Wu
2024-03-28 20:17 ` [PATCH v16 10/20] ipe: add permissive toggle Fan Wu
2024-03-28 20:17 ` [PATCH v16 11/20] block|security: add LSM blob to block_device Fan Wu
2024-03-30 11:26 ` kernel test robot
2024-04-02 1:26 ` Paul Moore
2024-03-28 20:17 ` [PATCH v16 12/20] dm: add finalize hook to target_type Fan Wu
2024-03-28 20:17 ` [PATCH v16 13/20] dm verity: consume root hash digest and signature data via LSM hook Fan Wu
2024-04-02 1:26 ` Paul Moore [this message]
2024-03-28 20:17 ` [PATCH v16 14/20] ipe: add support for dm-verity as a trust provider Fan Wu
2024-04-02 1:26 ` Paul Moore
2024-03-28 20:17 ` [PATCH v16 15/20] security: add security_inode_setintegrity() hook Fan Wu
2024-04-02 1:26 ` Paul Moore
2024-03-28 20:17 ` [PATCH v16 16/20] fsverity: consume fsverity built-in signatures via LSM hook Fan Wu
2024-04-03 5:02 ` Eric Biggers
2024-03-28 20:17 ` [PATCH v16 17/20] ipe: enable support for fs-verity as a trust provider Fan Wu
2024-04-03 5:10 ` Eric Biggers
2024-03-28 20:17 ` [PATCH v16 18/20] scripts: add boot policy generation program Fan Wu
2024-03-28 20:17 ` [PATCH v16 19/20] ipe: kunit test for parser Fan Wu
2024-03-28 20:17 ` [PATCH v16 20/20] documentation: add ipe documentation Fan Wu
2024-03-28 20:36 ` [PATCH v16 00/20] Integrity Policy Enforcement LSM (IPE) Jarkko Sakkinen
2024-03-28 20:38 ` Jarkko Sakkinen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=31cf8af8b467e22d30bbb71a7ed58ced@paul-moore.com \
--to=paul@paul-moore.com \
--cc=agk@redhat.com \
--cc=audit@vger.kernel.org \
--cc=axboe@kernel.dk \
--cc=corbet@lwn.net \
--cc=deven.desai@linux.microsoft.com \
--cc=dm-devel@lists.linux.dev \
--cc=ebiggers@kernel.org \
--cc=eparis@redhat.com \
--cc=fsverity@lists.linux.dev \
--cc=jmorris@namei.org \
--cc=linux-block@vger.kernel.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=serge@hallyn.com \
--cc=snitzer@kernel.org \
--cc=tytso@mit.edu \
--cc=wufan@linux.microsoft.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).