From: Fan Wu <wufan@linux.microsoft.com>
To: corbet@lwn.net, zohar@linux.ibm.com, jmorris@namei.org,
serge@hallyn.com, tytso@mit.edu, ebiggers@kernel.org,
axboe@kernel.dk, agk@redhat.com, snitzer@kernel.org,
eparis@redhat.com, paul@paul-moore.com
Cc: linux-doc@vger.kernel.org, linux-integrity@vger.kernel.org,
linux-security-module@vger.kernel.org,
linux-fscrypt@vger.kernel.org, linux-block@vger.kernel.org,
dm-devel@redhat.com, linux-audit@redhat.com,
roberto.sassu@huawei.com, linux-kernel@vger.kernel.org,
Deven Bowers <deven.desai@linux.microsoft.com>,
Fan Wu <wufan@linux.microsoft.com>
Subject: [RFC PATCH v9 10/16] dm-verity: consume root hash digest and signature data via LSM hook
Date: Mon, 30 Jan 2023 14:57:25 -0800 [thread overview]
Message-ID: <1675119451-23180-11-git-send-email-wufan@linux.microsoft.com> (raw)
In-Reply-To: <1675119451-23180-1-git-send-email-wufan@linux.microsoft.com>
From: Deven Bowers <deven.desai@linux.microsoft.com>
dm-verity provides a strong guarantee of a block device's integrity. As
a generic way to check the integrity of a block device, it provides
those integrity guarantees to its higher layers, including the filesystem
level.
An LSM that control access to a resource on the system based on the
available integrity claims can use this transitive property of
dm-verity, by querying the underlying block_device of a particular
file.
The digest and signature information need to be stored in the block
device to fulfill the next requirement of authorization via LSM policy.
This will enable the LSM to perform revocation of devices that are still
mounted, prohibiting execution of files that are no longer authorized
by the LSM in question.
Signed-off-by: Deven Bowers <deven.desai@linux.microsoft.com>
Signed-off-by: Fan Wu <wufan@linux.microsoft.com>
---
v2:
+ No Changes
v3:
+ No changes
v4:
+ No changes
v5:
+ No changes
v6:
+ Fix an improper cleanup that can result in
a leak
v7:
+ Squash patch 08/12, 10/12 to [11/16]
+ Use part0 for block_device, to retrieve the block_device, when
calling security_bdev_setsecurity
v8:
+ Undo squash of 08/12, 10/12 - separating drivers/md/ from
security/ & block/
+ Use common-audit function for dmverity_signature.
+ Change implementation for storing the dm-verity digest to use the
newly introduced dm_verity_digest structure introduced in patch
14/20.
+ Create new structure, dm_verity_digest, containing digest algorithm,
size, and digest itself to pass to the LSM layer. V7 was missing the
algorithm.
+ Create an associated public header containing this new structure and
the key values for the LSM hook, specific to dm-verity.
+ Additional information added to commit, discussing the layering of
the changes and how the information passed will be used.
v9:
+ No changes
---
drivers/md/dm-verity-target.c | 25 +++++++++++++++++++++++--
drivers/md/dm-verity-verify-sig.c | 16 +++++++++++++---
drivers/md/dm-verity-verify-sig.h | 10 ++++++----
include/linux/dm-verity.h | 19 +++++++++++++++++++
4 files changed, 61 insertions(+), 9 deletions(-)
create mode 100644 include/linux/dm-verity.h
diff --git a/drivers/md/dm-verity-target.c b/drivers/md/dm-verity-target.c
index ccf5b852fbf7..afea61eed4ec 100644
--- a/drivers/md/dm-verity-target.c
+++ b/drivers/md/dm-verity-target.c
@@ -13,6 +13,7 @@
* access behavior.
*/
+#include "dm-core.h"
#include "dm-verity.h"
#include "dm-verity-fec.h"
#include "dm-verity-verify-sig.h"
@@ -21,6 +22,9 @@
#include <linux/scatterlist.h>
#include <linux/string.h>
#include <linux/jump_label.h>
+#include <linux/security.h>
+#include <linux/dm-verity.h>
+#include <crypto/hash_info.h>
#define DM_MSG_PREFIX "verity"
@@ -1169,6 +1173,8 @@ static int verity_ctr(struct dm_target *ti, unsigned argc, char **argv)
sector_t hash_position;
char dummy;
char *root_hash_digest_to_validate;
+ struct block_device *bdev;
+ struct dm_verity_digest root_digest;
v = kzalloc(sizeof(struct dm_verity), GFP_KERNEL);
if (!v) {
@@ -1211,6 +1217,13 @@ static int verity_ctr(struct dm_target *ti, unsigned argc, char **argv)
}
v->version = num;
+ bdev = dm_table_get_md(ti->table)->disk->part0;
+ if (!bdev) {
+ ti->error = "Mapped device lookup failed";
+ r = -ENOMEM;
+ goto bad;
+ }
+
r = dm_get_device(ti, argv[1], FMODE_READ, &v->data_dev);
if (r) {
ti->error = "Data device lookup failed";
@@ -1343,7 +1356,7 @@ static int verity_ctr(struct dm_target *ti, unsigned argc, char **argv)
}
/* Root hash signature is a optional parameter*/
- r = verity_verify_root_hash(root_hash_digest_to_validate,
+ r = verity_verify_root_hash(bdev, root_hash_digest_to_validate,
strlen(root_hash_digest_to_validate),
verify_args.sig,
verify_args.sig_size);
@@ -1428,12 +1441,20 @@ static int verity_ctr(struct dm_target *ti, unsigned argc, char **argv)
ti->per_io_data_size = roundup(ti->per_io_data_size,
__alignof__(struct dm_verity_io));
+ root_digest.digest = v->root_digest;
+ root_digest.digest_len = v->digest_size;
+ root_digest.algo = v->alg_name;
+
+ r = security_bdev_setsecurity(bdev, DM_VERITY_ROOTHASH_SEC_NAME, &root_digest,
+ sizeof(root_digest));
+ if (r)
+ goto bad;
+
verity_verify_sig_opts_cleanup(&verify_args);
return 0;
bad:
-
verity_verify_sig_opts_cleanup(&verify_args);
verity_dtr(ti);
diff --git a/drivers/md/dm-verity-verify-sig.c b/drivers/md/dm-verity-verify-sig.c
index db61a1f43ae9..5a73b91157d5 100644
--- a/drivers/md/dm-verity-verify-sig.c
+++ b/drivers/md/dm-verity-verify-sig.c
@@ -9,6 +9,9 @@
#include <linux/verification.h>
#include <keys/user-type.h>
#include <linux/module.h>
+#include <linux/security.h>
+#include <linux/dm-verity.h>
+#include "dm-core.h"
#include "dm-verity.h"
#include "dm-verity-verify-sig.h"
@@ -97,14 +100,17 @@ int verity_verify_sig_parse_opt_args(struct dm_arg_set *as,
* verify_verify_roothash - Verify the root hash of the verity hash device
* using builtin trusted keys.
*
+ * @bdev: block_device representing the device-mapper created block device.
+ * Used by the security hook, to set information about the block_device.
* @root_hash: For verity, the roothash/data to be verified.
* @root_hash_len: Size of the roothash/data to be verified.
* @sig_data: The trusted signature that verifies the roothash/data.
* @sig_len: Size of the signature.
*
*/
-int verity_verify_root_hash(const void *root_hash, size_t root_hash_len,
- const void *sig_data, size_t sig_len)
+int verity_verify_root_hash(struct block_device *bdev, const void *root_hash,
+ size_t root_hash_len, const void *sig_data,
+ size_t sig_len)
{
int ret;
@@ -126,8 +132,12 @@ int verity_verify_root_hash(const void *root_hash, size_t root_hash_len,
NULL,
#endif
VERIFYING_UNSPECIFIED_SIGNATURE, NULL, NULL);
+ if (ret)
+ return ret;
- return ret;
+ return security_bdev_setsecurity(bdev,
+ DM_VERITY_SIGNATURE_SEC_NAME,
+ sig_data, sig_len);
}
void verity_verify_sig_opts_cleanup(struct dm_verity_sig_opts *sig_opts)
diff --git a/drivers/md/dm-verity-verify-sig.h b/drivers/md/dm-verity-verify-sig.h
index 3987c7141f79..31692fff92e4 100644
--- a/drivers/md/dm-verity-verify-sig.h
+++ b/drivers/md/dm-verity-verify-sig.h
@@ -20,8 +20,9 @@ struct dm_verity_sig_opts {
#define DM_VERITY_ROOT_HASH_VERIFICATION_OPTS 2
-int verity_verify_root_hash(const void *data, size_t data_len,
- const void *sig_data, size_t sig_len);
+int verity_verify_root_hash(struct block_device *bdev, const void *data,
+ size_t data_len, const void *sig_data,
+ size_t sig_len);
bool verity_verify_is_sig_opt_arg(const char *arg_name);
int verity_verify_sig_parse_opt_args(struct dm_arg_set *as, struct dm_verity *v,
@@ -34,8 +35,9 @@ void verity_verify_sig_opts_cleanup(struct dm_verity_sig_opts *sig_opts);
#define DM_VERITY_ROOT_HASH_VERIFICATION_OPTS 0
-static inline int verity_verify_root_hash(const void *data, size_t data_len,
- const void *sig_data, size_t sig_len)
+int verity_verify_root_hash(struct block_device *bdev, const void *data,
+ size_t data_len, const void *sig_data,
+ size_t sig_len)
{
return 0;
}
diff --git a/include/linux/dm-verity.h b/include/linux/dm-verity.h
new file mode 100644
index 000000000000..bb0413d55d72
--- /dev/null
+++ b/include/linux/dm-verity.h
@@ -0,0 +1,19 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+
+#ifndef _LINUX_DM_VERITY_H
+#define _LINUX_DM_VERITY_H
+
+#include <linux/types.h>
+#include <crypto/hash_info.h>
+#include <linux/device-mapper.h>
+
+struct dm_verity_digest {
+ const char *algo;
+ const u8 *digest;
+ size_t digest_len;
+};
+
+#define DM_VERITY_SIGNATURE_SEC_NAME DM_NAME ".verity-signature"
+#define DM_VERITY_ROOTHASH_SEC_NAME DM_NAME ".verity-roothash"
+
+#endif /* _LINUX_DM_VERITY_H */
--
2.39.0
WARNING: multiple messages have this Message-ID (diff)
From: Fan Wu <wufan@linux.microsoft.com>
To: corbet@lwn.net, zohar@linux.ibm.com, jmorris@namei.org,
serge@hallyn.com, tytso@mit.edu, ebiggers@kernel.org,
axboe@kernel.dk, agk@redhat.com, snitzer@kernel.org,
eparis@redhat.com, paul@paul-moore.com
Cc: Fan Wu <wufan@linux.microsoft.com>,
dm-devel@redhat.com, linux-doc@vger.kernel.org,
Deven Bowers <deven.desai@linux.microsoft.com>,
roberto.sassu@huawei.com, linux-security-module@vger.kernel.org,
linux-kernel@vger.kernel.org, linux-block@vger.kernel.org,
linux-fscrypt@vger.kernel.org, linux-audit@redhat.com,
linux-integrity@vger.kernel.org
Subject: [dm-devel] [RFC PATCH v9 10/16] dm-verity: consume root hash digest and signature data via LSM hook
Date: Mon, 30 Jan 2023 14:57:25 -0800 [thread overview]
Message-ID: <1675119451-23180-11-git-send-email-wufan@linux.microsoft.com> (raw)
In-Reply-To: <1675119451-23180-1-git-send-email-wufan@linux.microsoft.com>
From: Deven Bowers <deven.desai@linux.microsoft.com>
dm-verity provides a strong guarantee of a block device's integrity. As
a generic way to check the integrity of a block device, it provides
those integrity guarantees to its higher layers, including the filesystem
level.
An LSM that control access to a resource on the system based on the
available integrity claims can use this transitive property of
dm-verity, by querying the underlying block_device of a particular
file.
The digest and signature information need to be stored in the block
device to fulfill the next requirement of authorization via LSM policy.
This will enable the LSM to perform revocation of devices that are still
mounted, prohibiting execution of files that are no longer authorized
by the LSM in question.
Signed-off-by: Deven Bowers <deven.desai@linux.microsoft.com>
Signed-off-by: Fan Wu <wufan@linux.microsoft.com>
---
v2:
+ No Changes
v3:
+ No changes
v4:
+ No changes
v5:
+ No changes
v6:
+ Fix an improper cleanup that can result in
a leak
v7:
+ Squash patch 08/12, 10/12 to [11/16]
+ Use part0 for block_device, to retrieve the block_device, when
calling security_bdev_setsecurity
v8:
+ Undo squash of 08/12, 10/12 - separating drivers/md/ from
security/ & block/
+ Use common-audit function for dmverity_signature.
+ Change implementation for storing the dm-verity digest to use the
newly introduced dm_verity_digest structure introduced in patch
14/20.
+ Create new structure, dm_verity_digest, containing digest algorithm,
size, and digest itself to pass to the LSM layer. V7 was missing the
algorithm.
+ Create an associated public header containing this new structure and
the key values for the LSM hook, specific to dm-verity.
+ Additional information added to commit, discussing the layering of
the changes and how the information passed will be used.
v9:
+ No changes
---
drivers/md/dm-verity-target.c | 25 +++++++++++++++++++++++--
drivers/md/dm-verity-verify-sig.c | 16 +++++++++++++---
drivers/md/dm-verity-verify-sig.h | 10 ++++++----
include/linux/dm-verity.h | 19 +++++++++++++++++++
4 files changed, 61 insertions(+), 9 deletions(-)
create mode 100644 include/linux/dm-verity.h
diff --git a/drivers/md/dm-verity-target.c b/drivers/md/dm-verity-target.c
index ccf5b852fbf7..afea61eed4ec 100644
--- a/drivers/md/dm-verity-target.c
+++ b/drivers/md/dm-verity-target.c
@@ -13,6 +13,7 @@
* access behavior.
*/
+#include "dm-core.h"
#include "dm-verity.h"
#include "dm-verity-fec.h"
#include "dm-verity-verify-sig.h"
@@ -21,6 +22,9 @@
#include <linux/scatterlist.h>
#include <linux/string.h>
#include <linux/jump_label.h>
+#include <linux/security.h>
+#include <linux/dm-verity.h>
+#include <crypto/hash_info.h>
#define DM_MSG_PREFIX "verity"
@@ -1169,6 +1173,8 @@ static int verity_ctr(struct dm_target *ti, unsigned argc, char **argv)
sector_t hash_position;
char dummy;
char *root_hash_digest_to_validate;
+ struct block_device *bdev;
+ struct dm_verity_digest root_digest;
v = kzalloc(sizeof(struct dm_verity), GFP_KERNEL);
if (!v) {
@@ -1211,6 +1217,13 @@ static int verity_ctr(struct dm_target *ti, unsigned argc, char **argv)
}
v->version = num;
+ bdev = dm_table_get_md(ti->table)->disk->part0;
+ if (!bdev) {
+ ti->error = "Mapped device lookup failed";
+ r = -ENOMEM;
+ goto bad;
+ }
+
r = dm_get_device(ti, argv[1], FMODE_READ, &v->data_dev);
if (r) {
ti->error = "Data device lookup failed";
@@ -1343,7 +1356,7 @@ static int verity_ctr(struct dm_target *ti, unsigned argc, char **argv)
}
/* Root hash signature is a optional parameter*/
- r = verity_verify_root_hash(root_hash_digest_to_validate,
+ r = verity_verify_root_hash(bdev, root_hash_digest_to_validate,
strlen(root_hash_digest_to_validate),
verify_args.sig,
verify_args.sig_size);
@@ -1428,12 +1441,20 @@ static int verity_ctr(struct dm_target *ti, unsigned argc, char **argv)
ti->per_io_data_size = roundup(ti->per_io_data_size,
__alignof__(struct dm_verity_io));
+ root_digest.digest = v->root_digest;
+ root_digest.digest_len = v->digest_size;
+ root_digest.algo = v->alg_name;
+
+ r = security_bdev_setsecurity(bdev, DM_VERITY_ROOTHASH_SEC_NAME, &root_digest,
+ sizeof(root_digest));
+ if (r)
+ goto bad;
+
verity_verify_sig_opts_cleanup(&verify_args);
return 0;
bad:
-
verity_verify_sig_opts_cleanup(&verify_args);
verity_dtr(ti);
diff --git a/drivers/md/dm-verity-verify-sig.c b/drivers/md/dm-verity-verify-sig.c
index db61a1f43ae9..5a73b91157d5 100644
--- a/drivers/md/dm-verity-verify-sig.c
+++ b/drivers/md/dm-verity-verify-sig.c
@@ -9,6 +9,9 @@
#include <linux/verification.h>
#include <keys/user-type.h>
#include <linux/module.h>
+#include <linux/security.h>
+#include <linux/dm-verity.h>
+#include "dm-core.h"
#include "dm-verity.h"
#include "dm-verity-verify-sig.h"
@@ -97,14 +100,17 @@ int verity_verify_sig_parse_opt_args(struct dm_arg_set *as,
* verify_verify_roothash - Verify the root hash of the verity hash device
* using builtin trusted keys.
*
+ * @bdev: block_device representing the device-mapper created block device.
+ * Used by the security hook, to set information about the block_device.
* @root_hash: For verity, the roothash/data to be verified.
* @root_hash_len: Size of the roothash/data to be verified.
* @sig_data: The trusted signature that verifies the roothash/data.
* @sig_len: Size of the signature.
*
*/
-int verity_verify_root_hash(const void *root_hash, size_t root_hash_len,
- const void *sig_data, size_t sig_len)
+int verity_verify_root_hash(struct block_device *bdev, const void *root_hash,
+ size_t root_hash_len, const void *sig_data,
+ size_t sig_len)
{
int ret;
@@ -126,8 +132,12 @@ int verity_verify_root_hash(const void *root_hash, size_t root_hash_len,
NULL,
#endif
VERIFYING_UNSPECIFIED_SIGNATURE, NULL, NULL);
+ if (ret)
+ return ret;
- return ret;
+ return security_bdev_setsecurity(bdev,
+ DM_VERITY_SIGNATURE_SEC_NAME,
+ sig_data, sig_len);
}
void verity_verify_sig_opts_cleanup(struct dm_verity_sig_opts *sig_opts)
diff --git a/drivers/md/dm-verity-verify-sig.h b/drivers/md/dm-verity-verify-sig.h
index 3987c7141f79..31692fff92e4 100644
--- a/drivers/md/dm-verity-verify-sig.h
+++ b/drivers/md/dm-verity-verify-sig.h
@@ -20,8 +20,9 @@ struct dm_verity_sig_opts {
#define DM_VERITY_ROOT_HASH_VERIFICATION_OPTS 2
-int verity_verify_root_hash(const void *data, size_t data_len,
- const void *sig_data, size_t sig_len);
+int verity_verify_root_hash(struct block_device *bdev, const void *data,
+ size_t data_len, const void *sig_data,
+ size_t sig_len);
bool verity_verify_is_sig_opt_arg(const char *arg_name);
int verity_verify_sig_parse_opt_args(struct dm_arg_set *as, struct dm_verity *v,
@@ -34,8 +35,9 @@ void verity_verify_sig_opts_cleanup(struct dm_verity_sig_opts *sig_opts);
#define DM_VERITY_ROOT_HASH_VERIFICATION_OPTS 0
-static inline int verity_verify_root_hash(const void *data, size_t data_len,
- const void *sig_data, size_t sig_len)
+int verity_verify_root_hash(struct block_device *bdev, const void *data,
+ size_t data_len, const void *sig_data,
+ size_t sig_len)
{
return 0;
}
diff --git a/include/linux/dm-verity.h b/include/linux/dm-verity.h
new file mode 100644
index 000000000000..bb0413d55d72
--- /dev/null
+++ b/include/linux/dm-verity.h
@@ -0,0 +1,19 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+
+#ifndef _LINUX_DM_VERITY_H
+#define _LINUX_DM_VERITY_H
+
+#include <linux/types.h>
+#include <crypto/hash_info.h>
+#include <linux/device-mapper.h>
+
+struct dm_verity_digest {
+ const char *algo;
+ const u8 *digest;
+ size_t digest_len;
+};
+
+#define DM_VERITY_SIGNATURE_SEC_NAME DM_NAME ".verity-signature"
+#define DM_VERITY_ROOTHASH_SEC_NAME DM_NAME ".verity-roothash"
+
+#endif /* _LINUX_DM_VERITY_H */
--
2.39.0
--
dm-devel mailing list
dm-devel@redhat.com
https://listman.redhat.com/mailman/listinfo/dm-devel
WARNING: multiple messages have this Message-ID (diff)
From: Fan Wu <wufan@linux.microsoft.com>
To: corbet@lwn.net, zohar@linux.ibm.com, jmorris@namei.org,
serge@hallyn.com, tytso@mit.edu, ebiggers@kernel.org,
axboe@kernel.dk, agk@redhat.com, snitzer@kernel.org,
eparis@redhat.com, paul@paul-moore.com
Cc: Fan Wu <wufan@linux.microsoft.com>,
dm-devel@redhat.com, linux-doc@vger.kernel.org,
Deven Bowers <deven.desai@linux.microsoft.com>,
roberto.sassu@huawei.com, linux-security-module@vger.kernel.org,
linux-kernel@vger.kernel.org, linux-block@vger.kernel.org,
linux-fscrypt@vger.kernel.org, linux-audit@redhat.com,
linux-integrity@vger.kernel.org
Subject: [RFC PATCH v9 10/16] dm-verity: consume root hash digest and signature data via LSM hook
Date: Mon, 30 Jan 2023 14:57:25 -0800 [thread overview]
Message-ID: <1675119451-23180-11-git-send-email-wufan@linux.microsoft.com> (raw)
In-Reply-To: <1675119451-23180-1-git-send-email-wufan@linux.microsoft.com>
From: Deven Bowers <deven.desai@linux.microsoft.com>
dm-verity provides a strong guarantee of a block device's integrity. As
a generic way to check the integrity of a block device, it provides
those integrity guarantees to its higher layers, including the filesystem
level.
An LSM that control access to a resource on the system based on the
available integrity claims can use this transitive property of
dm-verity, by querying the underlying block_device of a particular
file.
The digest and signature information need to be stored in the block
device to fulfill the next requirement of authorization via LSM policy.
This will enable the LSM to perform revocation of devices that are still
mounted, prohibiting execution of files that are no longer authorized
by the LSM in question.
Signed-off-by: Deven Bowers <deven.desai@linux.microsoft.com>
Signed-off-by: Fan Wu <wufan@linux.microsoft.com>
---
v2:
+ No Changes
v3:
+ No changes
v4:
+ No changes
v5:
+ No changes
v6:
+ Fix an improper cleanup that can result in
a leak
v7:
+ Squash patch 08/12, 10/12 to [11/16]
+ Use part0 for block_device, to retrieve the block_device, when
calling security_bdev_setsecurity
v8:
+ Undo squash of 08/12, 10/12 - separating drivers/md/ from
security/ & block/
+ Use common-audit function for dmverity_signature.
+ Change implementation for storing the dm-verity digest to use the
newly introduced dm_verity_digest structure introduced in patch
14/20.
+ Create new structure, dm_verity_digest, containing digest algorithm,
size, and digest itself to pass to the LSM layer. V7 was missing the
algorithm.
+ Create an associated public header containing this new structure and
the key values for the LSM hook, specific to dm-verity.
+ Additional information added to commit, discussing the layering of
the changes and how the information passed will be used.
v9:
+ No changes
---
drivers/md/dm-verity-target.c | 25 +++++++++++++++++++++++--
drivers/md/dm-verity-verify-sig.c | 16 +++++++++++++---
drivers/md/dm-verity-verify-sig.h | 10 ++++++----
include/linux/dm-verity.h | 19 +++++++++++++++++++
4 files changed, 61 insertions(+), 9 deletions(-)
create mode 100644 include/linux/dm-verity.h
diff --git a/drivers/md/dm-verity-target.c b/drivers/md/dm-verity-target.c
index ccf5b852fbf7..afea61eed4ec 100644
--- a/drivers/md/dm-verity-target.c
+++ b/drivers/md/dm-verity-target.c
@@ -13,6 +13,7 @@
* access behavior.
*/
+#include "dm-core.h"
#include "dm-verity.h"
#include "dm-verity-fec.h"
#include "dm-verity-verify-sig.h"
@@ -21,6 +22,9 @@
#include <linux/scatterlist.h>
#include <linux/string.h>
#include <linux/jump_label.h>
+#include <linux/security.h>
+#include <linux/dm-verity.h>
+#include <crypto/hash_info.h>
#define DM_MSG_PREFIX "verity"
@@ -1169,6 +1173,8 @@ static int verity_ctr(struct dm_target *ti, unsigned argc, char **argv)
sector_t hash_position;
char dummy;
char *root_hash_digest_to_validate;
+ struct block_device *bdev;
+ struct dm_verity_digest root_digest;
v = kzalloc(sizeof(struct dm_verity), GFP_KERNEL);
if (!v) {
@@ -1211,6 +1217,13 @@ static int verity_ctr(struct dm_target *ti, unsigned argc, char **argv)
}
v->version = num;
+ bdev = dm_table_get_md(ti->table)->disk->part0;
+ if (!bdev) {
+ ti->error = "Mapped device lookup failed";
+ r = -ENOMEM;
+ goto bad;
+ }
+
r = dm_get_device(ti, argv[1], FMODE_READ, &v->data_dev);
if (r) {
ti->error = "Data device lookup failed";
@@ -1343,7 +1356,7 @@ static int verity_ctr(struct dm_target *ti, unsigned argc, char **argv)
}
/* Root hash signature is a optional parameter*/
- r = verity_verify_root_hash(root_hash_digest_to_validate,
+ r = verity_verify_root_hash(bdev, root_hash_digest_to_validate,
strlen(root_hash_digest_to_validate),
verify_args.sig,
verify_args.sig_size);
@@ -1428,12 +1441,20 @@ static int verity_ctr(struct dm_target *ti, unsigned argc, char **argv)
ti->per_io_data_size = roundup(ti->per_io_data_size,
__alignof__(struct dm_verity_io));
+ root_digest.digest = v->root_digest;
+ root_digest.digest_len = v->digest_size;
+ root_digest.algo = v->alg_name;
+
+ r = security_bdev_setsecurity(bdev, DM_VERITY_ROOTHASH_SEC_NAME, &root_digest,
+ sizeof(root_digest));
+ if (r)
+ goto bad;
+
verity_verify_sig_opts_cleanup(&verify_args);
return 0;
bad:
-
verity_verify_sig_opts_cleanup(&verify_args);
verity_dtr(ti);
diff --git a/drivers/md/dm-verity-verify-sig.c b/drivers/md/dm-verity-verify-sig.c
index db61a1f43ae9..5a73b91157d5 100644
--- a/drivers/md/dm-verity-verify-sig.c
+++ b/drivers/md/dm-verity-verify-sig.c
@@ -9,6 +9,9 @@
#include <linux/verification.h>
#include <keys/user-type.h>
#include <linux/module.h>
+#include <linux/security.h>
+#include <linux/dm-verity.h>
+#include "dm-core.h"
#include "dm-verity.h"
#include "dm-verity-verify-sig.h"
@@ -97,14 +100,17 @@ int verity_verify_sig_parse_opt_args(struct dm_arg_set *as,
* verify_verify_roothash - Verify the root hash of the verity hash device
* using builtin trusted keys.
*
+ * @bdev: block_device representing the device-mapper created block device.
+ * Used by the security hook, to set information about the block_device.
* @root_hash: For verity, the roothash/data to be verified.
* @root_hash_len: Size of the roothash/data to be verified.
* @sig_data: The trusted signature that verifies the roothash/data.
* @sig_len: Size of the signature.
*
*/
-int verity_verify_root_hash(const void *root_hash, size_t root_hash_len,
- const void *sig_data, size_t sig_len)
+int verity_verify_root_hash(struct block_device *bdev, const void *root_hash,
+ size_t root_hash_len, const void *sig_data,
+ size_t sig_len)
{
int ret;
@@ -126,8 +132,12 @@ int verity_verify_root_hash(const void *root_hash, size_t root_hash_len,
NULL,
#endif
VERIFYING_UNSPECIFIED_SIGNATURE, NULL, NULL);
+ if (ret)
+ return ret;
- return ret;
+ return security_bdev_setsecurity(bdev,
+ DM_VERITY_SIGNATURE_SEC_NAME,
+ sig_data, sig_len);
}
void verity_verify_sig_opts_cleanup(struct dm_verity_sig_opts *sig_opts)
diff --git a/drivers/md/dm-verity-verify-sig.h b/drivers/md/dm-verity-verify-sig.h
index 3987c7141f79..31692fff92e4 100644
--- a/drivers/md/dm-verity-verify-sig.h
+++ b/drivers/md/dm-verity-verify-sig.h
@@ -20,8 +20,9 @@ struct dm_verity_sig_opts {
#define DM_VERITY_ROOT_HASH_VERIFICATION_OPTS 2
-int verity_verify_root_hash(const void *data, size_t data_len,
- const void *sig_data, size_t sig_len);
+int verity_verify_root_hash(struct block_device *bdev, const void *data,
+ size_t data_len, const void *sig_data,
+ size_t sig_len);
bool verity_verify_is_sig_opt_arg(const char *arg_name);
int verity_verify_sig_parse_opt_args(struct dm_arg_set *as, struct dm_verity *v,
@@ -34,8 +35,9 @@ void verity_verify_sig_opts_cleanup(struct dm_verity_sig_opts *sig_opts);
#define DM_VERITY_ROOT_HASH_VERIFICATION_OPTS 0
-static inline int verity_verify_root_hash(const void *data, size_t data_len,
- const void *sig_data, size_t sig_len)
+int verity_verify_root_hash(struct block_device *bdev, const void *data,
+ size_t data_len, const void *sig_data,
+ size_t sig_len)
{
return 0;
}
diff --git a/include/linux/dm-verity.h b/include/linux/dm-verity.h
new file mode 100644
index 000000000000..bb0413d55d72
--- /dev/null
+++ b/include/linux/dm-verity.h
@@ -0,0 +1,19 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+
+#ifndef _LINUX_DM_VERITY_H
+#define _LINUX_DM_VERITY_H
+
+#include <linux/types.h>
+#include <crypto/hash_info.h>
+#include <linux/device-mapper.h>
+
+struct dm_verity_digest {
+ const char *algo;
+ const u8 *digest;
+ size_t digest_len;
+};
+
+#define DM_VERITY_SIGNATURE_SEC_NAME DM_NAME ".verity-signature"
+#define DM_VERITY_ROOTHASH_SEC_NAME DM_NAME ".verity-roothash"
+
+#endif /* _LINUX_DM_VERITY_H */
--
2.39.0
--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
next prev parent reply other threads:[~2023-01-30 22:59 UTC|newest]
Thread overview: 225+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-01-30 22:57 [RFC PATCH v9 00/16] Integrity Policy Enforcement LSM (IPE) Fan Wu
2023-01-30 22:57 ` Fan Wu
2023-01-30 22:57 ` [dm-devel] " Fan Wu
2023-01-30 22:57 ` [RFC PATCH v9 01/16] security: add ipe lsm Fan Wu
2023-01-30 22:57 ` Fan Wu
2023-01-30 22:57 ` [dm-devel] " Fan Wu
2023-03-02 19:00 ` Paul Moore
2023-03-02 19:00 ` Paul Moore
2023-03-02 19:00 ` [dm-devel] " Paul Moore
2023-04-06 19:20 ` Fan Wu
2023-04-06 19:20 ` Fan Wu
2023-04-06 19:20 ` [dm-devel] " Fan Wu
2023-01-30 22:57 ` [RFC PATCH v9 02/16] ipe: add policy parser Fan Wu
2023-01-30 22:57 ` Fan Wu
2023-01-30 22:57 ` [dm-devel] " Fan Wu
2023-01-31 10:53 ` Roberto Sassu
2023-01-31 10:53 ` [dm-devel] " Roberto Sassu
2023-01-31 10:53 ` Roberto Sassu
2023-02-01 22:38 ` Fan Wu
2023-02-01 22:38 ` Fan Wu
2023-02-01 22:38 ` [dm-devel] " Fan Wu
2023-03-02 19:02 ` Paul Moore
2023-03-02 19:02 ` Paul Moore
2023-03-02 19:02 ` [dm-devel] " Paul Moore
2023-04-06 20:00 ` Fan Wu
2023-04-06 20:00 ` Fan Wu
2023-04-06 20:00 ` [dm-devel] " Fan Wu
2023-04-11 19:13 ` Paul Moore
2023-04-11 19:13 ` Paul Moore
2023-04-11 19:13 ` [dm-devel] " Paul Moore
2023-01-30 22:57 ` [RFC PATCH v9 03/16] ipe: add evaluation loop and introduce 'boot_verified' as a trust provider Fan Wu
2023-01-30 22:57 ` Fan Wu
2023-01-30 22:57 ` [dm-devel] " Fan Wu
2023-01-31 10:29 ` Roberto Sassu
2023-01-31 10:29 ` [dm-devel] " Roberto Sassu
2023-01-31 10:29 ` Roberto Sassu
2023-01-31 15:49 ` Roberto Sassu
2023-01-31 15:49 ` [dm-devel] " Roberto Sassu
2023-01-31 15:49 ` Roberto Sassu
2023-02-10 23:21 ` Fan Wu
2023-02-10 23:21 ` Fan Wu
2023-02-10 23:21 ` [dm-devel] " Fan Wu
2023-03-02 2:33 ` Paul Moore
2023-03-02 2:33 ` Paul Moore
2023-03-02 2:33 ` [dm-devel] " Paul Moore
2023-03-02 19:03 ` Paul Moore
2023-03-02 19:03 ` Paul Moore
2023-03-02 19:03 ` Paul Moore
2023-04-10 18:53 ` Fan Wu
2023-04-10 18:53 ` Fan Wu
2023-04-10 18:53 ` [dm-devel] " Fan Wu
2023-04-11 20:32 ` Paul Moore
2023-04-11 20:32 ` Paul Moore
2023-04-11 20:32 ` [dm-devel] " Paul Moore
2023-01-30 22:57 ` [RFC PATCH v9 04/16] security: add new securityfs delete function Fan Wu
2023-01-30 22:57 ` Fan Wu
2023-01-30 22:57 ` [dm-devel] " Fan Wu
2023-01-30 22:57 ` [RFC PATCH v9 05/16] ipe: add userspace interface Fan Wu
2023-01-30 22:57 ` Fan Wu
2023-01-30 22:57 ` [dm-devel] " Fan Wu
2023-01-31 10:49 ` Roberto Sassu
2023-01-31 10:49 ` [dm-devel] " Roberto Sassu
2023-01-31 10:49 ` Roberto Sassu
2023-02-01 19:46 ` Fan Wu
2023-02-01 19:46 ` [dm-devel] " Fan Wu
2023-02-01 19:46 ` Fan Wu
2023-02-05 8:42 ` kernel test robot
2023-03-02 19:04 ` Paul Moore
2023-03-02 19:04 ` Paul Moore
2023-03-02 19:04 ` [dm-devel] " Paul Moore
2023-04-10 19:10 ` Fan Wu
2023-04-10 19:10 ` Fan Wu
2023-04-10 19:10 ` [dm-devel] " Fan Wu
2023-04-11 21:45 ` Paul Moore
2023-04-11 21:45 ` Paul Moore
2023-04-11 21:45 ` [dm-devel] " Paul Moore
2023-04-12 23:36 ` Fan Wu
2023-04-12 23:36 ` Fan Wu
2023-04-12 23:36 ` [dm-devel] " Fan Wu
2023-04-13 18:45 ` Paul Moore
2023-04-13 18:45 ` Paul Moore
2023-04-13 18:45 ` [dm-devel] " Paul Moore
2023-04-17 18:06 ` Fan Wu
2023-04-17 18:06 ` Fan Wu
2023-04-17 18:06 ` [dm-devel] " Fan Wu
2023-04-17 20:16 ` Paul Moore
2023-04-17 20:16 ` Paul Moore
2023-04-17 20:16 ` [dm-devel] " Paul Moore
2023-04-17 21:18 ` Fan Wu
2023-04-17 21:18 ` Fan Wu
2023-04-17 21:18 ` [dm-devel] " Fan Wu
2023-04-17 21:31 ` Paul Moore
2023-04-17 21:31 ` Paul Moore
2023-04-17 21:31 ` [dm-devel] " Paul Moore
2023-01-30 22:57 ` [RFC PATCH v9 06/16] ipe: add LSM hooks on execution and kernel read Fan Wu
2023-01-30 22:57 ` Fan Wu
2023-01-30 22:57 ` [dm-devel] " Fan Wu
2023-01-31 12:51 ` Roberto Sassu
2023-01-31 12:51 ` [dm-devel] " Roberto Sassu
2023-01-31 12:51 ` Roberto Sassu
2023-02-09 22:42 ` Fan Wu
2023-02-09 22:42 ` Fan Wu
2023-02-09 22:42 ` [dm-devel] " Fan Wu
2023-03-02 19:05 ` Paul Moore
2023-03-02 19:05 ` Paul Moore
2023-03-02 19:05 ` [dm-devel] " Paul Moore
2023-04-10 21:22 ` Fan Wu
2023-04-10 21:22 ` Fan Wu
2023-04-10 21:22 ` [dm-devel] " Fan Wu
2023-01-30 22:57 ` [RFC PATCH v9 07/16] uapi|audit|ipe: add ipe auditing support Fan Wu
2023-01-30 22:57 ` Fan Wu
2023-01-30 22:57 ` [dm-devel] " Fan Wu
2023-01-31 12:57 ` Roberto Sassu
2023-01-31 12:57 ` [dm-devel] " Roberto Sassu
2023-01-31 12:57 ` Roberto Sassu
2023-01-31 17:10 ` Steve Grubb
2023-01-31 17:10 ` [dm-devel] " Steve Grubb
2023-01-31 17:10 ` Steve Grubb
2023-03-02 19:05 ` [dm-devel] " Paul Moore
2023-03-02 19:05 ` Paul Moore
2023-03-02 19:05 ` Paul Moore
2023-03-16 22:53 ` Fan Wu
2023-03-16 22:53 ` Fan Wu
2023-03-16 22:53 ` [dm-devel] " Fan Wu
2023-04-11 23:07 ` Paul Moore
2023-04-11 23:07 ` Paul Moore
2023-04-11 23:07 ` [dm-devel] " Paul Moore
2023-04-11 23:21 ` Paul Moore
2023-04-11 23:21 ` Paul Moore
2023-04-11 23:21 ` [dm-devel] " Paul Moore
2023-01-30 22:57 ` [RFC PATCH v9 08/16] ipe: add permissive toggle Fan Wu
2023-01-30 22:57 ` Fan Wu
2023-01-30 22:57 ` [dm-devel] " Fan Wu
2023-03-02 19:06 ` Paul Moore
2023-03-02 19:06 ` Paul Moore
2023-03-02 19:06 ` [dm-devel] " Paul Moore
2023-01-30 22:57 ` [RFC PATCH v9 09/16] block|security: add LSM blob to block_device Fan Wu
2023-01-30 22:57 ` Fan Wu
2023-01-30 22:57 ` [dm-devel] " Fan Wu
2023-01-31 8:53 ` Christoph Hellwig
2023-01-31 8:53 ` Christoph Hellwig
2023-01-31 8:53 ` [dm-devel] " Christoph Hellwig
2023-01-31 23:01 ` Fan Wu
2023-01-31 23:01 ` Fan Wu
2023-01-31 23:01 ` [dm-devel] " Fan Wu
2023-03-02 19:07 ` Paul Moore
2023-03-02 19:07 ` Paul Moore
2023-03-02 19:07 ` [dm-devel] " Paul Moore
2023-01-30 22:57 ` Fan Wu [this message]
2023-01-30 22:57 ` [RFC PATCH v9 10/16] dm-verity: consume root hash digest and signature data via LSM hook Fan Wu
2023-01-30 22:57 ` [dm-devel] " Fan Wu
2023-01-31 13:22 ` Roberto Sassu
2023-01-31 13:22 ` [dm-devel] " Roberto Sassu
2023-01-31 13:22 ` Roberto Sassu
2023-02-01 23:26 ` Fan Wu
2023-02-01 23:26 ` Fan Wu
2023-02-01 23:26 ` [dm-devel] " Fan Wu
2023-02-02 8:21 ` Roberto Sassu
2023-02-02 8:21 ` [dm-devel] " Roberto Sassu
2023-02-02 8:21 ` Roberto Sassu
2023-02-07 23:52 ` Fan Wu
2023-02-07 23:52 ` Fan Wu
2023-02-07 23:52 ` [dm-devel] " Fan Wu
2023-02-01 4:10 ` kernel test robot
2023-01-30 22:57 ` [RFC PATCH v9 11/16] ipe: add support for dm-verity as a trust provider Fan Wu
2023-01-30 22:57 ` Fan Wu
2023-01-30 22:57 ` [dm-devel] " Fan Wu
2023-01-31 1:42 ` kernel test robot
2023-03-02 19:08 ` Paul Moore
2023-03-02 19:08 ` Paul Moore
2023-03-02 19:08 ` [dm-devel] " Paul Moore
2023-03-16 22:10 ` Fan Wu
2023-03-16 22:10 ` Fan Wu
2023-03-16 22:10 ` [dm-devel] " Fan Wu
2023-01-30 22:57 ` [RFC PATCH v9 12/16] fsverity: consume builtin signature via LSM hook Fan Wu
2023-01-30 22:57 ` Fan Wu
2023-01-30 22:57 ` [dm-devel] " Fan Wu
2023-02-09 3:30 ` Eric Biggers
2023-02-09 3:30 ` Eric Biggers
2023-02-09 3:30 ` [dm-devel] " Eric Biggers
2023-02-09 22:21 ` Fan Wu
2023-02-09 22:21 ` Fan Wu
2023-02-09 22:21 ` [dm-devel] " Fan Wu
2023-01-30 22:57 ` [RFC PATCH v9 13/16] ipe: enable support for fs-verity as a trust provider Fan Wu
2023-01-30 22:57 ` Fan Wu
2023-01-30 22:57 ` [dm-devel] " Fan Wu
2023-01-31 14:00 ` Roberto Sassu
2023-01-31 14:00 ` [dm-devel] " Roberto Sassu
2023-01-31 14:00 ` Roberto Sassu
2023-02-01 23:50 ` Fan Wu
2023-02-01 23:50 ` Fan Wu
2023-02-01 23:50 ` [dm-devel] " Fan Wu
2023-02-02 9:51 ` Roberto Sassu
2023-02-02 9:51 ` [dm-devel] " Roberto Sassu
2023-02-02 9:51 ` Roberto Sassu
2023-02-08 0:16 ` Fan Wu
2023-02-08 0:16 ` Fan Wu
2023-02-08 0:16 ` [dm-devel] " Fan Wu
2023-01-30 22:57 ` [RFC PATCH v9 14/16] scripts: add boot policy generation program Fan Wu
2023-01-30 22:57 ` Fan Wu
2023-01-30 22:57 ` [dm-devel] " Fan Wu
2023-01-30 22:57 ` [RFC PATCH v9 15/16] ipe: kunit test for parser Fan Wu
2023-01-30 22:57 ` Fan Wu
2023-01-30 22:57 ` [dm-devel] " Fan Wu
2023-01-30 22:57 ` [RFC PATCH v9 16/16] documentation: add ipe documentation Fan Wu
2023-01-30 22:57 ` Fan Wu
2023-01-30 22:57 ` [dm-devel] " Fan Wu
2023-01-31 3:59 ` Bagas Sanjaya
2023-01-31 3:59 ` Bagas Sanjaya
2023-01-31 3:59 ` [dm-devel] " Bagas Sanjaya
2023-02-02 0:19 ` Fan Wu
2023-02-02 0:19 ` Fan Wu
2023-02-02 0:19 ` [dm-devel] " Fan Wu
2023-01-31 14:22 ` [RFC PATCH v9 00/16] Integrity Policy Enforcement LSM (IPE) Roberto Sassu
2023-01-31 14:22 ` [dm-devel] " Roberto Sassu
2023-01-31 14:22 ` Roberto Sassu
2023-02-01 0:48 ` Fan Wu
2023-02-01 0:48 ` Fan Wu
2023-02-01 0:48 ` [dm-devel] " Fan Wu
2023-02-02 10:48 ` Roberto Sassu
2023-02-02 10:48 ` [dm-devel] " Roberto Sassu
2023-02-02 10:48 ` Roberto Sassu
2023-02-08 0:31 ` Fan Wu
2023-02-08 0:31 ` Fan Wu
2023-02-08 0:31 ` [dm-devel] " Fan Wu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1675119451-23180-11-git-send-email-wufan@linux.microsoft.com \
--to=wufan@linux.microsoft.com \
--cc=agk@redhat.com \
--cc=axboe@kernel.dk \
--cc=corbet@lwn.net \
--cc=deven.desai@linux.microsoft.com \
--cc=dm-devel@redhat.com \
--cc=ebiggers@kernel.org \
--cc=eparis@redhat.com \
--cc=jmorris@namei.org \
--cc=linux-audit@redhat.com \
--cc=linux-block@vger.kernel.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-fscrypt@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=roberto.sassu@huawei.com \
--cc=serge@hallyn.com \
--cc=snitzer@kernel.org \
--cc=tytso@mit.edu \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.