From: Roberto Sassu
Subject: [PATCH v3 0/2] bpf: Add bpf_verify_signature() helper
Date: Fri, 10 Jun 2022 15:59:14 +0200
Message-ID: <20220610135916.1285509-1-roberto.sassu@huawei.com>
X-Mailing-List: linux-kernel@vger.kernel.org

One of the desirable features in security is the ability to restrict import
of data to a given system based on data authenticity. If data import can be
restricted, it would be possible to enforce a system-wide policy based on
the signing keys the system owner trusts.

This feature is widely used in the kernel. For example, if the restriction
is enabled, kernel modules can be plugged in only if they are signed with a
key whose public part is in the primary or secondary keyring.

For eBPF, it can be useful as well. For example, it might be useful to
authenticate data an eBPF program makes security decisions on.

After a discussion in the eBPF mailing list, it was decided that the stated
goal should be accomplished by introducing a new helper:
bpf_verify_signature(). Its job is simply to call the signature
verification function corresponding to the passed signature type, with the
keyring selected through the passed keyring identifier.

Since verify_pkcs7_signature() is doing crypto operations, it must be
called by a sleepable program. This restricts the set of functions that can
call the associated helper (for example, lsm.s/bpf is suitable,
fexit/array_map_update_elem is not).

The added test checks the ability of an eBPF program to verify module-style
appended signatures, as produced by the kernel tool sign-file, currently
used to sign kernel modules.

The patch set is organized as follows.

Patch 1 introduces the new helper. Patch 2 adds the test for the new
helper.

Changelog

v1:
 - Don't define new map flag but introduce simple wrapper of
   verify_pkcs7_signature() (suggested by Alexei and KP)

v2:
 - Rename bpf_verify_pkcs7_signature() to a more generic
   bpf_verify_signature() and pass the signature type (suggested by KP)
 - Move the helper and prototype declaration under #ifdef so that user
   space can probe for support for the helper (suggested by Daniel)
 - Describe better the keyring types (suggested by Daniel)
 - Include linux/bpf.h instead of vmlinux.h to avoid implicit or
   redeclaration
 - Make the test self-contained (suggested by Alexei)

Roberto Sassu (2):
  bpf: Add bpf_verify_signature() helper
  selftests/bpf: Add test for bpf_verify_signature() helper

 include/uapi/linux/bpf.h                      |  17 ++
 kernel/bpf/bpf_lsm.c                          |  46 ++++
 tools/include/uapi/linux/bpf.h                |  17 ++
 tools/testing/selftests/bpf/Makefile          |  11 +-
 tools/testing/selftests/bpf/config            |   1 +
 .../selftests/bpf/prog_tests/verify_sig.c     | 200 ++++++++++++++++++
 .../selftests/bpf/progs/test_verify_sig.c     | 160 ++++++++++++++
 .../testing/selftests/bpf/verify_sig_setup.sh | 100 +++++++++
 8 files changed, 549 insertions(+), 3 deletions(-)
 create mode 100644 tools/testing/selftests/bpf/prog_tests/verify_sig.c
 create mode 100644 tools/testing/selftests/bpf/progs/test_verify_sig.c
 create mode 100755 tools/testing/selftests/bpf/verify_sig_setup.sh

-- 
2.25.1
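
The module-style appended signature that the cover letter's test verifies, shown as an added example that is not part of the posting or of the patch set: a C routine that splits sign-file output into the signed data and the PKCS#7 blob, rejecting malformed trailers before anything reaches a verifier. The marker string and trailer layout mirror the kernel's struct module_signature; split_appended_sig(), split_constructed() and the sample bytes are assumptions of this example.

```c
#include <stdint.h>
#include <string.h>

#define MODULE_SIG_STRING "~Module signature appended~\n"
#define MAGIC_LEN (sizeof(MODULE_SIG_STRING) - 1)
#define PKEY_ID_PKCS7 2

/* Trailer layout, mirroring the kernel's struct module_signature (12 bytes). */
struct module_signature {
    uint8_t algo, hash, id_type, signer_len, key_id_len, pad[3];
    uint8_t sig_len[4];               /* big-endian length of the PKCS#7 blob */
};

/* Returns the length of the signed data and sets *sig_len, or -1 if malformed. */
long split_appended_sig(const uint8_t *buf, size_t len, size_t *sig_len)
{
    struct module_signature ms;
    if (len < MAGIC_LEN + sizeof(ms) ||
        memcmp(buf + len - MAGIC_LEN, MODULE_SIG_STRING, MAGIC_LEN) != 0)
        return -1;                    /* marker absent: nothing was appended */
    len -= MAGIC_LEN + sizeof(ms);
    memcpy(&ms, buf + len, sizeof(ms));
    if (ms.id_type != PKEY_ID_PKCS7 || ms.algo || ms.hash || ms.signer_len ||
        ms.key_id_len || ms.pad[0] || ms.pad[1] || ms.pad[2])
        return -1;                    /* only id_type and sig_len may be non-zero */
    *sig_len = (size_t)ms.sig_len[0] << 24 | (size_t)ms.sig_len[1] << 16 |
               (size_t)ms.sig_len[2] << 8 | ms.sig_len[3];
    if (*sig_len == 0 || *sig_len >= len)
        return -1;                    /* claimed length must leave room for data */
    return (long)(len - *sig_len);    /* the signature starts at this offset */
}

/* Constructed sample: data, sig_bytes placeholder bytes, trailer claiming `claimed`. */
long split_constructed(const char *data, size_t sig_bytes, uint32_t claimed)
{
    static uint8_t buf[256];
    struct module_signature ms = { .id_type = PKEY_ID_PKCS7 };
    size_t n = strlen(data), sig_len;
    if (n + sig_bytes + sizeof(ms) + MAGIC_LEN > sizeof(buf)) return -1;
    memcpy(buf, data, n);
    memset(buf + n, 0xAA, sig_bytes); /* placeholder, not a real PKCS#7 blob */
    n += sig_bytes;
    for (int i = 0; i < 4; i++) ms.sig_len[i] = (uint8_t)(claimed >> (24 - 8 * i));
    memcpy(buf + n, &ms, sizeof(ms));
    memcpy(buf + n + sizeof(ms), MODULE_SIG_STRING, MAGIC_LEN);
    return split_appended_sig(buf, n + sizeof(ms) + MAGIC_LEN, &sig_len);
}

int main(void) { return split_constructed("policy-data", 16, 16) == 11 ? 0 : 1; }
```

The trailer itself is unauthenticated, so the length field is attacker-controlled input and has to be bounds-checked before it is used as an offset; only the PKCS#7 verification that follows says anything about the data.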