Received: by 2002:a05:6358:c692:b0:131:369:b2a3 with SMTP id fe18csp215294rwb;
        Tue, 25 Jul 2023 14:42:23 -0700 (PDT)
X-Google-Smtp-Source: APBJJlHaoaZNyM8ETl6kGpoyxeRJU57ZQenAy4YfWAM5qm5J4ZfkTtuuo4fVYgr7PN9fOG/T7o+K
X-Received: by 2002:a17:906:3f47:b0:993:fb68:ed6c with SMTP id f7-20020a1709063f4700b00993fb68ed6cmr460953ejj.15.1690321343306;
        Tue, 25 Jul 2023 14:42:23 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1690321343; cv=none;
        d=google.com; s=arc-20160816;
        b=iqsuJyw58T5PcMj3ewN/XpvGW/PqOXh9aQKP0slC57oT98Q2KjbygQSHCJ5g+YJQN2
         WCo0PN+6EF3GzKZGpQAUj5nk9AMTawXArz/JMiSybcnJO4/5hXjBoXp81krbmLSk17jh
         stUGZFA+WZpKVslnMw6lazogkJNkO6H4O1rnQfcj495p0jtQ/FFVMNMUoaCa7tYNYA+/
         bOMZ9acsrexnDljeHMri2TRaMcJ5yegNYHDBZaJLHWK1JqoeSANjXK8EP9eeoBTevKiV
         sfP3cwLnUHsRxey+kwb8Lai5LifqVFU3M788cPqHzLsq5iCDhOyjnvUb6CkyzPTViUxQ
         Ep2Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:cc:to:subject
         :message-id:date:from:in-reply-to:references:mime-version
         :dkim-signature;
        bh=nWFtInZ1K1dOfuS7k8qAbtMBBIEMrxLy4VGVUtC5gnI=;
        fh=Rv1lHCWv3BPCbJ10hFRnhHHZ6K4WayhKbhjG4Err+sM=;
        b=CFkXAecUN2Wa2SOdIMCdIq/OFemGwQJ6n9K18rWArANJENt33yrRHrneWlctA/pMpO
         cMFy9vy01rfuIP5/FS+14budKKmjD20ZEo9MhYvma8dOfXRyFwPbB+7Qyv/raszEQpLG
         8JX049ZAk8O1dipzk5R1k3cb2uenxgDH0r7NR4TVTkOtsxPbOPOpkGOuBR8pbIguvnVS
         6eq7CcGiDfrVncQfdSe9pzVVVhf9Nd/DEI3BvXXi4zv5wLrhBKMKZ9jYs/4T0fD8aqPw
         nmLgfEnbpWEf65vOnN8f8hnZgrMxRwyQuHFC4U4CgH6KktCRN6atCEapYD/I6PY33LnY
         ujyg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@paul-moore.com header.s=google header.b=C8boa0Mv;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=paul-moore.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id d8-20020a170906544800b00997c69cdb87si9242635ejp.718.2023.07.25.14.41.59;
        Tue, 25 Jul 2023 14:42:23 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@paul-moore.com header.s=google header.b=C8boa0Mv;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=paul-moore.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S230135AbjGYUo2 (ORCPT <rfc822;andrew.melo@gmail.com>
        + 99 others); Tue, 25 Jul 2023 16:44:28 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:42276 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S229701AbjGYUo1 (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 25 Jul 2023 16:44:27 -0400
Received: from mail-yb1-xb29.google.com (mail-yb1-xb29.google.com [IPv6:2607:f8b0:4864:20::b29])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id C6E6526B7
        for <linux-kernel@vger.kernel.org>; Tue, 25 Jul 2023 13:44:00 -0700 (PDT)
Received: by mail-yb1-xb29.google.com with SMTP id 3f1490d57ef6-d16639e16e6so1668062276.3
        for <linux-kernel@vger.kernel.org>; Tue, 25 Jul 2023 13:44:00 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=paul-moore.com; s=google; t=1690317840; x=1690922640;
        h=content-transfer-encoding:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:from:to:cc:subject:date
         :message-id:reply-to;
        bh=nWFtInZ1K1dOfuS7k8qAbtMBBIEMrxLy4VGVUtC5gnI=;
        b=C8boa0Mv2x13zaBKrUj+xzuVti30LteOQD/85/WnBKhzbeDHEzvYvZ3kQdHoCjYdG0
         ftqVyfqFa6NOhebzP3zMyFH7Nlp1JPPPKMGc1aE91kApgf84Ufspb27OrNQYnal4fJdI
         RuMjkIlaBANH5JbWHDMSmJYGIzqqyjVZTAseBtkUxPVzAHisNHbe6FS0O0hpPY2Mahdy
         fdrDOGG8cimzMGhjO/sM3c08lCiYTBbFA4aZL9R/TiSrtJIosdGWlE6hbhCkOQUU/TaG
         FqmFBGWx8K2cus33+JbUinADhEt8mhX8e9cNl+6Pf8/2HVcctD7B/+1vZNujcT3jVfWL
         BwBw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20221208; t=1690317840; x=1690922640;
        h=content-transfer-encoding:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=nWFtInZ1K1dOfuS7k8qAbtMBBIEMrxLy4VGVUtC5gnI=;
        b=RAIRjLV4KLwYvMwff3XgIwJv7pjA0t7R0/A//dtGhCP6xJvD/hmpyYcgiYtvunTE74
         q9BpVvCPHwG92oCB5XBH1Yqdjyr1k/KikgUo9nGTe9qYbybI4N5ItcZ2ZNDIfGEVVNrN
         VU8KrJ9arQZMuo8v6t/qSTWLHYnNjiYWCqUS/oHbQXZ6uxpXQhpiDJ0WPJoQ/IVt5dKD
         40R4+qcsgUyZLZVGZM8n4pifGl7jd2qNxbcUgMPkxbQ/tyFxe8UlsrY1x203HTy2mSpW
         KiA5ivvpeD0txhMsrSqwD7aauacW2hTuyGCwvmsBFu+gm4c1SUMt5RIHRy4E90FocyYp
         qTGw==
X-Gm-Message-State: ABy/qLbJAxtBgIQd4ya5duJVM366D8EKzwmqZceZaBfLboc+HKnyQYYy
        AZhFNMLhtorwf2vdQ0F/54lOT2csCY+kDKtcF2o0
X-Received: by 2002:a25:2f16:0:b0:c83:27d4:c0d6 with SMTP id
 v22-20020a252f16000000b00c8327d4c0d6mr98124ybv.37.1690317839194; Tue, 25 Jul
 2023 13:43:59 -0700 (PDT)
MIME-Version: 1.0
References: <1687986571-16823-1-git-send-email-wufan@linux.microsoft.com>
 <1687986571-16823-12-git-send-email-wufan@linux.microsoft.com>
 <ZKgm+ffQbdDTxrg9@redhat.com> <20230712034319.GA17642@linuxonhyperv3.guj3yctzbm1etfxqx2vob5hsef.xx.internal.cloudapp.net>
In-Reply-To: <20230712034319.GA17642@linuxonhyperv3.guj3yctzbm1etfxqx2vob5hsef.xx.internal.cloudapp.net>
From:   Paul Moore <paul@paul-moore.com>
Date:   Tue, 25 Jul 2023 16:43:48 -0400
Message-ID: <CAHC9VhQFxqcfgR0acgdiXKP9LT1KLgGjZd-QHs6O1dEex31HEQ@mail.gmail.com>
Subject: Re: [RFC PATCH v10 11/17] dm-verity: consume root hash digest and
 signature data via LSM hook
To:     Fan Wu <wufan@linux.microsoft.com>
Cc:     Mike Snitzer <snitzer@kernel.org>, corbet@lwn.net,
        zohar@linux.ibm.com, jmorris@namei.org, serge@hallyn.com,
        tytso@mit.edu, ebiggers@kernel.org, axboe@kernel.dk,
        agk@redhat.com, eparis@redhat.com, linux-doc@vger.kernel.org,
        linux-integrity@vger.kernel.org,
        linux-security-module@vger.kernel.org,
        linux-fscrypt@vger.kernel.org, linux-block@vger.kernel.org,
        dm-devel@redhat.com, audit@vger.kernel.org,
        roberto.sassu@huawei.com, linux-kernel@vger.kernel.org,
        Deven Bowers <deven.desai@linux.microsoft.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED,
        DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE,
        SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE,URIBL_BLOCKED
        autolearn=unavailable autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Jul 11, 2023 at 11:43=E2=80=AFPM Fan Wu <wufan@linux.microsoft.com>=
 wrote:
> On Fri, Jul 07, 2023 at 10:53:45AM -0400, Mike Snitzer wrote:

...

> > Both of your calls to security_bdev_setsecurity() to set your blobs in
> > the bdev are suspect because you're doing so from the verity_ctr().
> > The mapped_device has 2 dm_table slots (active and inactive).  The
> > verity_ctr() becomes part of the inactive slot, there is an extra step
> > to bind the inactive table to the active table.
> >
> > This leads to you changing the blobs in the global bdev _before_ the
> > table is actually active.  It is possible that the inactive table will
> > simply be removed and the DM verity device put back in service;
> > leaving your blob(s) in the bdev inconsistent.
> >
> > This issue has parallels to how we need to defer changing the global
> > queue_limits associated with a request_queue until _after_ all table
> > loading is settled and then the update is done just before resuming
> > the DM device (mapped_device) -- see dm_table_set_restrictions().
> >
> > Unfortunately, this feels like it may require a new hook in the
> > target_type struct (e.g. ->finalize())
>
> Thanks for pointing out this issue. We were calling security_bdev_setsecu=
rity()
> because the roothash signature data is only available in verity_ctr()
> and it is discarded after verity_ctr() finishes.
> After digging deeper into the table_load, I realized that we were indeed
> wrong here.
>
> Based on my understanding of your suggestion, it seems that the correct
> approach would be to save the roothash signature into the struct dm_targe=
t

Would you be doing this with a LSM hook, or would this live in the
device mapper layer?

> and then invoke security_bdev_setsecurity() before activating
> the inactive table in the __bind function (where dm_table_set_restriction=
s is called).
>
> To facilitate this process, it seems appropriate to introduce a new hook
> called finalize() within the struct target_type. This hook would enable
> targets to define tasks that need to be completed before activating
> a new table.
>
> In our specific case, we would add a finalize hook to the dm-verity modul=
e,
> allowing us to call security_bdev_setsecurity() and associate the roothas=
h
> information in the struct dm_target with the struct block_device of
> the struct mapped_device. Is this correct?

Where would the finalize() hook be called?

--=20
paul-moore.com