On 8/12/22 12:18 PM, Roberto Sassu wrote:
One of the desirable features in security is the ability to restrict import of data to a given system based on data authenticity. If data import can be restricted, it would be possible to enforce a system-wide policy based on the signing keys the system owner trusts.
[...]
Changelog
v10:
- Introduce key_lookup_flags_check() and system_keyring_id_check() inline functions to check parameters (suggested by KP)
- Fix descriptions and comment of key-related kfuncs (suggested by KP)
- Register kfunc set only once (suggested by Alexei)
- Move needed kernel options to the architecture-independent configuration for testing
Looks like from BPF CI side, the selftest throws a WARN in test_progs / test_progs-no_alu32 and subsequently fails with error, ptal:
https://github.com/kernel-patches/bpf/runs/7804422038?check_suite_focus=true
[...] #235 verif_scale_xdp_loop:OK #236 verif_stats:OK #237 verif_twfw:OK [ 760.448652] ------------[ cut here ]------------ [ 760.449506] WARNING: CPU: 3 PID: 930 at crypto/rsa-pkcs1pad.c:544 pkcs1pad_verify+0x184/0x190 [ 760.450806] Modules linked in: bpf_testmod(OE) [last unloaded: bpf_testmod] [ 760.452340] CPU: 3 PID: 930 Comm: keyctl Tainted: G OE 5.19.0-g9f0260338e31-dirty #1 [ 760.453626] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014 [ 760.454801] RIP: 0010:pkcs1pad_verify+0x184/0x190 [ 760.455380] Code: 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc 48 89 df 89 c6 5b 41 5c 41 5d 41 5e 41 5f 5d e9 a5 04 00 00 0f 0b b8 ea ff ff ff eb d4 <0f> 0b b8 ea ff ff ff eb cb 0f 0b 90 0f 1f 44 00 00 53 48 89 fb c7 [ 760.456866] RSP: 0018:ffffad55478dbb58 EFLAGS: 00000246 [ 760.457684] RAX: ffff9b3c43c42458 RBX: ffff9b3c48975b00 RCX: 0000000000000000 [ 760.458672] RDX: ffffffffa7277438 RSI: ffffffffa5275510 RDI: 0000000000000000 [ 760.459670] RBP: ffffad55478dbcf8 R08: 0000000000000002 R09: 0000000000000000 [ 760.460688] R10: ffffad55478dbc20 R11: ffffffffa44dde10 R12: ffff9b3c43de2e80 [ 760.461695] R13: ffff9b3c58459ea0 R14: ffff9b3c44d59600 R15: ffffad55478dbc20 [ 760.462270] FS: 00007ff1ee0eb740(0000) GS:ffff9b3cf9cc0000(0000) knlGS:0000000000000000 [ 760.462722] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 760.463026] CR2: 000055b9a4c17588 CR3: 0000000107bb2000 CR4: 00000000000006e0 [ 760.464039] Call Trace: [ 760.464465] <TASK> [ 760.464749] public_key_verify_signature+0x4a2/0x570 [ 760.465623] x509_check_for_self_signed+0x4e/0xd0 [ 760.465937] x509_cert_parse+0x193/0x220 [ 760.466656] x509_key_preparse+0x20/0x1f0 [ 760.466975] asymmetric_key_preparse+0x43/0x80 [ 760.467552] key_create_or_update+0x24e/0x510 [ 760.468366] __x64_sys_add_key+0x19b/0x220 [ 760.468704] ? syscall_enter_from_user_mode+0x24/0x1f0 [ 760.469056] do_syscall_64+0x43/0x90 [ 760.469657] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 760.470413] RIP: 0033:0x7ff1edf0ba9d [ 760.470832] Code: 5b 41 5c c3 66 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d cb e2 0e 00 f7 d8 64 89 01 48 [ 760.472742] RSP: 002b:00007ffe635e7a18 EFLAGS: 00000246 ORIG_RAX: 00000000000000f8 [ 760.473355] RAX: ffffffffffffffda RBX: 00007ffe635e7be0 RCX: 00007ff1edf0ba9d [ 760.474523] RDX: 000055982fed80c0 RSI: 00007ffe635e7f17 RDI: 00007ffe635e7f0c [ 760.475500] RBP: 00007ffe635e7a38 R08: 00000000fffffffd R09: 0000000000000000 [ 760.475913] R10: 0000000000000355 R11: 0000000000000246 R12: 0000000000000000 [ 760.476594] R13: 00007ffe635e7bd8 R14: 000055982fed48ae R15: 000055982fed76e8 [ 760.477579] </TASK> [ 760.477769] irq event stamp: 4727 [ 760.477963] hardirqs last enabled at (4735): [<ffffffffa4101df5>] __up_console_sem+0x75/0xa0 [ 760.479036] hardirqs last disabled at (4744): [<ffffffffa4a31cca>] sysvec_apic_timer_interrupt+0xa/0xb0 [ 760.480403] softirqs last enabled at (4762): [<ffffffffa4085172>] __irq_exit_rcu+0xb2/0x140 [ 760.480869] softirqs last disabled at (4755): [<ffffffffa4085172>] __irq_exit_rcu+0xb2/0x140 [ 760.481706] ---[ end trace 0000000000000000 ]--- Generating a RSA private key .+++++ ..................................................+++++ writing new private key to '/tmp/verify_sigXdOL5V/signing_key.pem' ----- add_key: Invalid argument test_verify_pkcs7_sig:PASS:mkdtemp 0 nsec test_verify_pkcs7_sig:FAIL:_run_setup_process unexpected error: 1 (errno 126) #238 verify_pkcs7_sig:FAIL #239 vmlinux:OK #240 xdp:OK #241/1 xdp_adjust_frags/xdp_adjust_frags:OK #241 xdp_adjust_frags:OK #242/1 xdp_adjust_tail/xdp_adjust_tail_shrink:OK #242/2 xdp_adjust_tail/xdp_adjust_tail_grow:OK [...]