xref: /linux/tools/testing/selftests/bpf/progs/test_sig_in_xattr.c (revision 4b660dbd9ee2059850fd30e0df420ca7a38a1856)
1 // SPDX-License-Identifier: GPL-2.0
2 /* Copyright (c) 2023 Meta Platforms, Inc. and affiliates. */
3 
4 #include "vmlinux.h"
5 #include <errno.h>
6 #include <bpf/bpf_helpers.h>
7 #include <bpf/bpf_tracing.h>
8 #include "bpf_kfuncs.h"
9 
10 char _license[] SEC("license") = "GPL";
11 
12 #ifndef SHA256_DIGEST_SIZE
13 #define SHA256_DIGEST_SIZE      32
14 #endif
15 
16 #define MAX_SIG_SIZE 1024
17 
18 /* By default, "fsverity sign" signs a file with fsverity_formatted_digest
19  * of the file. fsverity_formatted_digest on the kernel side is only used
20  * with CONFIG_FS_VERITY_BUILTIN_SIGNATURES. However, BPF LSM doesn't not
21  * require CONFIG_FS_VERITY_BUILTIN_SIGNATURES, so vmlinux.h may not have
22  * fsverity_formatted_digest. In this test, we intentionally avoid using
23  * fsverity_formatted_digest.
24  *
25  * Luckily, fsverity_formatted_digest is simply 8-byte magic followed by
26  * fsverity_digest. We use a char array of size fsverity_formatted_digest
27  * plus SHA256_DIGEST_SIZE. The magic part of it is filled by user space,
28  * and the rest of it is filled by bpf_get_fsverity_digest.
29  *
30  * Note that, generating signatures based on fsverity_formatted_digest is
31  * the design choice of this selftest (and "fsverity sign"). With BPF
32  * LSM, we have the flexibility to generate signature based on other data
33  * sets, for example, fsverity_digest or only the digest[] part of it.
34  */
35 #define MAGIC_SIZE 8
36 #define SIZEOF_STRUCT_FSVERITY_DIGEST 4  /* sizeof(struct fsverity_digest) */
37 char digest[MAGIC_SIZE + SIZEOF_STRUCT_FSVERITY_DIGEST + SHA256_DIGEST_SIZE];
38 
39 __u32 monitored_pid;
40 char sig[MAX_SIG_SIZE];
41 __u32 sig_size;
42 __u32 user_keyring_serial;
43 
44 SEC("lsm.s/file_open")
45 int BPF_PROG(test_file_open, struct file *f)
46 {
47 	struct bpf_dynptr digest_ptr, sig_ptr;
48 	struct bpf_key *trusted_keyring;
49 	__u32 pid;
50 	int ret;
51 
52 	pid = bpf_get_current_pid_tgid() >> 32;
53 	if (pid != monitored_pid)
54 		return 0;
55 
56 	/* digest_ptr points to fsverity_digest */
57 	bpf_dynptr_from_mem(digest + MAGIC_SIZE, sizeof(digest) - MAGIC_SIZE, 0, &digest_ptr);
58 
59 	ret = bpf_get_fsverity_digest(f, &digest_ptr);
60 	/* No verity, allow access */
61 	if (ret < 0)
62 		return 0;
63 
64 	/* Move digest_ptr to fsverity_formatted_digest */
65 	bpf_dynptr_from_mem(digest, sizeof(digest), 0, &digest_ptr);
66 
67 	/* Read signature from xattr */
68 	bpf_dynptr_from_mem(sig, sizeof(sig), 0, &sig_ptr);
69 	ret = bpf_get_file_xattr(f, "user.sig", &sig_ptr);
70 	/* No signature, reject access */
71 	if (ret < 0)
72 		return -EPERM;
73 
74 	trusted_keyring = bpf_lookup_user_key(user_keyring_serial, 0);
75 	if (!trusted_keyring)
76 		return -ENOENT;
77 
78 	/* Verify signature */
79 	ret = bpf_verify_pkcs7_signature(&digest_ptr, &sig_ptr, trusted_keyring);
80 
81 	bpf_key_put(trusted_keyring);
82 	return ret;
83 }
84