mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/herbert/cryptodev-2.6.git
synced 2026-04-18 03:23:53 -04:00
31f8c8682f
Enable IPE policy authors to indicate trust for a singular fsverity file, identified by the digest information, through "fsverity_digest" and all files using valid fsverity builtin signatures via "fsverity_signature". This enables file-level integrity claims to be expressed in IPE, allowing individual files to be authorized, giving some flexibility for policy authors. Such file-level claims are important to be expressed for enforcing the integrity of packages, as well as address some of the scalability issues in a sole dm-verity based solution (# of loop back devices, etc). This solution cannot be done in userspace as the minimum threat that IPE should mitigate is an attacker downloads malicious payload with all required dependencies. These dependencies can lack the userspace check, bypassing the protection entirely. A similar attack succeeds if the userspace component is replaced with a version that does not perform the check. As a result, this can only be done in the common entry point - the kernel. Signed-off-by: Deven Bowers <deven.desai@linux.microsoft.com> Signed-off-by: Fan Wu <wufan@linux.microsoft.com> Signed-off-by: Paul Moore <paul@paul-moore.com>
88 lines
2.3 KiB
C
88 lines
2.3 KiB
C
// SPDX-License-Identifier: GPL-2.0
|
|
/*
|
|
* Copyright (C) 2020-2024 Microsoft Corporation. All rights reserved.
|
|
*/
|
|
#include <uapi/linux/lsm.h>
|
|
|
|
#include "ipe.h"
|
|
#include "eval.h"
|
|
#include "hooks.h"
|
|
#include "eval.h"
|
|
|
|
bool ipe_enabled;
|
|
|
|
static struct lsm_blob_sizes ipe_blobs __ro_after_init = {
|
|
.lbs_superblock = sizeof(struct ipe_superblock),
|
|
#ifdef CONFIG_IPE_PROP_DM_VERITY
|
|
.lbs_bdev = sizeof(struct ipe_bdev),
|
|
#endif /* CONFIG_IPE_PROP_DM_VERITY */
|
|
#ifdef CONFIG_IPE_PROP_FS_VERITY_BUILTIN_SIG
|
|
.lbs_inode = sizeof(struct ipe_inode),
|
|
#endif /* CONFIG_IPE_PROP_FS_VERITY_BUILTIN_SIG */
|
|
};
|
|
|
|
static const struct lsm_id ipe_lsmid = {
|
|
.name = "ipe",
|
|
.id = LSM_ID_IPE,
|
|
};
|
|
|
|
struct ipe_superblock *ipe_sb(const struct super_block *sb)
|
|
{
|
|
return sb->s_security + ipe_blobs.lbs_superblock;
|
|
}
|
|
|
|
#ifdef CONFIG_IPE_PROP_DM_VERITY
|
|
struct ipe_bdev *ipe_bdev(struct block_device *b)
|
|
{
|
|
return b->bd_security + ipe_blobs.lbs_bdev;
|
|
}
|
|
#endif /* CONFIG_IPE_PROP_DM_VERITY */
|
|
|
|
#ifdef CONFIG_IPE_PROP_FS_VERITY_BUILTIN_SIG
|
|
struct ipe_inode *ipe_inode(const struct inode *inode)
|
|
{
|
|
return inode->i_security + ipe_blobs.lbs_inode;
|
|
}
|
|
#endif /* CONFIG_IPE_PROP_FS_VERITY_BUILTIN_SIG */
|
|
|
|
static struct security_hook_list ipe_hooks[] __ro_after_init = {
|
|
LSM_HOOK_INIT(bprm_check_security, ipe_bprm_check_security),
|
|
LSM_HOOK_INIT(mmap_file, ipe_mmap_file),
|
|
LSM_HOOK_INIT(file_mprotect, ipe_file_mprotect),
|
|
LSM_HOOK_INIT(kernel_read_file, ipe_kernel_read_file),
|
|
LSM_HOOK_INIT(kernel_load_data, ipe_kernel_load_data),
|
|
LSM_HOOK_INIT(initramfs_populated, ipe_unpack_initramfs),
|
|
#ifdef CONFIG_IPE_PROP_DM_VERITY
|
|
LSM_HOOK_INIT(bdev_free_security, ipe_bdev_free_security),
|
|
LSM_HOOK_INIT(bdev_setintegrity, ipe_bdev_setintegrity),
|
|
#endif /* CONFIG_IPE_PROP_DM_VERITY */
|
|
#ifdef CONFIG_IPE_PROP_FS_VERITY_BUILTIN_SIG
|
|
LSM_HOOK_INIT(inode_setintegrity, ipe_inode_setintegrity),
|
|
#endif /* CONFIG_IPE_PROP_FS_VERITY_BUILTIN_SIG */
|
|
};
|
|
|
|
/**
|
|
* ipe_init() - Entry point of IPE.
|
|
*
|
|
* This is called at LSM init, which happens occurs early during kernel
|
|
* start up. During this phase, IPE registers its hooks and loads the
|
|
* builtin boot policy.
|
|
*
|
|
* Return:
|
|
* * %0 - OK
|
|
* * %-ENOMEM - Out of memory (OOM)
|
|
*/
|
|
static int __init ipe_init(void)
|
|
{
|
|
security_add_hooks(ipe_hooks, ARRAY_SIZE(ipe_hooks), &ipe_lsmid);
|
|
ipe_enabled = true;
|
|
|
|
return 0;
|
|
}
|
|
|
|
DEFINE_LSM(ipe) = {
|
|
.name = "ipe",
|
|
.init = ipe_init,
|
|
.blobs = &ipe_blobs,
|
|
};
|