From: Roberto Sassu
Subject: [RFC][PATCH v3a 10/11] evm: Include fsverity formatted digest in the HMAC/digest calculation
Date: Thu, 27 Jan 2022 19:46:14 +0100
Message-ID: <20220127184614.2837938-6-roberto.sassu@huawei.com>
In-Reply-To: <20220127184614.2837938-1-roberto.sassu@huawei.com>
References: <20220127184614.2837938-1-roberto.sassu@huawei.com>
X-Mailing-List: linux-kernel@vger.kernel.org

Include the fsverity formatted digest in the HMAC/digest calculation. It can be a substitute of the IMA xattr for binding the EVM HMAC/signature to the file content. This feature is disabled by default, and must be enabled in the kernel configuration.

Signed-off-by: Roberto Sassu
---
 include/linux/evm.h | 4 ++++
 security/integrity/evm/Kconfig | 15 +++++++++++++++
 security/integrity/evm/evm_crypto.c | 18 ++++++++++++++++++
 security/integrity/evm/evm_main.c | 4 ++++
 4 files changed, 41 insertions(+)
diff --git a/include/linux/evm.h b/include/linux/evm.h index 3da25393b011..e6637dfb22fe 100644 --- a/include/linux/evm.h +++ b/include/linux/evm.h @@ -16,7 +16,11 @@ struct integrity_iint_cache; static inline bool evm_protects_fsverity(void) { +#ifdef CONFIG_EVM_ATTR_FSVERITY + return true; +#else return false; +#endif } #ifdef CONFIG_EVM diff --git a/security/integrity/evm/Kconfig b/security/integrity/evm/Kconfig index a6e19d23e700..837308dacede 100644 --- a/security/integrity/evm/Kconfig +++ b/security/integrity/evm/Kconfig
@@ -27,6 +27,21 @@ config EVM_ATTR_FSUUID additional info to the calculation, requires existing EVM labeled file systems to be relabeled. +config EVM_ATTR_FSVERITY + bool "Include fsverity formatted digest" + default n + depends on EVM + depends on FS_VERITY + help + Include fsverity formatted digest for HMAC/digest calculation. + + Default value is 'not selected'. + + WARNING: changing the HMAC/digest calculation method or adding + additional info to the calculation, requires existing EVM + labeled file systems to be relabeled, and the signatures to be + replaced. + config EVM_EXTRA_SMACK_XATTRS bool "Additional SMACK xattrs" depends on EVM && SECURITY_SMACK diff --git a/security/integrity/evm/evm_crypto.c b/security/integrity/evm/evm_crypto.c index 0450d79afdc8..5da427d8b2c7 100644 --- a/security/integrity/evm/evm_crypto.c +++ b/security/integrity/evm/evm_crypto.c @@ -16,6 +16,7 @@ #include #include #include +#include #include #include #include @@ -224,6 +225,9 @@ static int evm_calc_hmac_or_hash(struct dentry *dentry, int error; int size, user_space_size; bool ima_present = false; + u8 fsverity_fmt_digest[FS_VERITY_MAX_FMT_DIGEST_SIZE]; + ssize_t fsverity_fmt_digest_len; + enum hash_algo fsverity_algo; if (!(inode->i_opflags & IOP_XATTR) || inode->i_sb->s_user_ns != &init_user_ns) @@ -296,6 +300,20 @@ static int evm_calc_hmac_or_hash(struct dentry *dentry, dump_security_xattr(xattr->name, xattr_value, xattr_size); } + + if (IS_ENABLED(CONFIG_EVM_ATTR_FSVERITY)) { + fsverity_fmt_digest_len = fsverity_get_formatted_digest(inode, + fsverity_fmt_digest, + &fsverity_algo); + if (fsverity_fmt_digest_len > 0) { + crypto_shash_update(desc, fsverity_fmt_digest, + fsverity_fmt_digest_len); + /* Fsverity formatted digest satisfies this req. */ + ima_present = true; + error = 0; + } + } + hmac_add_misc(desc, inode, type, data->digest); /* Portable EVM signatures must include an IMA hash */ 
diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c index 08f907382c61..8943bf4abc62 100644 --- a/security/integrity/evm/evm_main.c +++ b/security/integrity/evm/evm_main.c @@ -108,6 +108,10 @@ static void __init evm_init_config(void) #ifdef CONFIG_EVM_ATTR_FSUUID evm_hmac_attrs |= EVM_ATTR_FSUUID; #endif + + if (IS_ENABLED(CONFIG_EVM_ATTR_FSVERITY)) + pr_info("Fsverity formatted digest included in calculation\n"); + pr_info("HMAC attrs: 0x%x\n", evm_hmac_attrs); } -- 2.32.0
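Review bot: in the include/linux/evm.h hunk, the `#ifdef CONFIG_EVM_ATTR_FSVERITY` / `#else` / `#endif` pair inside evm_protects_fsverity() wraps a compile-time constant and could collapse to `return IS_ENABLED(CONFIG_EVM_ATTR_FSVERITY);`, which is the idiom the evm_crypto.c and evm_main.c hunks of this same patch already use for the option. The function also gains a second meaning here without a comment: it would help readers of evm.h to state above it that a true return means the EVM HMAC/signature covers the fsverity formatted digest, so the IMA xattr is no longer the only thing binding the signature to the file content.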
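Review bot: in the security/integrity/evm/Kconfig hunk, `default n` on the new EVM_ATTR_FSVERITY entry is redundant (a bool with no default is already n) and the help line "Default value is 'not selected'." repeats it; dropping both brings the entry in line with the EVM_EXTRA_SMACK_XATTRS entry just below, which states neither. The WARNING paragraph is the part that matters for operators: because the formatted digest is fed into the HMAC/digest, toggling this option after a file system has been labeled makes every existing HMAC and signature fail until the files are relabeled and re-signed, so the help text could say plainly that the option must be decided before labeling rather than switched later. The first help line could also say what the digest substitutes for (the IMA xattr), as the commit message does.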
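Review bot: in the evm_crypto.c hunk that adds the `if (IS_ENABLED(CONFIG_EVM_ATTR_FSVERITY))` block to evm_calc_hmac_or_hash(), a negative return from fsverity_get_formatted_digest() is indistinguishable from "no verity digest on this inode": `if (fsverity_fmt_digest_len > 0)` silently skips both, so a failure while fetching the digest would produce an HMAC computed over the remaining attributes instead of an error. Consider checking the helper's "not enabled" result explicitly and propagating any other negative value through `error` before reaching hmac_add_misc(). Two smaller points in the same block: `fsverity_algo` is filled in through `&fsverity_algo` but never read, so either use it or drop the out-parameter; and the comment `/* Fsverity formatted digest satisfies this req. */` should name the requirement, i.e. the "Portable EVM signatures must include an IMA hash" check that follows, which `ima_present = true` is there to satisfy.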
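Review bot: in the evm_main.c hunk, the added pr_info() in evm_init_config() reports the fsverity digest separately from the `HMAC attrs: 0x%x` line printed right after it, so the log no longer has one value describing what the HMAC covers. The neighbouring CONFIG_EVM_ATTR_FSUUID case sets an EVM_ATTR_FSUUID bit in evm_hmac_attrs instead; an EVM_ATTR_FSVERITY bit handled the same way would keep a single representation, let evm_calc_hmac_or_hash() test the flag rather than IS_ENABLED(), and make the extra pr_info() unnecessary. If the separate message stays, "Fsverity formatted digest included in HMAC/digest calculation" would match the Kconfig wording.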