diff mbox series

[v13,05/10] bpf: Add bpf_lookup_*_key() and bpf_key_put() kfuncs

Message ID 20220823150035.711534-6-roberto.sassu@huaweicloud.com (mailing list archive)
State Superseded
Delegated to: BPF
Headers show
Series bpf: Add kfuncs for PKCS#7 signature verification | expand

Checks

Context Check Description
netdev/tree_selection success Guessing tree name failed - patch did not apply, async
bpf/vmtest-bpf-PR fail merge-conflict
bpf/vmtest-bpf-next-PR fail PR summary
bpf/vmtest-bpf-next-VM_Test-1 success Logs for Kernel LATEST on ubuntu-latest with gcc
bpf/vmtest-bpf-next-VM_Test-2 success Logs for Kernel LATEST on ubuntu-latest with llvm-16
bpf/vmtest-bpf-next-VM_Test-3 fail Logs for Kernel LATEST on z15 with gcc
bpf/vmtest-bpf-next-VM_Test-4 success Logs for llvm-toolchain
bpf/vmtest-bpf-next-VM_Test-5 success Logs for set-matrix

Commit Message

Roberto Sassu Aug. 23, 2022, 3 p.m. UTC
From: Roberto Sassu <roberto.sassu@huawei.com>

Add the bpf_lookup_user_key(), bpf_lookup_system_key() and bpf_key_put()
kfuncs, to respectively search a key with a given key handle serial number
and flags, obtain a key from a pre-determined ID defined in
include/linux/verification.h, and cleanup.

Introduce system_keyring_id_check() to validate the keyring ID parameter of
bpf_lookup_system_key().

Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
---
 include/linux/bpf.h          |   6 ++
 include/linux/verification.h |   8 +++
 kernel/trace/bpf_trace.c     | 135 +++++++++++++++++++++++++++++++++++
 3 files changed, 149 insertions(+)

Comments

Song Liu Aug. 26, 2022, 5:56 a.m. UTC | #1
On Tue, Aug 23, 2022 at 8:02 AM Roberto Sassu
<roberto.sassu@huaweicloud.com> wrote:
>
> From: Roberto Sassu <roberto.sassu@huawei.com>
>
> Add the bpf_lookup_user_key(), bpf_lookup_system_key() and bpf_key_put()
> kfuncs, to respectively search a key with a given key handle serial number
> and flags, obtain a key from a pre-determined ID defined in
> include/linux/verification.h, and cleanup.
>
> Introduce system_keyring_id_check() to validate the keyring ID parameter of
> bpf_lookup_system_key().
>
> Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
> ---
>  include/linux/bpf.h          |   6 ++
>  include/linux/verification.h |   8 +++
>  kernel/trace/bpf_trace.c     | 135 +++++++++++++++++++++++++++++++++++
>  3 files changed, 149 insertions(+)
>
> diff --git a/include/linux/bpf.h b/include/linux/bpf.h
> index 6041304b402e..991da09a5858 100644
> --- a/include/linux/bpf.h
> +++ b/include/linux/bpf.h
> @@ -2586,4 +2586,10 @@ static inline void bpf_cgroup_atype_get(u32 attach_btf_id, int cgroup_atype) {}
>  static inline void bpf_cgroup_atype_put(int cgroup_atype) {}
>  #endif /* CONFIG_BPF_LSM */
>
> +#ifdef CONFIG_KEYS

Do we need to declare struct key here?

> +struct bpf_key {
> +       struct key *key;
> +       bool has_ref;
> +};
> +#endif /* CONFIG_KEYS */
>  #endif /* _LINUX_BPF_H */
>
Roberto Sassu Aug. 26, 2022, 7:21 a.m. UTC | #2
On Thu, 2022-08-25 at 22:56 -0700, Song Liu wrote:
> On Tue, Aug 23, 2022 at 8:02 AM Roberto Sassu
> <roberto.sassu@huaweicloud.com> wrote:
> > From: Roberto Sassu <roberto.sassu@huawei.com>
> > 
> > Add the bpf_lookup_user_key(), bpf_lookup_system_key() and
> > bpf_key_put()
> > kfuncs, to respectively search a key with a given key handle serial
> > number
> > and flags, obtain a key from a pre-determined ID defined in
> > include/linux/verification.h, and cleanup.
> > 
> > Introduce system_keyring_id_check() to validate the keyring ID
> > parameter of
> > bpf_lookup_system_key().
> > 
> > Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
> > ---
> >  include/linux/bpf.h          |   6 ++
> >  include/linux/verification.h |   8 +++
> >  kernel/trace/bpf_trace.c     | 135
> > +++++++++++++++++++++++++++++++++++
> >  3 files changed, 149 insertions(+)
> > 
> > diff --git a/include/linux/bpf.h b/include/linux/bpf.h
> > index 6041304b402e..991da09a5858 100644
> > --- a/include/linux/bpf.h
> > +++ b/include/linux/bpf.h
> > @@ -2586,4 +2586,10 @@ static inline void bpf_cgroup_atype_get(u32
> > attach_btf_id, int cgroup_atype) {}
> >  static inline void bpf_cgroup_atype_put(int cgroup_atype) {}
> >  #endif /* CONFIG_BPF_LSM */
> > 
> > +#ifdef CONFIG_KEYS
> 
> Do we need to declare struct key here?
> 
> > +struct bpf_key {
> > +       struct key *key;
> > +       bool has_ref;
> > +};
> > +#endif /* CONFIG_KEYS */
> >  #endif /* _LINUX_BPF_H */
> > 

If there is a better place, I will move there.

Thanks

Roberto
Song Liu Aug. 26, 2022, 7:25 a.m. UTC | #3
On Fri, Aug 26, 2022 at 12:22 AM Roberto Sassu
<roberto.sassu@huaweicloud.com> wrote:
>
> On Thu, 2022-08-25 at 22:56 -0700, Song Liu wrote:
> > On Tue, Aug 23, 2022 at 8:02 AM Roberto Sassu
> > <roberto.sassu@huaweicloud.com> wrote:
> > > From: Roberto Sassu <roberto.sassu@huawei.com>
> > >
> > > Add the bpf_lookup_user_key(), bpf_lookup_system_key() and
> > > bpf_key_put()
> > > kfuncs, to respectively search a key with a given key handle serial
> > > number
> > > and flags, obtain a key from a pre-determined ID defined in
> > > include/linux/verification.h, and cleanup.
> > >
> > > Introduce system_keyring_id_check() to validate the keyring ID
> > > parameter of
> > > bpf_lookup_system_key().
> > >
> > > Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
> > > ---
> > >  include/linux/bpf.h          |   6 ++
> > >  include/linux/verification.h |   8 +++
> > >  kernel/trace/bpf_trace.c     | 135
> > > +++++++++++++++++++++++++++++++++++
> > >  3 files changed, 149 insertions(+)
> > >
> > > diff --git a/include/linux/bpf.h b/include/linux/bpf.h
> > > index 6041304b402e..991da09a5858 100644
> > > --- a/include/linux/bpf.h
> > > +++ b/include/linux/bpf.h
> > > @@ -2586,4 +2586,10 @@ static inline void bpf_cgroup_atype_get(u32
> > > attach_btf_id, int cgroup_atype) {}
> > >  static inline void bpf_cgroup_atype_put(int cgroup_atype) {}
> > >  #endif /* CONFIG_BPF_LSM */
> > >
> > > +#ifdef CONFIG_KEYS
> >
> > Do we need to declare struct key here?
> >
> > > +struct bpf_key {
> > > +       struct key *key;
> > > +       bool has_ref;
> > > +};
> > > +#endif /* CONFIG_KEYS */
> > >  #endif /* _LINUX_BPF_H */
> > >
>
> If there is a better place, I will move there.

I guess you misunderstood. I meant we need

struct key;

struct bpf_key {
       struct key *key;
       bool has_ref;
};

Otherwise, we may get some warning with certain config.

Thanks,
Song
Roberto Sassu Aug. 26, 2022, 7:31 a.m. UTC | #4
On Fri, 2022-08-26 at 00:25 -0700, Song Liu wrote:
> On Fri, Aug 26, 2022 at 12:22 AM Roberto Sassu
> <roberto.sassu@huaweicloud.com> wrote:
> > On Thu, 2022-08-25 at 22:56 -0700, Song Liu wrote:
> > > On Tue, Aug 23, 2022 at 8:02 AM Roberto Sassu
> > > <roberto.sassu@huaweicloud.com> wrote:
> > > > From: Roberto Sassu <roberto.sassu@huawei.com>
> > > > 
> > > > Add the bpf_lookup_user_key(), bpf_lookup_system_key() and
> > > > bpf_key_put()
> > > > kfuncs, to respectively search a key with a given key handle
> > > > serial
> > > > number
> > > > and flags, obtain a key from a pre-determined ID defined in
> > > > include/linux/verification.h, and cleanup.
> > > > 
> > > > Introduce system_keyring_id_check() to validate the keyring ID
> > > > parameter of
> > > > bpf_lookup_system_key().
> > > > 
> > > > Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
> > > > ---
> > > >  include/linux/bpf.h          |   6 ++
> > > >  include/linux/verification.h |   8 +++
> > > >  kernel/trace/bpf_trace.c     | 135
> > > > +++++++++++++++++++++++++++++++++++
> > > >  3 files changed, 149 insertions(+)
> > > > 
> > > > diff --git a/include/linux/bpf.h b/include/linux/bpf.h
> > > > index 6041304b402e..991da09a5858 100644
> > > > --- a/include/linux/bpf.h
> > > > +++ b/include/linux/bpf.h
> > > > @@ -2586,4 +2586,10 @@ static inline void
> > > > bpf_cgroup_atype_get(u32
> > > > attach_btf_id, int cgroup_atype) {}
> > > >  static inline void bpf_cgroup_atype_put(int cgroup_atype) {}
> > > >  #endif /* CONFIG_BPF_LSM */
> > > > 
> > > > +#ifdef CONFIG_KEYS
> > > 
> > > Do we need to declare struct key here?
> > > 
> > > > +struct bpf_key {
> > > > +       struct key *key;
> > > > +       bool has_ref;
> > > > +};
> > > > +#endif /* CONFIG_KEYS */
> > > >  #endif /* _LINUX_BPF_H */
> > > > 
> > 
> > If there is a better place, I will move there.
> 
> I guess you misunderstood. I meant we need
> 
> struct key;
> 
> struct bpf_key {
>        struct key *key;
>        bool has_ref;
> };
> 
> Otherwise, we may get some warning with certain config.

Argh, thanks!

Will add it.

Roberto
diff mbox series

Patch

diff --git a/include/linux/bpf.h b/include/linux/bpf.h
index 6041304b402e..991da09a5858 100644
--- a/include/linux/bpf.h
+++ b/include/linux/bpf.h
@@ -2586,4 +2586,10 @@  static inline void bpf_cgroup_atype_get(u32 attach_btf_id, int cgroup_atype) {}
 static inline void bpf_cgroup_atype_put(int cgroup_atype) {}
 #endif /* CONFIG_BPF_LSM */
 
+#ifdef CONFIG_KEYS
+struct bpf_key {
+	struct key *key;
+	bool has_ref;
+};
+#endif /* CONFIG_KEYS */
 #endif /* _LINUX_BPF_H */
diff --git a/include/linux/verification.h b/include/linux/verification.h
index a655923335ae..f34e50ebcf60 100644
--- a/include/linux/verification.h
+++ b/include/linux/verification.h
@@ -17,6 +17,14 @@ 
 #define VERIFY_USE_SECONDARY_KEYRING ((struct key *)1UL)
 #define VERIFY_USE_PLATFORM_KEYRING  ((struct key *)2UL)
 
+static inline int system_keyring_id_check(u64 id)
+{
+	if (id > (unsigned long)VERIFY_USE_PLATFORM_KEYRING)
+		return -EINVAL;
+
+	return 0;
+}
+
 /*
  * The use to which an asymmetric key is being put.
  */
diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c
index 68e5cdd24cef..dfea85c7f4f0 100644
--- a/kernel/trace/bpf_trace.c
+++ b/kernel/trace/bpf_trace.c
@@ -20,6 +20,8 @@ 
 #include <linux/fprobe.h>
 #include <linux/bsearch.h>
 #include <linux/sort.h>
+#include <linux/key.h>
+#include <linux/verification.h>
 
 #include <net/bpf_sk_storage.h>
 
@@ -1181,6 +1183,139 @@  static const struct bpf_func_proto bpf_get_func_arg_cnt_proto = {
 	.arg1_type	= ARG_PTR_TO_CTX,
 };
 
+#ifdef CONFIG_KEYS
+__diag_push();
+__diag_ignore_all("-Wmissing-prototypes",
+		  "kfuncs which will be used in BPF programs");
+
+/**
+ * bpf_lookup_user_key - lookup a key by its serial
+ * @serial: key handle serial number
+ * @flags: lookup-specific flags
+ *
+ * Search a key with a given *serial* and the provided *flags*.
+ * If found, increment the reference count of the key by one, and
+ * return it in the bpf_key structure.
+ *
+ * The bpf_key structure must be passed to bpf_key_put() when done
+ * with it, so that the key reference count is decremented and the
+ * bpf_key structure is freed.
+ *
+ * Permission checks are deferred to the time the key is used by
+ * one of the available key-specific kfuncs.
+ *
+ * Set *flags* with KEY_LOOKUP_CREATE, to attempt creating a requested
+ * special keyring (e.g. session keyring), if it doesn't yet exist.
+ * Set *flags* with KEY_LOOKUP_PARTIAL, to lookup a key without waiting
+ * for the key construction, and to retrieve uninstantiated keys (keys
+ * without data attached to them).
+ *
+ * Return: a bpf_key pointer with a valid key pointer if the key is found, a
+ *         NULL pointer otherwise.
+ */
+struct bpf_key *bpf_lookup_user_key(u32 serial, u64 flags)
+{
+	key_ref_t key_ref;
+	struct bpf_key *bkey;
+
+	if (key_lookup_flags_check(flags) < 0)
+		return NULL;
+
+	/*
+	 * Permission check is deferred until the key is used, as the
+	 * intent of the caller is unknown here.
+	 */
+	key_ref = lookup_user_key(serial, flags, KEY_DEFER_PERM_CHECK);
+	if (IS_ERR(key_ref))
+		return NULL;
+
+	bkey = kmalloc(sizeof(*bkey), GFP_ATOMIC);
+	if (!bkey) {
+		key_put(key_ref_to_ptr(key_ref));
+		return NULL;
+	}
+
+	bkey->key = key_ref_to_ptr(key_ref);
+	bkey->has_ref = true;
+
+	return bkey;
+}
+
+/**
+ * bpf_lookup_system_key - lookup a key by a system-defined ID
+ * @id: key ID
+ *
+ * Obtain a bpf_key structure with a key pointer set to the passed key ID.
+ * The key pointer is marked as invalid, to prevent bpf_key_put() from
+ * attempting to decrement the key reference count on that pointer. The key
+ * pointer set in such way is currently understood only by
+ * verify_pkcs7_signature().
+ *
+ * Set *id* to one of the values defined in include/linux/verification.h:
+ * 0 for the primary keyring (immutable keyring of system keys);
+ * VERIFY_USE_SECONDARY_KEYRING for both the primary and secondary keyring
+ * (where keys can be added only if they are vouched for by existing keys
+ * in those keyrings); VERIFY_USE_PLATFORM_KEYRING for the platform
+ * keyring (primarily used by the integrity subsystem to verify a kexec'ed
+ * kerned image and, possibly, the initramfs signature).
+ *
+ * Return: a bpf_key pointer with an invalid key pointer set from the
+ *         pre-determined ID on success, a NULL pointer otherwise
+ */
+struct bpf_key *bpf_lookup_system_key(u64 id)
+{
+	struct bpf_key *bkey;
+
+	if (system_keyring_id_check(id) < 0)
+		return NULL;
+
+	bkey = kmalloc(sizeof(*bkey), GFP_ATOMIC);
+	if (!bkey)
+		return NULL;
+
+	bkey->key = (struct key *)(unsigned long)id;
+	bkey->has_ref = false;
+
+	return bkey;
+}
+
+/**
+ * bpf_key_put - decrement key reference count if key is valid and free bpf_key
+ * @bkey: bpf_key structure
+ *
+ * Decrement the reference count of the key inside *bkey*, if the pointer
+ * is valid, and free *bkey*.
+ */
+void bpf_key_put(struct bpf_key *bkey)
+{
+	if (bkey->has_ref)
+		key_put(bkey->key);
+
+	kfree(bkey);
+}
+
+__diag_pop();
+
+BTF_SET8_START(key_sig_kfunc_set)
+BTF_ID_FLAGS(func, bpf_lookup_user_key, KF_ACQUIRE | KF_RET_NULL | KF_SLEEPABLE)
+BTF_ID_FLAGS(func, bpf_lookup_system_key, KF_ACQUIRE | KF_RET_NULL)
+BTF_ID_FLAGS(func, bpf_key_put, KF_RELEASE)
+BTF_SET8_END(key_sig_kfunc_set)
+
+static const struct btf_kfunc_id_set bpf_key_sig_kfunc_set = {
+	.owner = THIS_MODULE,
+	.set = &key_sig_kfunc_set,
+};
+
+static int __init bpf_key_sig_kfuncs_init(void)
+{
+	return register_btf_kfunc_id_set(BPF_PROG_TYPE_TRACING,
+					 &bpf_key_sig_kfunc_set);
+}
+
+late_initcall(bpf_key_sig_kfuncs_init);
+#endif /* CONFIG_KEYS */
+
 static const struct bpf_func_proto *
 bpf_tracing_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
 {