tools/testing/selftests/bpf/prog_tests/verify_pkcs7_sig.c

   1 // SPDX-License-Identifier: GPL-2.0
   2
   3 /*
   4  * Copyright (C) 2022 Huawei Technologies Duesseldorf GmbH
   5  *
   6  * Author: Roberto Sassu <[email protected]>
   7  */
   8
   9 #include <stdio.h>
  10 #include <errno.h>
  11 #include <stdlib.h>
  12 #include <unistd.h>
  13 #include <endian.h>
  14 #include <limits.h>
  15 #include <sys/stat.h>
  16 #include <sys/wait.h>
  17 #include <sys/mman.h>
  18 #include <linux/keyctl.h>
  19 #include <sys/xattr.h>
  20 #include <linux/fsverity.h>
  21 #include <test_progs.h>
  22
  23 #include "test_verify_pkcs7_sig.skel.h"
  24 #include "test_sig_in_xattr.skel.h"
  25
  26 #define MAX_DATA_SIZE (1024 * 1024)
  27 #define MAX_SIG_SIZE 1024
  28
  29 #define VERIFY_USE_SECONDARY_KEYRING (1UL)
  30 #define VERIFY_USE_PLATFORM_KEYRING  (2UL)
  31
  32 #ifndef SHA256_DIGEST_SIZE
  33 #define SHA256_DIGEST_SIZE      32
  34 #endif
  35
  36 /* In stripped ARM and x86-64 modules, ~ is surprisingly rare. */
  37 #define MODULE_SIG_STRING "~Module signature appended~\n"
  38
  39 /*
  40  * Module signature information block.
  41  *
  42  * The constituents of the signature section are, in order:
  43  *
  44  *      - Signer's name
  45  *      - Key identifier
  46  *      - Signature data
  47  *      - Information block
  48  */
  49 struct module_signature {
  50         __u8    algo;           /* Public-key crypto algorithm [0] */
  51         __u8    hash;           /* Digest algorithm [0] */
  52         __u8    id_type;        /* Key identifier type [PKEY_ID_PKCS7] */
  53         __u8    signer_len;     /* Length of signer's name [0] */
  54         __u8    key_id_len;     /* Length of key identifier [0] */
  55         __u8    __pad[3];
  56         __be32  sig_len;        /* Length of signature data */
  57 };
  58
  59 struct data {
  60         __u8 data[MAX_DATA_SIZE];
  61         __u32 data_len;
  62         __u8 sig[MAX_SIG_SIZE];
  63         __u32 sig_len;
  64 };
  65
  66 static bool kfunc_not_supported;
  67
  68 static int libbpf_print_cb(enum libbpf_print_level level, const char *fmt,
  69                            va_list args)
  70 {
  71         if (level == LIBBPF_WARN)
  72                 vprintf(fmt, args);
  73
  74         if (strcmp(fmt, "libbpf: extern (func ksym) '%s': not found in kernel or module BTFs\n"))
  75                 return 0;
  76
  77         if (strcmp(va_arg(args, char *), "bpf_verify_pkcs7_signature"))
  78                 return 0;
  79
  80         kfunc_not_supported = true;
  81         return 0;
  82 }
  83
  84 static int _run_setup_process(const char *setup_dir, const char *cmd)
  85 {
  86         int child_pid, child_status;
  87
  88         child_pid = fork();
  89         if (child_pid == 0) {
  90                 execlp("./verify_sig_setup.sh", "./verify_sig_setup.sh", cmd,
  91                        setup_dir, NULL);
  92                 exit(errno);
  93
  94         } else if (child_pid > 0) {
  95                 waitpid(child_pid, &child_status, 0);
  96                 return WEXITSTATUS(child_status);
  97         }
  98
  99         return -EINVAL;
 100 }
 101
 102 static int populate_data_item_str(const char *tmp_dir, struct data *data_item)
 103 {
 104         struct stat st;
 105         char data_template[] = "/tmp/dataXXXXXX";
 106         char path[PATH_MAX];
 107         int ret, fd, child_status, child_pid;
 108
 109         data_item->data_len = 4;
 110         memcpy(data_item->data, "test", data_item->data_len);
 111
 112         fd = mkstemp(data_template);
 113         if (fd == -1)
 114                 return -errno;
 115
 116         ret = write(fd, data_item->data, data_item->data_len);
 117
 118         close(fd);
 119
 120         if (ret != data_item->data_len) {
 121                 ret = -EIO;
 122                 goto out;
 123         }
 124
 125         child_pid = fork();
 126
 127         if (child_pid == -1) {
 128                 ret = -errno;
 129                 goto out;
 130         }
 131
 132         if (child_pid == 0) {
 133                 snprintf(path, sizeof(path), "%s/signing_key.pem", tmp_dir);
 134
 135                 return execlp("./sign-file", "./sign-file", "-d", "sha256",
 136                               path, path, data_template, NULL);
 137         }
 138
 139         waitpid(child_pid, &child_status, 0);
 140
 141         ret = WEXITSTATUS(child_status);
 142         if (ret)
 143                 goto out;
 144
 145         snprintf(path, sizeof(path), "%s.p7s", data_template);
 146
 147         ret = stat(path, &st);
 148         if (ret == -1) {
 149                 ret = -errno;
 150                 goto out;
 151         }
 152
 153         if (st.st_size > sizeof(data_item->sig)) {
 154                 ret = -EINVAL;
 155                 goto out_sig;
 156         }
 157
 158         data_item->sig_len = st.st_size;
 159
 160         fd = open(path, O_RDONLY);
 161         if (fd == -1) {
 162                 ret = -errno;
 163                 goto out_sig;
 164         }
 165
 166         ret = read(fd, data_item->sig, data_item->sig_len);
 167
 168         close(fd);
 169
 170         if (ret != data_item->sig_len) {
 171                 ret = -EIO;
 172                 goto out_sig;
 173         }
 174
 175         ret = 0;
 176 out_sig:
 177         unlink(path);
 178 out:
 179         unlink(data_template);
 180         return ret;
 181 }
 182
 183 static int populate_data_item_mod(struct data *data_item)
 184 {
 185         char mod_path[PATH_MAX], *mod_path_ptr;
 186         struct stat st;
 187         void *mod;
 188         FILE *fp;
 189         struct module_signature ms;
 190         int ret, fd, modlen, marker_len, sig_len;
 191
 192         data_item->data_len = 0;
 193
 194         if (stat("/lib/modules", &st) == -1)
 195                 return 0;
 196
 197         /* Requires CONFIG_TCP_CONG_BIC=m. */
 198         fp = popen("find /lib/modules/$(uname -r) -name tcp_bic.ko", "r");
 199         if (!fp)
 200                 return 0;
 201
 202         mod_path_ptr = fgets(mod_path, sizeof(mod_path), fp);
 203         pclose(fp);
 204
 205         if (!mod_path_ptr)
 206                 return 0;
 207
 208         mod_path_ptr = strchr(mod_path, '\n');
 209         if (!mod_path_ptr)
 210                 return 0;
 211
 212         *mod_path_ptr = '\0';
 213
 214         if (stat(mod_path, &st) == -1)
 215                 return 0;
 216
 217         modlen = st.st_size;
 218         marker_len = sizeof(MODULE_SIG_STRING) - 1;
 219
 220         fd = open(mod_path, O_RDONLY);
 221         if (fd == -1)
 222                 return -errno;
 223
 224         mod = mmap(NULL, st.st_size, PROT_READ, MAP_PRIVATE, fd, 0);
 225
 226         close(fd);
 227
 228         if (mod == MAP_FAILED)
 229                 return -errno;
 230
 231         if (strncmp(mod + modlen - marker_len, MODULE_SIG_STRING, marker_len)) {
 232                 ret = -EINVAL;
 233                 goto out;
 234         }
 235
 236         modlen -= marker_len;
 237
 238         memcpy(&ms, mod + (modlen - sizeof(ms)), sizeof(ms));
 239
 240         sig_len = __be32_to_cpu(ms.sig_len);
 241         modlen -= sig_len + sizeof(ms);
 242
 243         if (modlen > sizeof(data_item->data)) {
 244                 ret = -E2BIG;
 245                 goto out;
 246         }
 247
 248         memcpy(data_item->data, mod, modlen);
 249         data_item->data_len = modlen;
 250
 251         if (sig_len > sizeof(data_item->sig)) {
 252                 ret = -E2BIG;
 253                 goto out;
 254         }
 255
 256         memcpy(data_item->sig, mod + modlen, sig_len);
 257         data_item->sig_len = sig_len;
 258         ret = 0;
 259 out:
 260         munmap(mod, st.st_size);
 261         return ret;
 262 }
 263
 264 static void test_verify_pkcs7_sig_from_map(void)
 265 {
 266         libbpf_print_fn_t old_print_cb;
 267         char tmp_dir_template[] = "/tmp/verify_sigXXXXXX";
 268         char *tmp_dir;
 269         struct test_verify_pkcs7_sig *skel = NULL;
 270         struct bpf_map *map;
 271         struct data data;
 272         int ret, zero = 0;
 273
 274         /* Trigger creation of session keyring. */
 275         syscall(__NR_request_key, "keyring", "_uid.0", NULL,
 276                 KEY_SPEC_SESSION_KEYRING);
 277
 278         tmp_dir = mkdtemp(tmp_dir_template);
 279         if (!ASSERT_OK_PTR(tmp_dir, "mkdtemp"))
 280                 return;
 281
 282         ret = _run_setup_process(tmp_dir, "setup");
 283         if (!ASSERT_OK(ret, "_run_setup_process"))
 284                 goto close_prog;
 285
 286         skel = test_verify_pkcs7_sig__open();
 287         if (!ASSERT_OK_PTR(skel, "test_verify_pkcs7_sig__open"))
 288                 goto close_prog;
 289
 290         old_print_cb = libbpf_set_print(libbpf_print_cb);
 291         ret = test_verify_pkcs7_sig__load(skel);
 292         libbpf_set_print(old_print_cb);
 293
 294         if (ret < 0 && kfunc_not_supported) {
 295                 printf(
 296                   "%s:SKIP:bpf_verify_pkcs7_signature() kfunc not supported\n",
 297                   __func__);
 298                 test__skip();
 299                 goto close_prog;
 300         }
 301
 302         if (!ASSERT_OK(ret, "test_verify_pkcs7_sig__load"))
 303                 goto close_prog;
 304
 305         ret = test_verify_pkcs7_sig__attach(skel);
 306         if (!ASSERT_OK(ret, "test_verify_pkcs7_sig__attach"))
 307                 goto close_prog;
 308
 309         map = bpf_object__find_map_by_name(skel->obj, "data_input");
 310         if (!ASSERT_OK_PTR(map, "data_input not found"))
 311                 goto close_prog;
 312
 313         skel->bss->monitored_pid = getpid();
 314
 315         /* Test without data and signature. */
 316         skel->bss->user_keyring_serial = KEY_SPEC_SESSION_KEYRING;
 317
 318         ret = bpf_map_update_elem(bpf_map__fd(map), &zero, &data, BPF_ANY);
 319         if (!ASSERT_LT(ret, 0, "bpf_map_update_elem data_input"))
 320                 goto close_prog;
 321
 322         /* Test successful signature verification with session keyring. */
 323         ret = populate_data_item_str(tmp_dir, &data);
 324         if (!ASSERT_OK(ret, "populate_data_item_str"))
 325                 goto close_prog;
 326
 327         ret = bpf_map_update_elem(bpf_map__fd(map), &zero, &data, BPF_ANY);
 328         if (!ASSERT_OK(ret, "bpf_map_update_elem data_input"))
 329                 goto close_prog;
 330
 331         /* Test successful signature verification with testing keyring. */
 332         skel->bss->user_keyring_serial = syscall(__NR_request_key, "keyring",
 333                                                  "ebpf_testing_keyring", NULL,
 334                                                  KEY_SPEC_SESSION_KEYRING);
 335
 336         ret = bpf_map_update_elem(bpf_map__fd(map), &zero, &data, BPF_ANY);
 337         if (!ASSERT_OK(ret, "bpf_map_update_elem data_input"))
 338                 goto close_prog;
 339
 340         /*
 341          * Ensure key_task_permission() is called and rejects the keyring
 342          * (no Search permission).
 343          */
 344         syscall(__NR_keyctl, KEYCTL_SETPERM, skel->bss->user_keyring_serial,
 345                 0x37373737);
 346
 347         ret = bpf_map_update_elem(bpf_map__fd(map), &zero, &data, BPF_ANY);
 348         if (!ASSERT_LT(ret, 0, "bpf_map_update_elem data_input"))
 349                 goto close_prog;
 350
 351         syscall(__NR_keyctl, KEYCTL_SETPERM, skel->bss->user_keyring_serial,
 352                 0x3f3f3f3f);
 353
 354         /*
 355          * Ensure key_validate() is called and rejects the keyring (key expired)
 356          */
 357         syscall(__NR_keyctl, KEYCTL_SET_TIMEOUT,
 358                 skel->bss->user_keyring_serial, 1);
 359         sleep(1);
 360
 361         ret = bpf_map_update_elem(bpf_map__fd(map), &zero, &data, BPF_ANY);
 362         if (!ASSERT_LT(ret, 0, "bpf_map_update_elem data_input"))
 363                 goto close_prog;
 364
 365         skel->bss->user_keyring_serial = KEY_SPEC_SESSION_KEYRING;
 366
 367         /* Test with corrupted data (signature verification should fail). */
 368         data.data[0] = 'a';
 369         ret = bpf_map_update_elem(bpf_map__fd(map), &zero, &data, BPF_ANY);
 370         if (!ASSERT_LT(ret, 0, "bpf_map_update_elem data_input"))
 371                 goto close_prog;
 372
 373         ret = populate_data_item_mod(&data);
 374         if (!ASSERT_OK(ret, "populate_data_item_mod"))
 375                 goto close_prog;
 376
 377         /* Test signature verification with system keyrings. */
 378         if (data.data_len) {
 379                 skel->bss->user_keyring_serial = 0;
 380                 skel->bss->system_keyring_id = 0;
 381
 382                 ret = bpf_map_update_elem(bpf_map__fd(map), &zero, &data,
 383                                           BPF_ANY);
 384                 if (!ASSERT_OK(ret, "bpf_map_update_elem data_input"))
 385                         goto close_prog;
 386
 387                 skel->bss->system_keyring_id = VERIFY_USE_SECONDARY_KEYRING;
 388
 389                 ret = bpf_map_update_elem(bpf_map__fd(map), &zero, &data,
 390                                           BPF_ANY);
 391                 if (!ASSERT_OK(ret, "bpf_map_update_elem data_input"))
 392                         goto close_prog;
 393
 394                 skel->bss->system_keyring_id = VERIFY_USE_PLATFORM_KEYRING;
 395
 396                 ret = bpf_map_update_elem(bpf_map__fd(map), &zero, &data,
 397                                           BPF_ANY);
 398                 ASSERT_LT(ret, 0, "bpf_map_update_elem data_input");
 399         }
 400
 401 close_prog:
 402         _run_setup_process(tmp_dir, "cleanup");
 403
 404         if (!skel)
 405                 return;
 406
 407         skel->bss->monitored_pid = 0;
 408         test_verify_pkcs7_sig__destroy(skel);
 409 }
 410
 411 static int get_signature_size(const char *sig_path)
 412 {
 413         struct stat st;
 414
 415         if (stat(sig_path, &st) == -1)
 416                 return -1;
 417
 418         return st.st_size;
 419 }
 420
 421 static int add_signature_to_xattr(const char *data_path, const char *sig_path)
 422 {
 423         char sig[MAX_SIG_SIZE] = {0};
 424         int fd, size, ret;
 425
 426         if (sig_path) {
 427                 fd = open(sig_path, O_RDONLY);
 428                 if (fd < 0)
 429                         return -1;
 430
 431                 size = read(fd, sig, MAX_SIG_SIZE);
 432                 close(fd);
 433                 if (size <= 0)
 434                         return -1;
 435         } else {
 436                 /* no sig_path, just write 32 bytes of zeros */
 437                 size = 32;
 438         }
 439         ret = setxattr(data_path, "user.sig", sig, size, 0);
 440         if (!ASSERT_OK(ret, "setxattr"))
 441                 return -1;
 442
 443         return 0;
 444 }
 445
 446 static int test_open_file(struct test_sig_in_xattr *skel, char *data_path,
 447                           pid_t pid, bool should_success, char *name)
 448 {
 449         int ret;
 450
 451         skel->bss->monitored_pid = pid;
 452         ret = open(data_path, O_RDONLY);
 453         close(ret);
 454         skel->bss->monitored_pid = 0;
 455
 456         if (should_success) {
 457                 if (!ASSERT_GE(ret, 0, name))
 458                         return -1;
 459         } else {
 460                 if (!ASSERT_LT(ret, 0, name))
 461                         return -1;
 462         }
 463         return 0;
 464 }
 465
 466 static void test_pkcs7_sig_fsverity(void)
 467 {
 468         char data_path[PATH_MAX];
 469         char sig_path[PATH_MAX];
 470         char tmp_dir_template[] = "/tmp/verify_sigXXXXXX";
 471         char *tmp_dir;
 472         struct test_sig_in_xattr *skel = NULL;
 473         pid_t pid;
 474         int ret;
 475
 476         tmp_dir = mkdtemp(tmp_dir_template);
 477         if (!ASSERT_OK_PTR(tmp_dir, "mkdtemp"))
 478                 return;
 479
 480         snprintf(data_path, PATH_MAX, "%s/data-file", tmp_dir);
 481         snprintf(sig_path, PATH_MAX, "%s/sig-file", tmp_dir);
 482
 483         ret = _run_setup_process(tmp_dir, "setup");
 484         if (!ASSERT_OK(ret, "_run_setup_process"))
 485                 goto out;
 486
 487         ret = _run_setup_process(tmp_dir, "fsverity-create-sign");
 488
 489         if (ret) {
 490                 printf("%s: SKIP: fsverity [sign|enable] doesn't work.\n"
 491                        "To run this test, try enable CONFIG_FS_VERITY and enable FSVerity for the filesystem.\n",
 492                        __func__);
 493                 test__skip();
 494                 goto out;
 495         }
 496
 497         skel = test_sig_in_xattr__open();
 498         if (!ASSERT_OK_PTR(skel, "test_sig_in_xattr__open"))
 499                 goto out;
 500         ret = get_signature_size(sig_path);
 501         if (!ASSERT_GT(ret, 0, "get_signature_size"))
 502                 goto out;
 503         skel->bss->sig_size = ret;
 504         skel->bss->user_keyring_serial = syscall(__NR_request_key, "keyring",
 505                                                  "ebpf_testing_keyring", NULL,
 506                                                  KEY_SPEC_SESSION_KEYRING);
 507         memcpy(skel->bss->digest, "FSVerity", 8);
 508
 509         ret = test_sig_in_xattr__load(skel);
 510         if (!ASSERT_OK(ret, "test_sig_in_xattr__load"))
 511                 goto out;
 512
 513         ret = test_sig_in_xattr__attach(skel);
 514         if (!ASSERT_OK(ret, "test_sig_in_xattr__attach"))
 515                 goto out;
 516
 517         pid = getpid();
 518
 519         /* Case 1: fsverity is not enabled, open should succeed */
 520         if (test_open_file(skel, data_path, pid, true, "open_1"))
 521                 goto out;
 522
 523         /* Case 2: fsverity is enabled, xattr is missing, open should
 524          * fail
 525          */
 526         ret = _run_setup_process(tmp_dir, "fsverity-enable");
 527         if (!ASSERT_OK(ret, "fsverity-enable"))
 528                 goto out;
 529         if (test_open_file(skel, data_path, pid, false, "open_2"))
 530                 goto out;
 531
 532         /* Case 3: fsverity is enabled, xattr has valid signature, open
 533          * should succeed
 534          */
 535         ret = add_signature_to_xattr(data_path, sig_path);
 536         if (!ASSERT_OK(ret, "add_signature_to_xattr_1"))
 537                 goto out;
 538
 539         if (test_open_file(skel, data_path, pid, true, "open_3"))
 540                 goto out;
 541
 542         /* Case 4: fsverity is enabled, xattr has invalid signature, open
 543          * should fail
 544          */
 545         ret = add_signature_to_xattr(data_path, NULL);
 546         if (!ASSERT_OK(ret, "add_signature_to_xattr_2"))
 547                 goto out;
 548         test_open_file(skel, data_path, pid, false, "open_4");
 549
 550 out:
 551         _run_setup_process(tmp_dir, "cleanup");
 552         if (!skel)
 553                 return;
 554
 555         skel->bss->monitored_pid = 0;
 556         test_sig_in_xattr__destroy(skel);
 557 }
 558
 559 void test_verify_pkcs7_sig(void)
 560 {
 561         if (test__start_subtest("pkcs7_sig_from_map"))
 562                 test_verify_pkcs7_sig_from_map();
 563         if (test__start_subtest("pkcs7_sig_fsverity"))
 564                 test_pkcs7_sig_fsverity();
 565 }