[PATCH v11 0/9] bpf: Add kfuncs for PKCS#7 signature verification

Daniel Borkmann daniel at iogearbox.net
Tue Aug 16 10:05:08 UTC 2022


On 8/16/22 9:12 AM, Roberto Sassu wrote:
>> From: Daniel Borkmann [mailto:daniel at iogearbox.net]
>> Sent: Monday, August 15, 2022 6:10 PM
>> On 8/12/22 12:18 PM, Roberto Sassu wrote:
>>> One of the desirable features in security is the ability to restrict import
>>> of data to a given system based on data authenticity. If data import can be
>>> restricted, it would be possible to enforce a system-wide policy based on
>>> the signing keys the system owner trusts.
>>>
>> [...]
>>> Changelog
>>>
>>> v10:
>>>    - Introduce key_lookup_flags_check() and system_keyring_id_check() inline
>>>      functions to check parameters (suggested by KP)
>>>    - Fix descriptions and comment of key-related kfuncs (suggested by KP)
>>>    - Register kfunc set only once (suggested by Alexei)
>>>    - Move needed kernel options to the architecture-independent configuration
>>>      for testing
>>
>> Looks like from BPF CI side, the selftest throws a WARN in test_progs / test_progs-no_alu32
>> and subsequently fails with error, ptal:
>>
>>     https://github.com/kernel-patches/bpf/runs/7804422038?check_suite_focus=true
> 
> it is due to the missing SHA256 kernel module (not copied to
> the virtual machine).
> 
> I made a small patch in libbpf/ci to change kernel options =m
> into =y. With that patch, my instance of vmtest gives success
> (except for z15, which requires adding openssl and keyctl
> to the virtual machine image).

The code in pkcs1pad_verify() triggering the warning is:

     [...]
         if (WARN_ON(req->dst) || WARN_ON(!digest_size) ||
             !ctx->key_size || sig_size != ctx->key_size)
                 return -EINVAL;
     [...]

It is not obvious at all to users that the sha256 module is missing in their kernel,
how will they be able to figure it out?

Should the helper be gated if the dependency is not available, or return -EOPNOTSUPP
if the specific request cannot be satisfied (but others can...)?

>>     [...]
>>     #235     verif_scale_xdp_loop:OK
>>     #236     verif_stats:OK
>>     #237     verif_twfw:OK
>>     [  760.448652] ------------[ cut here ]------------
>>     [  760.449506] WARNING: CPU: 3 PID: 930 at crypto/rsa-pkcs1pad.c:544 pkcs1pad_verify+0x184/0x190
>>     [  760.450806] Modules linked in: bpf_testmod(OE) [last unloaded: bpf_testmod]
>>     [  760.452340] CPU: 3 PID: 930 Comm: keyctl Tainted: G           OE      5.19.0-g9f0260338e31-dirty #1
>>     [  760.453626] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
>>     [  760.454801] RIP: 0010:pkcs1pad_verify+0x184/0x190
>>     [  760.455380] Code: 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc 48 89 df 89 c6 5b 41 5c 41 5d 41 5e 41 5f 5d e9 a5 04 00 00 0f 0b b8 ea ff ff ff eb d4 <0f> 0b b8 ea ff ff ff eb cb 0f 0b 90 0f 1f 44 00 00 53 48 89 fb c7
>>     [  760.456866] RSP: 0018:ffffad55478dbb58 EFLAGS: 00000246
>>     [  760.457684] RAX: ffff9b3c43c42458 RBX: ffff9b3c48975b00 RCX: 0000000000000000
>>     [  760.458672] RDX: ffffffffa7277438 RSI: ffffffffa5275510 RDI: 0000000000000000
>>     [  760.459670] RBP: ffffad55478dbcf8 R08: 0000000000000002 R09: 0000000000000000
>>     [  760.460688] R10: ffffad55478dbc20 R11: ffffffffa44dde10 R12: ffff9b3c43de2e80
>>     [  760.461695] R13: ffff9b3c58459ea0 R14: ffff9b3c44d59600 R15: ffffad55478dbc20
>>     [  760.462270] FS:  00007ff1ee0eb740(0000) GS:ffff9b3cf9cc0000(0000) knlGS:0000000000000000
>>     [  760.462722] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>>     [  760.463026] CR2: 000055b9a4c17588 CR3: 0000000107bb2000 CR4: 00000000000006e0
>>     [  760.464039] Call Trace:
>>     [  760.464465]  <TASK>
>>     [  760.464749]  public_key_verify_signature+0x4a2/0x570
>>     [  760.465623]  x509_check_for_self_signed+0x4e/0xd0
>>     [  760.465937]  x509_cert_parse+0x193/0x220
>>     [  760.466656]  x509_key_preparse+0x20/0x1f0
>>     [  760.466975]  asymmetric_key_preparse+0x43/0x80
>>     [  760.467552]  key_create_or_update+0x24e/0x510
>>     [  760.468366]  __x64_sys_add_key+0x19b/0x220
>>     [  760.468704]  ? syscall_enter_from_user_mode+0x24/0x1f0
>>     [  760.469056]  do_syscall_64+0x43/0x90
>>     [  760.469657]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
>>     [  760.470413] RIP: 0033:0x7ff1edf0ba9d
>>     [  760.470832] Code: 5b 41 5c c3 66 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d cb e2 0e 00 f7 d8 64 89 01 48
>>     [  760.472742] RSP: 002b:00007ffe635e7a18 EFLAGS: 00000246 ORIG_RAX: 00000000000000f8
>>     [  760.473355] RAX: ffffffffffffffda RBX: 00007ffe635e7be0 RCX: 00007ff1edf0ba9d
>>     [  760.474523] RDX: 000055982fed80c0 RSI: 00007ffe635e7f17 RDI: 00007ffe635e7f0c
>>     [  760.475500] RBP: 00007ffe635e7a38 R08: 00000000fffffffd R09: 0000000000000000
>>     [  760.475913] R10: 0000000000000355 R11: 0000000000000246 R12: 0000000000000000
>>     [  760.476594] R13: 00007ffe635e7bd8 R14: 000055982fed48ae R15: 000055982fed76e8
>>     [  760.477579]  </TASK>
>>     [  760.477769] irq event stamp: 4727
>>     [  760.477963] hardirqs last  enabled at (4735): [<ffffffffa4101df5>] __up_console_sem+0x75/0xa0
>>     [  760.479036] hardirqs last disabled at (4744): [<ffffffffa4a31cca>] sysvec_apic_timer_interrupt+0xa/0xb0
>>     [  760.480403] softirqs last  enabled at (4762): [<ffffffffa4085172>] __irq_exit_rcu+0xb2/0x140
>>     [  760.480869] softirqs last disabled at (4755): [<ffffffffa4085172>] __irq_exit_rcu+0xb2/0x140
>>     [  760.481706] ---[ end trace 0000000000000000 ]---
>>     Generating a RSA private key
>>     .+++++
>>     ..................................................+++++
>>     writing new private key to '/tmp/verify_sigXdOL5V/signing_key.pem'
>>     -----
>>     add_key: Invalid argument
>>     test_verify_pkcs7_sig:PASS:mkdtemp 0 nsec
>>     test_verify_pkcs7_sig:FAIL:_run_setup_process unexpected error: 1 (errno 126)
>>     #238     verify_pkcs7_sig:FAIL
>>     #239     vmlinux:OK
>>     #240     xdp:OK
>>     #241/1   xdp_adjust_frags/xdp_adjust_frags:OK
>>     #241     xdp_adjust_frags:OK
>>     #242/1   xdp_adjust_tail/xdp_adjust_tail_shrink:OK
>>     #242/2   xdp_adjust_tail/xdp_adjust_tail_grow:OK
>>     [...]
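
One way to answer the "how will they be able to figure it out?" question from user space, as an added example that is not part of the original thread or of the patch set: it classifies sha256 from a kernel config file and a `/proc/crypto` listing. `CONFIG_CRYPTO_SHA256` is assumed to be the option behind the missing module; the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): tell apart the states that matter for
# the failure discussed above. Paths are parameters so the functions run on
# constructed input; CONFIG_CRYPTO_SHA256 is assumed to be the option meant.

# kconfig_state FILE SYMBOL: prints builtin, module or unset.
kconfig_state() {
    line=$(grep -E "^$2=" "$1" | tail -n 1)
    case "$line" in
        *=y) echo builtin ;;
        *=m) echo module ;;
        *)   echo unset ;;   # also covers "# CONFIG_... is not set"
    esac
}

# crypto_registered FILE ALG: succeeds if a /proc/crypto-style FILE lists ALG.
crypto_registered() {
    awk -v alg="$2" '$1 == "name" && $3 == alg { found = 1 }
                     END { exit !found }' "$1"
}

# sha256_verdict CONFIG PROC_CRYPTO: prints a one-word diagnosis.
sha256_verdict() {
    if crypto_registered "$2" sha256; then
        echo available
        return 0
    fi
    case "$(kconfig_state "$1" CONFIG_CRYPTO_SHA256)" in
        module)  echo module-not-loaded ;;      # built =m, absent or not loaded
        builtin) echo builtin-not-registered ;; # config does not match this kernel
        *)       echo not-built ;;
    esac
}

# Constructed sample input (not taken from the CI run): sha256 built as a
# module, and a /proc/crypto listing in which only sha1 is registered.
tmp=$(mktemp -d)
printf 'CONFIG_CRYPTO_SHA1=y\nCONFIG_CRYPTO_SHA256=m\n' > "$tmp/config"
printf 'name         : sha1\ndriver       : sha1-generic\n' > "$tmp/crypto"
echo "sha256: $(sha256_verdict "$tmp/config" "$tmp/crypto")"
rm -rf "$tmp"
```

On a running system the two inputs would be the kernel's config file (for example `/boot/config-$(uname -r)`) and `/proc/crypto`.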


