From: Matthias Kaehlcke
To: Kees Cook, James Morris, "Serge E. Hallyn"
Cc: Douglas Anderson, linux-kernel@vger.kernel.org, Sarthak Kukreti, linux-security-module@vger.kernel.org, Matthias Kaehlcke, Paul Moore
Subject: [PATCH] LoadPin: Require file with verity root digests to have a header
Date: Tue, 6 Sep 2022 18:18:12 -0700
Message-Id: <20220906181725.1.I3f51d1bb0014e5a5951be4ad3c5ad7c7ca1dfc32@changeid>

LoadPin expects the file with trusted verity root digests to be an ASCII file with one digest (hex value) per line. A pinned root could contain files that meet these format requirements, even though the hex values don't represent trusted root digests.

Add a new requirement to the file format which consists in the first line containing a fixed string. This prevents attackers from feeding files with an otherwise valid format to LoadPin.

Suggested-by: Sarthak Kukreti
Signed-off-by: Matthias Kaehlcke
---
It could be argued that this change breaks existing users of the LoadPin verity feature. The risk of this actually happening seems very low given that the feature only landed in v6.0, which hasn't been released yet.

 security/loadpin/Kconfig   |  7 ++++++-
 security/loadpin/loadpin.c | 16 +++++++++++++++-
 2 files changed, 21 insertions(+), 2 deletions(-)

diff --git a/security/loadpin/Kconfig b/security/loadpin/Kconfig
index 994c1d9376e6..6724eaba3d36 100644
--- a/security/loadpin/Kconfig
+++ b/security/loadpin/Kconfig
@@ -33,4 +33,9 @@ config SECURITY_LOADPIN_VERITY on the LoadPin securityfs entry 'dm-verity'. The ioctl expects a file descriptor of a file with verity digests as parameter. The file must be located on the pinned root and - contain one digest per line. + start with the line: + + # LOADPIN_TRUSTED_VERITY_ROOT_DIGESTS + + This is followed by the verity digests, with one digest per + line. diff --git a/security/loadpin/loadpin.c b/security/loadpin/loadpin.c index 44521582dcba..de41621f4998 100644 --- a/security/loadpin/loadpin.c +++ b/security/loadpin/loadpin.c @@ -21,6 +21,8 @@ #include #include +#define VERITY_DIGEST_FILE_HEADER "# LOADPIN_TRUSTED_VERITY_ROOT_DIGESTS" + static void report_load(const char *origin, struct file *file, char *operation) { char *cmdline, *pathname; @@ -292,9 +294,21 @@ static int read_trusted_verity_root_digests(unsigned int fd) p = strim(data); while ((d = strsep(&p, "\n")) != NULL) { - int len = strlen(d); + int len; struct dm_verity_loadpin_trusted_root_digest *trd; + if (d == data) { + /* first line, validate header */ + if (strcmp(d, VERITY_DIGEST_FILE_HEADER)) { + rc = -EPROTO; + goto err; + } + + continue; + } + + len = strlen(d); + if (len % 2) { rc = -EPROTO; goto err; -- 2.37.2.789.g6183377224-goog
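Review bot: the Kconfig help text should say that the header must be the very first line and must match exactly, since the code compares it with strcmp() and only ever looks at the first line; anything before the header (a comment, a blank line) makes the file unusable. Wording such as `The first line of the file must be exactly:` followed by the literal would set that expectation for whoever generates these files.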
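Review bot: the header literal now lives in two places, this VERITY_DIGEST_FILE_HEADER define and the SECURITY_LOADPIN_VERITY help text, with nothing tying them together; a one-line comment on the define such as `/* keep in sync with the SECURITY_LOADPIN_VERITY help text */` would stop the two from drifting apart when the string is next changed.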
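Review bot: in read_trusted_verity_root_digests() the first-line test `if (d == data)` is coupled to strim() handing back `data` itself; `p = strim(data)` returns a pointer past any leading whitespace or blank lines, so for such a file `d == data` is never true, the header check is skipped entirely and the header line falls through to the digest checks, where it is rejected only incidentally (the 37-character header has odd length). Track the first line explicitly instead, e.g. `bool first = true;` before the loop and `if (first) { first = false; ... }`, or compare `d` against the value of `p` saved right after strim(). Separately, a missing or wrong header returns the same -EPROTO as a malformed digest; a pr_err() naming the expected header would make a misconfigured file much easier to diagnose from the log.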
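As an added example, not part of this patch or the kernel: a userspace pre-check in C for a digest file in the format the commit message describes (the exact header on the first line, then one even-length hex digest per line), useful for validating a file before it is handed to the securityfs ioctl. The header literal is the one from the patch; rejecting blank lines is this checker's own choice, stricter than the kernel's strim()-based parser.

```c
#include <ctype.h>
#include <stdbool.h>
#include <string.h>

/* Header literal taken from the patch. */
#define VERITY_DIGEST_FILE_HEADER "# LOADPIN_TRUSTED_VERITY_ROOT_DIGESTS"

/*
 * Validate a NUL-terminated digest file buffer. The first line must equal
 * the header exactly (no leading whitespace, nothing trailing); every later
 * line must be an even-length run of hex digits. Blank lines are rejected
 * here, stricter than the kernel path (this example's choice). Returns the
 * number of digests accepted, or -1 on any violation.
 */
int validate_verity_digest_file(const char *buf)
{
    const char *line = buf;
    bool first = true;
    int count = 0;

    while (*line != '\0') {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);

        if (first) {
            if (len != strlen(VERITY_DIGEST_FILE_HEADER) ||
                memcmp(line, VERITY_DIGEST_FILE_HEADER, len) != 0)
                return -1;
            first = false;
        } else {
            if (len == 0 || len % 2)
                return -1;
            for (size_t i = 0; i < len; i++)
                if (!isxdigit((unsigned char)line[i]))
                    return -1;
            count++;
        }
        if (!nl)
            break;
        line = nl + 1;
    }
    return first ? -1 : count; /* empty buffer: no header line at all */
}

/* Constructed sample inputs for demonstration; not real trusted digests. */
static const char good_file[] =
    "# LOADPIN_TRUSTED_VERITY_ROOT_DIGESTS\n"
    "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef\n";
static const char no_header[] = "0123456789abcdef\n";
static const char leading_blank[] = "\n# LOADPIN_TRUSTED_VERITY_ROOT_DIGESTS\n0011\n";
```

`validate_verity_digest_file(good_file)` accepts one digest, while `no_header` and `leading_blank` are rejected because the header is not the literal first line.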