| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20230209222153.GA6647@linuxonhyperv3.guj3yctzbm1etfxqx2vob5hsef.xx.internal.cloudapp.net>
Date: Thu, 9 Feb 2023 14:21:53 -0800
From: Fan Wu <wufan@...ux.microsoft.com>
To: Eric Biggers <ebiggers@...nel.org>
Cc: corbet@....net, zohar@...ux.ibm.com, jmorris@...ei.org,
serge@...lyn.com, tytso@....edu, axboe@...nel.dk, agk@...hat.com,
snitzer@...nel.org, eparis@...hat.com, paul@...l-moore.com,
linux-doc@...r.kernel.org, linux-integrity@...r.kernel.org,
linux-security-module@...r.kernel.org,
linux-fscrypt@...r.kernel.org, linux-block@...r.kernel.org,
dm-devel@...hat.com, linux-audit@...hat.com,
roberto.sassu@...wei.com, linux-kernel@...r.kernel.org,
Deven Bowers <deven.desai@...ux.microsoft.com>
Subject: Re: [RFC PATCH v9 12/16] fsverity: consume builtin signature via LSM
hook
On Wed, Feb 08, 2023 at 07:30:33PM -0800, Eric Biggers wrote:
> So disregarding the fact that using the fsverity builtin signatures still seems
> like a bad idea to me, here's a few comments on the diff itself:
>
Thanks for the review. I have verified the headers are indeed unnecessary,
I will remove them in the next version.
> On Mon, Jan 30, 2023 at 02:57:27PM -0800, Fan Wu wrote:
> > diff --git a/fs/verity/open.c b/fs/verity/open.c
> > index 81ff94442f7b..7e6fa52c0e9c 100644
> > --- a/fs/verity/open.c
> > +++ b/fs/verity/open.c
> > @@ -7,7 +7,9 @@
> >
> > #include "fsverity_private.h"
> >
> > +#include <linux/security.h>
> > #include <linux/slab.h>
> > +#include <crypto/public_key.h>
>
> There's no need to include <crypto/public_key.h>.
>
> >
> > + if (err) {
> > + fsverity_err(inode, "Error %d verifying signature", err);
> > + goto out;
> > + }
>
> The above error message is unnecessary because fsverity_verify_signature()
> already prints an error message on failure.
>
> > +
> > + err = security_inode_setsecurity(inode, FS_VERITY_INODE_SEC_NAME, desc->signature,
> > + le32_to_cpu(desc->sig_size), 0);
>
> This runs even if CONFIG_FS_VERITY_BUILTIN_SIGNATURES is disabled. Is that
> really the right behavior?
>
Yes the hook call should better depend on a KCONFIG. After second thought I think it
should depend on CONFIG_IPE_PROP_FS_VERITY, which also indirectly introduces the
dependency on CONFIG_FS_VERITY_BUILTIN_SIGNATURES.
Currently security_inode_setsecurity only allows one LSM to save data with a given name.
In our case IPE will be the only LSM that saves the signature.
I will update this part in the next version.
> Also a nit: please stick to the preferred line length of 80 characters.
> See Documentation/process/coding-style.rst
>
> > diff --git a/fs/verity/signature.c b/fs/verity/signature.c
> > index 143a530a8008..5d7b9496f9c4 100644
> > --- a/fs/verity/signature.c
> > +++ b/fs/verity/signature.c
> > @@ -9,6 +9,7 @@
> >
> > #include <linux/cred.h>
> > #include <linux/key.h>
> > +#include <linux/security.h>
> > #include <linux/slab.h>
> > #include <linux/verification.h>
>
> This change is unnecessary.
>
> > diff --git a/include/linux/fsverity.h b/include/linux/fsverity.h
> > index 40f14e5fed9d..29e9888287ba 100644
> > --- a/include/linux/fsverity.h
> > +++ b/include/linux/fsverity.h
> > @@ -254,4 +254,6 @@ static inline bool fsverity_active(const struct inode *inode)
> > return fsverity_get_info(inode) != NULL;
> > }
> >
> > +#define FS_VERITY_INODE_SEC_NAME "fsverity.inode-info"
>
> "inode-info" is very vague. Shouldn't it be named "builtin-sig" or something?
>
> - Eric
I agree this name works better, I will change it to "fsverity.builtin-sig".
-Fan
Powered by blists - more mailing lists