Thread (16 messages) 16 messages, 3 authors, 2022-08-16

RE: [PATCH v11 0/9] bpf: Add kfuncs for PKCS#7 signature verification

From: Roberto Sassu <roberto.sassu@huawei.com>
Date: 2022-08-16 12:18:26
Also in: bpf, keyrings, linux-doc, linux-kselftest, lkml 

From: Daniel Borkmann [mailto:daniel@iogearbox.net]
Sent: Tuesday, August 16, 2022 12:05 PM
On 8/16/22 9:12 AM, Roberto Sassu wrote:
quoted
quoted
From: Daniel Borkmann [mailto:daniel@iogearbox.net]
Sent: Monday, August 15, 2022 6:10 PM
On 8/12/22 12:18 PM, Roberto Sassu wrote:
quoted
One of the desirable features in security is the ability to restrict import
of data to a given system based on data authenticity. If data import can be
restricted, it would be possible to enforce a system-wide policy based on
the signing keys the system owner trusts.
[...]
quoted
Changelog

v10:
   - Introduce key_lookup_flags_check() and system_keyring_id_check()
inline
quoted
quoted
quoted
     functions to check parameters (suggested by KP)
   - Fix descriptions and comment of key-related kfuncs (suggested by KP)
   - Register kfunc set only once (suggested by Alexei)
   - Move needed kernel options to the architecture-independent
configuration
quoted
quoted
quoted
     for testing
Looks like from BPF CI side, the selftest throws a WARN in test_progs /
test_progs-no_alu32
and subsequently fails with error, ptal:

    https://github.com/kernel-
patches/bpf/runs/7804422038?check_suite_focus=true
it is due to the missing SHA256 kernel module (not copied to
the virtual machine).

I made a small patch in libbpf/ci to change kernel options =m
into =y. With that patch, my instance of vmtest gives success
(except for z15, which requires adding openssl and keyctl
to the virtual machine image).
The code in pkcs1pad_verify() triggering the warning is:

     [...]
         if (WARN_ON(req->dst) || WARN_ON(!digest_size) ||
             !ctx->key_size || sig_size != ctx->key_size)
                 return -EINVAL;
     [...]

It is not obvious at all to users that sha256 module is missing in their kernel,
how will they be able to figure it out?
Yes, it was not trivial to find.

Should the helper be gated if dependency is not available, or return a -
EOPNOTSUPP
if the specific request cannot be satisfied (but others can..)?
Uhm, the failure is not related to the kfuncs I introduced. The add_key()
system call failed.

Also, it seems not easy to determine if dependencies are satisfied.
If SHA512 is supported, that might be sufficient. It depends on how
the certificate is generated.

What is your opinion on the solution, change all config options
to =y, or use sed like I did?

Thanks

Roberto
quoted
quoted
    [...]
    #235     verif_scale_xdp_loop:OK
    #236     verif_stats:OK
    #237     verif_twfw:OK
    [  760.448652] ------------[ cut here ]------------
    [  760.449506] WARNING: CPU: 3 PID: 930 at crypto/rsa-pkcs1pad.c:544
pkcs1pad_verify+0x184/0x190
    [  760.450806] Modules linked in: bpf_testmod(OE) [last unloaded:
bpf_testmod]
    [  760.452340] CPU: 3 PID: 930 Comm: keyctl Tainted: G           OE      5.19.0-
g9f0260338e31-dirty #1
    [  760.453626] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
BIOS
quoted
quoted
1.13.0-1ubuntu1.1 04/01/2014
    [  760.454801] RIP: 0010:pkcs1pad_verify+0x184/0x190
    [  760.455380] Code: 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc 48 89 df 89 c6
5b 41
quoted
quoted
5c 41 5d 41 5e 41 5f 5d e9 a5 04 00 00 0f 0b b8 ea ff ff ff eb d4 <0f> 0b b8 ea
ff
quoted
quoted
ff ff eb cb 0f 0b 90 0f 1f 44 00 00 53 48 89 fb c7
    [  760.456866] RSP: 0018:ffffad55478dbb58 EFLAGS: 00000246
    [  760.457684] RAX: ffff9b3c43c42458 RBX: ffff9b3c48975b00 RCX:
0000000000000000
    [  760.458672] RDX: ffffffffa7277438 RSI: ffffffffa5275510 RDI:
0000000000000000
    [  760.459670] RBP: ffffad55478dbcf8 R08: 0000000000000002 R09:
0000000000000000
    [  760.460688] R10: ffffad55478dbc20 R11: ffffffffa44dde10 R12:
ffff9b3c43de2e80
    [  760.461695] R13: ffff9b3c58459ea0 R14: ffff9b3c44d59600 R15:
ffffad55478dbc20
    [  760.462270] FS:  00007ff1ee0eb740(0000) GS:ffff9b3cf9cc0000(0000)
knlGS:0000000000000000
    [  760.462722] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    [  760.463026] CR2: 000055b9a4c17588 CR3: 0000000107bb2000 CR4:
00000000000006e0
    [  760.464039] Call Trace:
    [  760.464465]  <TASK>
    [  760.464749]  public_key_verify_signature+0x4a2/0x570
    [  760.465623]  x509_check_for_self_signed+0x4e/0xd0
    [  760.465937]  x509_cert_parse+0x193/0x220
    [  760.466656]  x509_key_preparse+0x20/0x1f0
    [  760.466975]  asymmetric_key_preparse+0x43/0x80
    [  760.467552]  key_create_or_update+0x24e/0x510
    [  760.468366]  __x64_sys_add_key+0x19b/0x220
    [  760.468704]  ? syscall_enter_from_user_mode+0x24/0x1f0
    [  760.469056]  do_syscall_64+0x43/0x90
    [  760.469657]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
    [  760.470413] RIP: 0033:0x7ff1edf0ba9d
    [  760.470832] Code: 5b 41 5c c3 66 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 48
89 f8
quoted
quoted
48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01
f0 ff
quoted
quoted
ff 73 01 c3 48 8b 0d cb e2 0e 00 f7 d8 64 89 01 48
    [  760.472742] RSP: 002b:00007ffe635e7a18 EFLAGS: 00000246 ORIG_RAX:
00000000000000f8
    [  760.473355] RAX: ffffffffffffffda RBX: 00007ffe635e7be0 RCX:
00007ff1edf0ba9d
    [  760.474523] RDX: 000055982fed80c0 RSI: 00007ffe635e7f17 RDI:
00007ffe635e7f0c
    [  760.475500] RBP: 00007ffe635e7a38 R08: 00000000fffffffd R09:
0000000000000000
    [  760.475913] R10: 0000000000000355 R11: 0000000000000246 R12:
0000000000000000
    [  760.476594] R13: 00007ffe635e7bd8 R14: 000055982fed48ae R15:
000055982fed76e8
    [  760.477579]  </TASK>
    [  760.477769] irq event stamp: 4727
    [  760.477963] hardirqs last  enabled at (4735): [<ffffffffa4101df5>]
__up_console_sem+0x75/0xa0
    [  760.479036] hardirqs last disabled at (4744): [<ffffffffa4a31cca>]
sysvec_apic_timer_interrupt+0xa/0xb0
    [  760.480403] softirqs last  enabled at (4762): [<ffffffffa4085172>]
__irq_exit_rcu+0xb2/0x140
    [  760.480869] softirqs last disabled at (4755): [<ffffffffa4085172>]
__irq_exit_rcu+0xb2/0x140
    [  760.481706] ---[ end trace 0000000000000000 ]---
    Generating a RSA private key
    .+++++
    ..................................................+++++
    writing new private key to '/tmp/verify_sigXdOL5V/signing_key.pem'
    -----
    add_key: Invalid argument
    test_verify_pkcs7_sig:PASS:mkdtemp 0 nsec
    test_verify_pkcs7_sig:FAIL:_run_setup_process unexpected error: 1 (errno
126)
    #238     verify_pkcs7_sig:FAIL
    #239     vmlinux:OK
    #240     xdp:OK
    #241/1   xdp_adjust_frags/xdp_adjust_frags:OK
    #241     xdp_adjust_frags:OK
    #242/1   xdp_adjust_tail/xdp_adjust_tail_shrink:OK
    #242/2   xdp_adjust_tail/xdp_adjust_tail_grow:OK
    [...]
  



    
  

  
    

      

        Keyboard shortcuts
      

      

        
          
hback out one level

          
jnext message in thread

          
kprevious message in thread

          
ldrill in

          
Escclose help / fold thread tree

          
?toggle this help