From: Roberto Sassu <roberto.sassu@huaweicloud.com>
To: Kumar Kartikeya Dwivedi <memxor@gmail.com>, joannelkoong@gmail.com
Cc: ast@kernel.org, daniel@iogearbox.net, andrii@kernel.org,
martin.lau@linux.dev, song@kernel.org, yhs@fb.com,
john.fastabend@gmail.com, kpsingh@kernel.org, sdf@google.com,
haoluo@google.com, jolsa@kernel.org, mykolal@fb.com,
dhowells@redhat.com, jarkko@kernel.org, rostedt@goodmis.org,
mingo@redhat.com, paul@paul-moore.com, jmorris@namei.org,
serge@hallyn.com, shuah@kernel.org, bpf@vger.kernel.org,
keyrings@vger.kernel.org, linux-security-module@vger.kernel.org,
linux-kselftest@vger.kernel.org, linux-kernel@vger.kernel.org,
deso@posteo.net, Roberto Sassu <roberto.sassu@huawei.com>
Subject: Re: [PATCH v16 07/12] bpf: Add bpf_verify_pkcs7_signature() kfunc
Date: Tue, 06 Sep 2022 10:07:41 +0200 [thread overview]
Message-ID: <3d32decb1fda80e261d9ed08decfdca45614c4af.camel@huaweicloud.com> (raw)
In-Reply-To: <CAP01T77F-A7igW+vp5RhzcqzRJymO6YRvNR2cfsh+2fKNy56YA@mail.gmail.com>
On Tue, 2022-09-06 at 04:57 +0200, Kumar Kartikeya Dwivedi wrote:
> On Mon, 5 Sept 2022 at 16:35, Roberto Sassu
> <roberto.sassu@huaweicloud.com> wrote:
> > From: Roberto Sassu <roberto.sassu@huawei.com>
> >
> > Add the bpf_verify_pkcs7_signature() kfunc, to give eBPF security
> > modules
> > the ability to check the validity of a signature against supplied
> > data, by
> > using user-provided or system-provided keys as trust anchor.
> >
> > The new kfunc makes it possible to enforce mandatory policies, as
> > eBPF
> > programs might be allowed to make security decisions only based on
> > data
> > sources the system administrator approves.
> >
> > The caller should provide the data to be verified and the signature
> > as eBPF
> > dynamic pointers (to minimize the number of parameters) and a
> > bpf_key
> > structure containing a reference to the keyring with keys trusted
> > for
> > signature verification, obtained from bpf_lookup_user_key() or
> > bpf_lookup_system_key().
> >
> > For bpf_key structures obtained from the former lookup function,
> > bpf_verify_pkcs7_signature() completes the permission check
> > deferred by
> > that function by calling key_validate(). key_task_permission() is
> > already
> > called by the PKCS#7 code.
> >
> > Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
> > Acked-by: KP Singh <kpsingh@kernel.org>
> > ---
> > kernel/trace/bpf_trace.c | 45
> > ++++++++++++++++++++++++++++++++++++++++
> > 1 file changed, 45 insertions(+)
> >
> > diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c
> > index 7a7023704ac2..8e2c026b0a58 100644
> > --- a/kernel/trace/bpf_trace.c
> > +++ b/kernel/trace/bpf_trace.c
> > @@ -1294,12 +1294,57 @@ void bpf_key_put(struct bpf_key *bkey)
> > kfree(bkey);
> > }
> >
> > +#ifdef CONFIG_SYSTEM_DATA_VERIFICATION
> > +/**
> > + * bpf_verify_pkcs7_signature - verify a PKCS#7 signature
> > + * @data_ptr: data to verify
> > + * @sig_ptr: signature of the data
> > + * @trusted_keyring: keyring with keys trusted for signature
> > verification
> > + *
> > + * Verify the PKCS#7 signature *sig_ptr* against the supplied
> > *data_ptr*
> > + * with keys in a keyring referenced by *trusted_keyring*.
> > + *
> > + * Return: 0 on success, a negative value on error.
> > + */
> > +int bpf_verify_pkcs7_signature(struct bpf_dynptr_kern *data_ptr,
> > + struct bpf_dynptr_kern *sig_ptr,
> > + struct bpf_key *trusted_keyring)
> > +{
> > + int ret;
> > +
> > + if (trusted_keyring->has_ref) {
> > + /*
> > + * Do the permission check deferred in
> > bpf_lookup_user_key().
> > + * See bpf_lookup_user_key() for more details.
> > + *
> > + * A call to key_task_permission() here would be
> > redundant, as
> > + * it is already done by keyring_search() called by
> > + * find_asymmetric_key().
> > + */
> > + ret = key_validate(trusted_keyring->key);
> > + if (ret < 0)
> > + return ret;
> > + }
> > +
> > + return verify_pkcs7_signature(data_ptr->data,
> > + bpf_dynptr_get_size(data_ptr)
> > ,
> > + sig_ptr->data,
> > + bpf_dynptr_get_size(sig_ptr),
>
> MIssing check for data_ptr->data == NULL before making this call?
> Same
> for sig_ptr.
Patch 3 requires the dynptrs to be initialized. Isn't enough?
Thanks
Roberto
next prev parent reply other threads:[~2022-09-06 8:08 UTC|newest]
Thread overview: 47+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-09-05 14:33 [PATCH v16 00/12] bpf: Add kfuncs for PKCS#7 signature verification Roberto Sassu
2022-09-05 14:33 ` [PATCH v16 01/12] bpf: Allow kfuncs to be used in LSM programs Roberto Sassu
2022-09-06 2:28 ` Kumar Kartikeya Dwivedi
2022-09-05 14:33 ` [PATCH v16 02/12] bpf: Move dynptr type check to is_dynptr_type_expected() Roberto Sassu
2022-09-06 2:32 ` Kumar Kartikeya Dwivedi
2022-09-05 14:33 ` [PATCH v16 03/12] btf: Allow dynamic pointer parameters in kfuncs Roberto Sassu
2022-09-06 2:33 ` Kumar Kartikeya Dwivedi
2022-09-05 14:33 ` [PATCH v16 04/12] bpf: Export bpf_dynptr_get_size() Roberto Sassu
2022-09-06 2:33 ` Kumar Kartikeya Dwivedi
2022-09-06 3:06 ` Hou Tao
2022-09-05 14:33 ` [PATCH v16 05/12] KEYS: Move KEY_LOOKUP_ to include/linux/key.h and define KEY_LOOKUP_ALL Roberto Sassu
2022-09-05 21:38 ` Jarkko Sakkinen
2022-09-06 7:08 ` Roberto Sassu
2022-09-06 10:37 ` Jarkko Sakkinen
2022-09-06 11:04 ` Roberto Sassu
2022-09-06 11:43 ` Jarkko Sakkinen
2022-09-06 12:15 ` [PATCH v17 " Roberto Sassu
2022-09-06 12:26 ` Jarkko Sakkinen
2022-09-06 12:28 ` Roberto Sassu
2022-09-05 14:33 ` [PATCH v16 06/12] bpf: Add bpf_lookup_*_key() and bpf_key_put() kfuncs Roberto Sassu
2022-09-06 2:43 ` Kumar Kartikeya Dwivedi
2022-09-06 8:00 ` Roberto Sassu
2022-09-06 18:45 ` Alexei Starovoitov
2022-09-07 6:59 ` Roberto Sassu
2022-09-05 14:33 ` [PATCH v16 07/12] bpf: Add bpf_verify_pkcs7_signature() kfunc Roberto Sassu
2022-09-06 2:57 ` Kumar Kartikeya Dwivedi
2022-09-06 8:07 ` Roberto Sassu [this message]
2022-09-07 2:28 ` Kumar Kartikeya Dwivedi
2022-09-07 12:19 ` Roberto Sassu
2022-09-07 13:55 ` Kumar Kartikeya Dwivedi
2022-09-05 14:33 ` [PATCH v16 08/12] selftests/bpf: Compile kernel with everything as built-in Roberto Sassu
2022-09-06 3:01 ` Kumar Kartikeya Dwivedi
2022-09-05 14:33 ` [PATCH v16 09/12] selftests/bpf: Add verifier tests for bpf_lookup_*_key() and bpf_key_put() Roberto Sassu
2022-09-06 3:03 ` Kumar Kartikeya Dwivedi
2022-09-05 14:33 ` [PATCH v16 10/12] selftests/bpf: Add additional tests for bpf_lookup_*_key() Roberto Sassu
2022-09-05 14:33 ` [PATCH v16 11/12] selftests/bpf: Add test for bpf_verify_pkcs7_signature() kfunc Roberto Sassu
2022-09-05 14:33 ` [PATCH v16 12/12] selftests/bpf: Add tests for dynamic pointers parameters in kfuncs Roberto Sassu
2022-09-06 3:15 ` Kumar Kartikeya Dwivedi
2022-09-06 8:30 ` Roberto Sassu
2022-09-07 2:34 ` Kumar Kartikeya Dwivedi
2022-09-07 14:59 ` [PATCH v17 " Roberto Sassu
2022-09-07 16:02 ` Kumar Kartikeya Dwivedi
2022-09-05 19:26 ` [PATCH v16 00/12] bpf: Add kfuncs for PKCS#7 signature verification Kumar Kartikeya Dwivedi
2022-09-06 7:35 ` Roberto Sassu
2022-09-07 14:49 ` Roberto Sassu
2022-09-07 14:57 ` Kumar Kartikeya Dwivedi
2022-09-07 15:09 ` Roberto Sassu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=3d32decb1fda80e261d9ed08decfdca45614c4af.camel@huaweicloud.com \
--to=roberto.sassu@huaweicloud.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=deso@posteo.net \
--cc=dhowells@redhat.com \
--cc=haoluo@google.com \
--cc=jarkko@kernel.org \
--cc=jmorris@namei.org \
--cc=joannelkoong@gmail.com \
--cc=john.fastabend@gmail.com \
--cc=jolsa@kernel.org \
--cc=keyrings@vger.kernel.org \
--cc=kpsingh@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=martin.lau@linux.dev \
--cc=memxor@gmail.com \
--cc=mingo@redhat.com \
--cc=mykolal@fb.com \
--cc=paul@paul-moore.com \
--cc=roberto.sassu@huawei.com \
--cc=rostedt@goodmis.org \
--cc=sdf@google.com \
--cc=serge@hallyn.com \
--cc=shuah@kernel.org \
--cc=song@kernel.org \
--cc=yhs@fb.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).