Message-ID: <674f6e74-e630-4ed3-b7e8-1de89a83f032@linux.microsoft.com>
Date: Thu, 2 Nov 2023 16:09:59 -0700
From: Fan Wu <wufan@...ux.microsoft.com>
To: Paul Moore <paul@...l-moore.com>, corbet@....net,
zohar@...ux.ibm.com, jmorris@...ei.org, serge@...lyn.com,
tytso@....edu, ebiggers@...nel.org, axboe@...nel.dk,
agk@...hat.com, snitzer@...nel.org, eparis@...hat.com
Cc: linux-doc@...r.kernel.org, linux-integrity@...r.kernel.org,
linux-security-module@...r.kernel.org,
linux-fscrypt@...r.kernel.org, linux-block@...r.kernel.org,
dm-devel@...hat.com, audit@...r.kernel.org,
roberto.sassu@...wei.com, linux-kernel@...r.kernel.org,
Deven Bowers <deven.desai@...ux.microsoft.com>
Subject: Re: [PATCH RFC v11 17/19] scripts: add boot policy generation program

On 10/23/2023 8:52 PM, Paul Moore wrote:
> On Oct 4, 2023 Fan Wu <wufan@...ux.microsoft.com> wrote:
>>
>> Enables an IPE policy to be enforced from kernel start, enabling access
>> control based on trust from kernel startup. This is accomplished by
>> transforming an IPE policy indicated by CONFIG_IPE_BOOT_POLICY into a
>> c-string literal that is parsed at kernel startup as an unsigned policy.
>>
>> Signed-off-by: Deven Bowers <deven.desai@...ux.microsoft.com>
>> Signed-off-by: Fan Wu <wufan@...ux.microsoft.com>
>> ---
>> v2:
>> + No Changes
>>
>> v3:
>> + No Changes
>>
>> v4:
>> + No Changes
>>
>> v5:
>> + No Changes
>>
>> v6:
>> + No Changes
>>
>> v7:
>> + Move from 01/11 to 14/16
>> + Don't return errno directly.
>> + Make output of script more user-friendly
>> + Add escaping for tab and '?'
>> + Mark argv pointer const
>> + Invert return code check in the boot policy parsing code path.
>>
>> v8:
>> + No significant changes.
>>
>> v9:
>> + No changes
>>
>> v10:
>> + Update the init part code for rcu changes in the eval loop patch
>>
>> v11:
>> + Fix code style issues
>> ---
>> MAINTAINERS | 1 +
>> scripts/Makefile | 1 +
>> scripts/ipe/Makefile | 2 +
>> scripts/ipe/polgen/.gitignore | 1 +
>> scripts/ipe/polgen/Makefile | 6 ++
>> scripts/ipe/polgen/polgen.c | 145 ++++++++++++++++++++++++++++++++++
>> security/ipe/.gitignore | 1 +
>> security/ipe/Kconfig | 10 +++
>> security/ipe/Makefile | 11 +++
>> security/ipe/fs.c | 8 ++
>> security/ipe/ipe.c | 12 +++
>> 11 files changed, 198 insertions(+)
>> create mode 100644 scripts/ipe/Makefile
>> create mode 100644 scripts/ipe/polgen/.gitignore
>> create mode 100644 scripts/ipe/polgen/Makefile
>> create mode 100644 scripts/ipe/polgen/polgen.c
>> create mode 100644 security/ipe/.gitignore
>
> ...
>
>> diff --git a/scripts/ipe/polgen/polgen.c b/scripts/ipe/polgen/polgen.c
>> new file mode 100644
>> index 000000000000..40b6fe07f47b
>> --- /dev/null
>> +++ b/scripts/ipe/polgen/polgen.c
>> @@ -0,0 +1,145 @@
>
> ...
>
>> +static int write_boot_policy(const char *pathname, const char *buf, size_t size)
>> +{
>> + int rc = 0;
>> + FILE *fd;
>> + size_t i;
>> +
>> + fd = fopen(pathname, "w");
>> + if (!fd) {
>> + rc = errno;
>> + goto err;
>> + }
>> +
>> + fprintf(fd, "/* This file is automatically generated.");
>> + fprintf(fd, " Do not edit. */\n");
>> + fprintf(fd, "#include <linux/stddef.h>\n");
>> + fprintf(fd, "\nextern const char *const ipe_boot_policy;\n\n");
>> + fprintf(fd, "const char *const ipe_boot_policy =\n");
>> +
>> + if (!buf || size == 0) {
>> + fprintf(fd, "\tNULL;\n");
>> + fclose(fd);
>> + return 0;
>> + }
>> +
>> + fprintf(fd, "\t\"");
>> +
>> + for (i = 0; i < size; ++i) {
>> + switch (buf[i]) {
>> + case '"':
>> + fprintf(fd, "\\\"");
>> + break;
>> + case '\'':
>> + fprintf(fd, "'");
>> + break;
>
> The revision of IPE proposed in this patchset doesn't support parsing
> single or double quotes, yes?
>

Actually all characters can be used in the policy. The previous revision
was removing the quote syntax, which supports having a space in the policy
name like policy_name="example policy". But that is not related to the
boot policy generation code here.

The code here is to generate C source code that will be linked into
IPE. Thus we have to escape these characters to conform with the C
language string literal standard.

-Fan

>> + case '\n':
>> + fprintf(fd, "\\n\"\n\t\"");
>> + break;
>> + case '\\':
>> + fprintf(fd, "\\\\");
>> + break;
>> + case '\t':
>> + fprintf(fd, "\\t");
>> + break;
>> + case '\?':
>> + fprintf(fd, "\\?");
>> + break;
>
> Similar, are question marks supported by the parser?
>
>> + default:
>> + fprintf(fd, "%c", buf[i]);
>> + }
>> + }
>> + fprintf(fd, "\";\n");
>> + fclose(fd);
>> +
>> + return 0;
>> +
>> +err:
>> + if (fd)
>> + fclose(fd);
>> + return rc;
>> +}
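
Review bot: In the default branch of the switch in write_boot_policy(), every byte without its own case is written verbatim with fprintf(fd, "%c", buf[i]), so a '\r' from a CRLF-terminated policy file, other control characters, a NUL, or bytes with the high bit set end up raw inside the generated string literal. Consider emitting any byte that is not printable ASCII as a three-digit octal escape (for example with the format "\\%03o" applied to (unsigned char)buf[i]); three digits is the most an octal escape consumes, so a digit that follows in the policy text cannot extend it. Separately, the case '\'' branch writes the same output the default branch would, and none of the fprintf()/fclose() results are checked, so a failed or short write still returns 0 to the caller.
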
>
> ...
>
>> diff --git a/security/ipe/.gitignore b/security/ipe/.gitignore
>> new file mode 100644
>> index 000000000000..eca22ad5ed22
>> --- /dev/null
>> +++ b/security/ipe/.gitignore
>> @@ -0,0 +1 @@
>> +boot-policy.c
>> \ No newline at end of file
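
Review bot: The pattern boot-policy.c in security/ipe/.gitignore has no leading slash, so it also matches a file of that name in any subdirectory below security/ipe/. Writing it as /boot-policy.c anchors the ignore rule to this directory only.
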
>
> Add a newline please.
>
> --
> paul-moore.com