Date: Mon, 3 Jun 2019 13:08:45 -0700 (PDT)
From: jaskarankhurana@linux.microsoft.com
To: linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, gmazyland@gmail.com
Cc: agk@redhat.com, snitzer@redhat.com, dm-deval@redhat.com, jmorris@namei.org, scottsh@microsoft.com
Subject: Re: [RFC 1/1] Add dm verity root hash pkcs7 sig validation.
On Tue, 21 May 2019, Milan Broz wrote:

> On 20/05/2019 23:54, Jaskaran Khurana wrote:
>> Adds in-kernel pkcs7 signature checking for the roothash of
>> the dm-verity hash tree.
>>
>>
>> Adds DM_VERITY_VERIFY_ROOTHASH_SIG_FORCE: roothash signature *must* be
>> specified for all dm verity volumes and verification must succeed prior
>> to creation of device mapper block device.
>
> I am not sure this is a good idea. If I understand it correctly, this will
> block creating other dm-verity mappings without PKCS7 signature, and these
> are used in many other environments and applications that could possibly
> run on that system later.
>
> (But I have no idea how to solve it better though :-)
>
> ...
>
>> + /* Root hash signature is a optional parameter*/
>> + r = verity_verify_root_hash(root_hash_digest_to_validate,
>> + strlen(root_hash_digest_to_validate),
>> + verify_args.sig,
>> + verify_args.sig_size);
>> + if (r < 0) {
>> + ti->error = "Root hash verification failed";
>> + goto bad;
>> + }
>
> You are sending the PKCS7 signature as a (quite large) binary blob inside the mapping table.
>
> I am not sure if it is possible here (I guess so), but why not put this in the kernel keyring
> and then just reference it from mapping table?
> (We use kernel keyring in libcryptsetup already for dm-crypt.)
>
> It will also solve an issue in userspace patch, when you are reading the signature
> file too late (devices can be suspended in that moment, so I would prefer to download
> sig file to keyring in advance, and then just reference it in mapping table).
>
> (I guess you will send merge request for veritysetup userspace part later.)
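Review bot: the comment in the quoted hunk says the root hash signature is an optional parameter, yet verity_verify_root_hash() is called unconditionally and any negative return aborts table creation, so from these lines it is not clear how a table that carries no signature (verify_args.sig NULL, verify_args.sig_size 0) is treated when DM_VERITY_VERIFY_ROOTHASH_SIG_FORCE is not set; either skip the call when no signature was supplied, or have the comment state that verity_verify_root_hash() returns 0 for that case. Two smaller points: the comment should read `/* Root hash signature is an optional parameter */`, and `ti->error = "Root hash verification failed";` is misleading because what failed here is the signature check, so "Root hash signature verification failed" would tell an operator which check rejected the table.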
I have made the changes for passing the signature bytes using the keyring and I had sent an updated patch for the same last week. I have given a link to the veritysetup changes which I used to test this in the patch and I will clean up and send those for review next. Please take a look and provide code review feedback for the kernel changes.

>
> Milan
>

Regards,
Jaskaran
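An added example, not code from the patch, veritysetup or this thread: it produces and checks the kind of signature the kernel side is asked to verify, a detached PKCS7 (DER) signature over the ASCII hex root hash (the quoted hunk passes strlen() of the digest string, so the hex text, not the raw digest bytes, is what gets signed). It assumes openssl is on PATH and uses a throwaway self-signed certificate trusted explicitly via -CAfile; the keyctl line and the key description "dm-verity:root" are constructed to show how the keyring variant would reference the blob instead of carrying it in the table.

```shell
#!/bin/sh
# Added example (not from the patch or thread): sign a dm-verity root hash as
# a detached PKCS7/DER blob and verify it over the same ASCII hex digest that
# strlen(root_hash_digest_to_validate) in the quoted hunk measures.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample root hash (hex digest as it appears in the mapping table).
ROOT_HASH=3d4b3b0d7f7a36ee8a1e3a5b8f5c7e9d1a2b3c4d5e6f708192a3b4c5d6e7f809

# Throwaway self-signed signing certificate. In a real deployment the signer
# certificate must already be in a keyring the kernel trusts; this demo trusts
# it explicitly with -CAfile instead.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=dm-verity root hash signing (demo)" \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1

# sign_root_hash HEX OUT.p7s: detached DER PKCS7 signature with no embedded
# certificates, so the verifier must already hold the signer's certificate.
sign_root_hash() {
    printf '%s' "$1" > "$WORK/to_sign"
    openssl smime -sign -binary -noattr -nocerts -in "$WORK/to_sign" \
        -inkey "$WORK/key.pem" -signer "$WORK/cert.pem" \
        -outform DER -out "$2"
}

# verify_root_hash HEX SIG.p7s: exit 0 only if SIG is a valid signature of HEX
# by a certificate chaining to the trusted one.
verify_root_hash() {
    printf '%s' "$1" > "$WORK/to_check"
    openssl smime -verify -binary -inform DER -in "$2" \
        -content "$WORK/to_check" -certfile "$WORK/cert.pem" \
        -CAfile "$WORK/cert.pem" -out /dev/null >/dev/null 2>&1
}

sign_root_hash "$ROOT_HASH" "$WORK/roothash.p7s"
verify_root_hash "$ROOT_HASH" "$WORK/roothash.p7s" && echo "signature OK"

# With the keyring approach suggested in the thread, the blob is loaded as a
# user key and the mapping table names the key instead of carrying the bytes.
# "dm-verity:root" is a constructed description, not a name from the patch:
#   keyctl padd user dm-verity:root @u < "$WORK/roothash.p7s"
```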