From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-17.4 required=3.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_PATCH,MAILING_LIST_MULTI, SIGNED_OFF_BY,SPF_HELO_NONE,SPF_PASS,USER_AGENT_GIT,USER_IN_DEF_DKIM_WL autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 4AE55C38A2B for ; Wed, 15 Apr 2020 16:27:50 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 08926208E4 for ; Wed, 15 Apr 2020 16:27:50 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (1024-bit key) header.d=linux.microsoft.com header.i=@linux.microsoft.com header.b="l48z5JK7" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1415913AbgDOQ1a (ORCPT ); Wed, 15 Apr 2020 12:27:30 -0400 Received: from linux.microsoft.com ([13.77.154.182]:49198 "EHLO linux.microsoft.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1415797AbgDOQ0F (ORCPT ); Wed, 15 Apr 2020 12:26:05 -0400 Received: from dede-linux.corp.microsoft.com (unknown [131.107.147.242]) by linux.microsoft.com (Postfix) with ESMTPSA id 4308B207295E; Wed, 15 Apr 2020 09:25:58 -0700 (PDT) DKIM-Filter: OpenDKIM Filter v2.11.0 linux.microsoft.com 4308B207295E DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.microsoft.com; s=default; t=1586967958; bh=BJW4QUk5SRvBXWMvbM+utBTv/Wl5G8SB4XBmU5eLNMg=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=l48z5JK7YcZfpPWXeqOnWZom7ZGAPNthaI7gdX84AhMc703yqgS1vlhlaAnaiImFp CUkdU4aMjK7bo5ZJyDQ6KnFMHWANUNnfoo7jCUaKxY0XcIycmiA+DjNHejreD0MOXs Tici3x/Emes39zMFH07aYj42EmzpXwmqmh7YM+OU= From: deven.desai@linux.microsoft.com To: agk@redhat.com, axboe@kernel.dk, snitzer@redhat.com, jmorris@namei.org, serge@hallyn.com, zohar@linux.ibm.com, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, dm-devel@redhat.com, linux-block@vger.kernel.org, jannh@google.com Cc: tyhicks@linux.microsoft.com, pasha.tatashin@soleen.com, sashal@kernel.org, jaskarankhurana@linux.microsoft.com, nramas@linux.microsoft.com, mdsakib@linux.microsoft.com, linux-kernel@vger.kernel.org, corbet@lwn.net Subject: [RFC PATCH v3 10/12] ipe: add property for dmverity roothash Date: Wed, 15 Apr 2020 09:25:48 -0700 Message-Id: <20200415162550.2324-11-deven.desai@linux.microsoft.com> X-Mailer: git-send-email 2.26.0 In-Reply-To: <20200415162550.2324-1-deven.desai@linux.microsoft.com> References: <20200415162550.2324-1-deven.desai@linux.microsoft.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: linux-integrity-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-integrity@vger.kernel.org From: Deven Bowers Add a property to allow IPE policy to express rules around a specific root-hash of a dm-verity volume. This can be used for revocation, (when combined with the previous dm-verity property) or the authorization of a single dm-verity volume. Signed-off-by: Deven Bowers --- security/ipe/ipe-blobs.c | 10 ++ security/ipe/ipe-engine.h | 3 + security/ipe/ipe.c | 4 + security/ipe/properties/Kconfig | 13 +- security/ipe/properties/Makefile | 1 + security/ipe/properties/dmverity-roothash.c | 152 ++++++++++++++++++++ security/ipe/properties/prop-entry.h | 9 ++ 7 files changed, 191 insertions(+), 1 deletion(-) create mode 100644 security/ipe/properties/dmverity-roothash.c diff --git a/security/ipe/ipe-blobs.c b/security/ipe/ipe-blobs.c index a4ee8df02855..1e054eb13857 100644 --- a/security/ipe/ipe-blobs.c +++ b/security/ipe/ipe-blobs.c @@ -45,6 +45,8 @@ void ipe_bdev_free_security(struct block_device *bdev) { struct ipe_bdev_blob *bdev_sec = ipe_bdev(bdev); + kfree(bdev_sec->dmverity_rh); + memset(bdev_sec, 0x0, sizeof(*bdev_sec)); } @@ -76,5 +78,13 @@ int ipe_bdev_setsecurity(struct block_device *bdev, const char *key, bdev_sec->dmv_rh_sig_len = len; } + if (!strcmp(key, DM_VERITY_ROOTHASH_SEC_NAME)) { + bdev_sec->dmverity_rh = kmemdup(value, len, GFP_KERNEL); + if (!bdev_sec->dmverity_rh) + return -ENOMEM; + + bdev_sec->rh_size = len; + } + return 0; } diff --git a/security/ipe/ipe-engine.h b/security/ipe/ipe-engine.h index 038c39a8973e..696baaa423ff 100644 --- a/security/ipe/ipe-engine.h +++ b/security/ipe/ipe-engine.h @@ -18,6 +18,9 @@ struct ipe_bdev_blob { u8 *dmverity_rh_sig; size_t dmv_rh_sig_len; + + u8 *dmverity_rh; + size_t rh_size; }; struct ipe_engine_ctx { diff --git a/security/ipe/ipe.c b/security/ipe/ipe.c index eceecb9423bd..b85e6a3ffff5 100644 --- a/security/ipe/ipe.c +++ b/security/ipe/ipe.c @@ -49,6 +49,10 @@ static int __init ipe_load_properties(void) if (rc != 0) return rc; + rc = ipe_init_dm_verity_rh(); + if (rc != 0) + return rc; + return rc; } diff --git a/security/ipe/properties/Kconfig b/security/ipe/properties/Kconfig index 2d8866ee456e..57b97b2b3877 100644 --- a/security/ipe/properties/Kconfig +++ b/security/ipe/properties/Kconfig @@ -13,8 +13,19 @@ config IPE_BOOT_PROP if unsure, answer N. +config IPE_DM_VERITY_ROOTHASH + bool "Enable property for authorizing dm-verity volumes via root-hash" + depends on DM_VERITY + help + This option enables IPE's integration with Device-Mapper Verity. + This enables the usage of the property "dmverity_roothash" in IPE's + policy. This property allows authorization or revocation via a + a hex-string representing the roothash of a dmverity volume. + + if unsure, answer Y. + config IPE_DM_VERITY_SIGNATURE - bool "Enable property for signature verified dm-verity volumes" + bool "Enable property for verified dm-verity volumes" depends on DM_VERITY_VERIFY_ROOTHASH_SIG help This option enables IPE's integration with Device-Mapper Verity's diff --git a/security/ipe/properties/Makefile b/security/ipe/properties/Makefile index 6b67cbe36e31..d9a3807797f4 100644 --- a/security/ipe/properties/Makefile +++ b/security/ipe/properties/Makefile @@ -10,3 +10,4 @@ obj-$(CONFIG_SECURITY_IPE) += properties.o properties-$(CONFIG_IPE_BOOT_PROP) += boot-verified.o properties-$(CONFIG_IPE_DM_VERITY_SIGNATURE) += dmverity-signature.o +properties-$(CONFIG_IPE_DM_VERITY_ROOTHASH) += dmverity-roothash.o diff --git a/security/ipe/properties/dmverity-roothash.c b/security/ipe/properties/dmverity-roothash.c new file mode 100644 index 000000000000..5fa66fd6627b --- /dev/null +++ b/security/ipe/properties/dmverity-roothash.c @@ -0,0 +1,152 @@ +// SPDX-License-Identifier: GPL-2.0 +/* + * Copyright (C) Microsoft Corporation. All rights reserved. + */ + +#include "../ipe.h" +#include "../ipe-pin.h" +#include "../ipe-property.h" +#include "../utility.h" + +#include +#include +#include +#include +#include +#include + +#define PROPERTY_NAME "dmverity_roothash" + +struct counted_array { + u8 *arr; + size_t len; +}; + +static void audit(struct audit_buffer *ab, const void *value) +{ + const struct counted_array *a = (const struct counted_array *)value; + + if (!a || a->len == 0) + audit_log_format(ab, "NULL"); + else + audit_log_n_hex(ab, a->arr, a->len); +} + +static inline void audit_rule_value(struct audit_buffer *ab, + const void *value) +{ + audit(ab, value); +} + +static inline void audit_ctx(struct audit_buffer *ab, + const struct ipe_engine_ctx *ctx) +{ + struct counted_array a; + + if (!has_bdev(ctx->file)) + return audit(ab, NULL); + + a.arr = ctx->sec_bdev->dmverity_rh; + a.len = ctx->sec_bdev->rh_size; + + return audit(ab, &a); +} + +static bool evaluate(const struct ipe_engine_ctx *ctx, + const void *value) +{ + const struct counted_array *a = (const struct counted_array *)value; + + if (!has_bdev(ctx->file)) + return false; + + if (a->len != ctx->sec_bdev->rh_size) + return false; + + return memcmp(a->arr, ctx->sec_bdev->dmverity_rh, a->len) == 0; +} + +static int parse(const char *val_str, void **value) +{ + struct counted_array *arr = NULL; + int rv = 0; + + arr = kzalloc(sizeof(*arr), GFP_KERNEL); + if (!arr) { + rv = -ENOMEM; + goto err; + } + + arr->len = strlen(val_str) / 2; + + arr->arr = kzalloc(arr->len, GFP_KERNEL); + if (!arr->arr) { + rv = -ENOMEM; + goto err; + } + + rv = hex2bin(arr->arr, val_str, arr->len); + if (rv != 0) + goto err; + + *value = arr; + return rv; +err: + if (arr) + kfree(arr->arr); + kfree(arr); + return rv; +} + +static int duplicate(const void *src, void **dest) +{ + struct counted_array *arr = NULL; + const struct counted_array *src_arr = src; + int rv = 0; + + arr = kmemdup(src_arr, sizeof(*arr), GFP_KERNEL); + if (!arr) { + rv = -ENOMEM; + goto err; + } + + arr->arr = kmemdup(src_arr->arr, src_arr->len, GFP_KERNEL); + if (!arr->arr) { + rv = -ENOMEM; + goto err; + } + + *dest = arr; + return rv; +err: + if (arr) + kfree(arr->arr); + kfree(arr); + + return rv; +} + +static void free_val(void **value) +{ + struct counted_array *a = (struct counted_array *)*value; + + if (a) + kfree(a->arr); + kfree(a); + *value = NULL; +} + +static const struct ipe_property dmv_roothash = { + .property_name = PROPERTY_NAME, + .eval = evaluate, + .parse = parse, + .rule_audit = audit_rule_value, + .ctx_audit = audit_ctx, + .dup = duplicate, + .free_val = free_val, +}; + +int ipe_init_dm_verity_rh(void) +{ + return ipe_register_property(&dmv_roothash); +} diff --git a/security/ipe/properties/prop-entry.h b/security/ipe/properties/prop-entry.h index 85366366ff0d..86a360570f3b 100644 --- a/security/ipe/properties/prop-entry.h +++ b/security/ipe/properties/prop-entry.h @@ -26,4 +26,13 @@ static inline int __init ipe_init_dm_verity_signature(void) int __init ipe_init_dm_verity_signature(void); #endif /* CONFIG_IPE_DM_VERITY_SIGNATURE */ +#ifndef CONFIG_IPE_DM_VERITY_ROOTHASH +static inline int __init ipe_init_dm_verity_rh(void) +{ + return 0; +} +#else +int __init ipe_init_dm_verity_rh(void); +#endif /* CONFIG_IPE_DM_VERITY_ROOTHASH */ + #endif /* IPE_PROP_ENTRY_H */ -- 2.26.0