From: Roberto Sassu <roberto.sassu@huaweicloud.com>
To: ast@kernel.org, daniel@iogearbox.net, andrii@kernel.org,
martin.lau@linux.dev, song@kernel.org, yhs@fb.com,
john.fastabend@gmail.com, kpsingh@kernel.org, sdf@google.com,
haoluo@google.com, jolsa@kernel.org, mykolal@fb.com,
dhowells@redhat.com, jarkko@kernel.org, rostedt@goodmis.org,
mingo@redhat.com, paul@paul-moore.com, jmorris@namei.org,
serge@hallyn.com, shuah@kernel.org
Cc: bpf@vger.kernel.org, keyrings@vger.kernel.org,
linux-security-module@vger.kernel.org,
linux-kselftest@vger.kernel.org, linux-kernel@vger.kernel.org,
deso@posteo.net, memxor@gmail.com,
Roberto Sassu <roberto.sassu@huawei.com>
Subject: [PATCH v14 07/12] bpf: Add bpf_verify_pkcs7_signature() kfunc
Date: Tue, 30 Aug 2022 18:17:11 +0200 [thread overview]
Message-ID: <20220830161716.754078-8-roberto.sassu@huaweicloud.com> (raw)
In-Reply-To: <20220830161716.754078-1-roberto.sassu@huaweicloud.com>
From: Roberto Sassu <roberto.sassu@huawei.com>
Add the bpf_verify_pkcs7_signature() kfunc, to give eBPF security modules
the ability to check the validity of a signature against supplied data, by
using user-provided or system-provided keys as trust anchor.
The new kfunc makes it possible to enforce mandatory policies, as eBPF
programs might be allowed to make security decisions only based on data
sources the system administrator approves.
The caller should provide the data to be verified and the signature as eBPF
dynamic pointers (to minimize the number of parameters) and a bpf_key
structure containing a reference to the keyring with keys trusted for
signature verification, obtained from bpf_lookup_user_key() or
bpf_lookup_system_key().
For bpf_key structures obtained from the former lookup function,
bpf_verify_pkcs7_signature() completes the permission check deferred by
that function by calling key_validate(). key_task_permission() is already
called by the PKCS#7 code.
Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Acked-by: KP Singh <kpsingh@kernel.org>
---
kernel/trace/bpf_trace.c | 45 ++++++++++++++++++++++++++++++++++++++++
1 file changed, 45 insertions(+)
diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c
index 901a96621235..a533acb5593c 100644
--- a/kernel/trace/bpf_trace.c
+++ b/kernel/trace/bpf_trace.c
@@ -1294,12 +1294,57 @@ void bpf_key_put(struct bpf_key *bkey)
kfree(bkey);
}
+#ifdef CONFIG_SYSTEM_DATA_VERIFICATION
+/**
+ * bpf_verify_pkcs7_signature - verify a PKCS#7 signature
+ * @data_ptr: data to verify
+ * @sig_ptr: signature of the data
+ * @trusted_keyring: keyring with keys trusted for signature verification
+ *
+ * Verify the PKCS#7 signature *sig_ptr* against the supplied *data_ptr*
+ * with keys in a keyring referenced by *trusted_keyring*.
+ *
+ * Return: 0 on success, a negative value on error.
+ */
+int bpf_verify_pkcs7_signature(struct bpf_dynptr_kern *data_ptr,
+ struct bpf_dynptr_kern *sig_ptr,
+ struct bpf_key *trusted_keyring)
+{
+ int ret;
+
+ if (trusted_keyring->has_ref) {
+ /*
+ * Do the permission check deferred in bpf_lookup_user_key().
+ * See bpf_lookup_user_key() for more details.
+ *
+ * A call to key_task_permission() here would be redundant, as
+ * it is already done by keyring_search() called by
+ * find_asymmetric_key().
+ */
+ ret = key_validate(trusted_keyring->key);
+ if (ret < 0)
+ return ret;
+ }
+
+ return verify_pkcs7_signature(data_ptr->data,
+ bpf_dynptr_get_size(data_ptr),
+ sig_ptr->data,
+ bpf_dynptr_get_size(sig_ptr),
+ trusted_keyring->key,
+ VERIFYING_UNSPECIFIED_SIGNATURE, NULL,
+ NULL);
+}
+#endif /* CONFIG_SYSTEM_DATA_VERIFICATION */
+
__diag_pop();
BTF_SET8_START(key_sig_kfunc_set)
BTF_ID_FLAGS(func, bpf_lookup_user_key, KF_ACQUIRE | KF_RET_NULL | KF_SLEEPABLE)
BTF_ID_FLAGS(func, bpf_lookup_system_key, KF_ACQUIRE | KF_RET_NULL)
BTF_ID_FLAGS(func, bpf_key_put, KF_RELEASE)
+#ifdef CONFIG_SYSTEM_DATA_VERIFICATION
+BTF_ID_FLAGS(func, bpf_verify_pkcs7_signature, KF_SLEEPABLE)
+#endif
BTF_SET8_END(key_sig_kfunc_set)
static const struct btf_kfunc_id_set bpf_key_sig_kfunc_set = {
--
2.25.1
next prev parent reply other threads:[~2022-08-30 16:20 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-08-30 16:17 [PATCH v14 00/12] bpf: Add kfuncs for PKCS#7 signature verification Roberto Sassu
2022-08-30 16:17 ` [PATCH v14 01/12] bpf: Allow kfuncs to be used in LSM programs Roberto Sassu
2022-08-30 16:17 ` [PATCH v14 02/12] bpf: Move dynptr type check to is_dynptr_type_expected() Roberto Sassu
2022-08-30 16:46 ` Joanne Koong
2022-08-31 9:22 ` Roberto Sassu
2022-08-30 16:17 ` [PATCH v14 03/12] btf: Allow dynamic pointer parameters in kfuncs Roberto Sassu
2022-08-30 16:17 ` [PATCH v14 04/12] bpf: Export bpf_dynptr_get_size() Roberto Sassu
2022-08-30 16:17 ` [PATCH v14 05/12] KEYS: Move KEY_LOOKUP_ to include/linux/key.h and set KEY_LOOKUP_FLAGS_ALL Roberto Sassu
2022-08-31 2:53 ` Jarkko Sakkinen
2022-08-31 4:51 ` Jarkko Sakkinen
2022-08-31 6:29 ` Jarkko Sakkinen
2022-08-31 9:23 ` Roberto Sassu
2022-08-31 15:33 ` Alexei Starovoitov
2022-08-31 15:55 ` Roberto Sassu
2022-09-02 3:27 ` Jarkko Sakkinen
2022-08-30 16:17 ` [PATCH v14 06/12] bpf: Add bpf_lookup_*_key() and bpf_key_put() kfuncs Roberto Sassu
2022-08-30 16:17 ` Roberto Sassu [this message]
2022-08-30 16:17 ` [PATCH v14 08/12] selftests/bpf: Compile kernel with everything as built-in Roberto Sassu
2022-08-30 16:17 ` [PATCH v14 09/12] selftests/bpf: Add verifier tests for bpf_lookup_*_key() and bpf_key_put() Roberto Sassu
2022-08-30 16:17 ` [PATCH v14 10/12] selftests/bpf: Add additional tests for bpf_lookup_*_key() Roberto Sassu
2022-08-30 16:17 ` [PATCH v14 11/12] selftests/bpf: Add test for bpf_verify_pkcs7_signature() kfunc Roberto Sassu
2022-08-30 16:17 ` [PATCH v14 12/12] selftests/bpf: Add verifier tests for dynamic pointers parameters in kfuncs Roberto Sassu
2022-08-30 16:54 ` Joanne Koong
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220830161716.754078-8-roberto.sassu@huaweicloud.com \
--to=roberto.sassu@huaweicloud.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=deso@posteo.net \
--cc=dhowells@redhat.com \
--cc=haoluo@google.com \
--cc=jarkko@kernel.org \
--cc=jmorris@namei.org \
--cc=john.fastabend@gmail.com \
--cc=jolsa@kernel.org \
--cc=keyrings@vger.kernel.org \
--cc=kpsingh@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=martin.lau@linux.dev \
--cc=memxor@gmail.com \
--cc=mingo@redhat.com \
--cc=mykolal@fb.com \
--cc=paul@paul-moore.com \
--cc=roberto.sassu@huawei.com \
--cc=rostedt@goodmis.org \
--cc=sdf@google.com \
--cc=serge@hallyn.com \
--cc=shuah@kernel.org \
--cc=song@kernel.org \
--cc=yhs@fb.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.