1. 01 Jun, 2021 1 commit
    • evm: Allow setxattr() and setattr() for unmodified metadata · 1886ab01
      Roberto Sassu authored
      With the patch to allow xattr/attr operations if a portable signature
      verification fails, cp and tar can copy all xattrs/attrs so that at the
      end of the process verification succeeds.
      
      However, it might happen that the xattrs/attrs are already set to the
      correct value (taken at signing time) and signature verification succeeds
      before the copy has completed. For example, an archive might contain files
      owned by root and the archive is extracted by root.
      
      Then, since portable signatures are immutable, all subsequent operations
      fail (e.g. fchown()), even if the operation is legitimate (does not alter
      the current value).
      
      This patch avoids this problem by reporting successful operation to user
      space when that operation does not alter the current value of xattrs/attrs.
      
      With this patch, the one that introduces evm_hmac_disabled() and the one
      that allows a metadata operation on the INTEGRITY_FAIL_IMMUTABLE error, EVM
      portable signatures can be used without disabling metadata verification
      (by setting EVM_ALLOW_METADATA_WRITES). Due to keeping metadata
      verification enabled, altering immutable metadata protected with a portable
      signature that was successfully verified will be denied (existing
      behavior).
      
      Reported-by: kernel test robot <lkp@intel.com> [implicit declaration of function]
      Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
      Reviewed-by: Christian Brauner <christian.brauner@ubuntu.com>
      Cc: Andreas Gruenbacher <agruenba@redhat.com>
      Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
  2. 21 May, 2021 7 commits
    • evm: Pass user namespace to set/remove xattr hooks · 7e135dc7
      Roberto Sassu authored
      In preparation for 'evm: Allow setxattr() and setattr() for unmodified
      metadata', this patch passes mnt_userns to the inode set/remove xattr hooks
      so that the GID of the inode on an idmapped mount is correctly determined
      by posix_acl_update_mode().
      Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
      Reviewed-by: Christian Brauner <christian.brauner@ubuntu.com>
      Cc: Andreas Gruenbacher <agruenba@redhat.com>
      Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
    • evm: Allow xattr/attr operations for portable signatures · cdef685b
      Roberto Sassu authored
      If files with portable signatures are copied from one location to another
      or are extracted from an archive, verification can temporarily fail until
      all xattrs/attrs are set in the destination. Only portable signatures may
      be moved or copied from one file to another, as they don't depend on
      system-specific information such as the inode generation. Instead portable
      signatures must include security.ima.
      
      Unlike other security.evm types, EVM portable signatures are also
      immutable. Thus, it wouldn't be a problem to allow xattr/attr operations
      when verification fails, as portable signatures will never be replaced with
      the HMAC on possibly corrupted xattrs/attrs.
      
      This patch first introduces a new integrity status called
      INTEGRITY_FAIL_IMMUTABLE, that allows callers of
      evm_verify_current_integrity() to detect that a portable signature didn't
      pass verification and then adds an exception in evm_protect_xattr() and
      evm_inode_setattr() for this status and returns 0 instead of -EPERM.
      Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
      Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
    • evm: Introduce evm_hmac_disabled() to safely ignore verification errors · 4a804b8a
      Roberto Sassu authored
      When a file is being created, LSMs can set the initial label with the
      inode_init_security hook. If no HMAC key is loaded, the new file will have
      LSM xattrs but not the HMAC. It is also possible that the file remains
      without protected xattrs after creation if no active LSM provided it, or
      because the filesystem does not support them.
      
      Unfortunately, EVM will deny any further metadata operation on new files,
      as evm_protect_xattr() will return the INTEGRITY_NOLABEL error if protected
      xattrs exist without security.evm, INTEGRITY_NOXATTRS if no protected
      xattrs exist or INTEGRITY_UNKNOWN if xattrs are not supported. This would
      limit the usability of EVM when only a public key is loaded, as commands
      such as cp or tar with the option to preserve xattrs won't work.
      
      This patch introduces the evm_hmac_disabled() function to determine whether
      or not it is safe to ignore verification errors, based on the ability of
      EVM to calculate HMACs. If the HMAC key is not loaded, and it cannot be
      loaded in the future due to the EVM_SETUP_COMPLETE initialization flag,
      allowing an operation despite the attrs/xattrs being found invalid will not
      make them valid.
      
      Since the post hooks can be executed even when the HMAC key is not loaded,
      this patch also ensures that the EVM_INIT_HMAC initialization flag is set
      before the post hooks call evm_update_evmxattr().
      Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
      Suggested-by: Mimi Zohar <zohar@linux.ibm.com> (for ensuring EVM_INIT_HMAC is set)
      Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
    • evm: Introduce evm_revalidate_status() · e3ccfe1a
      Roberto Sassu authored
      When EVM_ALLOW_METADATA_WRITES is set, EVM allows any operation on
      metadata. Its main purpose is to allow users to freely set metadata when it
      is protected by a portable signature, until an HMAC key is loaded.
      
      However, callers of evm_verifyxattr() are not notified about metadata
      changes and continue to rely on the last status returned by the function.
      For example IMA, since it caches the appraisal result, will not call
      evm_verifyxattr() again until the appraisal flags are cleared, and will grant
      access to the file even if there was a metadata operation that made the
      portable signature invalid.
      
      This patch introduces evm_revalidate_status(), which callers of
      evm_verifyxattr() can use in their xattr hooks to determine whether
      re-validation is necessary and to do the proper actions. IMA calls it in
      its xattr hooks to reset the appraisal flags, so that the EVM status is
      re-evaluated after a metadata operation.
      
      Lastly, this patch also adds a call to evm_reset_status() in
      evm_inode_post_setattr() to invalidate the cached EVM status after a
      setattr operation.
      Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
      Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
    • evm: Refuse EVM_ALLOW_METADATA_WRITES only if an HMAC key is loaded · 9acc89d3
      Roberto Sassu authored
      EVM_ALLOW_METADATA_WRITES is an EVM initialization flag that can be set to
      temporarily disable metadata verification until all xattrs/attrs necessary
      to verify an EVM portable signature are copied to the file. This flag is
      cleared when EVM is initialized with an HMAC key, to avoid the HMAC being
      calculated on unverified xattrs/attrs.
      
      Currently EVM unnecessarily denies setting this flag if EVM is initialized
      with a public key, which is not a concern as it cannot be used to trust
      xattrs/attrs updates. This patch removes this limitation.
      
      Fixes: ae1ba167 ("EVM: Allow userland to permit modification of EVM-protected metadata")
      Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
      Cc: stable@vger.kernel.org # 4.16.x
      Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
    • evm: Load EVM key in ima_load_x509() to avoid appraisal · aa2ead71
      Roberto Sassu authored
      The public builtin keys do not need to be appraised by IMA as the
      restriction on the IMA/EVM trusted keyrings ensures that a key can be
      loaded only if it is signed with a key on the builtin or secondary
      keyrings.
      
      However, when evm_load_x509() is called, appraisal is already enabled and
      a valid IMA signature must be added to the EVM key to pass verification.
      
      Since the restriction is applied on both IMA and EVM trusted keyrings, it
      is safe to disable appraisal also when the EVM key is loaded. This patch
      calls evm_load_x509() inside ima_load_x509() if CONFIG_IMA_LOAD_X509 is
      enabled, which crosses the normal IMA and EVM boundary.
      Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
      Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
    • evm: Execute evm_inode_init_security() only when an HMAC key is loaded · 9eea2904
      Roberto Sassu authored
      evm_inode_init_security() requires an HMAC key to calculate the HMAC on
      initial xattrs provided by LSMs. However, it checks generically whether a
      key has been loaded, including also public keys, which is not correct as
      public keys are not suitable to calculate the HMAC.
      
      Originally, support for signature verification was introduced to verify a
      possibly immutable initial ram disk, when no new files are created, and to
      switch to HMAC for the root filesystem. By that time, an HMAC key should
      have been loaded and usable to calculate HMACs for new files.
      
      More recently support for requiring an HMAC key was removed from the
      kernel, so that signature verification can be used alone. Since this is a
      legitimate use case, evm_inode_init_security() should not return an error
      when no HMAC key has been loaded.
      
      This patch fixes this problem by replacing the evm_key_loaded() check with
      a check of the EVM_INIT_HMAC flag in evm_initialized.
      
      Fixes: 26ddabfe ("evm: enable EVM when X509 certificate is loaded")
      Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
      Cc: stable@vger.kernel.org # 4.5.x
      Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
  3. 20 May, 2021 1 commit
    • evm: fix writing <securityfs>/evm overflow · 49219d9b
      Mimi Zohar authored
      EVM_SETUP_COMPLETE is defined as 0x80000000, which is larger than INT_MAX.
      The "-fno-strict-overflow" compiler option properly prevents signaling
      EVM that the EVM policy setup is complete.  Define and read an unsigned
      int.
      
      Fixes: f00d7975 ("EVM: Allow userspace to signal an RSA key has been loaded")
      Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
  4. 16 May, 2021 7 commits
    • Linux 5.13-rc2 · d07f6ca9
      Linus Torvalds authored
    • Merge tag 'driver-core-5.13-rc2' of... · 28183dbf
      Linus Torvalds authored
      Merge tag 'driver-core-5.13-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core
      
      Pull driver core fixes from Greg KH:
       "Here are two driver fixes for driver core changes that happened in
        5.13-rc1.
      
        The clk driver fix resolves a many-reported issue with booting some
        devices, and the USB typec fix resolves the reported problem of USB
        systems on some embedded boards.
      
        Both of these have been in linux-next this week with no reported
        issues"
      
      * tag 'driver-core-5.13-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core:
        clk: Skip clk provider registration when np is NULL
        usb: typec: tcpm: Don't block probing of consumers of "connector" nodes
    • Merge tag 'staging-5.13-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging · 6942d81a
      Linus Torvalds authored
      Pull staging and IIO driver fixes from Greg KH:
       "Here are some small IIO driver fixes and one Staging driver fix for
        5.13-rc2.
      
        Nothing major, just some resolutions for reported problems:
      
         - gcc-11 bogus warning fix for rtl8723bs
      
         - iio driver tiny fixes
      
        All of these have been in linux-next for many days with no reported
        issues"
      
      * tag 'staging-5.13-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging:
        iio: tsl2583: Fix division by a zero lux_val
        iio: core: return ENODEV if ioctl is unknown
        iio: core: fix ioctl handlers removal
        iio: gyro: mpu3050: Fix reported temperature value
        iio: hid-sensors: select IIO_TRIGGERED_BUFFER under HID_SENSOR_IIO_TRIGGER
        iio: proximity: pulsedlight: Fix rumtime PM imbalance on error
        iio: light: gp2ap002: Fix rumtime PM imbalance on error
        staging: rtl8723bs: avoid bogus gcc warning
    • Merge tag 'usb-5.13-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb · 4a668429
      Linus Torvalds authored
      Pull USB fixes from Greg KH:
       "Here are some small USB fixes for 5.13-rc2. They consist of a number
        of resolutions for reported issues:
      
         - typec fixes for found problems
      
         - xhci fixes and quirk additions
      
         - dwc3 driver fixes
      
         - minor fixes found by Coverity
      
         - cdc-wdm fixes for reported problems
      
        All of these have been in linux-next for a few days with no reported
        issues"
      
      * tag 'usb-5.13-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb: (28 commits)
        usb: core: hub: fix race condition about TRSMRCY of resume
        usb: typec: tcpm: Fix SINK_DISCOVERY current limit for Rp-default
        xhci: Add reset resume quirk for AMD xhci controller.
        usb: xhci: Increase timeout for HC halt
        xhci: Do not use GFP_KERNEL in (potentially) atomic context
        xhci: Fix giving back cancelled URBs even if halted endpoint can't reset
        xhci-pci: Allow host runtime PM as default for Intel Alder Lake xHCI
        usb: musb: Fix an error message
        usb: typec: tcpm: Fix wrong handling for Not_Supported in VDM AMS
        usb: typec: tcpm: Send DISCOVER_IDENTITY from dedicated work
        usb: typec: ucsi: Retrieve all the PDOs instead of just the first 4
        usb: fotg210-hcd: Fix an error message
        docs: usb: function: Modify path name
        usb: dwc3: omap: improve extcon initialization
        usb: typec: ucsi: Put fwnode in any case during ->probe()
        usb: typec: tcpm: Fix wrong handling in GET_SINK_CAP
        usb: dwc2: Remove obsolete MODULE_ constants from platform.c
        usb: dwc3: imx8mp: fix error return code in dwc3_imx8mp_probe()
        usb: dwc3: imx8mp: detect dwc3 core node via compatible string
        usb: dwc3: gadget: Return success always for kick transfer in ep queue
        ...
    • Merge tag 'timers-urgent-2021-05-16' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 8ce36481
      Linus Torvalds authored
      Pull timer fixes from Thomas Gleixner:
       "Two fixes for timers:
      
         - Use the ALARM feature check in the alarmtimer core code instead of
           the old method of checking for the set_alarm() callback.
      
           Drivers can have that callback set but the feature bit cleared. If
           such a RTC device is selected then alarms won't work.
      
         - Use a proper define to let the preprocessor check whether Hyper-V
           VDSO clocksource should be active.
      
           The code used a constant in an enum with #ifdef, which evaluates to
           always false and disabled the clocksource for VDSO"
      
      * tag 'timers-urgent-2021-05-16' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        clocksource/drivers/hyper-v: Re-enable VDSO_CLOCKMODE_HVCLOCK on X86
        alarmtimer: Check RTC features instead of ops
    • Merge tag 'for-linus-5.13b-rc2-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip · f44e58bb
      Linus Torvalds authored
      Pull xen fixes from Juergen Gross:
      
       - two patches for error path fixes
      
       - a small series for fixing a regression with swiotlb with Xen on Arm
      
      * tag 'for-linus-5.13b-rc2-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip:
        xen/swiotlb: check if the swiotlb has already been initialized
        arm64: do not set SWIOTLB_NO_FORCE when swiotlb is required
        xen/arm: move xen_swiotlb_detect to arm/swiotlb-xen.h
        xen/unpopulated-alloc: fix error return code in fill_list()
        xen/gntdev: fix gntdev_mmap() error exit path
    • Merge tag 'x86_urgent_for_v5.13_rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · ccb013c2
      Linus Torvalds authored
      Pull x86 fixes from Borislav Petkov:
       "The three SEV commits are not really urgent material. But we figured
        since getting them in now will avoid a huge amount of conflicts
        between future SEV changes touching tip, the kvm and probably other
        trees, sending them to you now would be best.
      
        The idea is that the tip, kvm etc branches for 5.14 will all base
        on top of -rc2 and thus everything will be peachy. What is more, those
        changes are purely mechanical and defines movement so they should be
        fine to go now (famous last words).
      
        Summary:
      
         - Enable -Wundef for the compressed kernel build stage
      
         - Reorganize SEV code to streamline and simplify future development"
      
      * tag 'x86_urgent_for_v5.13_rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        x86/boot/compressed: Enable -Wundef
        x86/msr: Rename MSR_K8_SYSCFG to MSR_AMD64_SYSCFG
        x86/sev: Move GHCB MSR protocol and NAE definitions in a common header
        x86/sev-es: Rename sev-es.{ch} to sev.{ch}
  5. 15 May, 2021 24 commits