All of lore.kernel.org
 help / color / mirror / Atom feed
From: Matthias Kaehlcke <mka@chromium.org>
To: Mike Snitzer <snitzer@redhat.com>
Cc: Alasdair Kergon <agk@redhat.com>,
	Mike Snitzer <snitzer@kernel.org>,
	Kees Cook <keescook@chromium.org>,
	James Morris <jmorris@namei.org>,
	"Serge E . Hallyn" <serge@hallyn.com>,
	dm-devel@redhat.com, linux-kernel@vger.kernel.org,
	linux-raid@vger.kernel.org, Song Liu <song@kernel.org>,
	Douglas Anderson <dianders@chromium.org>,
	linux-security-module@vger.kernel.org
Subject: Re: [PATCH v3 1/3] dm: Add verity helpers for LoadPin
Date: Thu, 12 May 2022 11:14:39 -0700	[thread overview]
Message-ID: <Yn1Oj5aneik2hNZy@google.com> (raw)
In-Reply-To: <Yn1BkO4t+CXR0nzk@redhat.com>

Hi Mike,

On Thu, May 12, 2022 at 01:19:12PM -0400, Mike Snitzer wrote:
> On Wed, May 11 2022 at  4:54P -0400,
> Matthias Kaehlcke <mka@chromium.org> wrote:
> 
> > Alasdar/Mike, I'd be interested in your take on adding these functions
> > to verity/DM, to get an idea whether this series has a path forward to
> > landing upstream.
> 
> I'll be reviewing your patchset now. Comments inlined below.

Thanks for the review!

> > On Wed, May 04, 2022 at 12:54:17PM -0700, Matthias Kaehlcke wrote:
> > > LoadPin limits loading of kernel modules, firmware and certain
> > > other files to a 'pinned' file system (typically a read-only
> > > rootfs). To provide more flexibility LoadPin is being extended
> > > to also allow loading these files from trusted dm-verity
> > > devices. For that purpose LoadPin can be provided with a list
> > > of verity root digests that it should consider as trusted.
> > > 
> > > Add a bunch of helpers to allow LoadPin to check whether a DM
> > > device is a trusted verity device. The new functions broadly
> > > fall in two categories: those that need access to verity
> > > internals (like the root digest), and the 'glue' between
> > > LoadPin and verity. The new file dm-verity-loadpin.c contains
> > > the glue functions.
> > > 
> > > Signed-off-by: Matthias Kaehlcke <mka@chromium.org>
> > > ---
> > > 
> > > Changes in v3:
> > > - none
> > > 
> > > Changes in v2:
> > > - none
> > > 
> > >  drivers/md/Makefile               |  6 +++
> > >  drivers/md/dm-verity-loadpin.c    | 80 +++++++++++++++++++++++++++++++
> > >  drivers/md/dm-verity-target.c     | 33 +++++++++++++
> > >  drivers/md/dm-verity.h            |  4 ++
> > >  include/linux/dm-verity-loadpin.h | 27 +++++++++++
> > >  5 files changed, 150 insertions(+)
> > >  create mode 100644 drivers/md/dm-verity-loadpin.c
> > >  create mode 100644 include/linux/dm-verity-loadpin.h
> > > 
> > > diff --git a/drivers/md/Makefile b/drivers/md/Makefile
> > > index 0454b0885b01..e12cd004d375 100644
> > > --- a/drivers/md/Makefile
> > > +++ b/drivers/md/Makefile
> > > @@ -100,6 +100,12 @@ ifeq ($(CONFIG_IMA),y)
> > >  dm-mod-objs			+= dm-ima.o
> > >  endif
> > >  
> > > +ifeq ($(CONFIG_DM_VERITY),y)
> > > +ifeq ($(CONFIG_SECURITY_LOADPIN),y)
> > > +dm-mod-objs			+= dm-verity-loadpin.o
> > > +endif
> > > +endif
> > > +
> 
> Why are you extending dm-mod-objs?  Why not dm-verity-objs?
> 
> > >  ifeq ($(CONFIG_DM_VERITY_FEC),y)
> > >  dm-verity-objs			+= dm-verity-fec.o
> > >  endif
> > > diff --git a/drivers/md/dm-verity-loadpin.c b/drivers/md/dm-verity-loadpin.c
> > > new file mode 100644
> > > index 000000000000..972ca93a2231
> > > --- /dev/null
> > > +++ b/drivers/md/dm-verity-loadpin.c
> > > @@ -0,0 +1,80 @@
> > > +// SPDX-License-Identifier: GPL-2.0-only
> > > +
> > > +#include <linux/list.h>
> > > +#include <linux/kernel.h>
> > > +#include <linux/dm-verity-loadpin.h>
> > > +
> > > +#include "dm.h"
> > > +#include "dm-verity.h"
> > > +
> > > +static struct list_head *trusted_root_digests;
> > > +
> > > +/*
> > > + * Sets the root digests of verity devices which LoadPin considers as trusted.
> > > + *
> > > + * This function must only be called once.
> > > + */
> > > +void dm_verity_loadpin_set_trusted_root_digests(struct list_head *digests)
> > > +{
> > > +	if (!trusted_root_digests)
> > > +		trusted_root_digests = digests;
> > > +	else
> > > +		pr_warn("verity root digests trusted by LoadPin are already set!!!\n");
> > > +}
> 
> Would prefer you set a DM_MSG_PREFIX and use DMWARN() instead.

Sure, I'll change it to DMWARN().

> You never explicitly initialize trusted_root_digests to NULL.

That's what I had initially, however checkpatch didn't like it:

ERROR: do not initialise statics to NULL
#70: FILE: drivers/md/dm-verity-loadpin.c:10:
+static struct list_head *trusted_root_digests = NULL;

So I removed it.

> Also, I'll have to look at the caller(s), but without locking this
> branching is racey.

The list of trusted root digests can only be set once and is never
cleared. So if it is not set there is nothing to do, and if it is
set the list is immutable. We are trusting the caller to adhere to
that 'contract' and partially enforce it in dm_verity_loadpin_set_trusted_root_digests()
With that do you still think locking is needed?

> > > +
> > > +static bool is_trusted_verity_target(struct dm_target *ti)
> > > +{
> > > +	u8 *root_digest;
> > > +	unsigned int digest_size;
> > > +	struct trusted_root_digest *trd;
> > > +	bool trusted = false;
> > > +
> > > +	if (!dm_is_verity_target(ti))
> > > +		return false;
> > > +
> > > +	if (dm_verity_get_root_digest(ti, &root_digest, &digest_size))
> > > +		return false;
> > > +
> > > +	list_for_each_entry(trd, trusted_root_digests, node) {
> > > +		if ((trd->len == digest_size) &&
> > > +		    !memcmp(trd->data, root_digest, digest_size)) {
> > > +			trusted = true;
> > > +			break;
> > > +		}
> > > +	}
> > > +
> > > +	kfree(root_digest);
> > > +
> > > +	return trusted;
> > > +}
> > > +
> > > +/*
> > > + * Determines whether a mapped device is a verity device that is trusted
> > > + * by LoadPin.
> > > + */
> > > +bool dm_verity_loadpin_is_md_trusted(struct mapped_device *md)
> > > +{
> > > +	int srcu_idx;
> > > +	struct dm_table *table;
> > > +	unsigned int num_targets;
> > > +	bool trusted = false;
> > > +	int i;
> > > +
> > > +	if (!trusted_root_digests || list_empty(trusted_root_digests))
> > > +		return false;
> 
> Again, where is the locking to protect trusted_root_digests?

See above

WARNING: multiple messages have this Message-ID
From: Matthias Kaehlcke <mka@chromium.org>
To: Mike Snitzer <snitzer@redhat.com>
Cc: linux-security-module@vger.kernel.org,
	Douglas Anderson <dianders@chromium.org>,
	Kees Cook <keescook@chromium.org>,
	Mike Snitzer <snitzer@kernel.org>,
	James Morris <jmorris@namei.org>,
	linux-kernel@vger.kernel.org, linux-raid@vger.kernel.org,
	Song Liu <song@kernel.org>,
	dm-devel@redhat.com, Alasdair Kergon <agk@redhat.com>,
	"Serge E . Hallyn" <serge@hallyn.com>
Subject: Re: [dm-devel] [PATCH v3 1/3] dm: Add verity helpers for LoadPin
Date: Thu, 12 May 2022 11:14:39 -0700	[thread overview]
Message-ID: <Yn1Oj5aneik2hNZy@google.com> (raw)
In-Reply-To: <Yn1BkO4t+CXR0nzk@redhat.com>

Hi Mike,

On Thu, May 12, 2022 at 01:19:12PM -0400, Mike Snitzer wrote:
> On Wed, May 11 2022 at  4:54P -0400,
> Matthias Kaehlcke <mka@chromium.org> wrote:
> 
> > Alasdar/Mike, I'd be interested in your take on adding these functions
> > to verity/DM, to get an idea whether this series has a path forward to
> > landing upstream.
> 
> I'll be reviewing your patchset now. Comments inlined below.

Thanks for the review!

> > On Wed, May 04, 2022 at 12:54:17PM -0700, Matthias Kaehlcke wrote:
> > > LoadPin limits loading of kernel modules, firmware and certain
> > > other files to a 'pinned' file system (typically a read-only
> > > rootfs). To provide more flexibility LoadPin is being extended
> > > to also allow loading these files from trusted dm-verity
> > > devices. For that purpose LoadPin can be provided with a list
> > > of verity root digests that it should consider as trusted.
> > > 
> > > Add a bunch of helpers to allow LoadPin to check whether a DM
> > > device is a trusted verity device. The new functions broadly
> > > fall in two categories: those that need access to verity
> > > internals (like the root digest), and the 'glue' between
> > > LoadPin and verity. The new file dm-verity-loadpin.c contains
> > > the glue functions.
> > > 
> > > Signed-off-by: Matthias Kaehlcke <mka@chromium.org>
> > > ---
> > > 
> > > Changes in v3:
> > > - none
> > > 
> > > Changes in v2:
> > > - none
> > > 
> > >  drivers/md/Makefile               |  6 +++
> > >  drivers/md/dm-verity-loadpin.c    | 80 +++++++++++++++++++++++++++++++
> > >  drivers/md/dm-verity-target.c     | 33 +++++++++++++
> > >  drivers/md/dm-verity.h            |  4 ++
> > >  include/linux/dm-verity-loadpin.h | 27 +++++++++++
> > >  5 files changed, 150 insertions(+)
> > >  create mode 100644 drivers/md/dm-verity-loadpin.c
> > >  create mode 100644 include/linux/dm-verity-loadpin.h
> > > 
> > > diff --git a/drivers/md/Makefile b/drivers/md/Makefile
> > > index 0454b0885b01..e12cd004d375 100644
> > > --- a/drivers/md/Makefile
> > > +++ b/drivers/md/Makefile
> > > @@ -100,6 +100,12 @@ ifeq ($(CONFIG_IMA),y)
> > >  dm-mod-objs			+= dm-ima.o
> > >  endif
> > >  
> > > +ifeq ($(CONFIG_DM_VERITY),y)
> > > +ifeq ($(CONFIG_SECURITY_LOADPIN),y)
> > > +dm-mod-objs			+= dm-verity-loadpin.o
> > > +endif
> > > +endif
> > > +
> 
> Why are you extending dm-mod-objs?  Why not dm-verity-objs?
> 
> > >  ifeq ($(CONFIG_DM_VERITY_FEC),y)
> > >  dm-verity-objs			+= dm-verity-fec.o
> > >  endif
> > > diff --git a/drivers/md/dm-verity-loadpin.c b/drivers/md/dm-verity-loadpin.c
> > > new file mode 100644
> > > index 000000000000..972ca93a2231
> > > --- /dev/null
> > > +++ b/drivers/md/dm-verity-loadpin.c
> > > @@ -0,0 +1,80 @@
> > > +// SPDX-License-Identifier: GPL-2.0-only
> > > +
> > > +#include <linux/list.h>
> > > +#include <linux/kernel.h>
> > > +#include <linux/dm-verity-loadpin.h>
> > > +
> > > +#include "dm.h"
> > > +#include "dm-verity.h"
> > > +
> > > +static struct list_head *trusted_root_digests;
> > > +
> > > +/*
> > > + * Sets the root digests of verity devices which LoadPin considers as trusted.
> > > + *
> > > + * This function must only be called once.
> > > + */
> > > +void dm_verity_loadpin_set_trusted_root_digests(struct list_head *digests)
> > > +{
> > > +	if (!trusted_root_digests)
> > > +		trusted_root_digests = digests;
> > > +	else
> > > +		pr_warn("verity root digests trusted by LoadPin are already set!!!\n");
> > > +}
> 
> Would prefer you set a DM_MSG_PREFIX and use DMWARN() instead.

Sure, I'll change it to DMWARN().

> You never explicitly initialize trusted_root_digests to NULL.

That's what I had initially, however checkpatch didn't like it:

ERROR: do not initialise statics to NULL
#70: FILE: drivers/md/dm-verity-loadpin.c:10:
+static struct list_head *trusted_root_digests = NULL;

So I removed it.

> Also, I'll have to look at the caller(s), but without locking this
> branching is racey.

The list of trusted root digests can only be set once and is never
cleared. So if it is not set there is nothing to do, and if it is
set the list is immutable. We are trusting the caller to adhere to
that 'contract' and partially enforce it in dm_verity_loadpin_set_trusted_root_digests()
With that do you still think locking is needed?

> > > +
> > > +static bool is_trusted_verity_target(struct dm_target *ti)
> > > +{
> > > +	u8 *root_digest;
> > > +	unsigned int digest_size;
> > > +	struct trusted_root_digest *trd;
> > > +	bool trusted = false;
> > > +
> > > +	if (!dm_is_verity_target(ti))
> > > +		return false;
> > > +
> > > +	if (dm_verity_get_root_digest(ti, &root_digest, &digest_size))
> > > +		return false;
> > > +
> > > +	list_for_each_entry(trd, trusted_root_digests, node) {
> > > +		if ((trd->len == digest_size) &&
> > > +		    !memcmp(trd->data, root_digest, digest_size)) {
> > > +			trusted = true;
> > > +			break;
> > > +		}
> > > +	}
> > > +
> > > +	kfree(root_digest);
> > > +
> > > +	return trusted;
> > > +}
> > > +
> > > +/*
> > > + * Determines whether a mapped device is a verity device that is trusted
> > > + * by LoadPin.
> > > + */
> > > +bool dm_verity_loadpin_is_md_trusted(struct mapped_device *md)
> > > +{
> > > +	int srcu_idx;
> > > +	struct dm_table *table;
> > > +	unsigned int num_targets;
> > > +	bool trusted = false;
> > > +	int i;
> > > +
> > > +	if (!trusted_root_digests || list_empty(trusted_root_digests))
> > > +		return false;
> 
> Again, where is the locking to protect trusted_root_digests?

See above

--
dm-devel mailing list
dm-devel@redhat.com
https://listman.redhat.com/mailman/listinfo/dm-devel


  reply	other threads:[~2022-05-12 18:14 UTC|newest]

Thread overview: 42+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-05-04 19:54 [PATCH v3 0/3] LoadPin: Enable loading from trusted dm-verity devices Matthias Kaehlcke
2022-05-04 19:54 ` [dm-devel] " Matthias Kaehlcke
2022-05-04 19:54 ` [PATCH v3 1/3] dm: Add verity helpers for LoadPin Matthias Kaehlcke
2022-05-04 19:54   ` [dm-devel] " Matthias Kaehlcke
2022-05-11 20:54   ` Matthias Kaehlcke
2022-05-11 20:54     ` [dm-devel] " Matthias Kaehlcke
2022-05-12 17:19     ` Mike Snitzer
2022-05-12 17:19       ` [dm-devel] " Mike Snitzer
2022-05-12 18:14       ` Matthias Kaehlcke [this message]
2022-05-12 18:14         ` Matthias Kaehlcke
2022-05-12 20:44       ` Matthias Kaehlcke
2022-05-12 20:44         ` [dm-devel] " Matthias Kaehlcke
2022-05-13 16:29         ` Mike Snitzer
2022-05-13 16:29           ` [dm-devel] " Mike Snitzer
2022-05-13 16:53           ` Matthias Kaehlcke
2022-05-13 16:53             ` Matthias Kaehlcke
2022-05-13 22:15   ` Kees Cook
2022-05-13 22:15     ` [dm-devel] " Kees Cook
2022-05-16 18:51     ` Matthias Kaehlcke
2022-05-16 18:51       ` [dm-devel] " Matthias Kaehlcke
2022-05-17  3:38       ` Kees Cook
2022-05-17  3:38         ` [dm-devel] " Kees Cook
2022-05-04 19:54 ` [PATCH v3 2/3] LoadPin: Enable loading from trusted dm-verity devices Matthias Kaehlcke
2022-05-04 19:54   ` [dm-devel] " Matthias Kaehlcke
2022-05-04 22:26   ` kernel test robot
2022-05-04 22:26     ` [dm-devel] " kernel test robot
2022-05-13 16:32   ` Mike Snitzer
2022-05-13 16:32     ` [dm-devel] " Mike Snitzer
2022-05-13 17:01     ` Matthias Kaehlcke
2022-05-13 17:01       ` [dm-devel] " Matthias Kaehlcke
2022-05-13 18:26     ` Kees Cook
2022-05-13 18:26       ` [dm-devel] " Kees Cook
2022-05-13 22:36   ` Kees Cook
2022-05-13 22:36     ` [dm-devel] " Kees Cook
2022-05-16 18:17     ` Matthias Kaehlcke
2022-05-16 18:17       ` [dm-devel] " Matthias Kaehlcke
2022-05-17  3:44       ` Kees Cook
2022-05-17  3:44         ` [dm-devel] " Kees Cook
2022-05-17 19:28         ` Matthias Kaehlcke
2022-05-17 19:28           ` [dm-devel] " Matthias Kaehlcke
2022-05-04 19:54 ` [PATCH v3 3/3] dm: verity-loadpin: Use CONFIG_SECURITY_LOADPIN_VERITY for conditional compilation Matthias Kaehlcke
2022-05-04 19:54   ` [dm-devel] " Matthias Kaehlcke

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=Yn1Oj5aneik2hNZy@google.com \
    --to=mka@chromium.org \
    --cc=agk@redhat.com \
    --cc=dianders@chromium.org \
    --cc=dm-devel@redhat.com \
    --cc=jmorris@namei.org \
    --cc=keescook@chromium.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-raid@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=serge@hallyn.com \
    --cc=snitzer@kernel.org \
    --cc=snitzer@redhat.com \
    --cc=song@kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.