Received: by 2002:ac0:e34a:0:0:0:0:0 with SMTP id g10csp509437imn; Thu, 28 Jul 2022 07:26:57 -0700 (PDT) X-Google-Smtp-Source: AGRyM1uVMVMDb3hRHdeAjL1Afv8V9k/PV/gqOLHmn9GyoKWGkilzUvAqGEN6LuacdXf1PmcGaH31 X-Received: by 2002:a65:4cc7:0:b0:41a:4df2:4839 with SMTP id n7-20020a654cc7000000b0041a4df24839mr24124164pgt.37.1659018417599; Thu, 28 Jul 2022 07:26:57 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1659018417; cv=pass; d=google.com; s=arc-20160816; b=zTDQKKJeN4owxR2oi/16itTpzvkV1knvdRaQ4YSpTpEUfs5Tf3PXXTi4yjz+Dz3QmU 9FC5aeMKwyel9KQhoAfYcTv/euQDYtlJVjxEX9ymh5PRNOGBwvM9WsZker6AB3Mafmk0 utP3BXv65gHuUnxNVYxGA8rPSr0zXwDAZpE7kZ6JHABI8DXXZslTPKJFyNjnpL8FTmOu SN1nEFnJNYGXNBxDD+tqJtdbs2HBZ19lsFLsobhH6KggmLNQeFVypovKqOwPslBfw3Pl CrQN0hXKG9rNjyhwdTWe1bSUn6HvElv0ewI4cDfbrzOQ81dhsiCE1JJWQAJ8bLivf2oM /XlA== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:mime-version:content-id:content-language :accept-language:in-reply-to:references:message-id:date:thread-index :thread-topic:subject:cc:to:from:dkim-signature; bh=TUNw5zJBo+D+6S6jCo//5BOxwe3AcSs5i68gEHBonwk=; b=j7+Xjpvr0rI4Mn7y2OCCVBxO/4ubzBGaVzEI12CMbCUKwsEFwANNmcr6JRoQCqO2d4 Trzll8GKkgNnXGPUCAu8w9qsPDIoBIbrBphq+BbfL4JaWXcLyCz6kQ7LBMhvgz3jfvi2 r6BAVH0JjpRMXqPp2ulbVsLsH81N271mPIkOKjPoMfRUslovVHjCM6dTIbyRoImXAO1r HJhdqZwSfR71s8k78PyShfyzx2Hq0aTEEtg3mCiXI/JUQtNwOa/E8xhma3EZVO9yIvBG e2g5K6dzodbxbEO99nW3ovRwhJnmw8SaFveetfgVafMzJgXHZKUdAjTZMybaj035Iurx xH8g== ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@fb.com header.s=facebook header.b=kp374D4P; arc=pass (i=1 spf=pass spfdomain=fb.com dkim=pass dkdomain=fb.com dmarc=pass fromdomain=fb.com); spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=fb.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id m7-20020a1709026bc700b0016d0d114d30si1037680plt.360.2022.07.28.07.26.41; Thu, 28 Jul 2022 07:26:57 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@fb.com header.s=facebook header.b=kp374D4P; arc=pass (i=1 spf=pass spfdomain=fb.com dkim=pass dkdomain=fb.com dmarc=pass fromdomain=fb.com); spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=fb.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229969AbiG1OJL (ORCPT + 99 others); Thu, 28 Jul 2022 10:09:11 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:37944 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229632AbiG1OJJ (ORCPT ); Thu, 28 Jul 2022 10:09:09 -0400 Received: from mx0a-00082601.pphosted.com (mx0a-00082601.pphosted.com [67.231.145.42]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 15A10B4AD; Thu, 28 Jul 2022 07:09:07 -0700 (PDT) Received: from pps.filterd (m0044010.ppops.net [127.0.0.1]) by mx0a-00082601.pphosted.com (8.17.1.5/8.17.1.5) with ESMTP id 26SBfNSR026048; Thu, 28 Jul 2022 07:09:07 -0700 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fb.com; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : content-id : mime-version; s=facebook; bh=TUNw5zJBo+D+6S6jCo//5BOxwe3AcSs5i68gEHBonwk=; b=kp374D4Pvhyfa1pzd+gA7ryA4Uu6zrahHIzeyEq9wRpZ++k/ClVhWPDpCAA6maD0YarO 6zugnMxbdksxmq6LGAre5azuZomA38LIOWWbvQXQLC7vWw8tmxBQ9e3ddgdsRCBaWfKo +4LLM3FlwVLdGYMqPwcKZLeqhHP9rC30Un0= Received: from nam12-bn8-obe.outbound.protection.outlook.com (mail-bn8nam12lp2176.outbound.protection.outlook.com [104.47.55.176]) by mx0a-00082601.pphosted.com (PPS) with ESMTPS id 3hkst10u9j-2 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Thu, 28 Jul 2022 07:09:07 -0700 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=oAdpoif116G927S6ossoMq0c9c1ko6KjocHhUMMnTkUyxvz4bgWOTCqv0GxHTRtW3aE8CNDMChD+PkUby7aCAKqD0qavk/Zs9gpbmv/0XI7tw7wvG6uW+Bmj34trKA/R9OxAh5xZ62ciTAnBUGjyUxBOeLF502nezeJsdc0wwp00CyZI0YZFDTBtuVHYU+sw4z7asjFvdZk9ZvdZwcqW+HPV6Ht0OVUfgGAwYGYUd40+8WDJEQTdGFZ1FkgnyOAgkPwd1t4jNOvHHznKNB/xFsWrcJkHcquAxYouADdaKw9VvVnCj8iSmAH6mI17rCs8R9CzTjb9BspZSVdEeUn3ug== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=TUNw5zJBo+D+6S6jCo//5BOxwe3AcSs5i68gEHBonwk=; b=JUDfo/X0JNqrtmGZ5Zv1acVZNYBoT0SZGwYIzUEXQZ0hLMh+KMDk+hujI6/IBEohu6unBiOfH+MwPdHfWaJr560I2L7JZHkAA2L5hXFhaqnV9dIxONp9ePi9j7XADonKe3H11Jnh1YTu03wjS5qXE+NT1IBgI390JyHx7O3CtOgoAkTyRjU8p3SLFzF01Umk6HO/LnXLFKdz1MPJfD9mJlzm8yqJ8RbpYF3oxTP+k1qcpIqFMSZ19qpe5+RlMSiBbHadbDcorBeBokJPZYSibHRcYJ1Cr9yNARpo8GDYuZfjfsSauRtRZAkQ6pOcl2n3AjUQvNlHA2iahZ+gdSSQqA== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=fb.com; dmarc=pass action=none header.from=fb.com; dkim=pass header.d=fb.com; arc=none Received: from SJ0PR15MB4552.namprd15.prod.outlook.com (2603:10b6:a03:379::12) by MN2PR15MB4256.namprd15.prod.outlook.com (2603:10b6:208:fe::25) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5458.25; Thu, 28 Jul 2022 14:08:53 +0000 Received: from SJ0PR15MB4552.namprd15.prod.outlook.com ([fe80::81f9:c21c:c5bf:e174]) by SJ0PR15MB4552.namprd15.prod.outlook.com ([fe80::81f9:c21c:c5bf:e174%8]) with mapi id 15.20.5458.025; Thu, 28 Jul 2022 14:08:53 +0000 From: Jonathan McDowell To: "linux-kernel@vger.kernel.org" , "linux-fsdevel@vger.kernel.org" , "linux-integrity@vger.kernel.org" , "linux-security-module@vger.kernel.org" CC: Alexander Viro , Mimi Zohar , Dmitry Kasatkin , James Morris , "Serge E. Hallyn" , Matthew Garrett , Dmitrii Potoskuev Subject: [RFC PATCH v2 0/7] ima: Support measurement of kexec initramfs components Thread-Topic: [RFC PATCH v2 0/7] ima: Support measurement of kexec initramfs components Thread-Index: AQHYoouRiq7n37hqNE+boJLrxD1VXA== Date: Thu, 28 Jul 2022 14:08:53 +0000 Message-ID: References: In-Reply-To: Accept-Language: en-GB, en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-ms-publictraffictype: Email x-ms-office365-filtering-correlation-id: 82f52c7f-b3fb-4683-e8af-08da70a2b3ed x-ms-traffictypediagnostic: MN2PR15MB4256:EE_ x-fb-source: Internal x-ms-exchange-senderadcheck: 1 x-ms-exchange-antispam-relay: 0 x-microsoft-antispam: BCL:0; x-microsoft-antispam-message-info: f4UC9fky+tmQZ4KhEtHN9d0leTzBCm2LQmbHjgLjySfepccnjjxmNN/FRpQ0qtJPl25jg2OSlJpEs5EXMxXazugb8iUfndf4GfG49ZhaEj21ObSqOb/J6GkXVWrdxymqIXQvbVuTgb91GyTLS3W52RT+u+IYL7A6xXtecfWDOb5L6tvV4FimJmQJlJJ2JNighQzJTO0kWyAYU1iDRglBHaew3o+No7a7MT1VGalMRnIEKQm72neDZ2bPi+hHZHBxZNAOBOoqCR95B+vWUi7tDAjPswLiTCBAAlNVSJDCg/mYtziUZ4sMRkno+TMnNJC7sAQOeshexcFEJXbCO6ZPuHH10ymwNXjoRFCznfLRUX6jdpUBw/fIqS134CwZy6SOyzvHFNKMp3osqZetSLbk4JNtLcEsrrtSOKyQlRatRK4YmG7gjMjiYlrAfEhzn56Ho/YQ2NJVT/zBkxYg6i40VAtdgJ8KoKW+OCCP3SWzGBPviBB/2AGbc7nNOqrV9tAIzpR/63b99hWb+tQo7FRipEFgoowIqBtCpWQXQMHcau4sNnvsOKDjtPc4RbIf/4yhZ441qCTwG/PgjP4nbH0VG3fcNTJIVVFInt//Bjj4NeSUyIr4k/4wB/HuTPHsvTLHmlGPGIXV+uuXSOYUpPGMXANT2kgs7RxC0ABWA2rFgF6/Jogh2rkn/nukE/1wFln/RePEVNnOx9dLoW1YkCcWRCkc1sAWNUuZyrahKK7wGnIXZe2JSvfMeROTwAUYe+IhlzIBFRhZUvitKpDAQ4AEmzJ+t1tx0NaEjS7ayW7MzqU= x-forefront-antispam-report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:SJ0PR15MB4552.namprd15.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230016)(4636009)(346002)(376002)(366004)(136003)(39860400002)(396003)(7416002)(2616005)(2906002)(478600001)(122000001)(41300700001)(6506007)(86362001)(316002)(36756003)(186003)(5660300002)(38070700005)(38100700002)(66476007)(4326008)(83380400001)(6486002)(6512007)(91956017)(110136005)(54906003)(26005)(71200400001)(76116006)(66946007)(8676002)(8936002)(64756008)(66556008)(66446008);DIR:OUT;SFP:1102; x-ms-exchange-antispam-messagedata-chunkcount: 1 x-ms-exchange-antispam-messagedata-0: =?us-ascii?Q?sIJAcPQbD7VBcVaJ9hMKFJhvdpD/aqdB8zAvrJK0u/N8xySZ2dd2RjtfOz23?= =?us-ascii?Q?6cDRY+ezoosEADUFyB/8I+klZuks1/xXz+ICy/LhZK+WXV5WlefrVnhWZCqm?= =?us-ascii?Q?PEVsgbflzpyWLaKUh3AAYafLOSTqaRLF2XTsryasmnfzBrFUXr9jO2t1DSvr?= =?us-ascii?Q?xUr67alXSXj3seLHdmKazQBgKVh4SRjFqy+pvfpiPeNsRcXXNXV2ci6yo0wZ?= =?us-ascii?Q?OvdulSYYy/7FKGQ6PV5M7l571sap+ById9hgGSbS8ck8q0GJdFXgcU1ASYUL?= =?us-ascii?Q?s3nDbiCdRRaIjELrw4RyhZizf73uxJUCP1YFGKbRIMeld4a8/XWwWb1tvSmA?= =?us-ascii?Q?YOvme4GR4czwZCen/WXLJuDjhDJuqCHYqFkFaWwyNeopMtTtB1sM6FK1Ndw+?= =?us-ascii?Q?9xA7fE6rtoEvJG/s7ZD/WNhjgrLc+bwzgVxck5RHnHDhXyVG0Hb+cu886eQV?= =?us-ascii?Q?2HIi+5eqlOpDdDXYamWS42OfgS3VDmFe8tqZi3zOSPmmDw9DRS4tWiXcsNkm?= =?us-ascii?Q?S6j6Dfcr64Y7iugVBacmBOg5PmCGlyFlWGeuDFK3hJjT5bFMXpSHTUnbAKGP?= =?us-ascii?Q?95QwT+3Ndm/ewrrlHlRcHpAaiK30byOGH6AsYhSMAd9SvJQc1EWPZX3oxyzU?= =?us-ascii?Q?7nqnJy565Zn8m09kB+nfrx8BAFo+WyPP41YWN1ey78sKlWakQENFY/NmbgEn?= =?us-ascii?Q?2Tw8W3bHeLl5sSV0W+2Qn9v8vR0a9NJSknuazdeaknB5USziDA620YQLD/xR?= =?us-ascii?Q?OEWT5AQ4jNPmMiPAIUwa0b3blfWmvEULBBW+GHSI5lBr+hwllJcS+88+ui8F?= =?us-ascii?Q?Tsn9kAySyJtuQgYhdbC86y3lk423oavabeqxq0lKsCJRMddVwc82UIXsL0fT?= =?us-ascii?Q?Ov9p+R2ccZehcvM5tmvu8BKfyEdI2alvC87Mp+RitVBaq2UOPqh4sgTpW+cA?= =?us-ascii?Q?XS7eyoMTR2JmQC9LL0xHVWHKpPXYpGpdG00QpyZ4tQUIlbvaFJlgB+WRFIo/?= =?us-ascii?Q?Ob66fnuGLms68q3ME22uXQnmbrgMnlioF89YtFQBUyhpZf/IgmTapjdGpBzg?= =?us-ascii?Q?rwrRIEtSbgEAEYSn4xc3BUWvum1R8w4wSMXtHjixyNVTFGoThD84HyFZ0pWr?= =?us-ascii?Q?7IzgxzI9oddX6zGqIh/RhI9dHq+5LXWiGcXVU2SzJE3hx0v/rkYxyAzjWjCe?= =?us-ascii?Q?gJVdrOfT9sw5qvOXZMpjNrYd4C3ntAHpb+Ou+8FHPhKLzacf5GTPaSkMQB9x?= =?us-ascii?Q?wYUsdzsS5QbUPUmmcWMTw8DOOZsXTPJGZpH66ioteY048GxHXvY7kWiGCSmg?= =?us-ascii?Q?cbKAF+MtR3F3BQqPITQapegydSL9RS6C+HdPpvOKqnNSOYrBUZybAz39ylei?= =?us-ascii?Q?lDiEEU5kZG3qdRW5mNgxC4Wxdh0V4ZF+i3AG/b7770Pm0nNyjBNnGSq3mKHd?= =?us-ascii?Q?6PmC+YNSRewpM49nYXIysc8NmIVZHHWniupPn4oHX/UA6+DaQPXolmzdSwh/?= =?us-ascii?Q?6uJ7Yuqs57fVRUcgyqaaPSyrJloM7rNWTo3zEnSsNIoxJPU7oPBHbZsI3J3H?= =?us-ascii?Q?9P+Nebisd0kiziy+LkMBWIEuAJLk3QSGMnH9RXUq?= Content-Type: text/plain; charset="us-ascii" Content-ID: MIME-Version: 1.0 X-OriginatorOrg: fb.com X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-AuthSource: SJ0PR15MB4552.namprd15.prod.outlook.com X-MS-Exchange-CrossTenant-Network-Message-Id: 82f52c7f-b3fb-4683-e8af-08da70a2b3ed X-MS-Exchange-CrossTenant-originalarrivaltime: 28 Jul 2022 14:08:53.1603 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Hosted X-MS-Exchange-CrossTenant-id: 8ae927fe-1255-47a7-a2af-5f3a069daaa2 X-MS-Exchange-CrossTenant-mailboxtype: HOSTED X-MS-Exchange-CrossTenant-userprincipalname: ouEdU8IIEw+XmQrz6ZbktwzlmBUykkCEicXu1JneIMCQwQrBkMnVCf+2bCXyZxHI X-MS-Exchange-Transport-CrossTenantHeadersStamped: MN2PR15MB4256 X-Proofpoint-GUID: z8w3XXy1vMl9fWHlSjhZwvZdhhVNl7J1 X-Proofpoint-ORIG-GUID: z8w3XXy1vMl9fWHlSjhZwvZdhhVNl7J1 X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.205,Aquarius:18.0.883,Hydra:6.0.517,FMLib:17.11.122.1 definitions=2022-07-28_05,2022-07-28_02,2022-06-22_01 X-Spam-Status: No, score=-2.6 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE, RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,SPF_HELO_NONE,SPF_NONE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org This patchset is not yet complete, but it's already moving around a bunch of stuff so I am sending it out to get either some agreement that it's a vaguely sane approach, or some pointers about how I should be doing this instead. I've not had a lot of feedback from v1 but the kernel test robot threw up a couple of compile failures and a boot failure so this is a revised patch set with those fixed. It aims to add an option to IMA to measure the individual components that make up an initramfs that is being used for kexec, rather than the entire initramfs blob. For example in the situation where the initramfs blob contains some uncompressed early firmware and then a compressed filesystem there will be 2 measurements folded into the TPM, and logged into the IMA log. Why is this useful? Consider the situation where images have been split out to a set of firmware, an initial userspace image that does the usual piece of finding the right root device and switching into it, and an image that contains the necessary kernel modules. For a given machine the firmware + userspace images are unlikely to change often, while the kernel modules change with each upgrade. If we measure the concatenated image as a single blob then it is necessary to calculate all the permutations of images that result, which means building and hashing the combinations. By measuring each piece individually a hash can be calculated for each component up front allowing for easier analysis of whether the running state is an expected one. The KEXEC_FILE_LOAD syscall only allows a single initramfs image to be passed in; one option would be to add a new syscall that supports multiple initramfs fds and read each in kimage_file_prepare_segments(). Instead I've taken a more complicated approach that doesn't involve a new syscall or altering the kexec userspace, building on top of the way the boot process parses the initramfs and using that same technique within the IMA measurement for the READING_KEXEC_INITRAMFS path. To that end I've pulled the cpio handling code out of init/initramfs.c and into lib/ and made it usable outside of __init when required. That's involved having to pull some of the init_syscall file handling routines into the cpio code (and cleaning them up when the cpio code is the only user). I think there's the potential for a bit more code clean up here, but I've tried to keep it limited to providing the functionality I need and making checkpatch happy for the moment. Patch 1 pulls the code out to lib/ and moves the global static variables that hold the state into a single context structure. Patch 2 does some minimal error path improvements so we're not just passing a string around to indicate there's been an error. Patch 3 is where I pull the file handling routines into the cpio code. It didn't seem worth moving this to somewhere other code could continue to use them when only the cpio code was doing so, but it did involve a few extra exported functions from fs/ Patch 4 actually allows the use of the cpio code outside of __init when CONFIG_CPIO is selected. Patch 5 is a hack so I can use the generic decompress + gzip outside of __init. If this overall approach is acceptable then I'll do some work to make this generically available in the same manner as the cpio code before actually submitting for inclusion. Patch 6 is the actual piece I'm interested in; doing individual measurements for each component within IMA. v2: Fix printf format string in populate_initrd_image (kernel test robot, i386 build) Include in cpio.h (kernel test robot, uml build) Fix EEXIST checking for device nodes (kernel test robot, boot attempt) Jonathan McDowell (7): initramfs: Move cpio handling routines into lib/ lib/cpio: Improve error handling lib/cpio: use non __init filesystem related functions lib/cpio: Allow use outside of initramfs creation lib/cpio: Add a parse-only option that doesn't extract any files HACK: Allow the use of generic decompress with gzip outside __init ima: Support measurement of kexec initramfs components fs/init.c | 101 ----- fs/internal.h | 4 - include/linux/cpio.h | 92 +++++ include/linux/fs.h | 4 + include/linux/init_syscalls.h | 6 - init/initramfs.c | 524 +++---------------------- lib/Kconfig | 3 + lib/Makefile | 2 +- lib/cpio.c | 609 ++++++++++++++++++++++++++++++ lib/decompress.c | 4 +- lib/decompress_inflate.c | 4 + security/integrity/ima/Kconfig | 16 + security/integrity/ima/ima_main.c | 191 +++++++++- 13 files changed, 965 insertions(+), 595 deletions(-) create mode 100644 include/linux/cpio.h create mode 100644 lib/cpio.c -- 2.30.2