From: Sarthak Kukreti
Date: Wed, 7 Sep 2022 13:45:24 -0700
Subject: Re: [PATCH] dm: verity-loadpin: Only trust verity targets with enforcement
To: Matthias Kaehlcke
Cc: Alasdair Kergon, Mike Snitzer, Kees Cook, linux-security-module@vger.kernel.org, dm-devel@redhat.com, Douglas Anderson, linux-kernel@vger.kernel.org

Reviewed-by: Sarthak Kukreti

On Wed, Sep 7, 2022 at 1:31 PM Matthias Kaehlcke wrote:
>
> Verity targets can be configured to ignore corrupted data blocks.
> LoadPin must only trust verity targets that are configured to
> perform some kind of enforcement when data corruption is detected,
> like returning an error, restarting the system or triggering a
> panic.
>
> Fixes: b6c1c5745ccc ("dm: Add verity helpers for LoadPin")
> Reported-by: Sarthak Kukreti
> Signed-off-by: Matthias Kaehlcke
> ---
> > drivers/md/dm-verity-loadpin.c | 8 ++++++++ > drivers/md/dm-verity-target.c | 16 ++++++++++++++++ > drivers/md/dm-verity.h | 1 + > 3 files changed, 25 insertions(+) > > diff --git a/drivers/md/dm-verity-loadpin.c b/drivers/md/dm-verity-loadpin.c > index 387ec43aef72..4f78cc55c251 100644 > --- a/drivers/md/dm-verity-loadpin.c > +++ b/drivers/md/dm-verity-loadpin.c > @@ -14,6 +14,7 @@ LIST_HEAD(dm_verity_loadpin_trusted_root_digests); > > static bool is_trusted_verity_target(struct dm_target *ti) > { > + int verity_mode; > u8 *root_digest; > unsigned int digest_size; > struct dm_verity_loadpin_trusted_root_digest *trd;
> @@ -22,6 +23,13 @@ static bool is_trusted_verity_target(struct dm_target *ti) > if (!dm_is_verity_target(ti)) > return false; > > + verity_mode = dm_verity_get_mode(ti); > + > + if ((verity_mode != DM_VERITY_MODE_EIO) && > + (verity_mode != DM_VERITY_MODE_RESTART) && > + (verity_mode != DM_VERITY_MODE_PANIC)) > + return false; > + > if (dm_verity_get_root_digest(ti, &root_digest, &digest_size)) > return false; > > diff --git a/drivers/md/dm-verity-target.c b/drivers/md/dm-verity-target.c > index 94b6cb599db4..8a00cc42e498 100644 > --- a/drivers/md/dm-verity-target.c > +++ b/drivers/md/dm-verity-target.c > @@ -1446,6 +1446,22 @@ bool dm_is_verity_target(struct dm_target *ti) > return ti->type->module == THIS_MODULE; > } > > +/* > + * Get the verity mode (error behavior) of a verity target. > + * > + * Returns the verity mode of the target, or -EINVAL if 'ti' is not a verity > + * target. > + */ > +int dm_verity_get_mode(struct dm_target *ti) nit: It might be cleaner to combine the mode check above into this function; eg. dm_verity_is_enforcing_mode(struct dm_target *ti). > +{ > + struct dm_verity *v = ti->private; > + > + if (!dm_is_verity_target(ti)) > + return -EINVAL; > + > + return v->mode; > +} > + > /* > * Get the root digest of a verity target. > * > diff --git a/drivers/md/dm-verity.h b/drivers/md/dm-verity.h > index 45455de1b4bc..98f306ec6a33 100644 > --- a/drivers/md/dm-verity.h > +++ b/drivers/md/dm-verity.h > @@ -134,6 +134,7 @@ extern int verity_hash_for_block(struct dm_verity *v, struct dm_verity_io *io, > sector_t block, u8 *digest, bool *is_zero); > > extern bool dm_is_verity_target(struct dm_target *ti); > +extern int dm_verity_get_mode(struct dm_target *ti); > extern int dm_verity_get_root_digest(struct dm_target *ti, u8 **root_digest, > unsigned int *digest_size); > > -- > 2.37.2.789.g6183377224-goog >
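
Review bot: In the second dm-verity-loadpin.c hunk, the new mode check in is_trusted_verity_target() has no comment saying why only DM_VERITY_MODE_EIO, DM_VERITY_MODE_RESTART and DM_VERITY_MODE_PANIC are trusted, and it rejects a negative return from dm_verity_get_mode() only implicitly, because -EINVAL matches none of the three. A short comment above the if stating that targets which ignore corruption must not be trusted, and that an error return is rejected here too, would make the fail-closed intent explicit. The inner parentheses around each != comparison are redundant and can be dropped.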
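
Review bot: In the dm-verity-target.c hunk, dm_verity_get_mode() initialises v from ti->private before dm_is_verity_target(ti) has confirmed the target type. Nothing is dereferenced ahead of the check, but moving the assignment below it keeps the validate-then-use order obvious to later readers. The function also returns either a mode or -EINVAL through the same int, so the comment block should say that callers have to compare the result against specific modes rather than use it as a mode directly. The only caller in this patch has already run dm_is_verity_target(ti) just before the call, so the inner check is repeated on that path.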