Received: by 2002:a5d:9c59:0:0:0:0:0 with SMTP id 25csp2601382iof; Wed, 8 Jun 2022 08:17:07 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyx312cyBDcIth4qJByX2GexDEfvKKz+mVLVTIiL0x28YW6j88a2lh086HeUAIi+7iLXeRO X-Received: by 2002:a05:6a00:213c:b0:51b:daec:a612 with SMTP id n28-20020a056a00213c00b0051bdaeca612mr29946850pfj.61.1654701427305; Wed, 08 Jun 2022 08:17:07 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1654701427; cv=none; d=google.com; s=arc-20160816; b=agEE6Zd11IwFxwZYCkeYi/sl2+7T/ukoPUr4M6fq+jsuFV8/z0WdzsgzNseWysRc6o dKwg36Tm90f0AjFTWr/IQeKdgtV1z5bXot6eWUKKrvO7rQBdHNi8iedacyiayS94h17J HWvtcoZLuwPqW+13gnobWdYfEL+5j8eq/Ie2eQUhpvt0g9QK4fjo5fVNhPEZZwVyL00n nJn8IDhp/EqCVdRigcc+5PeBt2ombfYz82SMIsq4f3oMLm02Q9G01vxj7+GNqP3okc00 +hhb9VL8XFaIweZJQLueXfySmJZoKXgVcU913ss7XYJWM8PUzP6jdVGnkcCtcyrZzc/m d0EA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:content-language :in-reply-to:mime-version:user-agent:date:message-id:from:references :cc:to:subject; bh=uDWBOekW4NfIGncOQ17pIai2CHZuMCini7heNn8w+M4=; b=ZuvDoaW2Kjj1J7Sda8TxQYpLk12Z+Oa60i7EzxvOfwQCLbi9rNeKxAyADxQubSMsoI j93U/ki0e0BNT2RdzxlMkI7VNCenz6DD4l8AlK26l68kFa7GYlMYdmibrH94JWd33jNl o7P1/GjJcv1P3Ek1CiohZz6+uSIgK4D1Mh6+zXQOwrADW823NAXHtFY0Y1IhLLSo6cPD 6Q4GqbZ3ag9ttHqhSxJTH+oaOGp0cvmWWno9257DttY0NjlwwaFD3eWmb29iqIqWpe62 bskPEg3fX3GTIVOm5SsPxAL33/Uz/kI8VouDdyPzdV9pIXRCGtuGqUI+Jl4Ocuykdabe FFJQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net. [2620:137:e000::1:18]) by mx.google.com with ESMTPS id c22-20020a170902849600b00163f3eaa7c7si6193254plo.1.2022.06.08.08.17.06 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 08 Jun 2022 08:17:07 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) client-ip=2620:137:e000::1:18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id ED29D1567A4; Wed, 8 Jun 2022 07:46:37 -0700 (PDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S241987AbiFHOot (ORCPT + 99 others); Wed, 8 Jun 2022 10:44:49 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:35016 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S241911AbiFHOoZ (ORCPT ); Wed, 8 Jun 2022 10:44:25 -0400 Received: from www62.your-server.de (www62.your-server.de [213.133.104.62]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 028F62AC6C; Wed, 8 Jun 2022 07:43:29 -0700 (PDT) Received: from sslproxy05.your-server.de ([78.46.172.2]) by www62.your-server.de with esmtpsa (TLSv1.3:TLS_AES_256_GCM_SHA384:256) (Exim 4.92.3) (envelope-from ) id 1nywtt-000AFv-88; Wed, 08 Jun 2022 16:43:13 +0200 Received: from [85.1.206.226] (helo=linux.home) by sslproxy05.your-server.de with esmtpsa (TLSv1.3:TLS_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1nywts-000K4B-W3; Wed, 08 Jun 2022 16:43:13 +0200 Subject: Re: [PATCH v2 1/3] bpf: Add bpf_verify_pkcs7_signature() helper To: Roberto Sassu , ast@kernel.org, andrii@kernel.org, kpsingh@kernel.org Cc: bpf@vger.kernel.org, netdev@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-kernel@vger.kernel.org, john.fastabend@gmail.com References: <20220608111221.373833-1-roberto.sassu@huawei.com> <20220608111221.373833-2-roberto.sassu@huawei.com> From: Daniel Borkmann Message-ID: <1456514b-ec2e-6a79-438a-33ad1ffc509d@iogearbox.net> Date: Wed, 8 Jun 2022 16:43:12 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.7.2 MIME-Version: 1.0 In-Reply-To: <20220608111221.373833-2-roberto.sassu@huawei.com> Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit X-Authenticated-Sender: daniel@iogearbox.net X-Virus-Scanned: Clear (ClamAV 0.103.6/26566/Wed Jun 8 10:05:45 2022) X-Spam-Status: No, score=-3.1 required=5.0 tests=BAYES_00, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,NICE_REPLY_A, RDNS_NONE,SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 6/8/22 1:12 PM, Roberto Sassu wrote: > Add the bpf_verify_pkcs7_signature() helper, to give the ability to eBPF > security modules to check the validity of a PKCS#7 signature against > supplied data. > > Use the 'keyring' parameter to select the keyring containing the > verification key: 0 for the primary keyring, 1 for the primary and > secondary keyrings, 2 for the platform keyring. > > Signed-off-by: Roberto Sassu > --- > include/uapi/linux/bpf.h | 8 ++++++++ > kernel/bpf/bpf_lsm.c | 32 ++++++++++++++++++++++++++++++++ > tools/include/uapi/linux/bpf.h | 8 ++++++++ > 3 files changed, 48 insertions(+) > > diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h > index f4009dbdf62d..40d0fc0d9493 100644 > --- a/include/uapi/linux/bpf.h > +++ b/include/uapi/linux/bpf.h > @@ -5249,6 +5249,13 @@ union bpf_attr { > * Pointer to the underlying dynptr data, NULL if the dynptr is > * read-only, if the dynptr is invalid, or if the offset and length > * is out of bounds. > + * > + * long bpf_verify_pkcs7_signature(u8 *data, u32 datalen, u8 *sig, u32 siglen, u64 keyring) > + * Description > + * Verify the PKCS#7 *sig* with length *siglen*, on *data* with > + * length *datalen*, with key in *keyring*. Could you also add a description for users about the keyring argument and guidance on when they should use which in their programs? Above is a bit too terse, imho. > + * Return > + * 0 on success, a negative value on error. > */ > #define __BPF_FUNC_MAPPER(FN) \ > FN(unspec), \ > @@ -5455,6 +5462,7 @@ union bpf_attr { > FN(dynptr_read), \ > FN(dynptr_write), \ > FN(dynptr_data), \ > + FN(verify_pkcs7_signature), \ > /* */ > > /* integer value in 'imm' field of BPF_CALL instruction selects which helper > diff --git a/kernel/bpf/bpf_lsm.c b/kernel/bpf/bpf_lsm.c > index c1351df9f7ee..1cda43cb541a 100644 > --- a/kernel/bpf/bpf_lsm.c > +++ b/kernel/bpf/bpf_lsm.c > @@ -16,6 +16,7 @@ > #include > #include > #include > +#include > > /* For every LSM hook that allows attachment of BPF programs, declare a nop > * function where a BPF program can be attached. > @@ -132,6 +133,35 @@ static const struct bpf_func_proto bpf_get_attach_cookie_proto = { > .arg1_type = ARG_PTR_TO_CTX, > }; > > +BPF_CALL_5(bpf_verify_pkcs7_signature, u8 *, data, u32, datalen, u8 *, sig, > + u32, siglen, u64, keyring) > +{ > + int ret = -EOPNOTSUPP; > + > +#ifdef CONFIG_SYSTEM_DATA_VERIFICATION > + if (keyring > (unsigned long)VERIFY_USE_PLATFORM_KEYRING) > + return -EINVAL; > + > + ret = verify_pkcs7_signature(data, datalen, sig, siglen, > + (struct key *)keyring, > + VERIFYING_UNSPECIFIED_SIGNATURE, NULL, > + NULL); > +#endif > + return ret; > +} Looks great! One small nit, I would move all of the BPF_CALL and _proto under the #ifdef CONFIG_SYSTEM_DATA_VERIFICATION ... > +static const struct bpf_func_proto bpf_verify_pkcs7_signature_proto = { > + .func = bpf_verify_pkcs7_signature, > + .gpl_only = false, > + .ret_type = RET_INTEGER, > + .arg1_type = ARG_PTR_TO_MEM, > + .arg2_type = ARG_CONST_SIZE_OR_ZERO, > + .arg3_type = ARG_PTR_TO_MEM, > + .arg4_type = ARG_CONST_SIZE_OR_ZERO, > + .arg5_type = ARG_ANYTHING, > + .allowed = bpf_ima_inode_hash_allowed, > +}; > + > static const struct bpf_func_proto * > bpf_lsm_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog) > { > @@ -158,6 +188,8 @@ bpf_lsm_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog) > return prog->aux->sleepable ? &bpf_ima_file_hash_proto : NULL; > case BPF_FUNC_get_attach_cookie: > return bpf_prog_has_trampoline(prog) ? &bpf_get_attach_cookie_proto : NULL; > + case BPF_FUNC_verify_pkcs7_signature: > + return prog->aux->sleepable ? &bpf_verify_pkcs7_signature_proto : NULL; ... same here: #ifdef CONFIG_SYSTEM_DATA_VERIFICATION case BPF_FUNC_verify_pkcs7_signature: return prog->aux->sleepable ? &bpf_verify_pkcs7_signature_proto : NULL; #endif So that bpftool or other feature probes can check for its availability. Otherwise, apps have a hard time checking whether bpf_verify_pkcs7_signature() helper is available for use or not. > default: > return tracing_prog_func_proto(func_id, prog); > } > diff --git a/tools/include/uapi/linux/bpf.h b/tools/include/uapi/linux/bpf.h > index f4009dbdf62d..40d0fc0d9493 100644 > --- a/tools/include/uapi/linux/bpf.h > +++ b/tools/include/uapi/linux/bpf.h > @@ -5249,6 +5249,13 @@ union bpf_attr { > * Pointer to the underlying dynptr data, NULL if the dynptr is > * read-only, if the dynptr is invalid, or if the offset and length > * is out of bounds. > + * > + * long bpf_verify_pkcs7_signature(u8 *data, u32 datalen, u8 *sig, u32 siglen, u64 keyring) > + * Description > + * Verify the PKCS#7 *sig* with length *siglen*, on *data* with > + * length *datalen*, with key in *keyring*. > + * Return > + * 0 on success, a negative value on error. > */ > #define __BPF_FUNC_MAPPER(FN) \ > FN(unspec), \ > @@ -5455,6 +5462,7 @@ union bpf_attr { > FN(dynptr_read), \ > FN(dynptr_write), \ > FN(dynptr_data), \ > + FN(verify_pkcs7_signature), \ > /* */ > > /* integer value in 'imm' field of BPF_CALL instruction selects which helper >