From: Matthias Kaehlcke <mka@chromium.org>
To: Mike Snitzer <snitzer@kernel.org>
Cc: Milan Broz <gmazyland@gmail.com>,
Alasdair Kergon <agk@redhat.com>,
Kees Cook <keescook@chromium.org>,
James Morris <jmorris@namei.org>,
"Serge E . Hallyn" <serge@hallyn.com>,
dm-devel@redhat.com, Douglas Anderson <dianders@chromium.org>,
linux-kernel@vger.kernel.org, linux-raid@vger.kernel.org,
Song Liu <song@kernel.org>,
linux-security-module@vger.kernel.org
Subject: Re: [PATCH v4 1/3] dm: Add verity helpers for LoadPin
Date: Wed, 18 May 2022 13:34:21 -0700 [thread overview]
Message-ID: <YoVYTf7oI4FNVHAJ@google.com> (raw)
In-Reply-To: <YoVRIHfXPa7+e1Zh@redhat.com>
On Wed, May 18, 2022 at 04:03:44PM -0400, Mike Snitzer wrote:
> On Wed, May 18 2022 at 11:13P -0400,
> Matthias Kaehlcke <mka@chromium.org> wrote:
>
> > Hi Milan,
> >
> > On Wed, May 18, 2022 at 09:57:43AM +0200, Milan Broz wrote:
> > > On 18/05/2022 01:34, Matthias Kaehlcke wrote:
> > > > LoadPin limits loading of kernel modules, firmware and certain
> > > > other files to a 'pinned' file system (typically a read-only
> > > > rootfs). To provide more flexibility LoadPin is being extended
> > > > to also allow loading these files from trusted dm-verity
> > > > devices. For that purpose LoadPin can be provided with a list
> > > > of verity root digests that it should consider as trusted.
> > > >
> > > > Add a bunch of helpers to allow LoadPin to check whether a DM
> > > > device is a trusted verity device. The new functions broadly
> > > > fall in two categories: those that need access to verity
> > > > internals (like the root digest), and the 'glue' between
> > > > LoadPin and verity. The new file dm-verity-loadpin.c contains
> > > > the glue functions.
> > > >
> > > > Signed-off-by: Matthias Kaehlcke <mka@chromium.org>
> > >
> > > ...
> > >
> > > > +
> > > > + if (dm_verity_get_root_digest(ti, &root_digest, &digest_size))
> > > > + return false;
> > >
> > > Almost unrelated note, but as there are more and more situations
> > > that checks verity root digest, shouldn't we export this as read-only
> > > sysfs attribute for DM verity devices?
> > >
> > > Attacker can always calculate (but not change) Merkle tree, so this
> > > is not something that need to be hidden.
> > >
> > > It would allow userspace to easily enumerate trusted DM devices without
> > > calling kernel ioctls...
> >
> > I guess that's an option if there are scenarios where it is useful. It
> > should probably be a separate patch, since it isn't directly related with
> > extending LoadPin support to trusted verity devices.
> >
> > > > +
> > > > + table = dm_get_live_table(md, &srcu_idx);
> > > > +
> > > > + if (dm_table_get_num_targets(table) != 1)
> > > > + goto out;
> > > > +
> > > > + ti = dm_table_get_target(table, 0);
> > > > +
> > > > + if (is_trusted_verity_target(ti))
> > > > + trusted = true;
> > >
> > > What happens is someone reloads verity table later with
> > > a different content (or even different target type)?
> > > Does LoadPin even care here?
> >
> > LoadPin cares, but only when new kernel files are loaded. It will then check
> > against the new verity table, and only allow loading of the file if it comes
> > from a verity target with a trusted digest.
> >
> > > > static struct target_type verity_target = {
> > > > .name = "verity",
> > > > .version = {1, 8, 0},
> > >
> > > Please increase the minor version, it is very useful to detect (in logs)
> > > that the target driver has compatible extensions.
> >
> > I can do that, but would like to confirm that this is really needed/desired.
> > This patch adds kernel-internal APIs which aren't accessible to userspace,
> > that don't impact verity directly, so I'm not sure an increased minor version
> > would be useful.
>
> Bumping to 1.8.1 is useful to indicate new changes that offer expanded
> use of the verity target (even if by LoadPin).
Ok, I'll bump the version, thanks for the confirmation.
next prev parent reply other threads:[~2022-05-18 20:34 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-05-17 23:34 [PATCH v4 0/3] LoadPin: Enable loading from trusted dm-verity devices Matthias Kaehlcke
2022-05-17 23:34 ` [PATCH v4 1/3] dm: Add verity helpers for LoadPin Matthias Kaehlcke
2022-05-18 7:57 ` [dm-devel] " Milan Broz
2022-05-18 15:13 ` Matthias Kaehlcke
2022-05-18 20:03 ` Mike Snitzer
2022-05-18 20:34 ` Matthias Kaehlcke [this message]
2022-05-18 19:52 ` Mike Snitzer
2022-05-18 20:35 ` Matthias Kaehlcke
2022-05-17 23:34 ` [PATCH v4 2/3] LoadPin: Enable loading from trusted dm-verity devices Matthias Kaehlcke
2022-05-18 8:58 ` kernel test robot
2022-05-18 14:40 ` Matthias Kaehlcke
2022-05-18 12:40 ` kernel test robot
2022-05-17 23:34 ` [PATCH v4 3/3] dm: verity-loadpin: Use CONFIG_SECURITY_LOADPIN_VERITY for conditional compilation Matthias Kaehlcke
2022-05-18 19:23 ` [PATCH v4 0/3] LoadPin: Enable loading from trusted dm-verity devices Kees Cook
2022-05-18 19:43 ` Mike Snitzer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YoVYTf7oI4FNVHAJ@google.com \
--to=mka@chromium.org \
--cc=agk@redhat.com \
--cc=dianders@chromium.org \
--cc=dm-devel@redhat.com \
--cc=gmazyland@gmail.com \
--cc=jmorris@namei.org \
--cc=keescook@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-raid@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=serge@hallyn.com \
--cc=snitzer@kernel.org \
--cc=song@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).