| Message ID | 1696457386-3010-18-git-send-email-wufan@linux.microsoft.com (mailing list archive) |
|---|---|
| State | Changes Requested |
| Delegated to: | Paul Moore |
| Headers | show |
| Series | Integrity Policy Enforcement LSM (IPE) | expand |
On Oct 4, 2023 Fan Wu <wufan@linux.microsoft.com> wrote: > > Enables an IPE policy to be enforced from kernel start, enabling access > control based on trust from kernel startup. This is accomplished by > transforming an IPE policy indicated by CONFIG_IPE_BOOT_POLICY into a > c-string literal that is parsed at kernel startup as an unsigned policy. > > Signed-off-by: Deven Bowers <deven.desai@linux.microsoft.com> > Signed-off-by: Fan Wu <wufan@linux.microsoft.com> > --- > v2: > + No Changes > > v3: > + No Changes > > v4: > + No Changes > > v5: > + No Changes > > v6: > + No Changes > > v7: > + Move from 01/11 to 14/16 > + Don't return errno directly. > + Make output of script more user-friendly > + Add escaping for tab and '?' > + Mark argv pointer const > + Invert return code check in the boot policy parsing code path. > > v8: > + No significant changes. > > v9: > + No changes > > v10: > + Update the init part code for rcu changes in the eval loop patch > > v11: > + Fix code style issues > --- > MAINTAINERS | 1 + > scripts/Makefile | 1 + > scripts/ipe/Makefile | 2 + > scripts/ipe/polgen/.gitignore | 1 + > scripts/ipe/polgen/Makefile | 6 ++ > scripts/ipe/polgen/polgen.c | 145 ++++++++++++++++++++++++++++++++++ > security/ipe/.gitignore | 1 + > security/ipe/Kconfig | 10 +++ > security/ipe/Makefile | 11 +++ > security/ipe/fs.c | 8 ++ > security/ipe/ipe.c | 12 +++ > 11 files changed, 198 insertions(+) > create mode 100644 scripts/ipe/Makefile > create mode 100644 scripts/ipe/polgen/.gitignore > create mode 100644 scripts/ipe/polgen/Makefile > create mode 100644 scripts/ipe/polgen/polgen.c > create mode 100644 security/ipe/.gitignore ... > diff --git a/scripts/ipe/polgen/polgen.c b/scripts/ipe/polgen/polgen.c > new file mode 100644 > index 000000000000..40b6fe07f47b > --- /dev/null > +++ b/scripts/ipe/polgen/polgen.c > @@ -0,0 +1,145 @@ ... > +static int write_boot_policy(const char *pathname, const char *buf, size_t size) > +{ > + int rc = 0; > + FILE *fd; > + size_t i; > + > + fd = fopen(pathname, "w"); > + if (!fd) { > + rc = errno; > + goto err; > + } > + > + fprintf(fd, "/* This file is automatically generated."); > + fprintf(fd, " Do not edit. */\n"); > + fprintf(fd, "#include <linux/stddef.h>\n"); > + fprintf(fd, "\nextern const char *const ipe_boot_policy;\n\n"); > + fprintf(fd, "const char *const ipe_boot_policy =\n"); > + > + if (!buf || size == 0) { > + fprintf(fd, "\tNULL;\n"); > + fclose(fd); > + return 0; > + } > + > + fprintf(fd, "\t\""); > + > + for (i = 0; i < size; ++i) { > + switch (buf[i]) { > + case '"': > + fprintf(fd, "\\\""); > + break; > + case '\'': > + fprintf(fd, "'"); > + break; The revision of IPE proposed in this patchset doesn't support parsing single or double quotes, yes? > + case '\n': > + fprintf(fd, "\\n\"\n\t\""); > + break; > + case '\\': > + fprintf(fd, "\\\\"); > + break; > + case '\t': > + fprintf(fd, "\\t"); > + break; > + case '\?': > + fprintf(fd, "\\?"); > + break; Similar, are question marks supported by the parser? > + default: > + fprintf(fd, "%c", buf[i]); > + } > + } > + fprintf(fd, "\";\n"); > + fclose(fd); > + > + return 0; > + > +err: > + if (fd) > + fclose(fd); > + return rc; > +} ... > diff --git a/security/ipe/.gitignore b/security/ipe/.gitignore > new file mode 100644 > index 000000000000..eca22ad5ed22 > --- /dev/null > +++ b/security/ipe/.gitignore > @@ -0,0 +1 @@ > +boot-policy.c > \ No newline at end of file Add a newline please. -- paul-moore.com
On 10/23/2023 8:52 PM, Paul Moore wrote: > On Oct 4, 2023 Fan Wu <wufan@linux.microsoft.com> wrote: >> >> Enables an IPE policy to be enforced from kernel start, enabling access >> control based on trust from kernel startup. This is accomplished by >> transforming an IPE policy indicated by CONFIG_IPE_BOOT_POLICY into a >> c-string literal that is parsed at kernel startup as an unsigned policy. >> >> Signed-off-by: Deven Bowers <deven.desai@linux.microsoft.com> >> Signed-off-by: Fan Wu <wufan@linux.microsoft.com> >> --- >> v2: >> + No Changes >> >> v3: >> + No Changes >> >> v4: >> + No Changes >> >> v5: >> + No Changes >> >> v6: >> + No Changes >> >> v7: >> + Move from 01/11 to 14/16 >> + Don't return errno directly. >> + Make output of script more user-friendly >> + Add escaping for tab and '?' >> + Mark argv pointer const >> + Invert return code check in the boot policy parsing code path. >> >> v8: >> + No significant changes. >> >> v9: >> + No changes >> >> v10: >> + Update the init part code for rcu changes in the eval loop patch >> >> v11: >> + Fix code style issues >> --- >> MAINTAINERS | 1 + >> scripts/Makefile | 1 + >> scripts/ipe/Makefile | 2 + >> scripts/ipe/polgen/.gitignore | 1 + >> scripts/ipe/polgen/Makefile | 6 ++ >> scripts/ipe/polgen/polgen.c | 145 ++++++++++++++++++++++++++++++++++ >> security/ipe/.gitignore | 1 + >> security/ipe/Kconfig | 10 +++ >> security/ipe/Makefile | 11 +++ >> security/ipe/fs.c | 8 ++ >> security/ipe/ipe.c | 12 +++ >> 11 files changed, 198 insertions(+) >> create mode 100644 scripts/ipe/Makefile >> create mode 100644 scripts/ipe/polgen/.gitignore >> create mode 100644 scripts/ipe/polgen/Makefile >> create mode 100644 scripts/ipe/polgen/polgen.c >> create mode 100644 security/ipe/.gitignore > > ... > >> diff --git a/scripts/ipe/polgen/polgen.c b/scripts/ipe/polgen/polgen.c >> new file mode 100644 >> index 000000000000..40b6fe07f47b >> --- /dev/null >> +++ b/scripts/ipe/polgen/polgen.c >> @@ -0,0 +1,145 @@ > > ... > >> +static int write_boot_policy(const char *pathname, const char *buf, size_t size) >> +{ >> + int rc = 0; >> + FILE *fd; >> + size_t i; >> + >> + fd = fopen(pathname, "w"); >> + if (!fd) { >> + rc = errno; >> + goto err; >> + } >> + >> + fprintf(fd, "/* This file is automatically generated."); >> + fprintf(fd, " Do not edit. */\n"); >> + fprintf(fd, "#include <linux/stddef.h>\n"); >> + fprintf(fd, "\nextern const char *const ipe_boot_policy;\n\n"); >> + fprintf(fd, "const char *const ipe_boot_policy =\n"); >> + >> + if (!buf || size == 0) { >> + fprintf(fd, "\tNULL;\n"); >> + fclose(fd); >> + return 0; >> + } >> + >> + fprintf(fd, "\t\""); >> + >> + for (i = 0; i < size; ++i) { >> + switch (buf[i]) { >> + case '"': >> + fprintf(fd, "\\\""); >> + break; >> + case '\'': >> + fprintf(fd, "'"); >> + break; > > The revision of IPE proposed in this patchset doesn't support parsing > single or double quotes, yes? > Actually all characters can be used in the policy. The previous revision was removing the quote syntax, which supports having space in the policy name like policy_name="example policy". But that is not related to the boot policy generation code here. The code here is to generate a C source code that will be linked into IPE. Thus we have to escape these characters to conform with the C language string literal standard. -Fan >> + case '\n': >> + fprintf(fd, "\\n\"\n\t\""); >> + break; >> + case '\\': >> + fprintf(fd, "\\\\"); >> + break; >> + case '\t': >> + fprintf(fd, "\\t"); >> + break; >> + case '\?': >> + fprintf(fd, "\\?"); >> + break; > > Similar, are question marks supported by the parser? > >> + default: >> + fprintf(fd, "%c", buf[i]); >> + } >> + } >> + fprintf(fd, "\";\n"); >> + fclose(fd); >> + >> + return 0; >> + >> +err: >> + if (fd) >> + fclose(fd); >> + return rc; >> +} > > ... > >> diff --git a/security/ipe/.gitignore b/security/ipe/.gitignore >> new file mode 100644 >> index 000000000000..eca22ad5ed22 >> --- /dev/null >> +++ b/security/ipe/.gitignore >> @@ -0,0 +1 @@ >> +boot-policy.c >> \ No newline at end of file > > Add a newline please. > > -- > paul-moore.com
diff --git a/MAINTAINERS b/MAINTAINERS index b898f2f8f9c4..18b1aeea6306 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -10394,6 +10394,7 @@ M: Fan Wu <wufan@linux.microsoft.com> L: linux-security-module@vger.kernel.org S: Supported T: git https://github.com/microsoft/ipe.git +F: scripts/ipe/ F: security/ipe/ INTEL 810/815 FRAMEBUFFER DRIVER diff --git a/scripts/Makefile b/scripts/Makefile index 576cf64be667..1dbaf3a49aef 100644 --- a/scripts/Makefile +++ b/scripts/Makefile @@ -50,6 +50,7 @@ targets += module.lds subdir-$(CONFIG_GCC_PLUGINS) += gcc-plugins subdir-$(CONFIG_MODVERSIONS) += genksyms subdir-$(CONFIG_SECURITY_SELINUX) += selinux +subdir-$(CONFIG_SECURITY_IPE) += ipe # Let clean descend into subdirs subdir- += basic dtc gdb kconfig mod diff --git a/scripts/ipe/Makefile b/scripts/ipe/Makefile new file mode 100644 index 000000000000..e87553fbb8d6 --- /dev/null +++ b/scripts/ipe/Makefile @@ -0,0 +1,2 @@ +# SPDX-License-Identifier: GPL-2.0-only +subdir-y := polgen diff --git a/scripts/ipe/polgen/.gitignore b/scripts/ipe/polgen/.gitignore new file mode 100644 index 000000000000..80f32f25d200 --- /dev/null +++ b/scripts/ipe/polgen/.gitignore @@ -0,0 +1 @@ +polgen diff --git a/scripts/ipe/polgen/Makefile b/scripts/ipe/polgen/Makefile new file mode 100644 index 000000000000..066060c22b4a --- /dev/null +++ b/scripts/ipe/polgen/Makefile @@ -0,0 +1,6 @@ +# SPDX-License-Identifier: GPL-2.0 +hostprogs-always-y := polgen +HOST_EXTRACFLAGS += \ + -I$(srctree)/include \ + -I$(srctree)/include/uapi \ + diff --git a/scripts/ipe/polgen/polgen.c b/scripts/ipe/polgen/polgen.c new file mode 100644 index 000000000000..40b6fe07f47b --- /dev/null +++ b/scripts/ipe/polgen/polgen.c @@ -0,0 +1,145 @@ +// SPDX-License-Identifier: GPL-2.0 +/* + * Copyright (C) Microsoft Corporation. All rights reserved. + */ + +#include <stdlib.h> +#include <stddef.h> +#include <stdio.h> +#include <unistd.h> +#include <errno.h> + +static void usage(const char *const name) +{ + printf("Usage: %s OutputFile (PolicyFile)\n", name); + exit(EINVAL); +} + +static int policy_to_buffer(const char *pathname, char **buffer, size_t *size) +{ + int rc = 0; + FILE *fd; + char *lbuf; + size_t fsize; + size_t read; + + fd = fopen(pathname, "r"); + if (!fd) { + rc = errno; + goto out; + } + + fseek(fd, 0, SEEK_END); + fsize = ftell(fd); + rewind(fd); + + lbuf = malloc(fsize); + if (!lbuf) { + rc = ENOMEM; + goto out_close; + } + + read = fread((void *)lbuf, sizeof(*lbuf), fsize, fd); + if (read != fsize) { + rc = -1; + goto out_free; + } + + *buffer = lbuf; + *size = fsize; + fclose(fd); + + return rc; + +out_free: + free(lbuf); +out_close: + fclose(fd); +out: + return rc; +} + +static int write_boot_policy(const char *pathname, const char *buf, size_t size) +{ + int rc = 0; + FILE *fd; + size_t i; + + fd = fopen(pathname, "w"); + if (!fd) { + rc = errno; + goto err; + } + + fprintf(fd, "/* This file is automatically generated."); + fprintf(fd, " Do not edit. */\n"); + fprintf(fd, "#include <linux/stddef.h>\n"); + fprintf(fd, "\nextern const char *const ipe_boot_policy;\n\n"); + fprintf(fd, "const char *const ipe_boot_policy =\n"); + + if (!buf || size == 0) { + fprintf(fd, "\tNULL;\n"); + fclose(fd); + return 0; + } + + fprintf(fd, "\t\""); + + for (i = 0; i < size; ++i) { + switch (buf[i]) { + case '"': + fprintf(fd, "\\\""); + break; + case '\'': + fprintf(fd, "'"); + break; + case '\n': + fprintf(fd, "\\n\"\n\t\""); + break; + case '\\': + fprintf(fd, "\\\\"); + break; + case '\t': + fprintf(fd, "\\t"); + break; + case '\?': + fprintf(fd, "\\?"); + break; + default: + fprintf(fd, "%c", buf[i]); + } + } + fprintf(fd, "\";\n"); + fclose(fd); + + return 0; + +err: + if (fd) + fclose(fd); + return rc; +} + +int main(int argc, const char *const argv[]) +{ + int rc = 0; + size_t len = 0; + char *policy = NULL; + + if (argc < 2) + usage(argv[0]); + + if (argc > 2) { + rc = policy_to_buffer(argv[2], &policy, &len); + if (rc != 0) + goto cleanup; + } + + rc = write_boot_policy(argv[1], policy, len); +cleanup: + if (policy) + free(policy); + if (rc != 0) + perror("An error occurred during policy conversion: "); + return rc; +} diff --git a/security/ipe/.gitignore b/security/ipe/.gitignore new file mode 100644 index 000000000000..eca22ad5ed22 --- /dev/null +++ b/security/ipe/.gitignore @@ -0,0 +1 @@ +boot-policy.c \ No newline at end of file diff --git a/security/ipe/Kconfig b/security/ipe/Kconfig index 9dd5c4769d79..a6c5d48dd0a3 100644 --- a/security/ipe/Kconfig +++ b/security/ipe/Kconfig @@ -18,6 +18,16 @@ menuconfig SECURITY_IPE If unsure, answer N. if SECURITY_IPE +config IPE_BOOT_POLICY + string "Integrity policy to apply on system startup" + help + This option specifies a filepath to a IPE policy that is compiled + into the kernel. This policy will be enforced until a policy update + is deployed via the $securityfs/ipe/policies/$policy_name/active + interface. + + If unsure, leave blank. + menu "IPE Trust Providers" config IPE_PROP_DM_VERITY diff --git a/security/ipe/Makefile b/security/ipe/Makefile index 66de53687d11..ce23101b66ba 100644 --- a/security/ipe/Makefile +++ b/security/ipe/Makefile @@ -5,7 +5,16 @@ # Makefile for building the IPE module as part of the kernel tree. # +quiet_cmd_polgen = IPE_POL $(2) + cmd_polgen = scripts/ipe/polgen/polgen security/ipe/boot-policy.c $(2) + +targets += boot-policy.c + +$(obj)/boot-policy.c: scripts/ipe/polgen/polgen $(CONFIG_IPE_BOOT_POLICY) FORCE + $(call if_changed,polgen,$(CONFIG_IPE_BOOT_POLICY)) + obj-$(CONFIG_SECURITY_IPE) += \ + boot-policy.o \ digest.o \ eval.o \ hooks.o \ @@ -15,3 +24,5 @@ obj-$(CONFIG_SECURITY_IPE) += \ policy_fs.o \ policy_parser.o \ audit.o \ + +clean-files := boot-policy.c \ diff --git a/security/ipe/fs.c b/security/ipe/fs.c index 0a1838432bd0..58584c5f3ee4 100644 --- a/security/ipe/fs.c +++ b/security/ipe/fs.c @@ -190,6 +190,7 @@ static const struct file_operations enforce_fops = { static int __init ipe_init_securityfs(void) { int rc = 0; + struct ipe_policy *ap; if (!ipe_enabled) return -EOPNOTSUPP; @@ -220,6 +221,13 @@ static int __init ipe_init_securityfs(void) goto err; } + ap = rcu_access_pointer(ipe_active_policy); + if (ap) { + rc = ipe_new_policyfs_node(ap); + if (rc) + goto err; + } + np = securityfs_create_file("new_policy", 0200, root, NULL, &np_fops); if (IS_ERR(np)) { rc = PTR_ERR(np); diff --git a/security/ipe/ipe.c b/security/ipe/ipe.c index e789f1db6f66..3d672dd57b32 100644 --- a/security/ipe/ipe.c +++ b/security/ipe/ipe.c @@ -7,6 +7,7 @@ #include "hooks.h" #include "eval.h" +extern const char *const ipe_boot_policy; bool ipe_enabled; static struct lsm_blob_sizes ipe_blobs __ro_after_init = { @@ -60,9 +61,20 @@ static struct security_hook_list ipe_hooks[] __ro_after_init = { */ static int __init ipe_init(void) { + struct ipe_policy *p = NULL; + security_add_hooks(ipe_hooks, ARRAY_SIZE(ipe_hooks), "ipe"); ipe_enabled = true; + if (ipe_boot_policy) { + p = ipe_new_policy(ipe_boot_policy, strlen(ipe_boot_policy), + NULL, 0); + if (IS_ERR(p)) + return PTR_ERR(p); + + rcu_assign_pointer(ipe_active_policy, p); + } + return 0; }