[v4,06/14] digest_cache: Parse tlv digest lists

Message ID	20240415142436.2545003-7-roberto.sassu@huaweicloud.com (mailing list archive)
State	New, archived
Headers	show Received: from frasgout13.his.huawei.com (frasgout13.his.huawei.com [14.137.139.46]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id C725176045; Mon, 15 Apr 2024 14:26:47 +0000 (UTC) From: Roberto Sassu <roberto.sassu@huaweicloud.com> To: corbet@lwn.net, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, akpm@linux-foundation.org, shuah@kernel.org, mcoquelin.stm32@gmail.com, alexandre.torgue@foss.st.com, mic@digikod.net Cc: linux-security-module@vger.kernel.org, linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, bpf@vger.kernel.org, zohar@linux.ibm.com, dmitry.kasatkin@gmail.com, linux-integrity@vger.kernel.org, wufan@linux.microsoft.com, pbrobinson@gmail.com, zbyszek@in.waw.pl, hch@lst.de, mjg59@srcf.ucam.org, pmatilai@redhat.com, jannh@google.com, dhowells@redhat.com, jikos@kernel.org, mkoutny@suse.com, ppavlu@suse.com, petr.vorel@gmail.com, mzerqung@0pointer.de, kgold@linux.ibm.com, Roberto Sassu <roberto.sassu@huawei.com> Subject: [PATCH v4 06/14] digest_cache: Parse tlv digest lists Date: Mon, 15 Apr 2024 16:24:28 +0200 Message-Id: <20240415142436.2545003-7-roberto.sassu@huaweicloud.com> In-Reply-To: <20240415142436.2545003-1-roberto.sassu@huaweicloud.com> References: <20240415142436.2545003-1-roberto.sassu@huaweicloud.com> Precedence: bulk MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	security: digest_cache LSM \| expand [v4,00/14] security: digest_cache LSM [v4,01/14] lib: Add TLV parser [v4,02/14] security: Introduce the digest_cache LSM [v4,03/14] digest_cache: Add securityfs interface [v4,04/14] digest_cache: Add hash tables and operations [v4,05/14] digest_cache: Populate the digest cache from a digest list [v4,06/14] digest_cache: Parse tlv digest lists [v4,07/14] digest_cache: Parse rpm digest lists [v4,08/14] digest_cache: Add management of verification data [v4,09/14] digest_cache: Add support for directories [v4,10/14] digest cache: Prefetch digest lists if requested [v4,11/14] digest_cache: Reset digest cache on file/directory change [v4,12/14] digest_cache: Notify digest cache events [v4,13/14] selftests/digest_cache: Add selftests for digest_cache LSM [v4,14/14] docs: Add documentation of the digest_cache LSM

diff --git a/include/uapi/linux/tlv_digest_list.h b/include/uapi/linux/tlv_digest_list.h new file mode 100644 index 000000000000..8c97a46901c1 --- /dev/null +++ b/include/uapi/linux/tlv_digest_list.h @@ -0,0 +1,72 @@ +/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */ +/* + * Copyright (C) 2017-2024 Huawei Technologies Duesseldorf GmbH + * + * Author: Roberto Sassu <roberto.sassu@huawei.com> + * + * Export definitions of the tlv digest list. + */ + +#ifndef _UAPI_LINUX_TLV_DIGEST_LIST_H +#define _UAPI_LINUX_TLV_DIGEST_LIST_H + +#include <linux/types.h> + +#define FOR_EACH_DIGEST_LIST_TYPE(DIGEST_LIST_TYPE) \ + DIGEST_LIST_TYPE(DIGEST_LIST_FILE) \ + DIGEST_LIST_TYPE(DIGEST_LIST__LAST) + +#define FOR_EACH_DIGEST_LIST_FIELD(DIGEST_LIST_FIELD) \ + DIGEST_LIST_FIELD(DIGEST_LIST_ALGO) \ + DIGEST_LIST_FIELD(DIGEST_LIST_ENTRY) \ + DIGEST_LIST_FIELD(DIGEST_LIST_FIELD__LAST) + +#define FOR_EACH_DIGEST_LIST_ENTRY_TYPE(DIGEST_LIST_ENTRY_TYPE) \ + DIGEST_LIST_ENTRY_TYPE(DIGEST_LIST_ENTRY_DATA) \ + DIGEST_LIST_ENTRY_TYPE(DIGEST_LIST_ENTRY__LAST) + +#define FOR_EACH_DIGEST_LIST_ENTRY_FIELD(DIGEST_LIST_ENTRY_FIELD) \ + DIGEST_LIST_ENTRY_FIELD(DIGEST_LIST_ENTRY_DIGEST) \ + DIGEST_LIST_ENTRY_FIELD(DIGEST_LIST_ENTRY_PATH) \ + DIGEST_LIST_ENTRY_FIELD(DIGEST_LIST_ENTRY_FIELD__LAST) + +#define GENERATE_ENUM(ENUM) ENUM, +#define GENERATE_STRING(STRING) #STRING, + +/** + * enum digest_list_types - Types of digest list + * + * Enumerates the types of digest list to parse. + */ +enum digest_list_types { + FOR_EACH_DIGEST_LIST_TYPE(GENERATE_ENUM) +}; + +/** + * enum digest_list_fields - Digest list fields + * + * Enumerates the digest list fields. + */ +enum digest_list_fields { + FOR_EACH_DIGEST_LIST_FIELD(GENERATE_ENUM) +}; + +/** + * enum digest_list_entry_types - Types of data stored in DIGEST_LIST_ENTRY + * + * Enumerates the types of data stored in DIGEST_LIST_ENTRY (nested TLV data). + */ +enum digest_list_entry_types { + FOR_EACH_DIGEST_LIST_ENTRY_TYPE(GENERATE_ENUM) +}; + +/** + * enum digest_list_entry_fields - DIGEST_LIST_ENTRY fields + * + * Enumerates the DIGEST_LIST_ENTRY fields. + */ +enum digest_list_entry_fields { + FOR_EACH_DIGEST_LIST_ENTRY_FIELD(GENERATE_ENUM) +}; + +#endif /* _UAPI_LINUX_TLV_DIGEST_LIST_H */ diff --git a/security/digest_cache/Kconfig b/security/digest_cache/Kconfig index 71017954e5c5..cb4fa44e8f2a 100644 --- a/security/digest_cache/Kconfig +++ b/security/digest_cache/Kconfig @@ -1,6 +1,7 @@ # SPDX-License-Identifier: GPL-2.0 config SECURITY_DIGEST_CACHE bool "Digest_cache LSM" + select TLV_PARSER default n help This option enables an LSM maintaining a cache of digests diff --git a/security/digest_cache/Makefile b/security/digest_cache/Makefile index c1452437d02f..a383b6ef2550 100644 --- a/security/digest_cache/Makefile +++ b/security/digest_cache/Makefile @@ -5,3 +5,5 @@ obj-$(CONFIG_SECURITY_DIGEST_CACHE) += digest_cache.o digest_cache-y := main.o secfs.o htable.o populate.o modsig.o + +digest_cache-y += parsers/tlv.o diff --git a/security/digest_cache/parsers/parsers.h b/security/digest_cache/parsers/parsers.h new file mode 100644 index 000000000000..1bbae426ab9f --- /dev/null +++ b/security/digest_cache/parsers/parsers.h @@ -0,0 +1,13 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +/* + * Copyright (C) 2023-2024 Huawei Technologies Duesseldorf GmbH + * + * Author: Roberto Sassu <roberto.sassu@huawei.com> + * + * Digest list parsers. + */ + +#include "../internal.h" + +int digest_list_parse_tlv(struct digest_cache *digest_cache, const u8 *data, + size_t data_len); diff --git a/security/digest_cache/parsers/tlv.c b/security/digest_cache/parsers/tlv.c new file mode 100644 index 000000000000..97e2c36b93a8 --- /dev/null +++ b/security/digest_cache/parsers/tlv.c @@ -0,0 +1,299 @@ +// SPDX-License-Identifier: GPL-2.0 +/* + * Copyright (C) 2017-2024 Huawei Technologies Duesseldorf GmbH + * + * Author: Roberto Sassu <roberto.sassu@huawei.com> + * + * Parse a tlv digest list. + */ + +#define pr_fmt(fmt) "TLV DIGEST LIST: "fmt +#include <linux/tlv_parser.h> +#include <uapi/linux/tlv_digest_list.h> + +#include "parsers.h" + +#define kenter(FMT, ...) \ + pr_debug("==> %s(" FMT ")\n", __func__, ##__VA_ARGS__) +#define kleave(FMT, ...) \ + pr_debug("<== %s()" FMT "\n", __func__, ##__VA_ARGS__) + +const char *digest_list_types_str[] = { + FOR_EACH_DIGEST_LIST_TYPE(GENERATE_STRING) +}; + +const char *digest_list_fields_str[] = { + FOR_EACH_DIGEST_LIST_FIELD(GENERATE_STRING) +}; + +const char *digest_list_entry_types_str[] = { + FOR_EACH_DIGEST_LIST_ENTRY_TYPE(GENERATE_STRING) +}; + +const char *digest_list_entry_fields_str[] = { + FOR_EACH_DIGEST_LIST_ENTRY_FIELD(GENERATE_STRING) +}; + +struct tlv_callback_data { + struct digest_cache *digest_cache; + u64 parsed_data_type; + u64 parsed_num_entries; + u64 parsed_total_len; + enum hash_algo algo; +}; + +/** + * parse_digest_list_entry_digest - Parse DIGEST_LIST_ENTRY_DIGEST field + * @tlv_data: Parser callback data + * @field: Field identifier + * @field_data: Field data + * @field_data_len: Length of @field_data + * + * This function parses the DIGEST_LIST_ENTRY_DIGEST field (file digest). + * + * Return: Zero on success, a POSIX error code otherwise. + */ +static int parse_digest_list_entry_digest(struct tlv_callback_data *tlv_data, + enum digest_list_entry_fields field, + const u8 *field_data, + u64 field_data_len) +{ + int ret; + + kenter(",%u,%llu", field, field_data_len); + + if (tlv_data->algo == HASH_ALGO__LAST) { + pr_debug("Digest algo not set\n"); + ret = -EBADMSG; + goto out; + } + + if (field_data_len != hash_digest_size[tlv_data->algo]) { + pr_debug("Unexpected data length %llu, expected %d\n", + field_data_len, hash_digest_size[tlv_data->algo]); + ret = -EBADMSG; + goto out; + } + + ret = digest_cache_htable_add(tlv_data->digest_cache, (u8 *)field_data, + tlv_data->algo); +out: + kleave(" = %d", ret); + return ret; +} + +/** + * parse_digest_list_entry_path - Parse DIGEST_LIST_ENTRY_PATH field + * @tlv_data: Parser callback data + * @field: Field identifier + * @field_data: Field data + * @field_data_len: Length of @field_data + * + * This function handles the DIGEST_LIST_ENTRY_PATH field (file path). It + * currently does not parse the data. + * + * Return: Zero on success, a POSIX error code otherwise. + */ +static int parse_digest_list_entry_path(struct tlv_callback_data *tlv_data, + enum digest_list_entry_fields field, + const u8 *field_data, + u64 field_data_len) +{ + kenter(",%u,%llu", field, field_data_len); + + kleave(" = 0"); + return 0; +} + +/** + * digest_list_entry_data_callback - DIGEST_LIST_ENTRY_DATA callback + * @callback_data: Callback data + * @field: Field identifier + * @field_data: Field data + * @field_data_len: Length of @field_data + * + * This callback handles the fields of DIGEST_LIST_ENTRY_DATA (nested) data, + * and calls the appropriate parser. + * + * Return: Zero on success, a POSIX error code otherwise. + */ +static int digest_list_entry_data_callback(void *callback_data, u64 field, + const u8 *field_data, + u64 field_data_len) +{ + struct tlv_callback_data *tlv_data; + int ret; + + tlv_data = (struct tlv_callback_data *)callback_data; + + switch (field) { + case DIGEST_LIST_ENTRY_DIGEST: + ret = parse_digest_list_entry_digest(tlv_data, field, + field_data, + field_data_len); + break; + case DIGEST_LIST_ENTRY_PATH: + ret = parse_digest_list_entry_path(tlv_data, field, field_data, + field_data_len); + break; + default: + pr_debug("Unhandled field %s\n", + digest_list_entry_fields_str[field]); + /* Just ignore non-relevant fields. */ + ret = 0; + break; + } + + return ret; +} + +/** + * parse_digest_list_algo - Parse DIGEST_LIST_ALGO field + * @tlv_data: Parser callback data + * @field: Field identifier + * @field_data: Field data + * @field_data_len: Length of @field_data + * + * This function parses the DIGEST_LIST_ALGO field (digest algorithm). + * + * Return: Zero on success, a POSIX error code otherwise. + */ +static int parse_digest_list_algo(struct tlv_callback_data *tlv_data, + enum digest_list_fields field, + const u8 *field_data, u64 field_data_len) +{ + u64 algo; + int ret; + + kenter(",%u,%llu", field, field_data_len); + + if (field_data_len != sizeof(u64)) { + pr_debug("Unexpected data length %llu, expected %lu\n", + field_data_len, sizeof(u64)); + ret = -EBADMSG; + goto out; + } + + algo = __be64_to_cpu(*(u64 *)field_data); + + if (algo >= HASH_ALGO__LAST) { + pr_debug("Unexpected digest algo %llu\n", algo); + ret = -EBADMSG; + goto out; + } + + ret = digest_cache_htable_init(tlv_data->digest_cache, + tlv_data->parsed_num_entries, algo); + if (ret < 0) + goto out; + + tlv_data->algo = algo; + + pr_debug("Digest algo: %s\n", hash_algo_name[algo]); +out: + kleave(" = %d", ret); + return ret; +} + +/** + * parse_digest_list_entry - Parse DIGEST_LIST_ENTRY field + * @tlv_data: Parser callback data + * @field: Field identifier + * @field_data: Field data + * @field_data_len: Length of @field_data + * + * This function parses the DIGEST_LIST_ENTRY field. + * + * Return: Zero on success, a POSIX error code otherwise. + */ +static int parse_digest_list_entry(struct tlv_callback_data *tlv_data, + enum digest_list_fields field, + const u8 *field_data, u64 field_data_len) +{ + int ret; + + kenter(",%u,%llu", field, field_data_len); + + ret = tlv_parse(DIGEST_LIST_ENTRY_DATA, digest_list_entry_data_callback, + tlv_data, field_data, field_data_len, + digest_list_entry_types_str, DIGEST_LIST_ENTRY__LAST, + digest_list_entry_fields_str, + DIGEST_LIST_ENTRY_FIELD__LAST); + + kleave(" = %d", ret); + return ret; +} + +/** + * digest_list_file_callback - DIGEST_LIST_FILE callback + * @callback_data: Callback data + * @field: Field identifier + * @field_data: Field data + * @field_data_len: Length of @field_data + * + * This callback handles the fields of DIGEST_LIST_FILE data, and calls the + * appropriate parser. + * + * Return: Zero on success, a POSIX error code otherwise. + */ +static int digest_list_file_callback(void *callback_data, u64 field, + const u8 *field_data, u64 field_data_len) +{ + struct tlv_callback_data *tlv_data; + int ret; + + tlv_data = (struct tlv_callback_data *)callback_data; + + switch (field) { + case DIGEST_LIST_ALGO: + ret = parse_digest_list_algo(tlv_data, field, field_data, + field_data_len); + break; + case DIGEST_LIST_ENTRY: + ret = parse_digest_list_entry(tlv_data, field, field_data, + field_data_len); + break; + default: + pr_debug("Unhandled field %s\n", + digest_list_fields_str[field]); + /* Just ignore non-relevant fields. */ + ret = 0; + break; + } + + return ret; +} + +/** + * digest_list_parse_tlv - Parse a tlv digest list + * @digest_cache: Digest cache + * @data: Data to parse + * @data_len: Length of @data + * + * This function parses a tlv digest list. + * + * Return: Zero on success, a POSIX error code otherwise. + */ +int digest_list_parse_tlv(struct digest_cache *digest_cache, const u8 *data, + size_t data_len) +{ + struct tlv_callback_data tlv_data = { + .digest_cache = digest_cache, + .algo = HASH_ALGO__LAST + }; + int ret; + + ret = tlv_parse_hdr(&data, &data_len, &tlv_data.parsed_data_type, + &tlv_data.parsed_num_entries, + &tlv_data.parsed_total_len, + digest_list_types_str, DIGEST_LIST__LAST); + if (ret < 0) + return ret; + + if (tlv_data.parsed_data_type != DIGEST_LIST_FILE) + return 0; + + return tlv_parse_data(digest_list_file_callback, &tlv_data, + tlv_data.parsed_num_entries, data, data_len, + digest_list_fields_str, DIGEST_LIST_FIELD__LAST); +} diff --git a/security/digest_cache/populate.c b/security/digest_cache/populate.c index 415e638f587b..13645ec4bb2b 100644 --- a/security/digest_cache/populate.c +++ b/security/digest_cache/populate.c @@ -12,6 +12,7 @@ #include <linux/kernel_read_file.h> #include "internal.h" +#include "parsers/parsers.h" /** * digest_cache_parse_digest_list - Parse a digest list @@ -65,6 +66,9 @@ static int digest_cache_parse_digest_list(struct digest_cache *digest_cache, filename[0] ? "/" : "", filename, (int)(next_sep - format), format, data_len); + if (!strncmp(format, "tlv-", 4)) + ret = digest_list_parse_tlv(digest_cache, data, data_len); + return ret; }

[v4,06/14] digest_cache: Parse tlv digest lists

Commit Message

Patch