Message ID | 20220905143318.1592015-7-roberto.sassu@huaweicloud.com |
---|---|
State | Superseded |
Headers | show |
Series | bpf: Add kfuncs for PKCS#7 signature verification | expand |
On Mon, 5 Sept 2022 at 16:35, Roberto Sassu <roberto.sassu@huaweicloud.com> wrote: > > From: Roberto Sassu <roberto.sassu@huawei.com> > > Add the bpf_lookup_user_key(), bpf_lookup_system_key() and bpf_key_put() > kfuncs, to respectively search a key with a given key handle serial number > and flags, obtain a key from a pre-determined ID defined in > include/linux/verification.h, and cleanup. > > Introduce system_keyring_id_check() to validate the keyring ID parameter of > bpf_lookup_system_key(). > > Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com> > --- With a small nit below, Acked-by: Kumar Kartikeya Dwivedi <memxor@gmail.com> > include/linux/bpf.h | 8 +++ > include/linux/verification.h | 8 +++ > kernel/trace/bpf_trace.c | 135 +++++++++++++++++++++++++++++++++++ > 3 files changed, 151 insertions(+) > > diff --git a/include/linux/bpf.h b/include/linux/bpf.h > index 9dbd7c3f8929..f3db614aece6 100644 > --- a/include/linux/bpf.h > +++ b/include/linux/bpf.h > @@ -2595,4 +2595,12 @@ static inline void bpf_cgroup_atype_get(u32 attach_btf_id, int cgroup_atype) {} > static inline void bpf_cgroup_atype_put(int cgroup_atype) {} > #endif /* CONFIG_BPF_LSM */ > > +struct key; > + > +#ifdef CONFIG_KEYS > +struct bpf_key { > + struct key *key; > + bool has_ref; > +}; > +#endif /* CONFIG_KEYS */ > #endif /* _LINUX_BPF_H */ > diff --git a/include/linux/verification.h b/include/linux/verification.h > index a655923335ae..f34e50ebcf60 100644 > --- a/include/linux/verification.h > +++ b/include/linux/verification.h > @@ -17,6 +17,14 @@ > #define VERIFY_USE_SECONDARY_KEYRING ((struct key *)1UL) > #define VERIFY_USE_PLATFORM_KEYRING ((struct key *)2UL) > > +static inline int system_keyring_id_check(u64 id) > +{ > + if (id > (unsigned long)VERIFY_USE_PLATFORM_KEYRING) > + return -EINVAL; > + > + return 0; > +} > + > /* > * The use to which an asymmetric key is being put. > */ > diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c > index 68e5cdd24cef..7a7023704ac2 100644 > --- a/kernel/trace/bpf_trace.c > +++ b/kernel/trace/bpf_trace.c > @@ -20,6 +20,8 @@ > #include <linux/fprobe.h> > #include <linux/bsearch.h> > #include <linux/sort.h> > +#include <linux/key.h> > +#include <linux/verification.h> > > #include <net/bpf_sk_storage.h> > > @@ -1181,6 +1183,139 @@ static const struct bpf_func_proto bpf_get_func_arg_cnt_proto = { > .arg1_type = ARG_PTR_TO_CTX, > }; > > +#ifdef CONFIG_KEYS > +__diag_push(); > +__diag_ignore_all("-Wmissing-prototypes", > + "kfuncs which will be used in BPF programs"); > + > +/** > + * bpf_lookup_user_key - lookup a key by its serial > + * @serial: key handle serial number > + * @flags: lookup-specific flags > + * > + * Search a key with a given *serial* and the provided *flags*. > + * If found, increment the reference count of the key by one, and > + * return it in the bpf_key structure. > + * > + * The bpf_key structure must be passed to bpf_key_put() when done > + * with it, so that the key reference count is decremented and the > + * bpf_key structure is freed. > + * > + * Permission checks are deferred to the time the key is used by > + * one of the available key-specific kfuncs. > + * > + * Set *flags* with KEY_LOOKUP_CREATE, to attempt creating a requested > + * special keyring (e.g. session keyring), if it doesn't yet exist. > + * Set *flags* with KEY_LOOKUP_PARTIAL, to lookup a key without waiting > + * for the key construction, and to retrieve uninstantiated keys (keys > + * without data attached to them). > + * > + * Return: a bpf_key pointer with a valid key pointer if the key is found, a > + * NULL pointer otherwise. > + */ > +struct bpf_key *bpf_lookup_user_key(u32 serial, u64 flags) > +{ > + key_ref_t key_ref; > + struct bpf_key *bkey; > + > + if (flags & ~KEY_LOOKUP_ALL) > + return NULL; > + > + /* > + * Permission check is deferred until the key is used, as the > + * intent of the caller is unknown here. > + */ > + key_ref = lookup_user_key(serial, flags, KEY_DEFER_PERM_CHECK); > + if (IS_ERR(key_ref)) > + return NULL; > + > + bkey = kmalloc(sizeof(*bkey), GFP_ATOMIC); Since this function (due to lookup_user_key) is sleepable, do we really need GFP_ATOMIC here? > + if (!bkey) { > + key_put(key_ref_to_ptr(key_ref)); > + return NULL; > + } > + > + bkey->key = key_ref_to_ptr(key_ref); > + bkey->has_ref = true; > + > + return bkey; > +} > + > +/** > + * bpf_lookup_system_key - lookup a key by a system-defined ID > + * @id: key ID > + * > + * Obtain a bpf_key structure with a key pointer set to the passed key ID. > + * The key pointer is marked as invalid, to prevent bpf_key_put() from > + * attempting to decrement the key reference count on that pointer. The key > + * pointer set in such way is currently understood only by > + * verify_pkcs7_signature(). > + * > + * Set *id* to one of the values defined in include/linux/verification.h: > + * 0 for the primary keyring (immutable keyring of system keys); > + * VERIFY_USE_SECONDARY_KEYRING for both the primary and secondary keyring > + * (where keys can be added only if they are vouched for by existing keys > + * in those keyrings); VERIFY_USE_PLATFORM_KEYRING for the platform > + * keyring (primarily used by the integrity subsystem to verify a kexec'ed > + * kerned image and, possibly, the initramfs signature). > + * > + * Return: a bpf_key pointer with an invalid key pointer set from the > + * pre-determined ID on success, a NULL pointer otherwise > + */ > +struct bpf_key *bpf_lookup_system_key(u64 id) > +{ > + struct bpf_key *bkey; > + > + if (system_keyring_id_check(id) < 0) > + return NULL; > + > + bkey = kmalloc(sizeof(*bkey), GFP_ATOMIC); > + if (!bkey) > + return NULL; > + > + bkey->key = (struct key *)(unsigned long)id; > + bkey->has_ref = false; > + > + return bkey; > +} > + > +/** > + * bpf_key_put - decrement key reference count if key is valid and free bpf_key > + * @bkey: bpf_key structure > + * > + * Decrement the reference count of the key inside *bkey*, if the pointer > + * is valid, and free *bkey*. > + */ > +void bpf_key_put(struct bpf_key *bkey) > +{ > + if (bkey->has_ref) > + key_put(bkey->key); > + > + kfree(bkey); > +} > + > +__diag_pop(); > + > +BTF_SET8_START(key_sig_kfunc_set) > +BTF_ID_FLAGS(func, bpf_lookup_user_key, KF_ACQUIRE | KF_RET_NULL | KF_SLEEPABLE) > +BTF_ID_FLAGS(func, bpf_lookup_system_key, KF_ACQUIRE | KF_RET_NULL) > +BTF_ID_FLAGS(func, bpf_key_put, KF_RELEASE) > +BTF_SET8_END(key_sig_kfunc_set) > + > +static const struct btf_kfunc_id_set bpf_key_sig_kfunc_set = { > + .owner = THIS_MODULE, > + .set = &key_sig_kfunc_set, > +}; > + > +static int __init bpf_key_sig_kfuncs_init(void) > +{ > + return register_btf_kfunc_id_set(BPF_PROG_TYPE_TRACING, > + &bpf_key_sig_kfunc_set); > +} > + > +late_initcall(bpf_key_sig_kfuncs_init); > +#endif /* CONFIG_KEYS */ > + > static const struct bpf_func_proto * > bpf_tracing_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog) > { > -- > 2.25.1 >
On Tue, 2022-09-06 at 04:43 +0200, Kumar Kartikeya Dwivedi wrote: > On Mon, 5 Sept 2022 at 16:35, Roberto Sassu > <roberto.sassu@huaweicloud.com> wrote: > > From: Roberto Sassu <roberto.sassu@huawei.com> > > > > Add the bpf_lookup_user_key(), bpf_lookup_system_key() and > > bpf_key_put() > > kfuncs, to respectively search a key with a given key handle serial > > number > > and flags, obtain a key from a pre-determined ID defined in > > include/linux/verification.h, and cleanup. > > > > Introduce system_keyring_id_check() to validate the keyring ID > > parameter of > > bpf_lookup_system_key(). > > > > Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com> > > --- > > With a small nit below, > Acked-by: Kumar Kartikeya Dwivedi <memxor@gmail.com> > > > include/linux/bpf.h | 8 +++ > > include/linux/verification.h | 8 +++ > > kernel/trace/bpf_trace.c | 135 > > +++++++++++++++++++++++++++++++++++ > > 3 files changed, 151 insertions(+) > > > > diff --git a/include/linux/bpf.h b/include/linux/bpf.h > > index 9dbd7c3f8929..f3db614aece6 100644 > > --- a/include/linux/bpf.h > > +++ b/include/linux/bpf.h > > @@ -2595,4 +2595,12 @@ static inline void bpf_cgroup_atype_get(u32 > > attach_btf_id, int cgroup_atype) {} > > static inline void bpf_cgroup_atype_put(int cgroup_atype) {} > > #endif /* CONFIG_BPF_LSM */ > > > > +struct key; > > + > > +#ifdef CONFIG_KEYS > > +struct bpf_key { > > + struct key *key; > > + bool has_ref; > > +}; > > +#endif /* CONFIG_KEYS */ > > #endif /* _LINUX_BPF_H */ > > diff --git a/include/linux/verification.h > > b/include/linux/verification.h > > index a655923335ae..f34e50ebcf60 100644 > > --- a/include/linux/verification.h > > +++ b/include/linux/verification.h > > @@ -17,6 +17,14 @@ > > #define VERIFY_USE_SECONDARY_KEYRING ((struct key *)1UL) > > #define VERIFY_USE_PLATFORM_KEYRING ((struct key *)2UL) > > > > +static inline int system_keyring_id_check(u64 id) > > +{ > > + if (id > (unsigned long)VERIFY_USE_PLATFORM_KEYRING) > > + return -EINVAL; > > + > > + return 0; > > +} > > + > > /* > > * The use to which an asymmetric key is being put. > > */ > > diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c > > index 68e5cdd24cef..7a7023704ac2 100644 > > --- a/kernel/trace/bpf_trace.c > > +++ b/kernel/trace/bpf_trace.c > > @@ -20,6 +20,8 @@ > > #include <linux/fprobe.h> > > #include <linux/bsearch.h> > > #include <linux/sort.h> > > +#include <linux/key.h> > > +#include <linux/verification.h> > > > > #include <net/bpf_sk_storage.h> > > > > @@ -1181,6 +1183,139 @@ static const struct bpf_func_proto > > bpf_get_func_arg_cnt_proto = { > > .arg1_type = ARG_PTR_TO_CTX, > > }; > > > > +#ifdef CONFIG_KEYS > > +__diag_push(); > > +__diag_ignore_all("-Wmissing-prototypes", > > + "kfuncs which will be used in BPF programs"); > > + > > +/** > > + * bpf_lookup_user_key - lookup a key by its serial > > + * @serial: key handle serial number > > + * @flags: lookup-specific flags > > + * > > + * Search a key with a given *serial* and the provided *flags*. > > + * If found, increment the reference count of the key by one, and > > + * return it in the bpf_key structure. > > + * > > + * The bpf_key structure must be passed to bpf_key_put() when done > > + * with it, so that the key reference count is decremented and the > > + * bpf_key structure is freed. > > + * > > + * Permission checks are deferred to the time the key is used by > > + * one of the available key-specific kfuncs. > > + * > > + * Set *flags* with KEY_LOOKUP_CREATE, to attempt creating a > > requested > > + * special keyring (e.g. session keyring), if it doesn't yet > > exist. > > + * Set *flags* with KEY_LOOKUP_PARTIAL, to lookup a key without > > waiting > > + * for the key construction, and to retrieve uninstantiated keys > > (keys > > + * without data attached to them). > > + * > > + * Return: a bpf_key pointer with a valid key pointer if the key > > is found, a > > + * NULL pointer otherwise. > > + */ > > +struct bpf_key *bpf_lookup_user_key(u32 serial, u64 flags) > > +{ > > + key_ref_t key_ref; > > + struct bpf_key *bkey; > > + > > + if (flags & ~KEY_LOOKUP_ALL) > > + return NULL; > > + > > + /* > > + * Permission check is deferred until the key is used, as > > the > > + * intent of the caller is unknown here. > > + */ > > + key_ref = lookup_user_key(serial, flags, > > KEY_DEFER_PERM_CHECK); > > + if (IS_ERR(key_ref)) > > + return NULL; > > + > > + bkey = kmalloc(sizeof(*bkey), GFP_ATOMIC); > > Since this function (due to lookup_user_key) is sleepable, do we > really need GFP_ATOMIC here? Daniel suggested it for bpf_lookup_system_key(), so that the kfunc does not have to be sleepable. For symmetry, I did the same to bpf_lookup_user_key(). Will switch back to GFP_KERNEL. Thanks Roberto
On Tue, Sep 6, 2022 at 1:01 AM Roberto Sassu <roberto.sassu@huaweicloud.com> wrote: > > > > +struct bpf_key *bpf_lookup_user_key(u32 serial, u64 flags) > > > +{ > > > + key_ref_t key_ref; > > > + struct bpf_key *bkey; > > > + > > > + if (flags & ~KEY_LOOKUP_ALL) > > > + return NULL; > > > + > > > + /* > > > + * Permission check is deferred until the key is used, as > > > the > > > + * intent of the caller is unknown here. > > > + */ > > > + key_ref = lookup_user_key(serial, flags, > > > KEY_DEFER_PERM_CHECK); > > > + if (IS_ERR(key_ref)) > > > + return NULL; > > > + > > > + bkey = kmalloc(sizeof(*bkey), GFP_ATOMIC); > > > > Since this function (due to lookup_user_key) is sleepable, do we > > really need GFP_ATOMIC here? > > Daniel suggested it for bpf_lookup_system_key(), so that the kfunc does > not have to be sleepable. Hold on. It has to be sleepable. Just take a look at what lookup_user_key is doing inside. > For symmetry, I did the same to > bpf_lookup_user_key(). Will switch back to GFP_KERNEL. > > Thanks > > Roberto >
On Tue, 2022-09-06 at 11:45 -0700, Alexei Starovoitov wrote: > On Tue, Sep 6, 2022 at 1:01 AM Roberto Sassu > <roberto.sassu@huaweicloud.com> wrote: > > > > +struct bpf_key *bpf_lookup_user_key(u32 serial, u64 flags) > > > > +{ > > > > + key_ref_t key_ref; > > > > + struct bpf_key *bkey; > > > > + > > > > + if (flags & ~KEY_LOOKUP_ALL) > > > > + return NULL; > > > > + > > > > + /* > > > > + * Permission check is deferred until the key is used, > > > > as > > > > the > > > > + * intent of the caller is unknown here. > > > > + */ > > > > + key_ref = lookup_user_key(serial, flags, > > > > KEY_DEFER_PERM_CHECK); > > > > + if (IS_ERR(key_ref)) > > > > + return NULL; > > > > + > > > > + bkey = kmalloc(sizeof(*bkey), GFP_ATOMIC); > > > > > > Since this function (due to lookup_user_key) is sleepable, do we > > > really need GFP_ATOMIC here? > > > > Daniel suggested it for bpf_lookup_system_key(), so that the kfunc > > does > > not have to be sleepable. > > Hold on. It has to be sleepable. Just take a look > at what lookup_user_key is doing inside. > https://lore.kernel.org/bpf/2b1d62ad-af4b-4694-ecc8-639fbd821a05@iogearbox.net/ Roberto
diff --git a/include/linux/bpf.h b/include/linux/bpf.h index 9dbd7c3f8929..f3db614aece6 100644 --- a/include/linux/bpf.h +++ b/include/linux/bpf.h @@ -2595,4 +2595,12 @@ static inline void bpf_cgroup_atype_get(u32 attach_btf_id, int cgroup_atype) {} static inline void bpf_cgroup_atype_put(int cgroup_atype) {} #endif /* CONFIG_BPF_LSM */ +struct key; + +#ifdef CONFIG_KEYS +struct bpf_key { + struct key *key; + bool has_ref; +}; +#endif /* CONFIG_KEYS */ #endif /* _LINUX_BPF_H */ diff --git a/include/linux/verification.h b/include/linux/verification.h index a655923335ae..f34e50ebcf60 100644 --- a/include/linux/verification.h +++ b/include/linux/verification.h @@ -17,6 +17,14 @@ #define VERIFY_USE_SECONDARY_KEYRING ((struct key *)1UL) #define VERIFY_USE_PLATFORM_KEYRING ((struct key *)2UL) +static inline int system_keyring_id_check(u64 id) +{ + if (id > (unsigned long)VERIFY_USE_PLATFORM_KEYRING) + return -EINVAL; + + return 0; +} + /* * The use to which an asymmetric key is being put. */ diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c index 68e5cdd24cef..7a7023704ac2 100644 --- a/kernel/trace/bpf_trace.c +++ b/kernel/trace/bpf_trace.c @@ -20,6 +20,8 @@ #include <linux/fprobe.h> #include <linux/bsearch.h> #include <linux/sort.h> +#include <linux/key.h> +#include <linux/verification.h> #include <net/bpf_sk_storage.h> @@ -1181,6 +1183,139 @@ static const struct bpf_func_proto bpf_get_func_arg_cnt_proto = { .arg1_type = ARG_PTR_TO_CTX, }; +#ifdef CONFIG_KEYS +__diag_push(); +__diag_ignore_all("-Wmissing-prototypes", + "kfuncs which will be used in BPF programs"); + +/** + * bpf_lookup_user_key - lookup a key by its serial + * @serial: key handle serial number + * @flags: lookup-specific flags + * + * Search a key with a given *serial* and the provided *flags*. + * If found, increment the reference count of the key by one, and + * return it in the bpf_key structure. + * + * The bpf_key structure must be passed to bpf_key_put() when done + * with it, so that the key reference count is decremented and the + * bpf_key structure is freed. + * + * Permission checks are deferred to the time the key is used by + * one of the available key-specific kfuncs. + * + * Set *flags* with KEY_LOOKUP_CREATE, to attempt creating a requested + * special keyring (e.g. session keyring), if it doesn't yet exist. + * Set *flags* with KEY_LOOKUP_PARTIAL, to lookup a key without waiting + * for the key construction, and to retrieve uninstantiated keys (keys + * without data attached to them). + * + * Return: a bpf_key pointer with a valid key pointer if the key is found, a + * NULL pointer otherwise. + */ +struct bpf_key *bpf_lookup_user_key(u32 serial, u64 flags) +{ + key_ref_t key_ref; + struct bpf_key *bkey; + + if (flags & ~KEY_LOOKUP_ALL) + return NULL; + + /* + * Permission check is deferred until the key is used, as the + * intent of the caller is unknown here. + */ + key_ref = lookup_user_key(serial, flags, KEY_DEFER_PERM_CHECK); + if (IS_ERR(key_ref)) + return NULL; + + bkey = kmalloc(sizeof(*bkey), GFP_ATOMIC); + if (!bkey) { + key_put(key_ref_to_ptr(key_ref)); + return NULL; + } + + bkey->key = key_ref_to_ptr(key_ref); + bkey->has_ref = true; + + return bkey; +} + +/** + * bpf_lookup_system_key - lookup a key by a system-defined ID + * @id: key ID + * + * Obtain a bpf_key structure with a key pointer set to the passed key ID. + * The key pointer is marked as invalid, to prevent bpf_key_put() from + * attempting to decrement the key reference count on that pointer. The key + * pointer set in such way is currently understood only by + * verify_pkcs7_signature(). + * + * Set *id* to one of the values defined in include/linux/verification.h: + * 0 for the primary keyring (immutable keyring of system keys); + * VERIFY_USE_SECONDARY_KEYRING for both the primary and secondary keyring + * (where keys can be added only if they are vouched for by existing keys + * in those keyrings); VERIFY_USE_PLATFORM_KEYRING for the platform + * keyring (primarily used by the integrity subsystem to verify a kexec'ed + * kerned image and, possibly, the initramfs signature). + * + * Return: a bpf_key pointer with an invalid key pointer set from the + * pre-determined ID on success, a NULL pointer otherwise + */ +struct bpf_key *bpf_lookup_system_key(u64 id) +{ + struct bpf_key *bkey; + + if (system_keyring_id_check(id) < 0) + return NULL; + + bkey = kmalloc(sizeof(*bkey), GFP_ATOMIC); + if (!bkey) + return NULL; + + bkey->key = (struct key *)(unsigned long)id; + bkey->has_ref = false; + + return bkey; +} + +/** + * bpf_key_put - decrement key reference count if key is valid and free bpf_key + * @bkey: bpf_key structure + * + * Decrement the reference count of the key inside *bkey*, if the pointer + * is valid, and free *bkey*. + */ +void bpf_key_put(struct bpf_key *bkey) +{ + if (bkey->has_ref) + key_put(bkey->key); + + kfree(bkey); +} + +__diag_pop(); + +BTF_SET8_START(key_sig_kfunc_set) +BTF_ID_FLAGS(func, bpf_lookup_user_key, KF_ACQUIRE | KF_RET_NULL | KF_SLEEPABLE) +BTF_ID_FLAGS(func, bpf_lookup_system_key, KF_ACQUIRE | KF_RET_NULL) +BTF_ID_FLAGS(func, bpf_key_put, KF_RELEASE) +BTF_SET8_END(key_sig_kfunc_set) + +static const struct btf_kfunc_id_set bpf_key_sig_kfunc_set = { + .owner = THIS_MODULE, + .set = &key_sig_kfunc_set, +}; + +static int __init bpf_key_sig_kfuncs_init(void) +{ + return register_btf_kfunc_id_set(BPF_PROG_TYPE_TRACING, + &bpf_key_sig_kfunc_set); +} + +late_initcall(bpf_key_sig_kfuncs_init); +#endif /* CONFIG_KEYS */ + static const struct bpf_func_proto * bpf_tracing_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog) {