References: <20220905143318.1592015-1-roberto.sassu@huaweicloud.com> <20220905143318.1592015-8-roberto.sassu@huaweicloud.com>
In-Reply-To: <20220905143318.1592015-8-roberto.sassu@huaweicloud.com>
From: Kumar Kartikeya Dwivedi
Date: Tue, 6 Sep 2022 04:57:41 +0200
Subject: Re: [PATCH v16 07/12] bpf: Add bpf_verify_pkcs7_signature() kfunc
To: Roberto Sassu, joannelkoong@gmail.com
Cc: ast@kernel.org, daniel@iogearbox.net, andrii@kernel.org, martin.lau@linux.dev, song@kernel.org, yhs@fb.com, john.fastabend@gmail.com, kpsingh@kernel.org, sdf@google.com, haoluo@google.com, jolsa@kernel.org, mykolal@fb.com, dhowells@redhat.com, jarkko@kernel.org, rostedt@goodmis.org, mingo@redhat.com, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, shuah@kernel.org, bpf@vger.kernel.org, keyrings@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-kernel@vger.kernel.org, deso@posteo.net, Roberto Sassu
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, 5 Sept 2022 at 16:35, Roberto Sassu wrote:
>
> From: Roberto Sassu
>
> Add the bpf_verify_pkcs7_signature() kfunc, to give eBPF security modules
> the ability to check the validity of a signature against supplied data, by
> using user-provided or system-provided keys as trust anchor.
>
> The new kfunc makes it possible to enforce mandatory policies, as eBPF
> programs might be allowed to make security decisions only based on data
> sources the system administrator approves.
>
> The caller should provide the data to be verified and the signature as eBPF
> dynamic pointers (to minimize the number of parameters) and a bpf_key
> structure containing a reference to the keyring with keys trusted for
> signature verification, obtained from bpf_lookup_user_key() or
> bpf_lookup_system_key().
>
> For bpf_key structures obtained from the former lookup function,
> bpf_verify_pkcs7_signature() completes the permission check deferred by
> that function by calling key_validate(). key_task_permission() is already
> called by the PKCS#7 code.
>
> Signed-off-by: Roberto Sassu
> Acked-by: KP Singh
> ---
>  kernel/trace/bpf_trace.c | 45 ++++++++++++++++++++++++++++++++++++++++
>  1 file changed, 45 insertions(+)
>
> diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c
> index 7a7023704ac2..8e2c026b0a58 100644
> --- a/kernel/trace/bpf_trace.c
> +++ b/kernel/trace/bpf_trace.c
> @@ -1294,12 +1294,57 @@ void bpf_key_put(struct bpf_key *bkey) > kfree(bkey); > } > > +#ifdef CONFIG_SYSTEM_DATA_VERIFICATION > +/** > + * bpf_verify_pkcs7_signature - verify a PKCS#7 signature > + * @data_ptr: data to verify > + * @sig_ptr: signature of the data > + * @trusted_keyring: keyring with keys trusted for signature verification > + * > + * Verify the PKCS#7 signature *sig_ptr* against the supplied *data_ptr* > + * with keys in a keyring referenced by *trusted_keyring*. > + * > + * Return: 0 on success, a negative value on error. > + */ > +int bpf_verify_pkcs7_signature(struct bpf_dynptr_kern *data_ptr, > + struct bpf_dynptr_kern *sig_ptr, > + struct bpf_key *trusted_keyring) > +{ > + int ret; > + > + if (trusted_keyring->has_ref) { > + /* > + * Do the permission check deferred in bpf_lookup_user_key(). > + * See bpf_lookup_user_key() for more details. > + * > + * A call to key_task_permission() here would be redundant, as > + * it is already done by keyring_search() called by > + * find_asymmetric_key(). > + */ > + ret = key_validate(trusted_keyring->key); > + if (ret < 0) > + return ret; > + } > + > + return verify_pkcs7_signature(data_ptr->data, > + bpf_dynptr_get_size(data_ptr), > + sig_ptr->data, > + bpf_dynptr_get_size(sig_ptr), Missing check for data_ptr->data == NULL before making this call? Same for sig_ptr. > + trusted_keyring->key, > + VERIFYING_UNSPECIFIED_SIGNATURE, NULL, > + NULL); > +} > +#endif /* CONFIG_SYSTEM_DATA_VERIFICATION */ > + > __diag_pop(); > > BTF_SET8_START(key_sig_kfunc_set) > BTF_ID_FLAGS(func, bpf_lookup_user_key, KF_ACQUIRE | KF_RET_NULL | KF_SLEEPABLE) > BTF_ID_FLAGS(func, bpf_lookup_system_key, KF_ACQUIRE | KF_RET_NULL) > BTF_ID_FLAGS(func, bpf_key_put, KF_RELEASE) > +#ifdef CONFIG_SYSTEM_DATA_VERIFICATION > +BTF_ID_FLAGS(func, bpf_verify_pkcs7_signature, KF_SLEEPABLE) > +#endif > BTF_SET8_END(key_sig_kfunc_set) > > static const struct btf_kfunc_id_set bpf_key_sig_kfunc_set = { > -- > 2.25.1 >
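Review bot: the verify_pkcs7_signature() call in this hunk hands data_ptr->data and sig_ptr->data to the PKCS#7 parser with no NULL check, which is the inline question above; if a dynptr can reach the kfunc with a NULL data pointer, the parser receives NULL together with whatever length bpf_dynptr_get_size() reports, so the kfunc should reject that case itself, for example with `if (!data_ptr->data || !sig_ptr->data) return -EINVAL;` ahead of the call, instead of depending on the callee tolerating it. Two smaller points: the key_validate() call only runs when trusted_keyring->has_ref is set, so keys from bpf_lookup_system_key() get no validation step at all here, and the kernel-doc comment should say so rather than leaving the reader to infer it from the commit message; and KF_SLEEPABLE on the BTF_ID_FLAGS line restricts the kfunc to sleepable programs, so a selftest confirming that the verifier rejects a call from a non-sleepable program would document that constraint.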