lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20241017155516.2582369-12-eric.snowberg@oracle.com>
Date: Thu, 17 Oct 2024 09:55:14 -0600
From: Eric Snowberg <eric.snowberg@...cle.com>
To: linux-security-module@...r.kernel.org
Cc: dhowells@...hat.com, dwmw2@...radead.org, herbert@...dor.apana.org.au,
        davem@...emloft.net, ardb@...nel.org, jarkko@...nel.org,
        paul@...l-moore.com, jmorris@...ei.org, serge@...lyn.com,
        zohar@...ux.ibm.com, roberto.sassu@...wei.com,
        dmitry.kasatkin@...il.com, mic@...ikod.net, casey@...aufler-ca.com,
        stefanb@...ux.ibm.com, eric.snowberg@...cle.com, ebiggers@...nel.org,
        rdunlap@...radead.org, linux-kernel@...r.kernel.org,
        keyrings@...r.kernel.org, linux-crypto@...r.kernel.org,
        linux-efi@...r.kernel.org, linux-integrity@...r.kernel.org
Subject: [RFC PATCH v3 11/13] clavis: Prevent boot param change during kexec

If found, use the new Clavis EFI RT variable to validate the clavis boot
param didn't change during a reboot.  If the boot param is different or
missing, use the one stored in EFI instead.  This will prevent a pivot
in the root of trust for the upcoming Clavis LSM. If CONFIG_EARLY_CLAVIS
is not enabled, the Clavis EFI RT variable will never be set and
therefore not used.

Signed-off-by: Eric Snowberg <eric.snowberg@...cle.com>
---
 security/clavis/Makefile         |  4 +++
 security/clavis/clavis.h         |  9 ++++++
 security/clavis/clavis_efi.c     | 50 ++++++++++++++++++++++++++++++++
 security/clavis/clavis_keyring.c | 11 ++++++-
 4 files changed, 73 insertions(+), 1 deletion(-)
 create mode 100644 security/clavis/clavis_efi.c

diff --git a/security/clavis/Makefile b/security/clavis/Makefile
index 082e6d3c0934..af68a44a0cb4 100644
--- a/security/clavis/Makefile
+++ b/security/clavis/Makefile
@@ -18,3 +18,7 @@ $(obj)/builtin_acl: $(CONFIG_SECURITY_CLAVIS_ACL_LIST) FORCE
 	$(call if_changed,make_builtin_acl)
 
 $(obj)/clavis_builtin_acl.o: $(obj)/builtin_acl
+
+ifeq ($(CONFIG_EFI),y)
+obj-$(CONFIG_SECURITY_CLAVIS) += clavis_efi.o
+endif
diff --git a/security/clavis/clavis.h b/security/clavis/clavis.h
index 7099a517b111..6f68b560311e 100644
--- a/security/clavis/clavis.h
+++ b/security/clavis/clavis.h
@@ -24,6 +24,15 @@ const char __initconst *const clavis_module_acl[] = {
 extern const char __initconst *const clavis_module_acl[];
 #endif
 
+#ifdef CONFIG_EFI
+int clavis_efi_param(struct asymmetric_key_id *kid, int len);
+#else
+static inline int __init clavis_efi_param(struct asymmetric_key_id *kid, int len)
+{
+	return -EINVAL;
+}
+#endif
+
 int __init clavis_keyring_init(void);
 int clavis_sig_verify(const struct key *key, const struct public_key_signature *sig);
 #endif /* _SECURITY_CLAVIS_H_ */
diff --git a/security/clavis/clavis_efi.c b/security/clavis/clavis_efi.c
new file mode 100644
index 000000000000..0d9c392f4697
--- /dev/null
+++ b/security/clavis/clavis_efi.c
@@ -0,0 +1,50 @@
+// SPDX-License-Identifier: GPL-2.0
+#include <keys/asymmetric-type.h>
+#include <linux/efi.h>
+#include "clavis.h"
+
+static efi_char16_t clavis_param_name[] = L"Clavis";
+static efi_guid_t clavis_guid = LINUX_EFI_CLAVIS_GUID;
+
+int __init clavis_efi_param(struct asymmetric_key_id *kid, int len)
+{
+	unsigned char buf[64];
+	unsigned long ascii_len = sizeof(buf);
+	efi_status_t error;
+	int hex_len;
+	u32 attr;
+
+	if (!efi_enabled(EFI_BOOT)) {
+		pr_debug("efi_enabled(EFI_BOOT) not set");
+		return -EPERM;
+	}
+
+	if (!efi_enabled(EFI_RUNTIME_SERVICES)) {
+		pr_debug("%s : EFI runtime services are not enabled\n", __func__);
+		return -EPERM;
+	}
+
+	error = efi.get_variable(clavis_param_name, &clavis_guid, &attr, &ascii_len, &buf);
+
+	if (error) {
+		pr_debug("Error reading clavis parm or not found\n");
+		return -EINVAL;
+	}
+
+	if (attr & EFI_VARIABLE_NON_VOLATILE)  {
+		pr_debug("Error: NV access set\n");
+		return -EINVAL;
+	} else if (ascii_len > 0) {
+		hex_len = ascii_len / 2;
+
+		if (hex_len > len) {
+			pr_debug("invalid length\n");
+			return -EINVAL;
+		}
+		kid->len = hex_len;
+		return hex2bin(kid->data, buf, kid->len);
+	}
+
+	pr_debug("Error: invalid size\n");
+	return -EINVAL;
+}
diff --git a/security/clavis/clavis_keyring.c b/security/clavis/clavis_keyring.c
index a4a95a931b50..81bfc3ed02a3 100644
--- a/security/clavis/clavis_keyring.c
+++ b/security/clavis/clavis_keyring.c
@@ -307,9 +307,18 @@ int __init clavis_keyring_init(void)
 
 void __init late_init_clavis_setup(void)
 {
-	if (!clavis_boot_akid)
+	struct asymmetric_setup_kid efi_keyid;
+	struct asymmetric_key_id *keyid = &efi_keyid.id;
+	int error;
+
+	error = clavis_efi_param(keyid, ARRAY_SIZE(efi_keyid.data));
+
+	if (error && !clavis_boot_akid)
 		return;
 
+	if (error)
+		keyid = clavis_boot_akid;
+
 	system_key_link(clavis_keyring, clavis_boot_akid);
 }
 
-- 
2.45.0

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ