Received: by 2002:a05:6358:11c7:b0:104:8066:f915 with SMTP id i7csp10566rwl; Tue, 11 Apr 2023 13:33:51 -0700 (PDT) X-Google-Smtp-Source: AKy350Y1xf10ctKR+TN0NSMWBsYl5/T/uFCXpX8kbF2mXpK4ntO4/EIhxn9F2ecMJTI0HUDnaFCl X-Received: by 2002:a17:90b:1d8e:b0:246:681c:71fd with SMTP id pf14-20020a17090b1d8e00b00246681c71fdmr18174328pjb.6.1681245231478; Tue, 11 Apr 2023 13:33:51 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1681245231; cv=none; d=google.com; s=arc-20160816; b=pnFMSJ3osYLtebrv5H2oFL/elTbXW8787vPmRwnLLy9GiP/PrltE0CJi5/NLyo/OyJ LciPfIK5rFqZdp8aiMD92xyLaGjzNf0XkwwUs/mo0Gjm+IGJx305Z+Xc4aYlT4aO6TKH zM6sE0dHSNwyctI+4otSdwv30kNwVmSCLLQjMfVazSKj8TTcnN9+8voZ8lh0EZfd4asu WRnDkAg5IkJT1aeW7uvTUgw6pOGLLvneXsWb9aRcLd8KcJrFGpQC+1Dzct4jU/Z77mJd Z9An38SbV7o6WaPMb5qC24WA+Ypu3RXEZULgxKF07zu/6MjdABRd5AildAjbLGuxJudv r8vg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:cc:to:subject :message-id:date:from:in-reply-to:references:mime-version :dkim-signature; bh=ikdi+6xxj2kvpls/7KRBOAg0lIkRgRoVXw8KwuRi4Nc=; b=TCGv4Iaxa5pKuX9I9dU4Yoion+FwHKUAPnDzuzds7nOGItWbmdSDZby7e1n+U9TR/i 1rQxxPxGK8zZQk5ixT9hKq8eHjAZe1zPGqTJGFEbovee+kkDw2FjbTha0apPsosUZw5e 1CIlOuj8KDNqQOkqbMU4JXoKB3sBlf61lpODZVmAhofkIaJNmpXgnSQHEEPxROa+ZfIv 6PXyW1lVoyojTvNhEpdT4sIUmdqAddGxkyilUV9BZA45oo+l2Er7gxylKZtpLzcfndvb /5Hsaa/eh523cwd+4UaNkw498MqLh1VuAhFCmEt+fwwyqdoK0MAs5MWxqPTuILKJD4Cu I2dQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@paul-moore.com header.s=google header.b=IQ9zZGCN; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=paul-moore.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id k17-20020a170902ba9100b0016efde92292si14035592pls.255.2023.04.11.13.33.39; Tue, 11 Apr 2023 13:33:51 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@paul-moore.com header.s=google header.b=IQ9zZGCN; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=paul-moore.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229757AbjDKUdA (ORCPT + 99 others); Tue, 11 Apr 2023 16:33:00 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:43018 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229504AbjDKUc6 (ORCPT ); Tue, 11 Apr 2023 16:32:58 -0400 Received: from mail-yb1-xb32.google.com (mail-yb1-xb32.google.com [IPv6:2607:f8b0:4864:20::b32]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id A79EE4690 for ; Tue, 11 Apr 2023 13:32:53 -0700 (PDT) Received: by mail-yb1-xb32.google.com with SMTP id bv15so7803262ybb.1 for ; Tue, 11 Apr 2023 13:32:53 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paul-moore.com; s=google; t=1681245173; x=1683837173; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=ikdi+6xxj2kvpls/7KRBOAg0lIkRgRoVXw8KwuRi4Nc=; b=IQ9zZGCNRzZwfZFuGDrY6qwE9SFscSfIixOwnA4rFQL16vvokxAcya+cMNiEJWF/lB jfUjEDfBjxQmhe/m3jewm7jJLjeF+tKcqSL03+AbqWymsVlf8EEP00s1SU0cxksL0zEq aELwAeeUCgGgh9NbZTSKlmYtsFMknlxQ5vc+LAgXie28umXXh7hhlP0K8oGds+yB5mEO vnwwKYtfeLTL9Ggt6AoI0LCSpTdf8MtVDWfJHa7h5gd+mCjLpYJP73Z+fFhKTpm6ehpS eULjph7vC73UZBatpFNnwz8A7xfnzCLiAhRTkuk93Tn1z4Nwff5SzQw+maLC17p1NBra luBg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; t=1681245173; x=1683837173; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=ikdi+6xxj2kvpls/7KRBOAg0lIkRgRoVXw8KwuRi4Nc=; b=GgPNi2cNuUUvieCzly1UWQETw4eHsWOT3OCXkslsM65xe5RM+SD+wc62EUU12zJU1j Ve6Bm9LdHaFSNnc9w+hz7OqBFZfwoEAiJ5jFSxMdwMwM9FA/YOhnJqzF7DuTA4tNpGPK 6oXDPsYaunymJPp6C9ZbjDBPZEfj1pgZIdpOBUBjDTazkkeod52/C8JvnugwMqYaftkD B7k5zQXAZip7EKskG5nHKxD412ZbtZdixrwW+SmAYmq3bfPgawdZ4p0AtjN2r/FXqrGl GUvxhAHLqlS7ZFQIy09TYHx3QsQSiBlW1xvRoKiqzALnk1iBV95EClzs4TV513O2248T b1Ow== X-Gm-Message-State: AAQBX9ev65JpASu3lJAcbM7EM3/BNONGsj3vj0DSBYcBNaOZgJN/UsiF /ZN15WzliVs1OnzR1ElKOqCqBuBpAJji0ZfEyi+R X-Received: by 2002:a25:d702:0:b0:b68:7a4a:5258 with SMTP id o2-20020a25d702000000b00b687a4a5258mr101812ybg.3.1681245172701; Tue, 11 Apr 2023 13:32:52 -0700 (PDT) MIME-Version: 1.0 References: <1675119451-23180-1-git-send-email-wufan@linux.microsoft.com> <1675119451-23180-4-git-send-email-wufan@linux.microsoft.com> <20230410185334.GA18827@linuxonhyperv3.guj3yctzbm1etfxqx2vob5hsef.xx.internal.cloudapp.net> In-Reply-To: <20230410185334.GA18827@linuxonhyperv3.guj3yctzbm1etfxqx2vob5hsef.xx.internal.cloudapp.net> From: Paul Moore Date: Tue, 11 Apr 2023 16:32:41 -0400 Message-ID: Subject: Re: [RFC PATCH v9 03/16] ipe: add evaluation loop and introduce 'boot_verified' as a trust provider To: Fan Wu Cc: corbet@lwn.net, zohar@linux.ibm.com, jmorris@namei.org, serge@hallyn.com, tytso@mit.edu, ebiggers@kernel.org, axboe@kernel.dk, agk@redhat.com, snitzer@kernel.org, eparis@redhat.com, linux-doc@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, linux-fscrypt@vger.kernel.org, linux-block@vger.kernel.org, dm-devel@redhat.com, linux-audit@redhat.com, roberto.sassu@huawei.com, linux-kernel@vger.kernel.org, Deven Bowers Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE, SPF_HELO_NONE,SPF_PASS autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Apr 10, 2023 at 2:53=E2=80=AFPM Fan Wu = wrote: > On Thu, Mar 02, 2023 at 02:03:11PM -0500, Paul Moore wrote: > > On Mon, Jan 30, 2023 at 5:58???PM Fan Wu wr= ote: > > > > > > From: Deven Bowers > > > > > > IPE must have a centralized function to evaluate incoming callers > > > against IPE's policy. This iteration of the policy against the rules > > > for that specific caller is known as the evaluation loop. > > > > > > In addition, IPE is designed to provide system level trust guarantees= , > > > this usually implies that trust starts from bootup with a hardware ro= ot > > > of trust, which validates the bootloader. After this, the bootloader > > > verifies the kernel and the initramfs. > > > > > > As there's no currently supported integrity method for initramfs, and > > > it's typically already verified by the bootloader, introduce a proper= ty > > > that causes the first superblock to have an execution to be "pinned", > > > which is typically initramfs. > > > > > > Signed-off-by: Deven Bowers > > > Signed-off-by: Fan Wu > > > > ... > > > > > --- > > > security/ipe/Makefile | 1 + > > > security/ipe/eval.c | 180 +++++++++++++++++++++++++++++++++= ++ > > > security/ipe/eval.h | 28 ++++++ > > > security/ipe/hooks.c | 25 +++++ > > > security/ipe/hooks.h | 14 +++ > > > security/ipe/ipe.c | 1 + > > > security/ipe/policy.c | 20 ++++ > > > security/ipe/policy.h | 3 + > > > security/ipe/policy_parser.c | 8 +- > > > 9 files changed, 279 insertions(+), 1 deletion(-) > > > create mode 100644 security/ipe/eval.c > > > create mode 100644 security/ipe/eval.h > > > create mode 100644 security/ipe/hooks.c > > > create mode 100644 security/ipe/hooks.h ... > > > diff --git a/security/ipe/eval.c b/security/ipe/eval.c > > > new file mode 100644 > > > index 000000000000..48b5104a3463 > > > --- /dev/null > > > +++ b/security/ipe/eval.c > > > @@ -0,0 +1,180 @@ > > > +// SPDX-License-Identifier: GPL-2.0 > > > +/* > > > + * Copyright (C) Microsoft Corporation. All rights reserved. > > > + */ > > > + > > > +#include "ipe.h" > > > +#include "eval.h" > > > +#include "hooks.h" > > > +#include "policy.h" > > > + > > > +#include > > > +#include > > > +#include > > > +#include > > > +#include > > > +#include > > > +#include > > > + > > > +struct ipe_policy __rcu *ipe_active_policy; > > > + > > > +static struct super_block *pinned_sb; > > > +static DEFINE_SPINLOCK(pin_lock); > > > +#define FILE_SUPERBLOCK(f) ((f)->f_path.mnt->mnt_sb) > > > + > > > +/** > > > + * pin_sb - Pin the underlying superblock of @f, marking it as trust= ed. > > > + * @f: Supplies a file structure to source the super_block from. > > > + */ > > > +static void pin_sb(const struct file *f) > > > +{ > > > + if (!f) > > > + return; > > > + spin_lock(&pin_lock); > > > + if (pinned_sb) > > > + goto out; > > > + pinned_sb =3D FILE_SUPERBLOCK(f); > > > +out: > > > + spin_unlock(&pin_lock); > > > +} > > > > Since you don't actually use @f, just the super_block, you might > > consider passing the super_block as the parameter and not the > > associated file. > > > > I'd probably also flip the if-then to avoid the 'goto', for example: > > > > static void pin_sb(const struct super_block *sb) > > { > > if (!sb) > > return; > > spin_lock(&pin_lock); > > if (!pinned_sb) > > pinned_sb =3D sb; > > spin_unlock(&pin_lock); > > } > > > > Sure, I can change the code accordingly. > > > Also, do we need to worry about the initramfs' being unmounted and the > > super_block going away? > > If initramfs is being unmounted, the boot_verified property will never be= TRUE, > which is an expected behavior. In an actual use case, we can leverage thi= s > property to only enable files in initramfs during the booting stage, and = later switch > to another policy without the boot_verified property after unmounting the= initramfs. > This approach helps keep the allowed set of files minimum at each stage. I think I was worried about not catching when the fs was unmounted and the superblock disappeared, but you've got a hook defined for that so it should be okay. I'm not sure what I was thinking here, sorry for the noise ... Regardless of the source of my confusion, your policy/boot_verified description all sounds good to me. --=20 paul-moore.com