Received: by 2002:a05:6a10:2726:0:0:0:0 with SMTP id ib38csp1020490pxb;
        Wed, 6 Apr 2022 06:55:06 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJxxuzOcWYZg3bwmnb3BY78YMJ7XYIY2tD+ksQx/DfawUCbxny1FcjNoopG+SZc0KXHntPBE
X-Received: by 2002:a17:90b:164f:b0:1c7:8d27:91fc with SMTP id il15-20020a17090b164f00b001c78d2791fcmr10161176pjb.228.1649253306745;
        Wed, 06 Apr 2022 06:55:06 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1649253306; cv=none;
        d=google.com; s=arc-20160816;
        b=mRvsVvWBdx0piJKg/vdt2oOc949iDdW+kYEwBORl+WhtXKf1XEok1bVt5fSyc0LZR4
         usasSkMHwZO/aQTqQbDve+JmAIMVU2Lzup7CzH8DaBt+g0VUF9/XQEwxYr4kMMDSEPNY
         JKF/sDYVMXX02ScybDskDEMl/bepSpKRo132Rc5xFupoNoa3Hfp/EF7fuEBWEQzaqkf3
         733C7iOkv5CwbQ2hqGjmz6lQPhboBBq1TgMXoaqJexA2dpPVrwrkE9qoXYY0VL+Hy5fg
         BskRTnLGs03bPTXzlTp8yRMjiH6X5/Ua9S5mba3pXx8RRktaYi63UNdP989W6hGPgITJ
         ZS+A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:in-reply-to:content-disposition:mime-version
         :references:message-id:subject:cc:to:from:date:dkim-signature;
        bh=LqAMS2lwHzlmcvC87XsLJ/v9WzrNw6BIz697nNsOigw=;
        b=GHs2SMDI37wzw/TJf4U0Q8/lTV+KPzltxQC+UMgExgYEH1kdCkaVwyQ0ofz5Em7YH8
         PUqO/s1rvPAM4m8BHmykqrMQ5nBDI+AybvZ4++lwjpIrLNdL/gfdnR+zwgUStAZPXVWB
         NXrgbDJxx8UM5nyEsMNmgCjkATFMIg8dGAuo5G+Q9qB5oxK+jaP+wI6KzP2O03MzDcNO
         i0gHsEbtsFbKIr2AYRYrC3YxM3HDrOkVZDU8KgoWUccEcXMHvJncblidt93DzyxghlSt
         eMB2lXpjKOe9n8CMrmPWnDvbtWqDzgKuKkqH7R782nx79Vv7oQHyHGCAkI4L4wKPg48a
         CRRw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=k20201202 header.b="jDpzZ/qW";
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net. [2620:137:e000::1:18])
        by mx.google.com with ESMTPS id y18-20020a170902b49200b0015492827ec0si14811762plr.302.2022.04.06.06.55.05
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Wed, 06 Apr 2022 06:55:06 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) client-ip=2620:137:e000::1:18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=k20201202 header.b="jDpzZ/qW";
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
	by lindbergh.monkeyblade.net (Postfix) with ESMTP id 5E903CFB9B;
	Wed,  6 Apr 2022 04:48:54 -0700 (PDT)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1345558AbiDFCZZ (ORCPT <rfc822;02joepater06@gmail.com>
        + 99 others); Tue, 5 Apr 2022 22:25:25 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:41588 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1344753AbiDEVIr (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 5 Apr 2022 17:08:47 -0400
Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 058785D5FF;
        Tue,  5 Apr 2022 13:31:47 -0700 (PDT)
Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by ams.source.kernel.org (Postfix) with ESMTPS id B4D32B81FCB;
        Tue,  5 Apr 2022 20:31:45 +0000 (UTC)
Received: by smtp.kernel.org (Postfix) with ESMTPSA id 70C26C385A0;
        Tue,  5 Apr 2022 20:31:44 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
        s=k20201202; t=1649190704;
        bh=hVvEkc+QO11ZHsYNIQDJIVc5jdlWet/kgSfgUtvbG/A=;
        h=Date:From:To:Cc:Subject:References:In-Reply-To:From;
        b=jDpzZ/qW2fXYwFXtD8rfvPxLC+cmucdfq4k8q3Q/I1fZo1wrFvjpHT0dJgdgTXY2V
         /l74OHoZD0DmfyAw2zWm4AbqNBMr7NkZlonch0Y2jF6dNJiESmV2TaXEs3bOpvdqPb
         Btza7b5cdyfJujw+5H54+Mib4qI9nSSms2DVulBQPj3kw2JlckVyGGzHHDKKfM48nr
         3NZH4wSnHyxKGKXNjkIUyxa0sUF1NR0uYis2f+AymQVbn5lsguCWXKImCPzC338loS
         uM43snSY7JCMLQx53XPF5OLgULkGlybnsho4awM+fAuN7GffFU1mT1O+cSENJzTQEK
         C8ao2ZdEm0eBQ==
Date:   Tue, 5 Apr 2022 20:31:43 +0000
From:   Eric Biggers <ebiggers@kernel.org>
To:     Mimi Zohar <zohar@linux.ibm.com>
Cc:     linux-integrity@vger.kernel.org,
        Stefan Berger <stefanb@linux.ibm.com>,
        linux-fscrypt@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v7 4/5] ima: support fs-verity file digest based version
 3 signatures
Message-ID: <YkynLz5ZuI3pnBk9@gmail.com>
References: <20220325223824.310119-1-zohar@linux.ibm.com>
 <20220325223824.310119-5-zohar@linux.ibm.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20220325223824.310119-5-zohar@linux.ibm.com>
X-Spam-Status: No, score=-2.3 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH,
	DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,MAILING_LIST_MULTI,
	RDNS_NONE,SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE autolearn=unavailable
	autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
	lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

> The IMA policy defines "which" files are to be measured, verified, and/or
> audited.  For those files being verified, the policy rules indicate "how"
> the file should be verified.  For example to require a file be signed,
> the appraise policy rule must include the 'appraise_type' option.
> 
> 	appraise_type:= [imasig] | [imasig|modsig] | [sigv3]
>            where 'imasig' is the original or v2 signature (default),
>            where 'modsig' is an appended signature,
>            where 'sigv3' is the signature v3 format.
> 
> The policy rule must also indicate the type of signature, if not the IMA
> default, by specifying the digest type:
> 
> 	digest_type:= [verity]

I don't understand the above paragraph.  Should it say "type of digest" instead
of "type of signature"?  And what does specifying the digest type do, exactly?

> diff --git a/Documentation/ABI/testing/ima_policy b/Documentation/ABI/testing/ima_policy
> index 2e0c501ce9c8..acd17183ad8c 100644
> --- a/Documentation/ABI/testing/ima_policy
> +++ b/Documentation/ABI/testing/ima_policy
> @@ -47,7 +47,11 @@ Description:
>  			fgroup:= decimal value
>  		  lsm:  are LSM specific
>  		  option:
> -			appraise_type:= [imasig] [imasig|modsig]
> +			appraise_type:= [imasig] | [imasig|modsig] | [sigv3]
> +			    where 'imasig' is the original or v2 signature,
> +			    where 'modsig' is an appended signature,
> +			    where 'sigv3' is the IMA v3 signature.
> +

The documentation should explain the differences between the different signature
types, especially when a user would need to choose one or another.

> +
> +		Example of 'measure' and 'appraise' rules requiring fs-verity
> +		signatures (version 3) stored in security.ima xattr.
> +
> +		The 'measure' rule specifies the 'ima-sigv2' template option,
> +		which includes the indication of type of digest and the file
> +		signature in the measurement list.
> +
> +			measure func=BPRM_CHECK digest_type=verity \
> +				template=ima-sigv2

This says it requires version 3 signatures, however it then uses "ima-sigv2".

> @@ -183,13 +185,18 @@ enum hash_algo ima_get_hash_algo(const struct evm_ima_xattr_data *xattr_value,
>  		return ima_hash_algo;
>  
>  	switch (xattr_value->type) {
> +	case IMA_VERITY_DIGSIG:
> +		sig = (typeof(sig))xattr_value;
> +		if (sig->version != 3 || xattr_len <= sizeof(*sig) ||
> +		    sig->hash_algo >= HASH_ALGO__LAST)
> +			return ima_hash_algo;
> +		return sig->hash_algo;

It looks like this is falling back to SHA-1 if the xattr is invalid:

	int __ro_after_init ima_hash_algo = HASH_ALGO_SHA1;

How about falling back to a more secure hash algorithm, or returning an error?

> +/*
> + * calc_file_id_hash - calculate the hash of the ima_file_id struct data
> + * @type: xattr type [enum evm_ima_xattr_type]
> + * @algo: hash algorithm [enum hash_algo]
> + * @digest: pointer to the digest to be hashed
> + * @hash: (out) pointer to the hash
> + *
> + * IMA signature version 3 disambiguates the data that is signed by
> + * indirectly signing the hash of the ima_file_id structure data.
> + *
> + * Signing the ima_file_id struct is currently only supported for
> + * IMA_VERITY_DIGSIG type xattrs.
> + *
> + * Return 0 on success, error code otherwise.
> + */
> +static int calc_file_id_hash(enum evm_ima_xattr_type type,
> +			     enum hash_algo algo, const u8 *digest,
> +			     struct ima_digest_data *hash)
> +{
> +	struct ima_file_id file_id = {
> +		.hash_type = IMA_VERITY_DIGSIG, .hash_algorithm = algo};
> +	uint unused = HASH_MAX_DIGESTSIZE - hash_digest_size[algo];

'uint' is unusual in kernel code; please use 'unsigned int' instead.

> @@ -1735,14 +1745,24 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
>  			break;
>  		case Opt_appraise_type:
>  			ima_log_string(ab, "appraise_type", args[0].from);
> -			if ((strcmp(args[0].from, "imasig")) == 0)
> +			if ((strcmp(args[0].from, "imasig")) == 0) {
>  				entry->flags |= IMA_DIGSIG_REQUIRED;
> -			else if (IS_ENABLED(CONFIG_IMA_APPRAISE_MODSIG) &&
> -				 strcmp(args[0].from, "imasig|modsig") == 0)
> +			} else if (strcmp(args[0].from, "sigv3") == 0) {
> +				/*
> +				 * Only fsverity supports sigv3 for now.
> +				 * No need to define a new flag.
> +				 */
> +				if (entry->flags & IMA_VERITY_REQUIRED)
> +					entry->flags |= IMA_DIGSIG_REQUIRED;
> +				else
> +					result = -EINVAL;
> +			} else if (IS_ENABLED(CONFIG_IMA_APPRAISE_MODSIG) &&
> +				 strcmp(args[0].from, "imasig|modsig") == 0) {
>  				entry->flags |= IMA_DIGSIG_REQUIRED |
>  						IMA_MODSIG_ALLOWED;
> -			else
> +			} else {
>  				result = -EINVAL;
> +			}

This appears to be assuming that the appraise_type option is given after
digest_type rather than befoore, as digest_type is what sets the
IMA_VERITY_REQUIRED flag.  Is this intentional?  Does the order of options
matter in IMA rules, and if so where are the ordering requirements documented?

Also, it looks like this is allowing appraise_type=imasig or
appraise_type=imasig|modsig in combination with digest_type=verity.  Is that
intentional?  What is the use case for these combinations?

>  /*
> - * signature format v2 - for using with asymmetric keys
> + * signature header format v2 - for using with asymmetric keys
> + *
> + * signature format:
> + * version 2: regular file data hash based signature
> + * version 3: struct ima_file_id data based signature
>   */
>  struct signature_v2_hdr {

Is this struct also used with version 3, despite having v2 in its name?
The comment is not clear.

- Eric