lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <3bd4d9a8-58ce-4cb2-a91e-c0d33174d951@linux.microsoft.com>
Date: Tue, 21 May 2024 14:42:47 -0700
From: Fan Wu <wufan@...ux.microsoft.com>
To: Mikulas Patocka <mpatocka@...hat.com>
Cc: Mike Snitzer <snitzer@...nel.org>, corbet@....net, zohar@...ux.ibm.com,
 jmorris@...ei.org, serge@...lyn.com, tytso@....edu, ebiggers@...nel.org,
 axboe@...nel.dk, agk@...hat.com, eparis@...hat.com, paul@...l-moore.com,
 linux-doc@...r.kernel.org, linux-integrity@...r.kernel.org,
 linux-security-module@...r.kernel.org, fsverity@...ts.linux.dev,
 linux-block@...r.kernel.org, dm-devel@...ts.linux.dev,
 audit@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH v18 12/21] dm: add finalize hook to target_type



On 5/20/2024 5:31 AM, Mikulas Patocka wrote:
> 
> 
> On Fri, 17 May 2024, Fan Wu wrote:
> 
>>> So, it seems that the preresume callback provides the guarantee that you
>>> looking for.
>>>
>>>> -Fan
>>>
>>> Mikulas
>>
>> Thanks for the info. I have tested and verified that the preresume() hook can
>> also work for our case.
>>
>>  From the source code
>> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/drivers/md/dm-ioctl.c#n1149,
>> the whole resume process appears to be:
>>
>> 1. Check if there is a new map for the device. If so, attempt to activate the
>> new map using dm_swap_table() (where the finalize() callback occurs).
>>
>> 2. Check if the device is suspended. If so, use dm_resume() (where the
>> preresume() callback occurs) to resume the device.
>>
>> 3. If a new map is activated, use dm_table_destroy() to destroy the old map.
>>
>> For our case:
>>
>> - Using the finalize() callback, the metadata of the dm-verity target inside
>> the table is attached to the mapped device every time a new table is
>> activated.
>> - Using the preresume() callback, the same metadata is attached every time the
>> device resumes from suspension.
>>
>> If I understand the code correctly, resuming from suspension is a necessary
>> step for loading a new mapping table. Thus, the preresume() callback covers
>> all conditions where the finalize() callback would be triggered.
> 
> Yes.
> 
>> However, the preresume() callback can also be triggered when the device
>> resumes from suspension without loading a new table, in which case there
>> is no new metadata in the table to attach to the mapped device.
> 
> Yes.
> 
>> In the scenario where the finalize() callback succeeds but the preresume()
>> callback fails, it seems the device will remain in a suspended state, the
>> newly activated table will be kept, and the old table will be destroyed, so it
>> seems there is no inconsistency using finalize() even preresume() potentially
>> fails.
> 
> What does your security module do when the verification of the dm-verity
> hash fails? Does it halt the whole system? Does it destroy just the
> failing dm device? Or does it attempt to recover somehow from this
> situation?
>

I'm not sure which hash verification is being referred to here, but it 
could be either root hash signature verification or block-level hash 
verification. Our security module does not intervene in these processes, 
so the behavior remains as dm-verity currently handles it.

Within the device mapper, our security module uses the device mapper 
callback to duplicate the root hash of a dm-verity target and record the 
signature verification state of the dm-verity target, then attach this 
information to the security field of the block_device structure. This 
process can only fail if the system is out of memory.

With the root hash and signature verification state attached to the 
security field of the block device, the security system can access this 
important metadata to enforce policies. For example, these policies can 
include only allowing files from a dm-verity volume specified by its 
root hash to execute or only allowing files from a verified signed 
dm-verity volume to execute.

>> I believe both the finalize() callback proposed by Mike and the preresume()
>> callback suggested by Mikulas can work for our case. I am fine with either
>> approach, but I would like to know which one is preferred by the maintainers
>> and would appreciate an ACK for the chosen approach.
>>
>> -Fan
> 
> I would prefer preresume - we shouldn't add new callbacks unless it's
> necessary.
> 
> Mikulas
>

Thanks for the confirmation. I will switch to use prereume and I will 
send a new version later this week.

-Fan

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ