Date: Wed, 29 May 2024 20:38:41 -0700
Subject: Re: [PATCH v19 15/20] fsverity: expose verified fsverity built-in signatures to LSMs
To: Eric Biggers, Paul Moore
Cc: corbet@lwn.net, zohar@linux.ibm.com, jmorris@namei.org, serge@hallyn.com, tytso@mit.edu, axboe@kernel.dk, agk@redhat.com, snitzer@kernel.org, mpatocka@redhat.com, eparis@redhat.com, linux-doc@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, fsverity@lists.linux.dev, linux-block@vger.kernel.org, dm-devel@lists.linux.dev, audit@vger.kernel.org, linux-kernel@vger.kernel.org, Deven Bowers
References: <1716583609-21790-1-git-send-email-wufan@linux.microsoft.com> <1716583609-21790-16-git-send-email-wufan@linux.microsoft.com> <20240530030605.GA29189@sol.localdomain>
From: Fan Wu
In-Reply-To: <20240530030605.GA29189@sol.localdomain>

On 5/29/2024 8:06 PM, Eric Biggers wrote:
> On Wed, May 29, 2024 at 09:46:57PM -0400, Paul Moore wrote:
>> On Fri, May 24, 2024 at 4:46 PM Fan Wu wrote:
>>>
>>> This patch enhances fsverity's capabilities to support both integrity and
>>> authenticity protection by introducing the exposure of built-in
>>> signatures through a new LSM hook. This functionality allows LSMs,
>>> e.g. IPE, to enforce policies based on the authenticity and integrity of
>>> files, specifically focusing on built-in fsverity signatures. It enables
>>> a policy enforcement layer within LSMs for fsverity, offering granular
>>> control over the usage of authenticity claims. For instance, a policy
>>> could be established to permit the execution of all files with verified
>>> built-in fsverity signatures while restricting kernel module loading
>>> from specified fsverity files via fsverity digests.
>>>
>>> The introduction of a security_inode_setintegrity() hook call within
>>> fsverity's workflow ensures that the verified built-in signature of a file
>>> is exposed to LSMs. This enables LSMs to recognize and label fsverity files
>>> that contain a verified built-in fsverity signature. This hook is invoked
>>> subsequent to the fsverity_verify_signature() process, guaranteeing the
>>> signature's verification against fsverity's keyring. This mechanism is
>>> crucial for maintaining system security, as it operates in kernel space,
>>> effectively thwarting attempts by malicious binaries to bypass user space
>>> stack interactions.
>>>
>>> The second to last commit in this patch set will add a link to the IPE
>>> documentation in fsverity.rst.
>>>
>>> Signed-off-by: Deven Bowers
>>> Signed-off-by: Fan Wu
>>>
>>> ---
>>> v1-v6:
>>> + Not present
>>>
>>> v7:
>>> Introduced
>>>
>>> v8:
>>> + Split fs/verity/ changes and security/ changes into separate patches
>>> + Change signature of fsverity_create_info to accept non-const inode
>>> + Change signature of fsverity_verify_signature to accept non-const inode
>>> + Don't cast-away const from inode.
>>> + Digest functionality dropped in favor of:
>>> ("fs-verity: define a function to return the integrity protected
>>> file digest")
>>> + Reworded commit description and title to match changes.
>>> + Fix a bug wherein no LSM implements the particular fsverity @name
>>> (or LSM is disabled), and returns -EOPNOTSUPP, causing errors.
>>>
>>> v9:
>>> + No changes
>>>
>>> v10:
>>> + Rename the signature blob key
>>> + Cleanup redundant code
>>> + Make the hook call depends on CONFIG_FS_VERITY_BUILTIN_SIGNATURES
>>>
>>> v11:
>>> + No changes
>>>
>>> v12:
>>> + Add constification to the hook call
>>>
>>> v13:
>>> + No changes
>>>
>>> v14:
>>> + Add doc/comment to built-in signature verification
>>>
>>> v15:
>>> + Add more docs related to IPE
>>> + Switch the hook call to security_inode_setintegrity()
>>>
>>> v16:
>>> + Explicitly mention "fsverity builtin signatures" in the commit
>>> message
>>> + Amend documentation in fsverity.rst
>>> + Fix format issue
>>> + Change enum name
>>>
>>> v17:
>>> + Fix various documentation issues
>>> + Use new enum name LSM_INT_FSVERITY_BUILTINSIG_VALID
>>>
>>> v18:
>>> + Fix typos
>>> + Move the inode_setintegrity hook call into fsverity_verify_signature()
>>>
>>> v19:
>>> + Cleanup code w.r.t inode_setintegrity hook refactoring
>>> ---
>>> Documentation/filesystems/fsverity.rst | 23 +++++++++++++++++++++--
>>> fs/verity/signature.c | 18 +++++++++++++++++-
>>> include/linux/security.h | 1 +
>>> 3 files changed, 39 insertions(+), 3 deletions(-)
>>
>> Eric, can you give this patch in particular a look to make sure you
>> are okay with everything? I believe Fan has addressed all of your
>> previous comments and it would be nice to have your Ack/Review tag if
>> you are okay with the current revision.
>
> Sorry, I've just gotten a bit tired of finding so many basic issues in this
> patchset even after years of revisions.
>
> This patch in particular is finally looking better. There are a couple issues
> that I still see. (BTW, you're welcome to review it too to help find these
> things, given that you seem to have an interest in getting this landed...):
>
>> + err = security_inode_setintegrity(inode,
>> + LSM_INT_FSVERITY_BUILTINSIG_VALID,
>> + signature,
>> + le32_to_cpu(sig_size));
>
> This is doing le32_to_cpu() on a variable of type size_t, which will do the
> wrong thing on big endian systems and will generate a 'sparse' warning.
>

Sorry for the mistake. As sig_size is already converted in open.c, there is
indeed no need to call this function again. I will remove this unnecessary
conversion.

> Also, the commit message still incorrectly claims that this patch allows
> "restricting kernel module loading from specified fsverity files via fsverity
> digests". As I said before (sigh...), this is not correct as that can be done
> without this patch.
>
> - Eric

As for the commit message, my intention was to provide an example of a policy
that with the patch IPE can enforce, not to claim that this specific
restriction requires the patch. However, I will remove it as it seems to be
causing confusion.

-Fan
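Review bot: the `le32_to_cpu(sig_size)` argument in the quoted security_inode_setintegrity() call applies an on-disk-to-native conversion to a value that is already a native size_t (the thread notes it was converted when the descriptor was read in open.c); on a big-endian host that byte-swaps the length a second time and passes a corrupted size to the LSM, and sparse will flag the non-__le32 argument. Pass the value straight through, i.e. replace `le32_to_cpu(sig_size));` with `sig_size);`, so the conversion happens exactly once at the descriptor boundary.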
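The endianness defect Eric points out above, as an added example that is not the kernel's code: the fsverity descriptor stores sig_size as an on-disk `__le32`, and the thread says open.c already converts it to a native size_t before the hook call. The block models le32_to_cpu() with host endianness as a parameter (a hypothetical helper, with constructed descriptor bytes) so that the silent no-op on little-endian and the corrupted length on big-endian both show on one machine.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed sample: the on-disk __le32 sig_size field of an fsverity
 * descriptor, holding 0x04a2 (1186) in little-endian byte order. */
static const uint8_t SIG_SIZE_LE[4] = { 0xa2, 0x04, 0x00, 0x00 };

/* Byte swap: what le32_to_cpu() does on a big-endian host. */
static uint32_t swab32(uint32_t v)
{
	return ((v & 0x000000ffu) << 24) | ((v & 0x0000ff00u) << 8) |
	       ((v & 0x00ff0000u) >> 8) | ((v & 0xff000000u) >> 24);
}

/* What a plain 4-byte load of those bytes yields as a register value on
 * each kind of host (big-endian reads b[0] as the most significant byte). */
static uint32_t load_u32(const uint8_t b[4], int host_is_big_endian)
{
	if (host_is_big_endian)
		return ((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16) |
		       ((uint32_t)b[2] << 8) | (uint32_t)b[3];
	return ((uint32_t)b[3] << 24) | ((uint32_t)b[2] << 16) |
	       ((uint32_t)b[1] << 8) | (uint32_t)b[0];
}

/* Hypothetical model of le32_to_cpu(): identity on little-endian hosts,
 * byte swap on big-endian ones; host endianness is a parameter here. */
static uint32_t model_le32_to_cpu(uint32_t raw, int host_is_big_endian)
{
	return host_is_big_endian ? swab32(raw) : raw;
}

/* Correct: convert the __le32 exactly once, where the descriptor is read
 * (the thread says open.c does this), yielding a native size_t. */
static size_t sig_size_converted_once(const uint8_t field[4], int host_is_big_endian)
{
	return model_le32_to_cpu(load_u32(field, host_is_big_endian), host_is_big_endian);
}

/* Buggy: run le32_to_cpu() a second time on the already-native size_t, as
 * the reviewed hunk did. A no-op on little-endian, a corrupted length on
 * big-endian, which is why the defect is easy to miss on x86. */
static size_t sig_size_converted_twice(const uint8_t field[4], int host_is_big_endian)
{
	size_t sig_size = sig_size_converted_once(field, host_is_big_endian);
	return model_le32_to_cpu((uint32_t)sig_size, host_is_big_endian);
}
```

On the simulated big-endian host the double conversion turns 1186 into 0xa2040000, a length far larger than any real signature blob.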