lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20220608111221.373833-1-roberto.sassu@huawei.com>
Date:   Wed, 8 Jun 2022 13:12:18 +0200
From:   Roberto Sassu <roberto.sassu@...wei.com>
To:     <ast@...nel.org>, <daniel@...earbox.net>, <andrii@...nel.org>,
        <kpsingh@...nel.org>
CC:     <bpf@...r.kernel.org>, <netdev@...r.kernel.org>,
        <linux-kselftest@...r.kernel.org>, <linux-kernel@...r.kernel.org>,
        Roberto Sassu <roberto.sassu@...wei.com>
Subject: [PATCH v2 0/3] bpf: Add bpf_verify_pkcs7_signature() helper

One of the desirable features in security is the ability to restrict import
of data to a given system based on data authenticity. If data import can be
restricted, it would be possible to enforce a system-wide policy based on
the signing keys the system owner trusts.

This feature is widely used in the kernel. For example, if the restriction
is enabled, kernel modules can be plugged in only if they are signed with a
key whose public part is in the primary or secondary keyring.

For eBPF, it can be useful as well. For example, it might be useful to
authenticate data an eBPF program makes security decisions on.

After a discussion in the eBPF mailing list, it was decided that the stated
goal should be accomplished by introducing a new helper:
bpf_verify_pkcs7_signature(). It is simply a wrapper of
verify_pkcs7_signature(), and does the signature verification with a key in
the selected keyring (primary, secondary or platform).

Since verify_pkcs7_signature() is doing crypto operations, it must be
called by a sleepable program. This restricts the set of functions that can
call the associated helper (for example, lsm.s/bpf is suitable,
fexit/array_map_update_elem is not).

The added test check the ability of an eBPF program to verify module-style
appended signatures, as produced by the kernel tool sign-file, currently
used to sign kernel modules.

The patch set is organized as follows.

Patch 1 introduces the new helper. Patch 2 adds two new options to
test_progs (the eBPF selftest binary), to specify the path of sign-file and
the file containing the kernel private key and certificate. Finally,
patch 3 adds the test for the new helper.

Roberto Sassu (3):
  bpf: Add bpf_verify_pkcs7_signature() helper
  selftests/bpf: Add test_progs opts for sign-file and kernel priv key +
    cert
  selftests/bpf: Add test for bpf_verify_pkcs7_signature() helper

 include/uapi/linux/bpf.h                      |   8 +
 kernel/bpf/bpf_lsm.c                          |  32 ++++
 tools/include/uapi/linux/bpf.h                |   8 +
 tools/testing/selftests/bpf/config            |   2 +
 .../bpf/prog_tests/verify_pkcs7_sig.c         | 149 ++++++++++++++++++
 .../bpf/progs/test_verify_pkcs7_sig.c         | 127 +++++++++++++++
 tools/testing/selftests/bpf/test_progs.c      |  12 ++
 tools/testing/selftests/bpf/test_progs.h      |   3 +
 8 files changed, 341 insertions(+)
 create mode 100644 tools/testing/selftests/bpf/prog_tests/verify_pkcs7_sig.c
 create mode 100644 tools/testing/selftests/bpf/progs/test_verify_pkcs7_sig.c

-- 
2.25.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ