Kernel developers working on confidential computing for virtualized
environments in x86 operate under a set of assumptions regarding the Linux
kernel threat model that differs from the traditional view. Historically,
the Linux threat model acknowledges attackers residing in userspace, as
well as a limited set of external attackers that are able to interact with
the kernel through networking or limited HW-specific exposed interfaces
(e.g. USB, thunderbolt). The goal of this document is to explain additional
attack vectors that arise in the virtualized confidential computing space.
Reviewed-by: Larry Dewey <larry.dewey@amd.com>
Reviewed-by: David Kaplan <david.kaplan@amd.com>
Co-developed-by: Elena Reshetova <elena.reshetova@intel.com>
Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
Signed-off-by: Carlos Bilbao <carlos.bilbao@amd.com>
Message-ID: <98804f27-c2e7-74d6-d671-1eda927e19fe@amd.com>
Signed-off-by: Jonathan Corbet <corbet@lwn.net>
Fix one kernel-doc warning, but invesigating that led to other
kernel-doc movement (lsm_hooks.h to security.c) that needs to be
fixed also.
include/linux/lsm_hooks.h:1: warning: no structured comments found
Fixes: e261301c85 ("lsm: move the remaining LSM hook comments to security/security.c")
Fixes: 1cd2aca64a ("lsm: move the io_uring hook comments to security/security.c")
Fixes: 452b670c72 ("lsm: move the perf hook comments to security/security.c")
Fixes: 55e853201a ("lsm: move the bpf hook comments to security/security.c")
Fixes: b14faf9c94 ("lsm: move the audit hook comments to security/security.c")
Fixes: 1427ddbe5c ("lsm: move the binder hook comments to security/security.c")
Fixes: 43fad28218 ("lsm: move the sysv hook comments to security/security.c")
Fixes: ecc419a445 ("lsm: move the key hook comments to security/security.c")
Fixes: 742b99456e ("lsm: move the xfrm hook comments to security/security.c")
Fixes: ac318aed54 ("lsm: move the Infiniband hook comments to security/security.c")
Fixes: 4a49f592e9 ("lsm: move the SCTP hook comments to security/security.c")
Fixes: 6b6bbe8c02 ("lsm: move the socket hook comments to security/security.c")
Fixes: 2c2442fd46 ("lsm: move the AF_UNIX hook comments to security/security.c")
Fixes: 2bcf51bf2f ("lsm: move the netlink hook comments to security/security.c")
Fixes: 130c53bfee ("lsm: move the task hook comments to security/security.c")
Fixes: a0fd6480de ("lsm: move the file hook comments to security/security.c")
Fixes: 9348944b77 ("lsm: move the kernfs hook comments to security/security.c")
Fixes: 916e32584d ("lsm: move the inode hook comments to security/security.c")
Fixes: 08526a902c ("lsm: move the filesystem hook comments to security/security.c")
Fixes: 36819f1855 ("lsm: move the fs_context hook comments to security/security.c")
Fixes: 1661372c91 ("lsm: move the program execution hook comments to security/security.c")
Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
Cc: Paul Moore <paul@paul-moore.com>
Cc: James Morris <jmorris@namei.org>
Cc: "Serge E. Hallyn" <serge@hallyn.com>
Cc: linux-security-module@vger.kernel.org
Cc: Jonathan Corbet <corbet@lwn.net>
Cc: linux-doc@vger.kernel.org
Cc: KP Singh <kpsingh@kernel.org>
Cc: bpf@vger.kernel.org
Signed-off-by: Paul Moore <paul@paul-moore.com>
Starting with LANDLOCK_ACCESS_FS_TRUNCATE, it is worth explaining why we
choose to restrict access checks at open time. This new "File
descriptor access rights" section is complementary to the existing
"Inode access rights" section. Add a new guiding principle related to
this section.
Reviewed-by: Günther Noack <gnoack3000@gmail.com>
Link: https://lore.kernel.org/r/20221209193813.972012-1-mic@digikod.net
[mic: Include the latest Günther's suggestion, and fix spelling]
Signed-off-by: Mickaël Salaün <mic@digikod.net>
Commit cd3bc044af ("KEYS: encrypted: Instantiate key with
user-provided decrypted data") added key instantiation with user
provided decrypted data. The user data is hex-ascii-encoded but was
just memcpy'ed to the binary buffer. Fix this to use hex2bin instead.
Old keys created from user provided decrypted data saved with "keyctl
pipe" are still valid, however if the key is recreated from decrypted
data the old key must be converted to the correct format. This can be
done with a small shell script, e.g.:
BROKENKEY=abcdefABCDEF1234567890aaaaaaaaaa
NEWKEY=$(echo -ne $BROKENKEY | xxd -p -c32)
keyctl add user masterkey "$(cat masterkey.bin)" @u
keyctl add encrypted testkey "new user:masterkey 32 $NEWKEY" @u
However, NEWKEY is still broken: If for BROKENKEY 32 bytes were
specified, a brute force attacker knowing the key properties would only
need to try at most 2^(16*8) keys, as if the key was only 16 bytes long.
The security issue is a result of the combination of limiting the input
range to hex-ascii and using memcpy() instead of hex2bin(). It could
have been fixed either by allowing binary input or using hex2bin() (and
doubling the ascii input key length). This patch implements the latter.
The corresponding test for the Linux Test Project ltp has also been
fixed (see link below).
Fixes: cd3bc044af ("KEYS: encrypted: Instantiate key with user-provided decrypted data")
Cc: stable@kernel.org
Link: https://lore.kernel.org/ltp/20221006081709.92303897@mail.steuer-voss.de/
Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Nikolaus Voss <nikolaus.voss@haag-streit.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Pull IMA updates from Mimi Zohar:
"New is IMA support for including fs-verity file digests and signatures
in the IMA measurement list as well as verifying the fs-verity file
digest based signatures, both based on policy.
In addition, are two bug fixes:
- avoid reading UEFI variables, which cause a page fault, on Apple
Macs with T2 chips.
- remove the original "ima" template Kconfig option to address a boot
command line ordering issue.
The rest is a mixture of code/documentation cleanup"
* tag 'integrity-v5.19' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity:
integrity: Fix sparse warnings in keyring_handler
evm: Clean up some variables
evm: Return INTEGRITY_PASS for enum integrity_status value '0'
efi: Do not import certificates from UEFI Secure Boot for T2 Macs
fsverity: update the documentation
ima: support fs-verity file digest based version 3 signatures
ima: permit fsverity's file digests in the IMA measurement list
ima: define a new template field named 'd-ngv2' and templates
fs-verity: define a function to return the integrity protected file digest
ima: use IMA default hash algorithm for integrity violations
ima: fix 'd-ng' comments and documentation
ima: remove the IMA_TEMPLATE Kconfig option
ima: remove redundant initialization of pointer 'file'.
Pull tpm updates from Jarkko Sakkinen:
- Tightened validation of key hashes for SYSTEM_BLACKLIST_HASH_LIST. An
invalid hash format causes a compilation error. Previously, they got
included to the kernel binary but were silently ignored at run-time.
- Allow root user to append new hashes to the blacklist keyring.
- Trusted keys backed with Cryptographic Acceleration and Assurance
Module (CAAM), which part of some of the new NXP's SoC's. Now there
is total three hardware backends for trusted keys: TPM, ARM TEE and
CAAM.
- A scattered set of fixes and small improvements for the TPM driver.
* tag 'tpmdd-next-v5.19-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/jarkko/linux-tpmdd:
MAINTAINERS: add KEYS-TRUSTED-CAAM
doc: trusted-encrypted: describe new CAAM trust source
KEYS: trusted: Introduce support for NXP CAAM-based trusted keys
crypto: caam - add in-kernel interface for blob generator
crypto: caam - determine whether CAAM supports blob encap/decap
KEYS: trusted: allow use of kernel RNG for key material
KEYS: trusted: allow use of TEE as backend without TCG_TPM support
tpm: Add field upgrade mode support for Infineon TPM2 modules
tpm: Fix buffer access in tpm2_get_tpm_pt()
char: tpm: cr50_i2c: Suppress duplicated error message in .remove()
tpm: cr50: Add new device/vendor ID 0x504a6666
tpm: Remove read16/read32/write32 calls from tpm_tis_phy_ops
tpm: ibmvtpm: Correct the return value in tpm_ibmvtpm_probe()
tpm/tpm_ftpm_tee: Return true/false (not 1/0) from bool functions
certs: Explain the rationale to call panic()
certs: Allow root user to append signed hashes to the blacklist keyring
certs: Check that builtin blacklist hashes are valid
certs: Make blacklist_vet_description() more strict
certs: Factor out the blacklist hash creation
tools/certs: Add print-cert-tbs-hash.sh
Pull Landlock updates from Mickaël Salaün:
- improve the path_rename LSM hook implementations for RENAME_EXCHANGE;
- fix a too-restrictive filesystem control for a rare corner case;
- set the nested sandbox limitation to 16 layers;
- add a new LANDLOCK_ACCESS_FS_REFER access right to properly handle
file reparenting (i.e. full rename and link support);
- add new tests and documentation;
- format code with clang-format to make it easier to maintain and
contribute.
* tag 'landlock-5.19-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/mic/linux: (30 commits)
landlock: Explain how to support Landlock
landlock: Add design choices documentation for filesystem access rights
landlock: Document good practices about filesystem policies
landlock: Document LANDLOCK_ACCESS_FS_REFER and ABI versioning
samples/landlock: Add support for file reparenting
selftests/landlock: Add 11 new test suites dedicated to file reparenting
landlock: Add support for file reparenting with LANDLOCK_ACCESS_FS_REFER
LSM: Remove double path_rename hook calls for RENAME_EXCHANGE
landlock: Move filesystem helpers and add a new one
landlock: Fix same-layer rule unions
landlock: Create find_rule() from unmask_layers()
landlock: Reduce the maximum number of layers to 16
landlock: Define access_mask_t to enforce a consistent access mask size
selftests/landlock: Test landlock_create_ruleset(2) argument check ordering
landlock: Change landlock_restrict_self(2) check ordering
landlock: Change landlock_add_rule(2) argument check ordering
selftests/landlock: Add tests for O_PATH
selftests/landlock: Fully test file rename with "remove" access
selftests/landlock: Extend access right tests to directories
selftests/landlock: Add tests for unknown access rights
...
Pull EFI updates from Ard Biesheuvel:
- Allow runtime services to be re-enabled at boot on RT kernels.
- Provide access to secrets injected into the boot image by CoCo
hypervisors (COnfidential COmputing)
- Use DXE services on x86 to make the boot image executable after
relocation, if needed.
- Prefer mirrored memory for randomized allocations.
- Only randomize the placement of the kernel image on arm64 if the
loader has not already done so.
- Add support for obtaining the boot hartid from EFI on RISC-V.
* tag 'efi-next-for-v5.19' of git://git.kernel.org/pub/scm/linux/kernel/git/efi/efi:
riscv/efi_stub: Add support for RISCV_EFI_BOOT_PROTOCOL
efi: stub: prefer mirrored memory for randomized allocations
efi/arm64: libstub: run image in place if randomized by the loader
efi: libstub: pass image handle to handle_kernel_image()
efi: x86: Set the NX-compatibility flag in the PE header
efi: libstub: ensure allocated memory to be executable
efi: libstub: declare DXE services table
efi: Add missing prototype for efi_capsule_setup_info
docs: security: Add secrets/coco documentation
efi: Register efi_secret platform device if EFI secret area is declared
virt: Add efi_secret module to expose confidential computing secrets
efi: Save location of EFI confidential computing area
efi: Allow to enable EFI runtime services by default on RT
Update documentation for trusted key use with the Cryptographic
Acceleration and Assurance Module (CAAM), an IP on NXP SoCs.
Reviewed-by: Pankaj Gupta <pankaj.gupta@nxp.com>
Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
The two existing trusted key sources don't make use of the kernel RNG,
but instead let the hardware doing the sealing/unsealing also
generate the random key material. However, both users and future
backends may want to place less trust into the quality of the trust
source's random number generator and instead reuse the kernel entropy
pool, which can be seeded from multiple entropy sources.
Make this possible by adding a new trusted.rng parameter,
that will force use of the kernel RNG. In its absence, it's up
to the trust source to decide, which random numbers to use,
maintaining the existing behavior.
Suggested-by: Jarkko Sakkinen <jarkko@kernel.org>
Acked-by: Sumit Garg <sumit.garg@linaro.org>
Acked-by: Pankaj Gupta <pankaj.gupta@nxp.com>
Reviewed-by: David Gstir <david@sigma-star.at>
Reviewed-by: Pankaj Gupta <pankaj.gupta@nxp.com>
Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
Tested-by: Pankaj Gupta <pankaj.gupta@nxp.com>
Tested-by: Michael Walle <michael@walle.cc> # on ls1028a (non-E and E)
Tested-by: John Ernberg <john.ernberg@actia.se> # iMX8QXP
Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
IMA may verify a file's integrity against a "good" value stored in the
'security.ima' xattr or as an appended signature, based on policy. When
the "good value" is stored in the xattr, the xattr may contain a file
hash or signature. In either case, the "good" value is preceded by a
header. The first byte of the xattr header indicates the type of data
- hash, signature - stored in the xattr. To support storing fs-verity
signatures in the 'security.ima' xattr requires further differentiating
the fs-verity signature from the existing IMA signature.
In addition the signatures stored in 'security.ima' xattr, need to be
disambiguated. Instead of directly signing the fs-verity digest, a new
signature format version 3 is defined as the hash of the ima_file_id
structure, which identifies the type of signature and the digest.
The IMA policy defines "which" files are to be measured, verified, and/or
audited. For those files being verified, the policy rules indicate "how"
the file should be verified. For example to require a file be signed,
the appraise policy rule must include the 'appraise_type' option.
appraise_type:= [imasig] | [imasig|modsig] | [sigv3]
where 'imasig' is the original or signature format v2 (default),
where 'modsig' is an appended signature,
where 'sigv3' is the signature format v3.
The policy rule must also indicate the type of digest, if not the IMA
default, by first specifying the digest type:
digest_type:= [verity]
The following policy rule requires fsverity signatures. The rule may be
constrained, for example based on a fsuuid or LSM label.
appraise func=BPRM_CHECK digest_type=verity appraise_type=sigv3
Acked-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Permit fsverity's file digest (a hash of struct fsverity_descriptor) to
be included in the IMA measurement list, based on the new measurement
policy rule 'digest_type=verity' option.
To differentiate between a regular IMA file hash from an fsverity's
file digest, use the new d-ngv2 format field included in the ima-ngv2
template.
The following policy rule requires fsverity file digests and specifies
the new 'ima-ngv2' template, which contains the new 'd-ngv2' field. The
policy rule may be constrained, for example based on a fsuuid or LSM
label.
measure func=FILE_CHECK digest_type=verity template=ima-ngv2
Acked-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
In preparation to differentiate between unsigned regular IMA file
hashes and fs-verity's file digests in the IMA measurement list,
define a new template field named 'd-ngv2'.
Also define two new templates named 'ima-ngv2' and 'ima-sigv2', which
include the new 'd-ngv2' field.
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Initially the 'd-ng' template field did not prefix the digest with either
"md5" or "sha1" hash algorithms. Prior to being upstreamed this changed,
but the comments and documentation were not updated. Fix the comments
and documentation.
Fixes: 4d7aeee73f ("ima: define new template ima-ng and template fields d-ng and n-ng")
Reported-by: Eric Biggers <ebiggers@kernel.org>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Fix the documentation for the hsiphash functions to avoid conflating the
HalfSipHash algorithm with the hsiphash functions, since these functions
actually implement either HalfSipHash or SipHash, and random.c now uses
HalfSipHash (in a very special way) without the hsiphash functions.
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
