From patchwork Wed Sep 7 20:30:58 2022
X-Patchwork-Submitter: Matthias Kaehlcke
X-Patchwork-Id: 12969357
From: Matthias Kaehlcke
To: Alasdair Kergon, Mike Snitzer, Kees Cook
Cc: linux-security-module@vger.kernel.org, dm-devel@redhat.com, Douglas Anderson, linux-kernel@vger.kernel.org, Sarthak Kukreti, Matthias Kaehlcke
Subject: [PATCH] dm: verity-loadpin: Only trust verity targets with enforcement
Date: Wed, 7 Sep 2022 13:30:58 -0700
Message-Id: <20220907133055.1.Ic8a1dafe960dc0f8302e189642bc88ebb785d274@changeid>

Verity targets can be configured to ignore corrupted data blocks.
LoadPin must only trust verity targets that are configured to
perform some kind of enforcement when data corruption is detected,
like returning an error, restarting the system or triggering a
panic.

Fixes: b6c1c5745ccc ("dm: Add verity helpers for LoadPin")
Reported-by: Sarthak Kukreti
Signed-off-by: Matthias Kaehlcke
Reviewed-by: Sarthak Kukreti
---
 drivers/md/dm-verity-loadpin.c |  8 ++++++++
 drivers/md/dm-verity-target.c  | 16 ++++++++++++++++
 drivers/md/dm-verity.h         |  1 +
 3 files changed, 25 insertions(+)
diff --git a/drivers/md/dm-verity-loadpin.c b/drivers/md/dm-verity-loadpin.c index 387ec43aef72..4f78cc55c251 100644 --- a/drivers/md/dm-verity-loadpin.c +++ b/drivers/md/dm-verity-loadpin.c @@ -14,6 +14,7 @@ LIST_HEAD(dm_verity_loadpin_trusted_root_digests); static bool is_trusted_verity_target(struct dm_target *ti) { + int verity_mode; u8 *root_digest; unsigned int digest_size; struct dm_verity_loadpin_trusted_root_digest *trd; @@ -22,6 +23,13 @@ static bool is_trusted_verity_target(struct dm_target *ti) if (!dm_is_verity_target(ti)) return false; + verity_mode = dm_verity_get_mode(ti); + + if ((verity_mode != DM_VERITY_MODE_EIO) && + (verity_mode != DM_VERITY_MODE_RESTART) && + (verity_mode != DM_VERITY_MODE_PANIC)) + return false; + if (dm_verity_get_root_digest(ti, &root_digest, &digest_size)) return false; diff --git a/drivers/md/dm-verity-target.c b/drivers/md/dm-verity-target.c index 94b6cb599db4..8a00cc42e498 100644 --- a/drivers/md/dm-verity-target.c +++ b/drivers/md/dm-verity-target.c @@ -1446,6 +1446,22 @@ bool dm_is_verity_target(struct dm_target *ti) return ti->type->module == THIS_MODULE; } +/* + * Get the verity mode (error behavior) of a verity target. + * + * Returns the verity mode of the target, or -EINVAL if 'ti' is not a verity + * target. + */ +int dm_verity_get_mode(struct dm_target *ti) +{ + struct dm_verity *v = ti->private; + + if (!dm_is_verity_target(ti)) + return -EINVAL; + + return v->mode; +} + /* * Get the root digest of a verity target. * diff --git a/drivers/md/dm-verity.h b/drivers/md/dm-verity.h index 45455de1b4bc..98f306ec6a33 100644 --- a/drivers/md/dm-verity.h +++ b/drivers/md/dm-verity.h 
@@ -134,6 +134,7 @@ extern int verity_hash_for_block(struct dm_verity *v, struct dm_verity_io *io, sector_t block, u8 *digest, bool *is_zero); extern bool dm_is_verity_target(struct dm_target *ti); +extern int dm_verity_get_mode(struct dm_target *ti); extern int dm_verity_get_root_digest(struct dm_target *ti, u8 **root_digest, unsigned int *digest_size);
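Review bot: The mode test added to is_trusted_verity_target() in drivers/md/dm-verity-loadpin.c has no comment saying why exactly these three modes are trusted, and it handles the -EINVAL return of dm_verity_get_mode() only implicitly, because a negative value happens not to equal any of the three constants. The allowlist form is the right choice, since any mode not listed is rejected, but that intent should be written down so a later change does not turn it into a denylist of the "ignore corruption" mode. A short comment above the test ("only modes that enforce on corruption are trusted; errors and any other mode are rejected") would do, and a switch over verity_mode with the three cases returning through and a default of "return false" would make the error path explicit. The inner parentheses around each "!=" comparison are also redundant and can be dropped.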
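Review bot: In dm_verity_get_mode() in drivers/md/dm-verity-target.c, "struct dm_verity *v = ti->private;" is initialised before the dm_is_verity_target(ti) check, so for a non-verity target the private pointer of some other target type is briefly typed as a struct dm_verity. It is not dereferenced before the check, so this is not a bug as written, but assigning v after the check (or returning "((struct dm_verity *)ti->private)->mode" past it) removes the chance that a later edit reads v->something ahead of the type test. The function also returns the mode and -EINVAL through the same int; the comment documents that, and it would help to add that callers must treat any negative value as "not trusted", which is what the loadpin caller in this patch depends on.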