Re: [PATCH v16 11/20] block|security: add LSM blob to block_device

From: Paul Moore
Date: Mon Apr 01 2024 - 21:26:53 EST


On Mar 28, 2024 Fan Wu <wufan@xxxxxxxxxxxxxxxxxxx> wrote:
>
> Some block devices have valuable security properties that are only
> accessible during the creation time.

You should mention the new hook in the subject line, something like
the following: "block,lsm: add LSM blob and new LSM hook for block
devices".

> For example, when creating a dm-verity block device, the dm-verity's
> roothash and roothash signature, which are extremely important security
> metadata, are passed to the kernel. However, the roothash will be saved
> privately in dm-verity, which prevents the security subsystem from easily
> accessing that information. Worse, in the current implementation the
> roothash signature will be discarded after the verification, making it
> impossible for the security subsystem to utilize the roothash signature.
>
> With this patch, an LSM blob is added to the block_device structure.
> This enables the security subsystem to store security-sensitive data
> related to block devices within the security blob. For example, LSM can
> use the new LSM blob to save the roothash signature of a dm-verity,
> and LSM can make access decisions based on the data inside the signature,
> like the signer certificate.
>
> The implementation follows the same approach used for security blobs in
> other structures like struct file, struct inode, and struct superblock.
> The initialization of the security blob occurs after the creation of the
> struct block_device, performed by the security subsystem. Similarly, the
> security blob is freed by the security subsystem before the struct
> block_device is deallocated or freed.
>
> This patch also introduces a new hook to save a block device's integrity
> data. For example, for dm-verity, LSMs can use this hook to save
> the roothash signature of a dm-verity into the security blob,
> and LSMs can make access decisions based on the data inside
> the signature, like the signer certificate.
>
> Signed-off-by: Deven Bowers <deven.desai@xxxxxxxxxxxxxxxxxxx>
> Signed-off-by: Fan Wu <wufan@xxxxxxxxxxxxxxxxxxx>
> ---
> v2:
> + No Changes
>
> v3:
> + Minor style changes from checkpatch --strict
>
> v4:
> + No Changes
>
> v5:
> + Allow multiple callers to call security_bdev_setsecurity
>
> v6:
> + Simplify security_bdev_setsecurity break condition
>
> v7:
> + Squash all dm-verity related patches to two patches,
> the additions to dm-verity/fs, and the consumption of
> the additions.
>
> v8:
> + Split dm-verity related patches squashed in v7 to 3 commits based on
> topic:
> + New LSM hook
> + Consumption of hook outside LSM
> + Consumption of hook inside LSM.
>
> + change return of security_bdev_alloc / security_bdev_setsecurity
> to LSM_RET_DEFAULT instead of 0.
>
> + Change return code to -EOPNOTSUPP, bring inline with other
> setsecurity hooks.
>
> v9:
> + Add Reviewed-by: Casey Schaufler <casey@xxxxxxxxxxxxxxxx>
> + Remove unlikely when calling LSM hook
> + Make the security field dependent on CONFIG_SECURITY
>
> v10:
> + No changes
>
> v11:
> + No changes
>
> v12:
> + No changes
>
> v13:
> + No changes
>
> v14:
> + No changes
>
> v15:
> + Drop security_bdev_setsecurity() for new hook
> security_bdev_setintegrity() in the next commit
> + Update call_int_hook() for 260017f
>
> v16:
> + Drop Reviewed-by tag for the new changes
> + Squash the security_bdev_setintegrity() into this commit
> + Rename enum from lsm_intgr_type to lsm_integrity_type
> + Switch to use call_int_hook() for bdev_setintegrity()
> + Correct comment
> + Fix return in security_bdev_alloc()
> ---
> block/bdev.c | 7 +++
> include/linux/blk_types.h | 3 ++
> include/linux/lsm_hook_defs.h | 5 ++
> include/linux/lsm_hooks.h | 1 +
> include/linux/security.h | 26 ++++++++++
> security/security.c | 89 +++++++++++++++++++++++++++++++++++
> 6 files changed, 131 insertions(+)



> diff --git a/include/linux/security.h b/include/linux/security.h
> index f35af7b6cfba..8e646189740e 100644
> --- a/include/linux/security.h
> +++ b/include/linux/security.h
> @@ -1483,6 +1492,23 @@ static inline int lsm_fill_user_ctx(struct lsm_ctx __user *uctx,
> {
> return -EOPNOTSUPP;
> }
> +
> +static inline int security_bdev_alloc(struct block_device *bdev)
> +{
> + return 0;
> +}
> +
> +static inline void security_bdev_free(struct block_device *bdev)
> +{
> +}
> +
> +static inline int security_bdev_setintegrity(struct block_device *bdev,
> + enum lsm_integrity_type, type,

I'm sure by now you've seen the reports about the errant comma ...

> + const void *value, size_t size)
> +{
> + return 0;
> +}
> +
> #endif /* CONFIG_SECURITY */
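Review bot: the stray comma in `enum lsm_integrity_type, type,` in the `!CONFIG_SECURITY` stub of security_bdev_setintegrity() makes the parameter list invalid, so any configuration with CONFIG_SECURITY disabled fails to compile; it should read `enum lsm_integrity_type type,` so the signature matches the `const void *value, size_t size` parameters that follow and the CONFIG_SECURITY=y declaration this stub replaces.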

--
paul-moore.com