From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-20.6 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_PATCH, MAILING_LIST_MULTI,SIGNED_OFF_BY,SPF_HELO_NONE,SPF_PASS,USER_AGENT_GIT, USER_IN_DEF_DKIM_WL autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id BEDD2C43458 for ; Tue, 28 Jul 2020 21:36:54 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 9D15520656 for ; Tue, 28 Jul 2020 21:36:54 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (1024-bit key) header.d=linux.microsoft.com header.i=@linux.microsoft.com header.b="BCkI4a0C" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729639AbgG1Vge (ORCPT ); Tue, 28 Jul 2020 17:36:34 -0400 Received: from linux.microsoft.com ([13.77.154.182]:47292 "EHLO linux.microsoft.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729560AbgG1Vga (ORCPT ); Tue, 28 Jul 2020 17:36:30 -0400 Received: from dede-linux-virt.corp.microsoft.com (unknown [131.107.160.54]) by linux.microsoft.com (Postfix) with ESMTPSA id E94BB20B4916; Tue, 28 Jul 2020 14:36:28 -0700 (PDT) DKIM-Filter: OpenDKIM Filter v2.11.0 linux.microsoft.com E94BB20B4916 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.microsoft.com; s=default; t=1595972189; bh=DwuN3lMsKoJor7oyJ4PDhforl2EL5d2MZQdT2xusZcc=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=BCkI4a0CRIZAWxhXndb9PoKEGhx0cs1tND6LSp438pFrU7cuTR89sRstNPk/OyZoh VUWjC08xAJ9axkPNZPcy0WI7Dp9I9j3K6EBdshAHu+pt4ppBJXLm0G4t7cH9ddkK/B 81P6lpeJVtTNyCEsiil4ZGwc2gXGLhDG0sxhJShc= From: Deven Bowers To: agk@redhat.com, axboe@kernel.dk, snitzer@redhat.com, jmorris@namei.org, serge@hallyn.com, zohar@linux.ibm.com, viro@zeniv.linux.org.uk, paul@paul-moore.com, eparis@redhat.com, jannh@google.com, dm-devel@redhat.com, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-block@vger.kernel.org, linux-audit@redhat.com Cc: tyhicks@linux.microsoft.com, linux-kernel@vger.kernel.org, corbet@lwn.net, sashal@kernel.org, jaskarankhurana@linux.microsoft.com, mdsakib@microsoft.com, nramas@linux.microsoft.com, pasha.tatashin@soleen.com Subject: [RFC PATCH v5 09/11] dm-verity: add bdev_setsecurity hook for root-hash Date: Tue, 28 Jul 2020 14:36:09 -0700 Message-Id: <20200728213614.586312-10-deven.desai@linux.microsoft.com> X-Mailer: git-send-email 2.27.0 In-Reply-To: <20200728213614.586312-1-deven.desai@linux.microsoft.com> References: <20200728213614.586312-1-deven.desai@linux.microsoft.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: linux-block-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-block@vger.kernel.org Add a security hook call to set a security property of a block_device in dm-verity with the root-hash that was verified to match the merkel-tree. Signed-off-by: Deven Bowers --- drivers/md/dm-verity-target.c | 8 + include/linux/device-mapper.h | 1 + security/ipe/ipe-blobs.c | 11 ++ security/ipe/ipe-engine.h | 3 + security/ipe/ipe.c | 4 + security/ipe/properties/Kconfig | 13 +- security/ipe/properties/Makefile | 1 + security/ipe/properties/dmverity-roothash.c | 153 ++++++++++++++++++++ security/ipe/properties/prop-entry.h | 9 ++ 9 files changed, 202 insertions(+), 1 deletion(-) create mode 100644 security/ipe/properties/dmverity-roothash.c diff --git a/drivers/md/dm-verity-target.c b/drivers/md/dm-verity-target.c index fabc173aa7b3..7f609906af16 100644 --- a/drivers/md/dm-verity-target.c +++ b/drivers/md/dm-verity-target.c @@ -16,8 +16,10 @@ #include "dm-verity.h" #include "dm-verity-fec.h" #include "dm-verity-verify-sig.h" +#include "dm-core.h" #include #include +#include #define DM_MSG_PREFIX "verity" @@ -530,6 +532,12 @@ static int verity_verify_io(struct dm_verity_io *io) return -EIO; } + r = security_bdev_setsecurity(dm_table_get_md(v->ti->table)->bdev, + DM_VERITY_ROOTHASH_SEC_NAME, + v->root_digest, v->digest_size); + if (unlikely(r < 0)) + return r; + /* * At this point, the merkel tree has finished validating. * if signature was specified, validate the signature here. diff --git a/include/linux/device-mapper.h b/include/linux/device-mapper.h index 02be0be21d38..b82e8223d52a 100644 --- a/include/linux/device-mapper.h +++ b/include/linux/device-mapper.h @@ -625,5 +625,6 @@ static inline unsigned long to_bytes(sector_t n) } #define DM_VERITY_SIGNATURE_SEC_NAME DM_NAME ".verity-sig" +#define DM_VERITY_ROOTHASH_SEC_NAME DM_NAME ".verity-rh" #endif /* _LINUX_DEVICE_MAPPER_H */ diff --git a/security/ipe/ipe-blobs.c b/security/ipe/ipe-blobs.c index 041d7d47b723..6a09d5c6dea8 100644 --- a/security/ipe/ipe-blobs.c +++ b/security/ipe/ipe-blobs.c @@ -46,6 +46,7 @@ void ipe_bdev_free_security(struct block_device *bdev) struct ipe_bdev_blob *bdev_sec = ipe_bdev(bdev); kfree(bdev_sec->dmverity_rh_sig); + kfree(bdev_sec->dmverity_rh); memset(bdev_sec, 0x0, sizeof(*bdev_sec)); } @@ -80,5 +81,15 @@ int ipe_bdev_setsecurity(struct block_device *bdev, const char *key, return 0; } + if (!strcmp(key, DM_VERITY_ROOTHASH_SEC_NAME)) { + bdev_sec->dmverity_rh = kmemdup(value, len, GFP_KERNEL); + if (!bdev_sec->dmverity_rh) + return -ENOMEM; + + bdev_sec->rh_size = len; + + return 0; + } + return -ENOSYS; } diff --git a/security/ipe/ipe-engine.h b/security/ipe/ipe-engine.h index 038c39a8973e..696baaa423ff 100644 --- a/security/ipe/ipe-engine.h +++ b/security/ipe/ipe-engine.h @@ -18,6 +18,9 @@ struct ipe_bdev_blob { u8 *dmverity_rh_sig; size_t dmv_rh_sig_len; + + u8 *dmverity_rh; + size_t rh_size; }; struct ipe_engine_ctx { diff --git a/security/ipe/ipe.c b/security/ipe/ipe.c index 8a612eb62879..8f4dfb8c547f 100644 --- a/security/ipe/ipe.c +++ b/security/ipe/ipe.c @@ -47,6 +47,10 @@ static int __init ipe_load_properties(void) if (rc != 0) return rc; + rc = ipe_init_dm_verity_rh(); + if (rc != 0) + return rc; + return rc; } diff --git a/security/ipe/properties/Kconfig b/security/ipe/properties/Kconfig index 4046f7e5eaef..4f09092522d9 100644 --- a/security/ipe/properties/Kconfig +++ b/security/ipe/properties/Kconfig @@ -14,8 +14,19 @@ config IPE_BOOT_PROP if unsure, answer N. +config IPE_DM_VERITY_ROOTHASH + bool "Enable property for authorizing dm-verity volumes via root-hash" + depends on DM_VERITY + help + This option enables IPE's integration with Device-Mapper Verity. + This enables the usage of the property "dmverity_roothash" in IPE's + policy. This property allows authorization or revocation via a + a hex-string representing the roothash of a dmverity volume. + + if unsure, answer Y. + config IPE_DM_VERITY_SIGNATURE - bool "Enable property for signature verified dm-verity volumes" + bool "Enable property for verified dm-verity volumes" depends on DM_VERITY_VERIFY_ROOTHASH_SIG help This option enables IPE's integration with Device-Mapper Verity's diff --git a/security/ipe/properties/Makefile b/security/ipe/properties/Makefile index 6b67cbe36e31..d9a3807797f4 100644 --- a/security/ipe/properties/Makefile +++ b/security/ipe/properties/Makefile @@ -10,3 +10,4 @@ obj-$(CONFIG_SECURITY_IPE) += properties.o properties-$(CONFIG_IPE_BOOT_PROP) += boot-verified.o properties-$(CONFIG_IPE_DM_VERITY_SIGNATURE) += dmverity-signature.o +properties-$(CONFIG_IPE_DM_VERITY_ROOTHASH) += dmverity-roothash.o diff --git a/security/ipe/properties/dmverity-roothash.c b/security/ipe/properties/dmverity-roothash.c new file mode 100644 index 000000000000..09112e1af753 --- /dev/null +++ b/security/ipe/properties/dmverity-roothash.c @@ -0,0 +1,153 @@ +// SPDX-License-Identifier: GPL-2.0 +/* + * Copyright (C) Microsoft Corporation. All rights reserved. + */ + +#include "../ipe.h" +#include "../ipe-pin.h" +#include "../ipe-property.h" +#include "../utility.h" + +#include +#include +#include +#include +#include +#include + +#define PROPERTY_NAME "dmverity_roothash" + +struct counted_array { + u8 *arr; + size_t len; +}; + +static void audit(struct audit_buffer *ab, const void *value) +{ + const struct counted_array *a = (const struct counted_array *)value; + + if (!a || a->len == 0) + audit_log_format(ab, "NULL"); + else + audit_log_n_hex(ab, a->arr, a->len); +} + +static inline void audit_rule_value(struct audit_buffer *ab, + const void *value) +{ + audit(ab, value); +} + +static inline void audit_ctx(struct audit_buffer *ab, + const struct ipe_engine_ctx *ctx) +{ + struct counted_array a; + + if (!has_bdev(ctx->file)) + return audit(ab, NULL); + + a.arr = ctx->sec_bdev->dmverity_rh; + a.len = ctx->sec_bdev->rh_size; + + return audit(ab, &a); +} + +static bool evaluate(const struct ipe_engine_ctx *ctx, + const void *value) +{ + const struct counted_array *a = (const struct counted_array *)value; + + if (!has_bdev(ctx->file)) + return false; + + if (a->len != ctx->sec_bdev->rh_size) + return false; + + return memcmp(a->arr, ctx->sec_bdev->dmverity_rh, a->len) == 0; +} + +static int parse(const char *val_str, void **value) +{ + struct counted_array *arr = NULL; + int rv = 0; + + arr = kzalloc(sizeof(*arr), GFP_KERNEL); + if (!arr) { + rv = -ENOMEM; + goto err; + } + + arr->len = strlen(val_str) / 2; + + arr->arr = kzalloc(arr->len, GFP_KERNEL); + if (!arr->arr) { + rv = -ENOMEM; + goto err; + } + + rv = hex2bin(arr->arr, val_str, arr->len); + if (rv != 0) + goto err; + + *value = arr; + return rv; +err: + if (arr) + kfree(arr->arr); + kfree(arr); + return rv; +} + +static int duplicate(const void *src, void **dest) +{ + struct counted_array *arr = NULL; + const struct counted_array *src_arr = src; + int rv = 0; + + arr = kmemdup(src_arr, sizeof(*arr), GFP_KERNEL); + if (!arr) { + rv = -ENOMEM; + goto err; + } + + arr->arr = kmemdup(src_arr->arr, src_arr->len, GFP_KERNEL); + if (!arr->arr) { + rv = -ENOMEM; + goto err; + } + + *dest = arr; + return rv; +err: + if (arr) + kfree(arr->arr); + kfree(arr); + + return rv; +} + +static void free_val(void **value) +{ + struct counted_array *a = (struct counted_array *)*value; + + if (a) + kfree(a->arr); + kfree(a); + *value = NULL; +} + +static const struct ipe_property dmv_roothash = { + .property_name = PROPERTY_NAME, + .version = 1, + .eval = evaluate, + .parse = parse, + .rule_audit = audit_rule_value, + .ctx_audit = audit_ctx, + .dup = duplicate, + .free_val = free_val, +}; + +int ipe_init_dm_verity_rh(void) +{ + return ipe_register_property(&dmv_roothash); +} diff --git a/security/ipe/properties/prop-entry.h b/security/ipe/properties/prop-entry.h index 85366366ff0d..86a360570f3b 100644 --- a/security/ipe/properties/prop-entry.h +++ b/security/ipe/properties/prop-entry.h @@ -26,4 +26,13 @@ static inline int __init ipe_init_dm_verity_signature(void) int __init ipe_init_dm_verity_signature(void); #endif /* CONFIG_IPE_DM_VERITY_SIGNATURE */ +#ifndef CONFIG_IPE_DM_VERITY_ROOTHASH +static inline int __init ipe_init_dm_verity_rh(void) +{ + return 0; +} +#else +int __init ipe_init_dm_verity_rh(void); +#endif /* CONFIG_IPE_DM_VERITY_ROOTHASH */ + #endif /* IPE_PROP_ENTRY_H */ -- 2.27.0 From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-10.0 required=3.0 tests=BAYES_00, HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_PATCH,MAILING_LIST_MULTI,SIGNED_OFF_BY, SPF_HELO_NONE,SPF_PASS autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 91F1BC433EC for ; Tue, 28 Jul 2020 21:48:01 +0000 (UTC) Received: from us-smtp-delivery-74.mimecast.com (us-smtp-delivery-74.mimecast.com [63.128.21.74]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 3DF2E2075D for ; Tue, 28 Jul 2020 21:48:01 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 3DF2E2075D Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=linux.microsoft.com Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=linux-audit-bounces@redhat.com Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-440-v2Npno0JPN2Lj8mBNygcOA-1; Tue, 28 Jul 2020 17:47:58 -0400 X-MC-Unique: v2Npno0JPN2Lj8mBNygcOA-1 Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.phx2.redhat.com [10.5.11.14]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 58DCB19200C5; Tue, 28 Jul 2020 21:47:49 +0000 (UTC) Received: from colo-mx.corp.redhat.com (colo-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.20]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 3EAD15DA6A; Tue, 28 Jul 2020 21:47:49 +0000 (UTC) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by colo-mx.corp.redhat.com (Postfix) with ESMTP id 0E7C71800FEA; Tue, 28 Jul 2020 21:47:49 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.rdu2.redhat.com [10.11.54.3]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id 06SLaYis019874 for ; Tue, 28 Jul 2020 17:36:34 -0400 Received: by smtp.corp.redhat.com (Postfix) id D60A410F26F7; Tue, 28 Jul 2020 21:36:33 +0000 (UTC) Received: from mimecast-mx02.redhat.com (mimecast01.extmail.prod.ext.rdu2.redhat.com [10.11.55.17]) by smtp.corp.redhat.com (Postfix) with ESMTPS id D1E1210F26F4 for ; Tue, 28 Jul 2020 21:36:33 +0000 (UTC) Received: from us-smtp-1.mimecast.com (us-smtp-1.mimecast.com [205.139.110.61]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id B1FBD8F099D for ; Tue, 28 Jul 2020 21:36:33 +0000 (UTC) Received: from linux.microsoft.com (linux.microsoft.com [13.77.154.182]) by relay.mimecast.com with ESMTP id us-mta-52-X2loutc2P5qdJYf1Uhg1Gg-1; Tue, 28 Jul 2020 17:36:31 -0400 X-MC-Unique: X2loutc2P5qdJYf1Uhg1Gg-1 Received: from dede-linux-virt.corp.microsoft.com (unknown [131.107.160.54]) by linux.microsoft.com (Postfix) with ESMTPSA id E94BB20B4916; Tue, 28 Jul 2020 14:36:28 -0700 (PDT) DKIM-Filter: OpenDKIM Filter v2.11.0 linux.microsoft.com E94BB20B4916 From: Deven Bowers To: agk@redhat.com, axboe@kernel.dk, snitzer@redhat.com, jmorris@namei.org, serge@hallyn.com, zohar@linux.ibm.com, viro@zeniv.linux.org.uk, paul@paul-moore.com, eparis@redhat.com, jannh@google.com, dm-devel@redhat.com, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-block@vger.kernel.org, linux-audit@redhat.com Subject: [RFC PATCH v5 09/11] dm-verity: add bdev_setsecurity hook for root-hash Date: Tue, 28 Jul 2020 14:36:09 -0700 Message-Id: <20200728213614.586312-10-deven.desai@linux.microsoft.com> In-Reply-To: <20200728213614.586312-1-deven.desai@linux.microsoft.com> References: <20200728213614.586312-1-deven.desai@linux.microsoft.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.78 on 10.11.54.3 X-MIME-Autoconverted: from quoted-printable to 8bit by lists01.pubmisc.prod.ext.phx2.redhat.com id 06SLaYis019874 X-loop: linux-audit@redhat.com X-Mailman-Approved-At: Tue, 28 Jul 2020 17:47:37 -0400 Cc: sashal@kernel.org, pasha.tatashin@soleen.com, mdsakib@microsoft.com, corbet@lwn.net, linux-kernel@vger.kernel.org, nramas@linux.microsoft.com, tyhicks@linux.microsoft.com, jaskarankhurana@linux.microsoft.com X-BeenThere: linux-audit@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Linux Audit Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com X-Scanned-By: MIMEDefang 2.79 on 10.5.11.14 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Add a security hook call to set a security property of a block_device in dm-verity with the root-hash that was verified to match the merkel-tree. Signed-off-by: Deven Bowers --- drivers/md/dm-verity-target.c | 8 + include/linux/device-mapper.h | 1 + security/ipe/ipe-blobs.c | 11 ++ security/ipe/ipe-engine.h | 3 + security/ipe/ipe.c | 4 + security/ipe/properties/Kconfig | 13 +- security/ipe/properties/Makefile | 1 + security/ipe/properties/dmverity-roothash.c | 153 ++++++++++++++++++++ security/ipe/properties/prop-entry.h | 9 ++ 9 files changed, 202 insertions(+), 1 deletion(-) create mode 100644 security/ipe/properties/dmverity-roothash.c diff --git a/drivers/md/dm-verity-target.c b/drivers/md/dm-verity-target.c index fabc173aa7b3..7f609906af16 100644 --- a/drivers/md/dm-verity-target.c +++ b/drivers/md/dm-verity-target.c @@ -16,8 +16,10 @@ #include "dm-verity.h" #include "dm-verity-fec.h" #include "dm-verity-verify-sig.h" +#include "dm-core.h" #include #include +#include #define DM_MSG_PREFIX "verity" @@ -530,6 +532,12 @@ static int verity_verify_io(struct dm_verity_io *io) return -EIO; } + r = security_bdev_setsecurity(dm_table_get_md(v->ti->table)->bdev, + DM_VERITY_ROOTHASH_SEC_NAME, + v->root_digest, v->digest_size); + if (unlikely(r < 0)) + return r; + /* * At this point, the merkel tree has finished validating. * if signature was specified, validate the signature here. diff --git a/include/linux/device-mapper.h b/include/linux/device-mapper.h index 02be0be21d38..b82e8223d52a 100644 --- a/include/linux/device-mapper.h +++ b/include/linux/device-mapper.h @@ -625,5 +625,6 @@ static inline unsigned long to_bytes(sector_t n) } #define DM_VERITY_SIGNATURE_SEC_NAME DM_NAME ".verity-sig" +#define DM_VERITY_ROOTHASH_SEC_NAME DM_NAME ".verity-rh" #endif /* _LINUX_DEVICE_MAPPER_H */ diff --git a/security/ipe/ipe-blobs.c b/security/ipe/ipe-blobs.c index 041d7d47b723..6a09d5c6dea8 100644 --- a/security/ipe/ipe-blobs.c +++ b/security/ipe/ipe-blobs.c @@ -46,6 +46,7 @@ void ipe_bdev_free_security(struct block_device *bdev) struct ipe_bdev_blob *bdev_sec = ipe_bdev(bdev); kfree(bdev_sec->dmverity_rh_sig); + kfree(bdev_sec->dmverity_rh); memset(bdev_sec, 0x0, sizeof(*bdev_sec)); } @@ -80,5 +81,15 @@ int ipe_bdev_setsecurity(struct block_device *bdev, const char *key, return 0; } + if (!strcmp(key, DM_VERITY_ROOTHASH_SEC_NAME)) { + bdev_sec->dmverity_rh = kmemdup(value, len, GFP_KERNEL); + if (!bdev_sec->dmverity_rh) + return -ENOMEM; + + bdev_sec->rh_size = len; + + return 0; + } + return -ENOSYS; } diff --git a/security/ipe/ipe-engine.h b/security/ipe/ipe-engine.h index 038c39a8973e..696baaa423ff 100644 --- a/security/ipe/ipe-engine.h +++ b/security/ipe/ipe-engine.h @@ -18,6 +18,9 @@ struct ipe_bdev_blob { u8 *dmverity_rh_sig; size_t dmv_rh_sig_len; + + u8 *dmverity_rh; + size_t rh_size; }; struct ipe_engine_ctx { diff --git a/security/ipe/ipe.c b/security/ipe/ipe.c index 8a612eb62879..8f4dfb8c547f 100644 --- a/security/ipe/ipe.c +++ b/security/ipe/ipe.c @@ -47,6 +47,10 @@ static int __init ipe_load_properties(void) if (rc != 0) return rc; + rc = ipe_init_dm_verity_rh(); + if (rc != 0) + return rc; + return rc; } diff --git a/security/ipe/properties/Kconfig b/security/ipe/properties/Kconfig index 4046f7e5eaef..4f09092522d9 100644 --- a/security/ipe/properties/Kconfig +++ b/security/ipe/properties/Kconfig @@ -14,8 +14,19 @@ config IPE_BOOT_PROP if unsure, answer N. +config IPE_DM_VERITY_ROOTHASH + bool "Enable property for authorizing dm-verity volumes via root-hash" + depends on DM_VERITY + help + This option enables IPE's integration with Device-Mapper Verity. + This enables the usage of the property "dmverity_roothash" in IPE's + policy. This property allows authorization or revocation via a + a hex-string representing the roothash of a dmverity volume. + + if unsure, answer Y. + config IPE_DM_VERITY_SIGNATURE - bool "Enable property for signature verified dm-verity volumes" + bool "Enable property for verified dm-verity volumes" depends on DM_VERITY_VERIFY_ROOTHASH_SIG help This option enables IPE's integration with Device-Mapper Verity's diff --git a/security/ipe/properties/Makefile b/security/ipe/properties/Makefile index 6b67cbe36e31..d9a3807797f4 100644 --- a/security/ipe/properties/Makefile +++ b/security/ipe/properties/Makefile @@ -10,3 +10,4 @@ obj-$(CONFIG_SECURITY_IPE) += properties.o properties-$(CONFIG_IPE_BOOT_PROP) += boot-verified.o properties-$(CONFIG_IPE_DM_VERITY_SIGNATURE) += dmverity-signature.o +properties-$(CONFIG_IPE_DM_VERITY_ROOTHASH) += dmverity-roothash.o diff --git a/security/ipe/properties/dmverity-roothash.c b/security/ipe/properties/dmverity-roothash.c new file mode 100644 index 000000000000..09112e1af753 --- /dev/null +++ b/security/ipe/properties/dmverity-roothash.c @@ -0,0 +1,153 @@ +// SPDX-License-Identifier: GPL-2.0 +/* + * Copyright (C) Microsoft Corporation. All rights reserved. + */ + +#include "../ipe.h" +#include "../ipe-pin.h" +#include "../ipe-property.h" +#include "../utility.h" + +#include +#include +#include +#include +#include +#include + +#define PROPERTY_NAME "dmverity_roothash" + +struct counted_array { + u8 *arr; + size_t len; +}; + +static void audit(struct audit_buffer *ab, const void *value) +{ + const struct counted_array *a = (const struct counted_array *)value; + + if (!a || a->len == 0) + audit_log_format(ab, "NULL"); + else + audit_log_n_hex(ab, a->arr, a->len); +} + +static inline void audit_rule_value(struct audit_buffer *ab, + const void *value) +{ + audit(ab, value); +} + +static inline void audit_ctx(struct audit_buffer *ab, + const struct ipe_engine_ctx *ctx) +{ + struct counted_array a; + + if (!has_bdev(ctx->file)) + return audit(ab, NULL); + + a.arr = ctx->sec_bdev->dmverity_rh; + a.len = ctx->sec_bdev->rh_size; + + return audit(ab, &a); +} + +static bool evaluate(const struct ipe_engine_ctx *ctx, + const void *value) +{ + const struct counted_array *a = (const struct counted_array *)value; + + if (!has_bdev(ctx->file)) + return false; + + if (a->len != ctx->sec_bdev->rh_size) + return false; + + return memcmp(a->arr, ctx->sec_bdev->dmverity_rh, a->len) == 0; +} + +static int parse(const char *val_str, void **value) +{ + struct counted_array *arr = NULL; + int rv = 0; + + arr = kzalloc(sizeof(*arr), GFP_KERNEL); + if (!arr) { + rv = -ENOMEM; + goto err; + } + + arr->len = strlen(val_str) / 2; + + arr->arr = kzalloc(arr->len, GFP_KERNEL); + if (!arr->arr) { + rv = -ENOMEM; + goto err; + } + + rv = hex2bin(arr->arr, val_str, arr->len); + if (rv != 0) + goto err; + + *value = arr; + return rv; +err: + if (arr) + kfree(arr->arr); + kfree(arr); + return rv; +} + +static int duplicate(const void *src, void **dest) +{ + struct counted_array *arr = NULL; + const struct counted_array *src_arr = src; + int rv = 0; + + arr = kmemdup(src_arr, sizeof(*arr), GFP_KERNEL); + if (!arr) { + rv = -ENOMEM; + goto err; + } + + arr->arr = kmemdup(src_arr->arr, src_arr->len, GFP_KERNEL); + if (!arr->arr) { + rv = -ENOMEM; + goto err; + } + + *dest = arr; + return rv; +err: + if (arr) + kfree(arr->arr); + kfree(arr); + + return rv; +} + +static void free_val(void **value) +{ + struct counted_array *a = (struct counted_array *)*value; + + if (a) + kfree(a->arr); + kfree(a); + *value = NULL; +} + +static const struct ipe_property dmv_roothash = { + .property_name = PROPERTY_NAME, + .version = 1, + .eval = evaluate, + .parse = parse, + .rule_audit = audit_rule_value, + .ctx_audit = audit_ctx, + .dup = duplicate, + .free_val = free_val, +}; + +int ipe_init_dm_verity_rh(void) +{ + return ipe_register_property(&dmv_roothash); +} diff --git a/security/ipe/properties/prop-entry.h b/security/ipe/properties/prop-entry.h index 85366366ff0d..86a360570f3b 100644 --- a/security/ipe/properties/prop-entry.h +++ b/security/ipe/properties/prop-entry.h @@ -26,4 +26,13 @@ static inline int __init ipe_init_dm_verity_signature(void) int __init ipe_init_dm_verity_signature(void); #endif /* CONFIG_IPE_DM_VERITY_SIGNATURE */ +#ifndef CONFIG_IPE_DM_VERITY_ROOTHASH +static inline int __init ipe_init_dm_verity_rh(void) +{ + return 0; +} +#else +int __init ipe_init_dm_verity_rh(void); +#endif /* CONFIG_IPE_DM_VERITY_ROOTHASH */ + #endif /* IPE_PROP_ENTRY_H */ -- 2.27.0 -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit