Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

fsverity: expose verified fsverity built-in signatures to LSMs

This patch enhances fsverity's capabilities to support both integrity and
authenticity protection by introducing the exposure of built-in
signatures through a new LSM hook. This functionality allows LSMs,
e.g. IPE, to enforce policies based on the authenticity and integrity of
files, specifically focusing on built-in fsverity signatures. It enables
a policy enforcement layer within LSMs for fsverity, offering granular
control over the usage of authenticity claims. For instance, a policy
could be established to only permit the execution of all files with
verified built-in fsverity signatures.

The introduction of a security_inode_setintegrity() hook call within
fsverity's workflow ensures that the verified built-in signature of a file
is exposed to LSMs. This enables LSMs to recognize and label fsverity files
that contain a verified built-in fsverity signature. This hook is invoked
subsequent to the fsverity_verify_signature() process, guaranteeing the
signature's verification against fsverity's keyring. This mechanism is
crucial for maintaining system security, as it operates in kernel space,
effectively thwarting attempts by malicious binaries to bypass user space
stack interactions.

The second to last commit in this patch set will add a link to the IPE
documentation in fsverity.rst.

Signed-off-by: Deven Bowers <deven.desai@linux.microsoft.com>
Signed-off-by: Fan Wu <wufan@linux.microsoft.com>
Acked-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>

Authored by Fan Wu and committed by Paul Moore
7c373e4f fb55e177

+39 -3
+21 -2
Documentation/filesystems/fsverity.rst
··· 86 86 signature in their "security.ima" extended attribute, as controlled 87 87 by the IMA policy. For more information, see the IMA documentation. 88 88 89 + - Integrity Policy Enforcement (IPE). IPE supports enforcing access 90 + control decisions based on immutable security properties of files, 91 + including those protected by fs-verity's built-in signatures. 92 + "IPE policy" specifically allows for the authorization of fs-verity 93 + files using properties ``fsverity_digest`` for identifying 94 + files by their verity digest, and ``fsverity_signature`` to authorize 95 + files with a verified fs-verity's built-in signature. 96 + 89 97 - Trusted userspace code in combination with `Built-in signature 90 98 verification`_. This approach should be used only with great care. 91 99 ··· 465 457 On success, the ioctl persists the signature alongside the Merkle 466 458 tree. Then, any time the file is opened, the kernel verifies the 467 459 file's actual digest against this signature, using the certificates 468 - in the ".fs-verity" keyring. 460 + in the ".fs-verity" keyring. This verification happens as long as the 461 + file's signature exists, regardless of the state of the sysctl variable 462 + "fs.verity.require_signatures" described in the next item. The IPE LSM 463 + relies on this behavior to recognize and label fsverity files 464 + that contain a verified built-in fsverity signature. 469 465 470 466 3. A new sysctl "fs.verity.require_signatures" is made available. 471 467 When set to 1, the kernel requires that all verity files have a ··· 493 481 494 482 - Builtin signature verification does *not* make the kernel enforce 495 483 that any files actually have fs-verity enabled. Thus, it is not a 496 - complete authentication policy. Currently, if it is used, the only 484 + complete authentication policy. 
Currently, if it is used, one 497 485 way to complete the authentication policy is for trusted userspace 498 486 code to explicitly check whether files have fs-verity enabled with a 499 487 signature before they are accessed. (With ··· 501 489 enabled suffices.) But, in this case the trusted userspace code 502 490 could just store the signature alongside the file and verify it 503 491 itself using a cryptographic library, instead of using this feature. 492 + 493 + - Another approach is to utilize fs-verity builtin signature 494 + verification in conjunction with the IPE LSM, which supports defining 495 + a kernel-enforced, system-wide authentication policy that allows only 496 + files with a verified fs-verity builtin signature to perform certain 497 + operations, such as execution. Note that IPE doesn't require 498 + fs.verity.require_signatures=1. 504 499 505 500 - A file's builtin signature can only be set at the same time that 506 501 fs-verity is being enabled on the file. Changing or deleting the
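Review bot: the wording "files with a verified fs-verity's built-in signature" in the new IPE bullet (line 95) reads awkwardly; "files with a verified fs-verity built-in signature" matches the phrasing used in the later "Another approach" bullet. The added text also alternates between "built-in" (IPE bullet, item 2) and "builtin" (the "Another approach" bullet), while the existing document already uses "Builtin signature verification" as a section name; pick one spelling for the new lines. The sentence added to item 2 stating that verification happens "regardless of the state of the sysctl variable" is the contract IPE depends on, so it is good that it is documented next to the sysctl rather than only in fs/verity/signature.c.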
+17 -1
fs/verity/signature.c
··· 17 17 18 18 #include <linux/cred.h> 19 19 #include <linux/key.h> 20 + #include <linux/security.h> 20 21 #include <linux/slab.h> 21 22 #include <linux/verification.h> 22 23 ··· 42 41 * @sig_size: size of signature in bytes, or 0 if no signature 43 42 * 44 43 * If the file includes a signature of its fs-verity file digest, verify it 45 - * against the certificates in the fs-verity keyring. 44 + * against the certificates in the fs-verity keyring. Note that signatures 45 + * are verified regardless of the state of the 'fsverity_require_signatures' 46 + * variable and the LSM subsystem relies on this behavior to help enforce 47 + * file integrity policies. Please discuss changes with the LSM list 48 + * (thank you!). 46 49 * 47 50 * Return: 0 on success (signature valid or not required); -errno on failure 48 51 */ ··· 108 103 else 109 104 fsverity_err(inode, "Error %d verifying file signature", 110 105 err); 106 + return err; 107 + } 108 + 109 + err = security_inode_setintegrity(inode, 110 + LSM_INT_FSVERITY_BUILTINSIG_VALID, 111 + signature, 112 + sig_size); 113 + 114 + if (err) { 115 + fsverity_err(inode, "Error %d exposing file signature to LSMs", 116 + err); 111 117 return err; 112 118 } 113 119
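Review bot: the blank line between the security_inode_setintegrity() call and its `if (err)` check (hunk lines 112 to 114) is unusual for kernel style, where the error check directly follows the call; drop it. On semantics: the hook is reached only after fsverity_verify_signature() has succeeded, and an -errno from an LSM now propagates as a signature verification failure, so an LSM that returns an error from inode_setintegrity makes a file with an otherwise valid built-in signature fail verification. The kerneldoc block above (which already asks for changes to be discussed with the LSM list) would be the place to state that failure behaviour so LSM authors know the consequences of returning an error here.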
+1
include/linux/security.h
··· 92 92 enum lsm_integrity_type { 93 93 LSM_INT_DMVERITY_SIG_VALID, 94 94 LSM_INT_DMVERITY_ROOTHASH, 95 + LSM_INT_FSVERITY_BUILTINSIG_VALID, 95 96 }; 96 97 97 98 /*
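Review bot: LSM_INT_FSVERITY_BUILTINSIG_VALID is appended after LSM_INT_DMVERITY_ROOTHASH, so existing values keep their numbering, but the new entry carries no comment saying what the value and size passed with it mean (per the call in fs/verity/signature.c, the raw built-in signature bytes and their length). A one-line comment on the entry, or in the comment block that follows the enum, would spare LSM authors a trip to fs/verity to find out.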