Date:   Fri, 10 Jun 2022 15:59:14 +0200
From:   Roberto Sassu <roberto.sassu@...wei.com>
To:     <ast@...nel.org>, <daniel@...earbox.net>, <andrii@...nel.org>,
        <kpsingh@...nel.org>
CC:     <bpf@...r.kernel.org>, <netdev@...r.kernel.org>,
        <linux-kselftest@...r.kernel.org>, <linux-kernel@...r.kernel.org>,
        Roberto Sassu <roberto.sassu@...wei.com>
Subject: [PATCH v3 0/2] bpf: Add bpf_verify_signature() helper

One of the desirable features in security is the ability to restrict import
of data to a given system based on data authenticity. If data import can be
restricted, it would be possible to enforce a system-wide policy based on
the signing keys the system owner trusts.

This feature is widely used in the kernel. For example, if the restriction
is enabled, kernel modules can be plugged in only if they are signed with a
key whose public part is in the primary or secondary keyring.

For eBPF, it can be useful as well. For example, it might be useful to
authenticate data an eBPF program makes security decisions on.

After a discussion in the eBPF mailing list, it was decided that the stated
goal should be accomplished by introducing a new helper:
bpf_verify_signature(). Its job is simply to call the signature verification
function corresponding to the passed signature type, with the keyring selected
through the passed keyring identifier.

Since verify_pkcs7_signature() is doing crypto operations, it must be
called by a sleepable program. This restricts the set of functions that can
call the associated helper (for example, lsm.s/bpf is suitable,
fexit/array_map_update_elem is not).

The added test checks the ability of an eBPF program to verify module-style
appended signatures, as produced by the kernel tool sign-file, currently
used to sign kernel modules.

The patch set is organized as follows.

Patch 1 introduces the new helper. Patch 2 adds the test for the new
helper.

Changelog

v1:
 - Don't define new map flag but introduce simple wrapper of
   verify_pkcs7_signature() (suggested by Alexei and KP)

v2:
 - Rename bpf_verify_pkcs7_signature() to a more generic
   bpf_verify_signature() and pass the signature type (suggested by KP)
 - Move the helper and prototype declaration under #ifdef so that user
   space can probe for support for the helper (suggested by Daniel)
 - Better describe the keyring types (suggested by Daniel)
 - Include linux/bpf.h instead of vmlinux.h to avoid implicit or
   redeclaration
 - Make the test self-contained (suggested by Alexei)

Roberto Sassu (2):
  bpf: Add bpf_verify_signature() helper
  selftests/bpf: Add test for bpf_verify_signature() helper

 include/uapi/linux/bpf.h                      |  17 ++
 kernel/bpf/bpf_lsm.c                          |  46 ++++
 tools/include/uapi/linux/bpf.h                |  17 ++
 tools/testing/selftests/bpf/Makefile          |  11 +-
 tools/testing/selftests/bpf/config            |   1 +
 .../selftests/bpf/prog_tests/verify_sig.c     | 200 ++++++++++++++++++
 .../selftests/bpf/progs/test_verify_sig.c     | 160 ++++++++++++++
 .../testing/selftests/bpf/verify_sig_setup.sh | 100 +++++++++
 8 files changed, 549 insertions(+), 3 deletions(-)
 create mode 100644 tools/testing/selftests/bpf/prog_tests/verify_sig.c
 create mode 100644 tools/testing/selftests/bpf/progs/test_verify_sig.c
 create mode 100755 tools/testing/selftests/bpf/verify_sig_setup.sh

-- 
2.25.1
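
The cover letter's test works on module-style appended signatures as produced by sign-file. As an added example (not part of this patch set or its selftest), the user-space C code below splits such a file into data and PKCS#7 signature and validates the trailer before anything is handed to a verifier. The trailer struct and magic string are those of include/linux/module_signature.h; the function name split_appended_sig() is hypothetical and the sample bytes are constructed.

```c
#include <stdint.h>
#include <string.h>

#define MODULE_SIG_STRING "~Module signature appended~\n"
#define PKEY_ID_PKCS7 2

/* Trailer written by sign-file (include/linux/module_signature.h). */
struct module_signature {
    uint8_t algo, hash;              /* both 0 for PKCS#7 */
    uint8_t id_type;                 /* PKEY_ID_PKCS7 */
    uint8_t signer_len, key_id_len;  /* both 0 for PKCS#7 */
    uint8_t pad[3];
    uint8_t sig_len[4];              /* big-endian signature length */
};

/* Layout: data | PKCS#7 signature | struct module_signature | magic string.
 * Returns 0 and fills the outputs, or -1 if the trailer is malformed. */
int split_appended_sig(const uint8_t *buf, size_t len, size_t *data_len,
                       const uint8_t **sig, size_t *sig_len)
{
    const size_t mlen = sizeof(MODULE_SIG_STRING) - 1;
    struct module_signature ms;
    size_t slen;
    if (len < mlen + sizeof(ms) ||
        memcmp(buf + len - mlen, MODULE_SIG_STRING, mlen) != 0)
        return -1;
    len -= mlen + sizeof(ms);        /* len now covers data + signature */
    memcpy(&ms, buf + len, sizeof(ms));
    if (ms.id_type != PKEY_ID_PKCS7 || ms.algo || ms.hash || ms.signer_len ||
        ms.key_id_len || ms.pad[0] || ms.pad[1] || ms.pad[2])
        return -1;
    slen = ((size_t)ms.sig_len[0] << 24) | ((size_t)ms.sig_len[1] << 16) |
           ((size_t)ms.sig_len[2] << 8) | ms.sig_len[3];
    if (slen == 0 || slen >= len)    /* untrusted length must fit the file */
        return -1;
    *data_len = len - slen;
    *sig = buf + *data_len;
    *sig_len = slen;
    return 0;
}

int main(void)
{
    /* Constructed sample: 5 data bytes, 4-byte dummy signature, trailer. */
    static const uint8_t buf[] = "hello\x01\x02\x03\x04"
        "\0\0\x02\0\0\0\0\0\0\0\0\x04" MODULE_SIG_STRING;
    const uint8_t *sig;
    size_t dlen, slen;
    return split_appended_sig(buf, sizeof(buf) - 1, &dlen, &sig, &slen) != 0;
}
```

The sig_len field comes from the file itself, so it is bounds-checked before it is used to compute the data/signature split.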
