[PATCH v11 0/9] bpf: Add kfuncs for PKCS#7 signature verification

Daniel Borkmann daniel at iogearbox.net
Mon Aug 15 16:10:16 UTC 2022 

On 8/12/22 12:18 PM, Roberto Sassu wrote:
> One of the desirable features in security is the ability to restrict import
> of data to a given system based on data authenticity. If data import can be
> restricted, it would be possible to enforce a system-wide policy based on
> the signing keys the system owner trusts.
> 
[...]
> Changelog
> 
> v10:
>   - Introduce key_lookup_flags_check() and system_keyring_id_check() inline
>     functions to check parameters (suggested by KP)
>   - Fix descriptions and comment of key-related kfuncs (suggested by KP)
>   - Register kfunc set only once (suggested by Alexei)
>   - Move needed kernel options to the architecture-independent configuration
>     for testing

Looks like from BPF CI side, the selftest throws a WARN in test_progs / test_progs-no_alu32
and subsequently fails with error, ptal:

   https://github.com/kernel-patches/bpf/runs/7804422038?check_suite_focus=true

   [...]
   #235     verif_scale_xdp_loop:OK
   #236     verif_stats:OK
   #237     verif_twfw:OK
   [  760.448652] ------------[ cut here ]------------
   [  760.449506] WARNING: CPU: 3 PID: 930 at crypto/rsa-pkcs1pad.c:544 pkcs1pad_verify+0x184/0x190
   [  760.450806] Modules linked in: bpf_testmod(OE) [last unloaded: bpf_testmod]
   [  760.452340] CPU: 3 PID: 930 Comm: keyctl Tainted: G           OE      5.19.0-g9f0260338e31-dirty #1
   [  760.453626] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
   [  760.454801] RIP: 0010:pkcs1pad_verify+0x184/0x190
   [  760.455380] Code: 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc 48 89 df 89 c6 5b 41 5c 41 5d 41 5e 41 5f 5d e9 a5 04 00 00 0f 0b b8 ea ff ff ff eb d4 <0f> 0b b8 ea ff ff ff eb cb 0f 0b 90 0f 1f 44 00 00 53 48 89 fb c7
   [  760.456866] RSP: 0018:ffffad55478dbb58 EFLAGS: 00000246
   [  760.457684] RAX: ffff9b3c43c42458 RBX: ffff9b3c48975b00 RCX: 0000000000000000
   [  760.458672] RDX: ffffffffa7277438 RSI: ffffffffa5275510 RDI: 0000000000000000
   [  760.459670] RBP: ffffad55478dbcf8 R08: 0000000000000002 R09: 0000000000000000
   [  760.460688] R10: ffffad55478dbc20 R11: ffffffffa44dde10 R12: ffff9b3c43de2e80
   [  760.461695] R13: ffff9b3c58459ea0 R14: ffff9b3c44d59600 R15: ffffad55478dbc20
   [  760.462270] FS:  00007ff1ee0eb740(0000) GS:ffff9b3cf9cc0000(0000) knlGS:0000000000000000
   [  760.462722] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
   [  760.463026] CR2: 000055b9a4c17588 CR3: 0000000107bb2000 CR4: 00000000000006e0
   [  760.464039] Call Trace:
   [  760.464465]  <TASK>
   [  760.464749]  public_key_verify_signature+0x4a2/0x570
   [  760.465623]  x509_check_for_self_signed+0x4e/0xd0
   [  760.465937]  x509_cert_parse+0x193/0x220
   [  760.466656]  x509_key_preparse+0x20/0x1f0
   [  760.466975]  asymmetric_key_preparse+0x43/0x80
   [  760.467552]  key_create_or_update+0x24e/0x510
   [  760.468366]  __x64_sys_add_key+0x19b/0x220
   [  760.468704]  ? syscall_enter_from_user_mode+0x24/0x1f0
   [  760.469056]  do_syscall_64+0x43/0x90
   [  760.469657]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
   [  760.470413] RIP: 0033:0x7ff1edf0ba9d
   [  760.470832] Code: 5b 41 5c c3 66 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d cb e2 0e 00 f7 d8 64 89 01 48
   [  760.472742] RSP: 002b:00007ffe635e7a18 EFLAGS: 00000246 ORIG_RAX: 00000000000000f8
   [  760.473355] RAX: ffffffffffffffda RBX: 00007ffe635e7be0 RCX: 00007ff1edf0ba9d
   [  760.474523] RDX: 000055982fed80c0 RSI: 00007ffe635e7f17 RDI: 00007ffe635e7f0c
   [  760.475500] RBP: 00007ffe635e7a38 R08: 00000000fffffffd R09: 0000000000000000
   [  760.475913] R10: 0000000000000355 R11: 0000000000000246 R12: 0000000000000000
   [  760.476594] R13: 00007ffe635e7bd8 R14: 000055982fed48ae R15: 000055982fed76e8
   [  760.477579]  </TASK>
   [  760.477769] irq event stamp: 4727
   [  760.477963] hardirqs last  enabled at (4735): [<ffffffffa4101df5>] __up_console_sem+0x75/0xa0
   [  760.479036] hardirqs last disabled at (4744): [<ffffffffa4a31cca>] sysvec_apic_timer_interrupt+0xa/0xb0
   [  760.480403] softirqs last  enabled at (4762): [<ffffffffa4085172>] __irq_exit_rcu+0xb2/0x140
   [  760.480869] softirqs last disabled at (4755): [<ffffffffa4085172>] __irq_exit_rcu+0xb2/0x140
   [  760.481706] ---[ end trace 0000000000000000 ]---
   Generating a RSA private key
   .+++++
   ..................................................+++++
   writing new private key to '/tmp/verify_sigXdOL5V/signing_key.pem'
   -----
   add_key: Invalid argument
   test_verify_pkcs7_sig:PASS:mkdtemp 0 nsec
   test_verify_pkcs7_sig:FAIL:_run_setup_process unexpected error: 1 (errno 126)
   #238     verify_pkcs7_sig:FAIL
   #239     vmlinux:OK
   #240     xdp:OK
   #241/1   xdp_adjust_frags/xdp_adjust_frags:OK
   #241     xdp_adjust_frags:OK
   #242/1   xdp_adjust_tail/xdp_adjust_tail_shrink:OK
   #242/2   xdp_adjust_tail/xdp_adjust_tail_grow:OK
   [...]

More information about the Linux-security-module-archive mailing list