| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <f1e5890316985ff642d17201e28e9d11.paul@paul-moore.com>
Date: Sat, 08 Jul 2023 01:37:02 -0400
From: Paul Moore <paul@...l-moore.com>
To: Fan Wu <wufan@...ux.microsoft.com>, corbet@....net,
zohar@...ux.ibm.com, jmorris@...ei.org, serge@...lyn.com,
tytso@....edu, ebiggers@...nel.org, axboe@...nel.dk,
agk@...hat.com, snitzer@...nel.org, eparis@...hat.com
Cc: linux-doc@...r.kernel.org, linux-integrity@...r.kernel.org,
linux-security-module@...r.kernel.org,
linux-fscrypt@...r.kernel.org, linux-block@...r.kernel.org,
dm-devel@...hat.com, audit@...r.kernel.org,
roberto.sassu@...wei.com, linux-kernel@...r.kernel.org,
Deven Bowers <deven.desai@...ux.microsoft.com>,
Fan Wu <wufan@...ux.microsoft.com>
Subject: Re: [PATCH RFC v10 12/17] ipe: add support for dm-verity as a trust provider
On Jun 28, 2023 Fan Wu <wufan@...ux.microsoft.com> wrote:
>
> Allows author of IPE policy to indicate trust for a singular dm-verity
> volume, identified by roothash, through "dmverity_roothash" and all
> signed dm-verity volumes, through "dmverity_signature".
>
> Signed-off-by: Deven Bowers <deven.desai@...ux.microsoft.com>
> Signed-off-by: Fan Wu <wufan@...ux.microsoft.com>
> ---
> security/ipe/Kconfig | 18 +++++
> security/ipe/Makefile | 1 +
> security/ipe/audit.c | 25 ++++++
> security/ipe/digest.c | 142 +++++++++++++++++++++++++++++++++++
> security/ipe/digest.h | 26 +++++++
> security/ipe/eval.c | 101 ++++++++++++++++++++++++-
> security/ipe/eval.h | 13 ++++
> security/ipe/hooks.c | 51 +++++++++++++
> security/ipe/hooks.h | 8 ++
> security/ipe/ipe.c | 15 ++++
> security/ipe/ipe.h | 4 +
> security/ipe/policy.h | 3 +
> security/ipe/policy_parser.c | 21 ++++++
> 13 files changed, 427 insertions(+), 1 deletion(-)
> create mode 100644 security/ipe/digest.c
> create mode 100644 security/ipe/digest.h
...
> diff --git a/security/ipe/hooks.c b/security/ipe/hooks.c
> index 6f94f5c8a0c3..9651e582791e 100644
> --- a/security/ipe/hooks.c
> +++ b/security/ipe/hooks.c
> @@ -192,3 +195,51 @@ void ipe_sb_free_security(struct super_block *mnt_sb)
> {
> ipe_invalidate_pinned_sb(mnt_sb);
> }
> +
> +#ifdef CONFIG_IPE_PROP_DM_VERITY
> +/**
> + * ipe_bdev_free_security - free IPE's LSM blob of block_devices.
> + * @bdev: Supplies a pointer to a block_device that contains the structure
> + * to free.
> + */
> +void ipe_bdev_free_security(struct block_device *bdev)
> +{
> + struct ipe_bdev *blob = ipe_bdev(bdev);
> +
> + kfree(blob->digest);
> + kfree(blob->digest_algo);
> +}
> +
> +/**
> + * ipe_bdev_setsecurity - save data from a bdev to IPE's LSM blob.
> + * @bdev: Supplies a pointer to a block_device that contains the LSM blob.
> + * @key: Supplies the string key that uniquely identifies the value.
> + * @value: Supplies the value to store.
> + * @len: The length of @value.
> + */
> +int ipe_bdev_setsecurity(struct block_device *bdev, const char *key,
> + const void *value, size_t len)
> +{
> + struct ipe_bdev *blob = ipe_bdev(bdev);
Before you can interpret the @key value, you need to first determine
which type of block device you have been handed. It is possible that
multiple block device types could share the same key with very
different meanings for that key, yes?
> + if (!strcmp(key, DM_VERITY_ROOTHASH_SEC_NAME)) {
> + const struct dm_verity_digest *digest = value;
> +
> + blob->digest = kmemdup(digest->digest, digest->digest_len, GFP_KERNEL);
> + if (!blob->digest)
> + return -ENOMEM;
> +
> + blob->digest_algo = kstrdup_const(digest->algo, GFP_KERNEL);
> + if (!blob->digest_algo)
> + return -ENOMEM;
> +
> + blob->digest_len = digest->digest_len;
> + return 0;
> + } else if (!strcmp(key, DM_VERITY_SIGNATURE_SEC_NAME)) {
> + blob->dm_verity_signed = true;
> + return 0;
> + }
> +
> + return -EOPNOTSUPP;
> +}
> +#endif /* CONFIG_IPE_PROP_DM_VERITY */
--
paul-moore.com
Powered by blists - more mailing lists