Re: [RFC PATCH v15 17/21] fsverity: consume builtin signature via LSM hook
From: Paul Moore
Date: Tue Mar 19 2024 - 19:02:08 EST
On Mon, Mar 18, 2024 at 1:29 AM Eric Biggers <ebiggers@xxxxxxxxxx> wrote:
> On Fri, Mar 15, 2024 at 08:35:47PM -0700, Fan Wu wrote:
> > fsverity represents a mechanism to support both integrity and
> > authenticity protection of a file, supporting both signed and unsigned
> > digests.
..
> > diff --git a/fs/verity/signature.c b/fs/verity/signature.c
> > index 90c07573dd77..d4ed03a114e9 100644
> > --- a/fs/verity/signature.c
> > +++ b/fs/verity/signature.c
> > @@ -41,7 +41,10 @@ static struct key *fsverity_keyring;
> > * @sig_size: size of signature in bytes, or 0 if no signature
> > *
> > * If the file includes a signature of its fs-verity file digest, verify it
> > - * against the certificates in the fs-verity keyring.
> > + * against the certificates in the fs-verity keyring. Note that verification
> > + * happens as long as the file's signature exists regardless of the state of
> > + * fsverity_require_signatures, and the IPE LSM relies on this behavior
> > + * to save the verified file signature of the file into security blobs.
>
> "save the verified file signature of the file into security blobs" isn't what
> IPE actually does, though. And even if it was, it would not explain why IPE
> expects the signature to be verified.
We probably need to abstract away the IPE specific comments here as
these are general LSM hooks and could be used by additional LSMs in
the future. How about something like the following?
"Note that signatures are verified regardless of the state of the
'fsverity_require_signatures' variable and the LSM subsystem relies
on this behavior to help enforce file integrity policies. Please
discuss changes with the LSM list (thank you!)."
> > diff --git a/include/linux/security.h b/include/linux/security.h
> > index 0885866b261e..edd12c0a673a 100644
> > --- a/include/linux/security.h
> > +++ b/include/linux/security.h
> > @@ -86,6 +86,7 @@ enum lsm_event {
> > enum lsm_intgr_type {
> > LSM_INTGR_DMV_SIG,
> > LSM_INTGR_DMV_ROOTHASH,
> > + LSM_INTGR_FSV_SIG,
> > __LSM_INTGR_MAX
> > };
>
> These are hard to understand because they are abbreviated too much. And again,
> there are multiple type of fsverity signatures. How about:
>
> enum lsm_integrity_type {
> LSM_INTEGRITY_DM_VERITY_SIG,
> LSM_INTEGRITY_DM_VERITY_ROOT_HASH,
> LSM_INTEGRITY_FS_VERITY_BUILTIN_SIG,
> __LSM_INTEGRITY_MAX
> };
Ugh. I'm willing to concede that the existing enums are probably a
bit too terse, but the suggestions above are a bit too long for my
tastes (and my typin' fingers). How about a compromise like that
below?
enum lsm_integrity_type {
LSM_INT_DMVERITY_SIG,
LSM_INT_DMVERITY_ROOTHASH,
LSM_INT_FSVERITY_BUILTINSIG,
};
--
paul-moore.com