[PATCHv2,25/59] keys/mktme: Preparse the MKTME key payload

Message ID	20190731150813.26289-26-kirill.shutemov@linux.intel.com (mailing list archive)
State	New, archived
Headers	show Return-Path: <kvm-owner@kernel.org> From: "Kirill A. Shutemov" <kirill@shutemov.name> To: Andrew Morton <akpm@linux-foundation.org>, x86@kernel.org, Thomas Gleixner <tglx@linutronix.de>, Ingo Molnar <mingo@redhat.com>, "H. Peter Anvin" <hpa@zytor.com>, Borislav Petkov <bp@alien8.de>, Peter Zijlstra <peterz@infradead.org>, Andy Lutomirski <luto@amacapital.net>, David Howells <dhowells@redhat.com> Cc: Kees Cook <keescook@chromium.org>, Dave Hansen <dave.hansen@intel.com>, Kai Huang <kai.huang@linux.intel.com>, Jacob Pan <jacob.jun.pan@linux.intel.com>, Alison Schofield <alison.schofield@intel.com>, linux-mm@kvack.org, kvm@vger.kernel.org, keyrings@vger.kernel.org, linux-kernel@vger.kernel.org, "Kirill A . Shutemov" <kirill.shutemov@linux.intel.com> Subject: [PATCHv2 25/59] keys/mktme: Preparse the MKTME key payload Date: Wed, 31 Jul 2019 18:07:39 +0300 Message-Id: <20190731150813.26289-26-kirill.shutemov@linux.intel.com> In-Reply-To: <20190731150813.26289-1-kirill.shutemov@linux.intel.com> References: <20190731150813.26289-1-kirill.shutemov@linux.intel.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: kvm-owner@vger.kernel.org Precedence: bulk
Series	Intel MKTME enabling \| expand [PATCHv2,00/59] Intel MKTME enabling [PATCHv2,01/59] mm: Do no merge VMAs with different encryption KeyIDs [PATCHv2,02/59] mm: Add helpers to setup zero page mappings [PATCHv2,03/59] mm/ksm: Do not merge pages with different KeyIDs [PATCHv2,04/59] mm/page_alloc: Unify alloc_hugepage_vma() [PATCHv2,05/59] mm/page_alloc: Handle allocation for encrypted memory [PATCHv2,06/59] mm/khugepaged: Handle encrypted pages [PATCHv2,07/59] x86/mm: Mask out KeyID bits from page table entry pfn [PATCHv2,08/59] x86/mm: Introduce helpers to read number, shift and mask of KeyIDs [PATCHv2,09/59] x86/mm: Store bitmask of the encryption algorithms supported by MKTME [PATCHv2,10/59] x86/mm: Preserve KeyID on pte_modify() and pgprot_modify() [PATCHv2,11/59] x86/mm: Detect MKTME early [PATCHv2,12/59] x86/mm: Add a helper to retrieve KeyID for a page [PATCHv2,13/59] x86/mm: Add a helper to retrieve KeyID for a VMA [PATCHv2,14/59] x86/mm: Add hooks to allocate and free encrypted pages [PATCHv2,15/59] x86/mm: Map zero pages into encrypted mappings correctly [PATCHv2,16/59] x86/mm: Rename CONFIG_RANDOMIZE_MEMORY_PHYSICAL_PADDING [PATCHv2,17/59] x86/mm: Allow to disable MKTME after enumeration [PATCHv2,18/59] x86/mm: Calculate direct mapping size [PATCHv2,19/59] x86/mm: Implement syncing per-KeyID direct mappings [PATCHv2,20/59] x86/mm: Handle encrypted memory in page_to_virt() and __pa() [PATCHv2,21/59] mm/page_ext: Export lookup_page_ext() symbol [PATCHv2,22/59] mm/rmap: Clear vma->anon_vma on unlink_anon_vmas() [PATCHv2,23/59] x86/pconfig: Set an activated algorithm in all MKTME commands [PATCHv2,24/59] keys/mktme: Introduce a Kernel Key Service for MKTME [PATCHv2,25/59] keys/mktme: Preparse the MKTME key payload [PATCHv2,26/59] keys/mktme: Instantiate MKTME keys [PATCHv2,27/59] keys/mktme: Destroy MKTME keys [PATCHv2,28/59] keys/mktme: Move the MKTME payload into a cache aligned structure [PATCHv2,29/59] keys/mktme: Set up PCONFIG programming targets for MKTME keys [PATCHv2,30/59] keys/mktme: Program MKTME keys into the platform hardware [PATCHv2,31/59] keys/mktme: Set up a percpu_ref_count for MKTME keys [PATCHv2,32/59] keys/mktme: Clear the key programming from the MKTME hardware [PATCHv2,33/59] keys/mktme: Require CAP_SYS_RESOURCE capability for MKTME keys [PATCHv2,34/59] acpi: Remove __init from acpi table parsing functions [PATCHv2,35/59] acpi/hmat: Determine existence of an ACPI HMAT [PATCHv2,36/59] keys/mktme: Require ACPI HMAT to register the MKTME Key Service [PATCHv2,37/59] acpi/hmat: Evaluate topology presented in ACPI HMAT for MKTME [PATCHv2,38/59] keys/mktme: Do not allow key creation in unsafe topologies [PATCHv2,39/59] keys/mktme: Support CPU hotplug for MKTME key service [PATCHv2,40/59] keys/mktme: Block memory hotplug additions when MKTME is enabled [PATCHv2,41/59] mm: Generalize the mprotect implementation to support extensions [PATCHv2,42/59] syscall/x86: Wire up a system call for MKTME encryption keys [PATCHv2,43/59] x86/mm: Set KeyIDs in encrypted VMAs for MKTME [PATCHv2,44/59] mm: Add the encrypt_mprotect() system call for MKTME [PATCHv2,45/59] x86/mm: Keep reference counts on hardware key usage for MKTME [PATCHv2,46/59] mm: Restrict MKTME memory encryption to anonymous VMAs [PATCHv2,47/59] kvm, x86, mmu: setup MKTME keyID to spte for given PFN [PATCHv2,48/59] iommu/vt-d: Support MKTME in DMA remapping [PATCHv2,49/59] x86/mm: introduce common code for mem encryption [PATCHv2,50/59] x86/mm: Use common code for DMA memory encryption [PATCHv2,51/59] x86/mm: Disable MKTME on incompatible platform configurations [PATCHv2,52/59] x86/mm: Disable MKTME if not all system memory supports encryption [PATCHv2,53/59] x86: Introduce CONFIG_X86_INTEL_MKTME [PATCHv2,54/59] x86/mktme: Overview of Multi-Key Total Memory Encryption [PATCHv2,55/59] x86/mktme: Document the MKTME provided security mitigations [PATCHv2,56/59] x86/mktme: Document the MKTME kernel configuration requirements [PATCHv2,57/59] x86/mktme: Document the MKTME Key Service API [PATCHv2,58/59] x86/mktme: Document the MKTME API for anonymous memory encryption [PATCHv2,59/59] x86/mktme: Demonstration program using the MKTME APIs

Message ID

20190731150813.26289-26-kirill.shutemov@linux.intel.com (mailing list archive)

State

New, archived

Headers

From: "Kirill A. Shutemov" <kirill@shutemov.name>
To: Andrew Morton <akpm@linux-foundation.org>, x86@kernel.org,
        Thomas Gleixner <tglx@linutronix.de>,
        Ingo Molnar <mingo@redhat.com>,
        "H. Peter Anvin" <hpa@zytor.com>, Borislav Petkov <bp@alien8.de>,
        Peter Zijlstra <peterz@infradead.org>,
        Andy Lutomirski <luto@amacapital.net>,
        David Howells <dhowells@redhat.com>
Cc: Kees Cook <keescook@chromium.org>,
        Dave Hansen <dave.hansen@intel.com>,
        Kai Huang <kai.huang@linux.intel.com>,
        Jacob Pan <jacob.jun.pan@linux.intel.com>,
        Alison Schofield <alison.schofield@intel.com>,
        linux-mm@kvack.org, kvm@vger.kernel.org, keyrings@vger.kernel.org,
        linux-kernel@vger.kernel.org,
        "Kirill A . Shutemov" <kirill.shutemov@linux.intel.com>
Subject: [PATCHv2 25/59] keys/mktme: Preparse the MKTME key payload
Date: Wed, 31 Jul 2019 18:07:39 +0300
Message-Id: <20190731150813.26289-26-kirill.shutemov@linux.intel.com>
In-Reply-To: <20190731150813.26289-1-kirill.shutemov@linux.intel.com>
References: <20190731150813.26289-1-kirill.shutemov@linux.intel.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Sender: kvm-owner@vger.kernel.org
Precedence: bulk

Series

Intel MKTME enabling | expand

Commit Message

Kirill A . Shutemov July 31, 2019, 3:07 p.m. UTC

From: Alison Schofield <alison.schofield@intel.com>

It is a requirement of the Kernel Keys subsystem to provide a
preparse method that validates payloads before key instantiate
methods are called.

Verify that userspace provides valid MKTME options and prepare
the payload for use at key instantiate time.

Create a method to free the preparsed payload. The Kernel Key
subsystem will that to clean up after the key is instantiated.

Signed-off-by: Alison Schofield <alison.schofield@intel.com>
Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
---
 include/keys/mktme-type.h  |  31 +++++++++
 security/keys/mktme_keys.c | 134 +++++++++++++++++++++++++++++++++++++
 2 files changed, 165 insertions(+)
 create mode 100644 include/keys/mktme-type.h

Comments

Ben Boeckel Aug. 5, 2019, 11:58 a.m. UTC | #1

On Wed, Jul 31, 2019 at 18:07:39 +0300, Kirill A. Shutemov wrote:
> From: Alison Schofield <alison.schofield@intel.com>
> +/* Make sure arguments are correct for the TYPE of key requested */
> +static int mktme_check_options(u32 *payload, unsigned long token_mask,
> +			       enum mktme_type type, enum mktme_alg alg)
> +{
> +	if (!token_mask)
> +		return -EINVAL;
> +
> +	switch (type) {
> +	case MKTME_TYPE_CPU:
> +		if (test_bit(OPT_ALGORITHM, &token_mask))
> +			*payload |= (1 << alg) << 8;
> +		else
> +			return -EINVAL;
> +
> +		*payload |= MKTME_KEYID_SET_KEY_RANDOM;
> +		break;
> +
> +	case MKTME_TYPE_NO_ENCRYPT:
> +		*payload |= MKTME_KEYID_NO_ENCRYPT;
> +		break;

The documentation states that for `type=no-encrypt`, algorithm must not
be specified at all. Where is that checked?

--Ben

Alison Schofield Aug. 5, 2019, 8:31 p.m. UTC | #2

On Mon, Aug 05, 2019 at 07:58:19AM -0400, Ben Boeckel wrote:
> On Wed, Jul 31, 2019 at 18:07:39 +0300, Kirill A. Shutemov wrote:
> > From: Alison Schofield <alison.schofield@intel.com>
> > +/* Make sure arguments are correct for the TYPE of key requested */
> > +static int mktme_check_options(u32 *payload, unsigned long token_mask,
> > +			       enum mktme_type type, enum mktme_alg alg)
> > +{
> > +	if (!token_mask)
> > +		return -EINVAL;
> > +
> > +	switch (type) {
> > +	case MKTME_TYPE_CPU:
> > +		if (test_bit(OPT_ALGORITHM, &token_mask))
> > +			*payload |= (1 << alg) << 8;
> > +		else
> > +			return -EINVAL;
> > +
> > +		*payload |= MKTME_KEYID_SET_KEY_RANDOM;
> > +		break;
> > +
> > +	case MKTME_TYPE_NO_ENCRYPT:
		if (test_bit(OPT_ALGORITHM, &token_mask))
			return -EINVAL;
> > +		*payload |= MKTME_KEYID_NO_ENCRYPT;
> > +		break;
> 
> The documentation states that for `type=no-encrypt`, algorithm must not
> be specified at all. Where is that checked?
> 
> --Ben
It's not currently checked, but should be. 
I'll add it as shown above.
Thanks for the review,
Alison

Ben Boeckel Aug. 13, 2019, 1:06 p.m. UTC | #3

On Mon, Aug 05, 2019 at 13:31:02 -0700, Alison Schofield wrote:
> It's not currently checked, but should be. 
> I'll add it as shown above.
> Thanks for the review,

Thanks. Seeing how this works elsewhere now, feel free to add my review
with the proposed check to the new patch.

Reviewed-by: Ben Boeckel <mathstuf@gmail.com>

--Ben

diff --git a/include/keys/mktme-type.h b/include/keys/mktme-type.h
new file mode 100644
index 000000000000..9dad92f17179
--- /dev/null
+++ b/include/keys/mktme-type.h
@@ -0,0 +1,31 @@ 
+/* SPDX-License-Identifier: GPL-2.0 */
+
+/* Key service for Multi-KEY Total Memory Encryption */
+
+#ifndef _KEYS_MKTME_TYPE_H
+#define _KEYS_MKTME_TYPE_H
+
+#include <linux/key.h>
+
+enum mktme_alg {
+	MKTME_ALG_AES_XTS_128,
+};
+
+const char *const mktme_alg_names[] = {
+	[MKTME_ALG_AES_XTS_128]	= "aes-xts-128",
+};
+
+enum mktme_type {
+	MKTME_TYPE_ERROR = -1,
+	MKTME_TYPE_CPU,
+	MKTME_TYPE_NO_ENCRYPT,
+};
+
+const char *const mktme_type_names[] = {
+	[MKTME_TYPE_CPU]	= "cpu",
+	[MKTME_TYPE_NO_ENCRYPT]	= "no-encrypt",
+};
+
+extern struct key_type key_type_mktme;
+
+#endif /* _KEYS_MKTME_TYPE_H */
diff --git a/security/keys/mktme_keys.c b/security/keys/mktme_keys.c
index d262e0f348e4..fe119a155235 100644
--- a/security/keys/mktme_keys.c
+++ b/security/keys/mktme_keys.c
@@ -6,6 +6,10 @@ 
 #include <linux/key.h>
 #include <linux/key-type.h>
 #include <linux/mm.h>
+#include <linux/parser.h>
+#include <linux/string.h>
+#include <asm/intel_pconfig.h>
+#include <keys/mktme-type.h>
 #include <keys/user-type.h>
 
 #include "internal.h"
@@ -27,8 +31,138 @@  struct mktme_mapping {
 
 static struct mktme_mapping *mktme_map;
 
+enum mktme_opt_id {
+	OPT_ERROR,
+	OPT_TYPE,
+	OPT_ALGORITHM,
+};
+
+static const match_table_t mktme_token = {
+	{OPT_TYPE, "type=%s"},
+	{OPT_ALGORITHM, "algorithm=%s"},
+	{OPT_ERROR, NULL}
+};
+
+/* Make sure arguments are correct for the TYPE of key requested */
+static int mktme_check_options(u32 *payload, unsigned long token_mask,
+			       enum mktme_type type, enum mktme_alg alg)
+{
+	if (!token_mask)
+		return -EINVAL;
+
+	switch (type) {
+	case MKTME_TYPE_CPU:
+		if (test_bit(OPT_ALGORITHM, &token_mask))
+			*payload |= (1 << alg) << 8;
+		else
+			return -EINVAL;
+
+		*payload |= MKTME_KEYID_SET_KEY_RANDOM;
+		break;
+
+	case MKTME_TYPE_NO_ENCRYPT:
+		*payload |= MKTME_KEYID_NO_ENCRYPT;
+		break;
+
+	default:
+		return -EINVAL;
+	}
+	return 0;
+}
+
+/* Parse the options and store the key programming data in the payload. */
+static int mktme_get_options(char *options, u32 *payload)
+{
+	enum mktme_alg alg = MKTME_ALG_AES_XTS_128;
+	enum mktme_type type = MKTME_TYPE_ERROR;
+	substring_t args[MAX_OPT_ARGS];
+	unsigned long token_mask = 0;
+	char *p = options;
+	int token;
+
+	while ((p = strsep(&options, " \t"))) {
+		if (*p == '\0' || *p == ' ' || *p == '\t')
+			continue;
+		token = match_token(p, mktme_token, args);
+		if (token == OPT_ERROR)
+			return -EINVAL;
+		if (test_and_set_bit(token, &token_mask))
+			return -EINVAL;
+
+		switch (token) {
+		case OPT_TYPE:
+			type = match_string(mktme_type_names,
+					    ARRAY_SIZE(mktme_type_names),
+					    args[0].from);
+			if (type < 0)
+				return -EINVAL;
+			break;
+
+		case OPT_ALGORITHM:
+			/* Algorithm must be generally supported */
+			alg = match_string(mktme_alg_names,
+					   ARRAY_SIZE(mktme_alg_names),
+					   args[0].from);
+			if (alg < 0)
+				return -EINVAL;
+
+			/* Algorithm must be activated on this platform */
+			if (!(mktme_algs & (1 << alg)))
+				return -EINVAL;
+			break;
+
+		default:
+			return -EINVAL;
+		}
+	}
+	return mktme_check_options(payload, token_mask, type, alg);
+}
+
+void mktme_free_preparsed_payload(struct key_preparsed_payload *prep)
+{
+	kzfree(prep->payload.data[0]);
+}
+
+/*
+ * Key Service Method to preparse a payload before a key is created.
+ * Check permissions and the options. Load the proposed key field
+ * data into the payload for use by the instantiate method.
+ */
+int mktme_preparse_payload(struct key_preparsed_payload *prep)
+{
+	size_t datalen = prep->datalen;
+	u32 *mktme_payload;
+	char *options;
+	int ret;
+
+	if (datalen <= 0 || datalen > 1024 || !prep->data)
+		return -EINVAL;
+
+	options = kmemdup_nul(prep->data, datalen, GFP_KERNEL);
+	if (!options)
+		return -ENOMEM;
+
+	mktme_payload = kzalloc(sizeof(*mktme_payload), GFP_KERNEL);
+	if (!mktme_payload) {
+		ret = -ENOMEM;
+		goto out;
+	}
+	ret = mktme_get_options(options, mktme_payload);
+	if (ret < 0) {
+		kzfree(mktme_payload);
+		goto out;
+	}
+	prep->quotalen = sizeof(mktme_payload);
+	prep->payload.data[0] = mktme_payload;
+out:
+	kzfree(options);
+	return ret;
+}
+
 struct key_type key_type_mktme = {
 	.name		= "mktme",
+	.preparse	= mktme_preparse_payload,
+	.free_preparse	= mktme_free_preparsed_payload,
 	.describe	= user_describe,
 };

[PATCHv2,25/59] keys/mktme: Preparse the MKTME key payload

Commit Message

Comments

Patch