References: <1696457386-3010-16-git-send-email-wufan@linux.microsoft.com> <6efb7a80ba0eb3e02b3ae7a5c0a210f3.paul@paul-moore.com>
In-Reply-To: <6efb7a80ba0eb3e02b3ae7a5c0a210f3.paul@paul-moore.com>
From: Paul Moore
Date: Wed, 1 Nov 2023 20:40:06 -0400
Subject: Re: [PATCH RFC v11 15/19] fsverity: consume builtin signature via LSM hook
To: Fan Wu, corbet@lwn.net, zohar@linux.ibm.com, jmorris@namei.org, serge@hallyn.com, tytso@mit.edu, ebiggers@kernel.org, axboe@kernel.dk, agk@redhat.com, snitzer@kernel.org, eparis@redhat.com
Cc: linux-doc@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, linux-fscrypt@vger.kernel.org, linux-block@vger.kernel.org, dm-devel@redhat.com, audit@vger.kernel.org, roberto.sassu@huawei.com, linux-kernel@vger.kernel.org, Deven Bowers
List-ID: <linux-kernel.vger.kernel.org>

On Mon, Oct 23, 2023 at 11:52 PM Paul Moore wrote:
> On Oct 4, 2023 Fan Wu wrote:
> >
> > fsverity represents a mechanism to support both integrity and
> > authenticity protection of a file, supporting both signed and unsigned
> > digests.
> >
> > An LSM which controls access to a resource based on authenticity and
> > integrity of said resource, can then use this data to make an informed
> > decision on the authorization (provided by the LSM's policy) of said
> > claim.
> >
> > This effectively allows the extension of a policy enforcement layer in
> > LSM for fsverity, allowing for more granular control of how a
> > particular authenticity claim can be used. For example, "all (built-in)
> > signed fsverity files should be allowed to execute, but only these
> > hashes are allowed to be loaded as kernel modules".
> >
> > This enforcement must be done in kernel space, as a userspace only
> > solution would fail a simple litmus test: Download a self-contained
> > malicious binary that never touches the userspace stack. This
> > binary would still be able to execute.
> >
> > Signed-off-by: Deven Bowers
> > Signed-off-by: Fan Wu
> > ---
> > v1-v6:
> >   + Not present
> >
> > v7:
> >   Introduced
> >
> > v8:
> >   + Split fs/verity/ changes and security/ changes into separate patches
> >   + Change signature of fsverity_create_info to accept non-const inode
> >   + Change signature of fsverity_verify_signature to accept non-const inode
> >   + Don't cast-away const from inode.
> >   + Digest functionality dropped in favor of:
> >     ("fs-verity: define a function to return the integrity protected
> >     file digest")
> >   + Reworded commit description and title to match changes.
> >   + Fix a bug wherein no LSM implements the particular fsverity @name
> >     (or LSM is disabled), and returns -EOPNOTSUPP, causing errors.
> >
> > v9:
> >   + No changes
> >
> > v10:
> >   + Rename the signature blob key
> >   + Cleanup redundant code
> >   + Make the hook call depend on CONFIG_FS_VERITY_BUILTIN_SIGNATURES
> >
> > v11:
> >   + No changes
> > ---
> >  fs/verity/fsverity_private.h |  2 +-
> >  fs/verity/open.c             | 26 +++++++++++++++++++++++++-
> >  include/linux/fsverity.h     |  2 ++
> >  3 files changed, 28 insertions(+), 2 deletions(-)
>
> We need an ACK from some VFS folks on this.

Eric and/or Ted, can we get either an ACK or some feedback on this patch?
For reference, the full patchset can be found on lore at the link below:

https://lore.kernel.org/linux-security-module/1696457386-3010-1-git-send-email-wufan@linux.microsoft.com/

> > diff --git a/fs/verity/fsverity_private.h b/fs/verity/fsverity_private.h
> > index d071a6e32581..4a82716e852f 100644
> > --- a/fs/verity/fsverity_private.h > > +++ b/fs/verity/fsverity_private.h > > @@ -108,7 +108,7 @@ int fsverity_init_merkle_tree_params(struct merkle_= tree_params *params, > > unsigned int log_blocksize, > > const u8 *salt, size_t salt_size); > > > > -struct fsverity_info *fsverity_create_info(const struct inode *inode, > > +struct fsverity_info *fsverity_create_info(struct inode *inode, > > struct fsverity_descriptor *de= sc); > > > > void fsverity_set_info(struct inode *inode, struct fsverity_info *vi); > > diff --git a/fs/verity/open.c b/fs/verity/open.c > > index 6c31a871b84b..5b48e2c39086 100644 > > --- a/fs/verity/open.c > > +++ b/fs/verity/open.c > > @@ -8,6 +8,7 @@ > > #include "fsverity_private.h" > > > > #include > > +#include > > #include > > > > static struct kmem_cache *fsverity_info_cachep; > > @@ -172,12 +173,28 @@ static int compute_file_digest(const struct fsver= ity_hash_alg *hash_alg, > > return err; > > } > > > > +#ifdef CONFIG_FS_VERITY_BUILTIN_SIGNATURES > > +static int fsverity_inode_setsecurity(struct inode *inode, > > + struct fsverity_descriptor *desc) > > +{ > > + return security_inode_setsecurity(inode, FS_VERITY_INODE_SEC_NAME= , > > + desc->signature, > > + le32_to_cpu(desc->sig_size), 0)= ; > > +} > > +#else > > +static inline int fsverity_inode_setsecurity(struct inode *inode, > > + struct fsverity_descriptor *= desc) > > +{ > > + return 0; > > +} > > +#endif /* CONFIG_IPE_PROP_FS_VERITY*/ > > + > > /* > > * Create a new fsverity_info from the given fsverity_descriptor (with= optional > > * appended builtin signature), and check the signature if present. T= he > > * fsverity_descriptor must have already undergone basic validation. > > */ > > -struct fsverity_info *fsverity_create_info(const struct inode *inode, > > +struct fsverity_info *fsverity_create_info(struct inode *inode, > > struct fsverity_descriptor *de= sc) > > { > > struct fsverity_info *vi; 
> > @@ -242,6 +259,13 @@ struct fsverity_info *fsverity_create_info(const s= truct inode *inode, > > spin_lock_init(&vi->hash_page_init_lock); > > } > > > > + err =3D fsverity_inode_setsecurity(inode, desc); > > + if (err =3D=3D -EOPNOTSUPP) > > + err =3D 0; > > + > > + if (err) > > + goto fail; > > + > > return vi; > > > > fail: > > diff --git a/include/linux/fsverity.h b/include/linux/fsverity.h > > index 1eb7eae580be..9666721baf15 100644 > > --- a/include/linux/fsverity.h > > +++ b/include/linux/fsverity.h > > @@ -319,4 +319,6 @@ static inline int fsverity_prepare_setattr(struct d= entry *dentry, > > return 0; > > } > > > > +#define FS_VERITY_INODE_SEC_NAME "fsverity.builtin-sig" > > + > > #endif /* _LINUX_FSVERITY_H */ > > -- > > 2.25.1 --=20 paul-moore.com
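Review bot: on the fs/verity/fsverity_private.h hunk, dropping const from fsverity_create_info()'s inode parameter is forced by security_inode_setsecurity() taking a non-const inode, but that rationale only appears in the v8 notes below the `---` and will not survive into git history; a sentence in the commit message proper ("the LSM hook takes a non-const inode, so const is dropped from fsverity_create_info() and fsverity_verify_signature()") would keep it.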
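Review bot: in the fs/verity/open.c hunk that adds fsverity_inode_setsecurity(), the closing comment `#endif /* CONFIG_IPE_PROP_FS_VERITY*/` does not match the `#ifdef CONFIG_FS_VERITY_BUILTIN_SIGNATURES` it terminates and looks left over from an earlier revision; it should read `#endif /* CONFIG_FS_VERITY_BUILTIN_SIGNATURES */`. The wrapper also hands `desc->signature` and `le32_to_cpu(desc->sig_size)` to the hook unconditionally, so a verity file with no builtin signature reaches the LSM with a zero-length blob; either skip the call when sig_size is 0 or state in the function comment that consumers must treat size 0 as "unsigned".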
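Review bot: the new call in fsverity_create_info() turns any hook error other than -EOPNOTSUPP into `goto fail`, so an LSM that rejects the signature makes setting up verity for the file (and hence opening it) fail outright rather than only denying a later operation; that is a behaviour change worth spelling out in the commit message and in the comment above the function, which still only says the signature is "check[ed] if present". Mapping -EOPNOTSUPP to 0 is the right default for a kernel with no consuming LSM, but a one-line comment on why it is swallowed (`/* no LSM claims FS_VERITY_INODE_SEC_NAME */`) would save the next reader a trip to security/security.c.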
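Review bot: in the include/linux/fsverity.h hunk, `FS_VERITY_INODE_SEC_NAME` is added to the public header with no comment; since it is the @name an LSM must match in its inode_setsecurity hook, and the value passed with it is the raw builtin signature blob rather than an xattr written by userspace, a short comment stating that contract would help LSM authors.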
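The error-handling contract the patch relies on (the LSM dispatcher returns -EOPNOTSUPP when no LSM claims the name, fsverity treats that as "nothing to do" and any other error as fatal) is easy to get wrong, as the v8 changelog entry shows. The following is an added user-space model of that contract, not code from the patch or the kernel: it mirrors the kernel's "only one module provides an attribute with a given name" dispatch loop, registers a constructed LSM that ignores the fsverity name and one that consumes it, and runs the fsverity-side mapping. All struct, function and policy names are illustrative stand-ins; only FS_VERITY_INODE_SEC_NAME comes from the patch.

```c
/*
 * User-space model (added example, not kernel code) of the dispatch the patch
 * relies on: security_inode_setsecurity() walks the registered LSM hooks and
 * returns the first result that is not -EOPNOTSUPP; fsverity then treats
 * -EOPNOTSUPP ("no LSM claimed this name") as success and any other error as
 * fatal for fsverity_create_info(). All names below are stand-ins.
 */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define FS_VERITY_INODE_SEC_NAME "fsverity.builtin-sig"   /* from the patch */
#define MAX_LSMS 4

/* Minimal stand-in for struct inode: only an identifier for messages. */
struct inode { const char *path; };

/* Hook signature mirrors the kernel's inode_setsecurity hook. */
typedef int (*setsecurity_hook)(struct inode *inode, const char *name,
                                const void *value, size_t size, int flags);

static setsecurity_hook registered[MAX_LSMS];
static int nr_registered;

static void lsm_reset(void) { nr_registered = 0; }

static void lsm_register(setsecurity_hook hook)   /* constructed, not a kernel API */
{
    if (nr_registered < MAX_LSMS)
        registered[nr_registered++] = hook;
}

/* Model of security_inode_setsecurity(): only one LSM owns a given name, so
 * the first hook returning anything other than -EOPNOTSUPP decides. */
static int model_security_inode_setsecurity(struct inode *inode, const char *name,
                                            const void *value, size_t size, int flags)
{
    for (int i = 0; i < nr_registered; i++) {
        int rc = registered[i](inode, name, value, size, flags);
        if (rc != -EOPNOTSUPP)
            return rc;
    }
    return -EOPNOTSUPP;
}

/* An LSM that does not care about fsverity: it must return -EOPNOTSUPP for
 * names it does not own so that dispatch continues to the next LSM. */
static int other_lsm_setsecurity(struct inode *inode, const char *name,
                                 const void *value, size_t size, int flags)
{
    (void)inode; (void)value; (void)size; (void)flags;
    return strcmp(name, "other.attr") == 0 ? 0 : -EOPNOTSUPP;
}

/* A constructed policy LSM consuming the builtin signature blob. The patch
 * passes desc->signature with le32_to_cpu(desc->sig_size), which is 0 for an
 * unsigned file, so the consumer has to decide what an empty blob means. */
static int policy_lsm_setsecurity(struct inode *inode, const char *name,
                                  const void *value, size_t size, int flags)
{
    (void)inode; (void)flags;
    if (strcmp(name, FS_VERITY_INODE_SEC_NAME) != 0)
        return -EOPNOTSUPP;
    if (size == 0 || value == NULL)
        return -EACCES;   /* constructed policy: unsigned verity files refused */
    return 0;             /* signed: the LSM records the claim for later checks */
}

/* Model of the error handling the patch adds to fsverity_create_info(). */
static int model_fsverity_consume_signature(struct inode *inode,
                                            const unsigned char *sig, size_t sig_size)
{
    int err = model_security_inode_setsecurity(inode, FS_VERITY_INODE_SEC_NAME,
                                               sig, sig_size, 0);
    if (err == -EOPNOTSUPP)   /* no LSM registered for this name: not an error */
        err = 0;
    return err;               /* non-zero would make fsverity_create_info() fail */
}

/* Runs one scenario end to end and returns the fsverity-side result:
 * with_policy_lsm selects whether the consuming LSM is registered,
 * signed_file selects whether a (constructed) signature blob is present. */
int demo(int with_policy_lsm, int signed_file)
{
    struct inode ino = { "/usr/bin/example" };
    static const unsigned char sig[] = { 0x30, 0x82, 0x01, 0x00 };  /* constructed */

    lsm_reset();
    lsm_register(other_lsm_setsecurity);
    if (with_policy_lsm)
        lsm_register(policy_lsm_setsecurity);
    return model_fsverity_consume_signature(&ino, signed_file ? sig : NULL,
                                            signed_file ? sizeof(sig) : 0);
}

int main(void)
{
    printf("no consuming LSM, unsigned file: %d\n", demo(0, 0));
    printf("policy LSM, unsigned file:       %d (-EACCES is %d)\n", demo(1, 0), -EACCES);
    printf("policy LSM, signed file:         %d\n", demo(1, 1));
    return 0;
}
```

The first scenario is the v8 bug in miniature: without the -EOPNOTSUPP mapping, every kernel lacking a consuming LSM would fail to set up verity files. The second shows the consequence the patch's `goto fail` path implies for a denying LSM, and the third the normal signed case.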