| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 16 Jun 2022 20:59:08 -0700
From: Alexei Starovoitov <alexei.starovoitov@...il.com>
To: Roberto Sassu <roberto.sassu@...wei.com>
Cc: ast@...nel.org, daniel@...earbox.net, andrii@...nel.org,
kpsingh@...nel.org, john.fastabend@...il.com,
songliubraving@...com, kafai@...com, yhs@...com,
bpf@...r.kernel.org, netdev@...r.kernel.org,
linux-kselftest@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [RESEND][PATCH v4 4/4] selftests/bpf: Add test for
bpf_verify_pkcs7_signature() helper
On Tue, Jun 14, 2022 at 03:06:21PM +0200, Roberto Sassu wrote:
> +
> + if (child_pid == 0) {
> + snprintf(path, sizeof(path), "%s/signing_key.pem", tmp_dir);
> +
> + return execlp("./sign-file", "./sign-file", "sha256",
> + path, path, signed_file_template, NULL);
Please use sign_only option,
so it saves the signature and doesn't do 'struct module_signature' append.
Parsing of that is unnecessary for the purpose of the helper.
Checking MODULE_SIG_STRING is unnecessary, etc, etc.
Long term we won't be following mod sig approach anyway.
bpf maps and progs will have a different format.
> + }
> +
> + waitpid(child_pid, &child_status, 0);
> +
> + ret = WEXITSTATUS(child_status);
> + if (ret)
> + goto out;
> +
> + ret = stat(signed_file_template, &st);
> + if (ret == -1) {
> + ret = -errno;
> + goto out;
> + }
> +
> + if (st.st_size > sizeof(data_item->payload) - sizeof(u32)) {
> + ret = -EINVAL;
> + goto out;
> + }
> +
> + *(u32 *)data_item->payload = __cpu_to_be32(st.st_size);
> +
> + fd = open(signed_file_template, O_RDONLY);
> + if (fd == -1) {
> + ret = -errno;
> + goto out;
> + }
> +
> + ret = read(fd, data_item->payload + sizeof(u32), st.st_size);
> +
> + close(fd);
> +
> + if (ret != st.st_size) {
> + ret = -EIO;
> + goto out;
> + }
> +
> + ret = 0;
> +out:
> + unlink(signed_file_template);
> + return ret;
> +}
> +
> +void test_verify_pkcs7_sig(void)
> +{
> + char tmp_dir_template[] = "/tmp/verify_sigXXXXXX";
> + char *tmp_dir;
> + char *buf = NULL;
> + struct test_verify_pkcs7_sig *skel = NULL;
> + struct bpf_map *map;
> + struct data data;
> + u32 saved_len;
> + int ret, zero = 0;
> +
> + LIBBPF_OPTS(bpf_object_open_opts, opts);
> +
> + /* Trigger creation of session keyring. */
> + syscall(__NR_request_key, "keyring", "_uid.0", NULL,
> + KEY_SPEC_SESSION_KEYRING);
My understanding that user space can receive a specific id here.
It should pass it to bpf prog via global variable and prog
should use that id instead of max_ulong hack.
Powered by blists - more mailing lists