From: Roberto Sassu
Add a linked list of hash tables to the digest cache, one per algorithm,
containing the digests extracted from digest lists.
The number of hash table slots is determined by dividing the number of
digests to add by the average depth of the collision list defined with
CONFIG_DI
From: Roberto Sassu
In the environments where xattrs are not available (e.g. in the initial ram
disk), the Integrity Digest Cache cannot precisely determine which digest
list in a directory contains the desired reference digest. However,
although slower, it would be desirable to search the digest
From: Roberto Sassu
The Integrity Digest Cache can support other LSMs in their decisions of
granting access to file data and metadata.
However, the information alone about whether a digest was found in a digest
cache might not be sufficient, because for example those LSMs wouldn't know
about the
From: Roberto Sassu
Introduce digest_cache_populate() to populate the digest cache from a
digest list. Call it from digest_cache_init() if the inode is a regular
file.
It opens the file, marks it for internal use with
digest_cache_to_file_sec(), and then schedules a work to read the content
(wit
From: Roberto Sassu
Add tests to verify the correctness of the Integrity Digest Cache, in
all_test.c.
Add the kernel module digest_cache_kern.ko, to let all_test call the API
of the Integrity Digest Cache through the newly introduced
digest_cache_test file in /integrity/digest_cache.
Test cover
From: Roberto Sassu
Register six new LSM hooks on behalf of the IMA LSM, path_truncate,
file_release, inode_unlink, inode_rename, inode_post_setxattr and
inode_post_removexattr, to monitor digest lists/parent directory
modifications.
If an action affects a digest list or the parent directory, th
From: Roberto Sassu
Allow kernel modules to register/deregister new digest list parsers,
respectively through digest_cache_register_parser() and
digest_cache_unregister_parser().
Those functions pass the new parser structure holding the linked list
pointers and a parsing function with the new ty
From: Roberto Sassu
Add digest_list_parse_tlv(), to parse TLV-formatted (Type Length Value)
digest lists. Their structure is:
[field: DIGEST_LIST_ALGO, length, value]
[field: DIGEST_LIST_NUM_ENTRIES, length, value]
[field: DIGEST_LIST_ENTRY#1, length, value (below)]
|- [DIGEST_LIST_ENTRY_DIGEST
From: Roberto Sassu
A desirable goal when doing integrity measurements is that they are done
always in the same order across boots, so that the resulting PCR value
becomes predictable and suitable for sealing policies. However, due to
parallel execution of system services at boot, a deterministic
From: Roberto Sassu
Add the documentation of the Integrity Digest Cache in
Documentation/security.
Signed-off-by: Roberto Sassu
---
Documentation/security/digest_cache.rst | 850
Documentation/security/index.rst | 1 +
MAINTAINERS |
From: Roberto Sassu
Add the 'digest_cache=' policy keyword, to enable the usage of digest
caches for specific IMA actions and purpose.
At the moment, it accepts only 'data' as value, as digest caches can be
used only for measurement and appraisal of file data. In the future, it
might be possible
From: Roberto Sassu
Add a digest cache pointer to the ima_iint_cache structure and introduce
ima_digest_cache_get_check() to retrieve a fresh digest cache and compare
with the pointer stored in the previous calls (if digest cache was enabled
in the IMA policy).
If the pointers don't match, reset
From: Roberto Sassu
Setting the boot-time built-in policies 'digest_cache_measure' and
'digest_cache_appraise' is not sufficient to use the Integrity Digest Cache
to measure and appraise files, since their effect is only to measure and
appraise digest lists.
Modify existing measurement rules if
From: Roberto Sassu
The Integrity Digest Cache allows integrity providers to record how the
digest list being used to populate the digest cache was verified.
Integrity providers can register a kernel_post_read_file LSM hook
implementation, and call digest_cache_verif_set() providing the result o
From: Roberto Sassu
Introduce ima_digest_cache_load_verified_usage() to retrieve the verified
usage from the digest cache pointer returned by digest_cache_lookup().
Verified usage cannot be loaded from the digest cache returned by
digest_cache_get() since the latter might return a directory dige
From: Roberto Sassu
Similarly to measurement, enable the new appraisal style too using digest
caches.
It allows files to be verified by only checking the signature of the
package they belong to (as opposed to checking individual file signatures),
and by doing a digest lookup in the digest cache.
From: Roberto Sassu
One of the IMA shortcomings over the years has been the availability of
reference digest values for appraisal. Recently, the situation improved
and some Linux distributions are including file signatures, such as
Fedora 39.
The Integrity Digest Cache takes a different approach
From: Roberto Sassu
Add a parser of a generic Type-Length-Value (TLV) format:
+--------------+------------+------------------+
| field1 (u16) | len1 (u32) | value1 (u8 len1) |
+--------------+------------+------------------+
| ...          | ...        | ...              |
+--------------+------------+------------------+
From: Roberto Sassu
Introduce DIGEST_LIST_CHECK, a new hook to check the integrity of digest
lists.
The new hook is invoked during a kernel read with the file type
READING_DIGEST LIST, which is done by the Integrity Digest Cache when it is
populating a digest cache with a digest list.
The new h
From: Roberto Sassu
Integrity detection and protection has long been a desirable feature, to
reach a large user base and mitigate the risk of flaws in the software
and attacks.
However, while solutions exist, they struggle to reach a large user base,
due to requiring higher than desired constrai
From: Roberto Sassu
Introduce the Integrity Digest Cache, to collect digests from various
sources (called digest lists), and to store them in kernel memory, in a set
of hash tables forming a digest cache. Extracted digests can be used as
reference values for integrity verification of file data or
From: Roberto Sassu
Introduce ksys_finit_module() to let kernel components request a kernel
module without requiring running modprobe.
Signed-off-by: Roberto Sassu
---
include/linux/syscalls.h | 10 ++
kernel/module/main.c | 43 ++--
2 files chan
From: Roberto Sassu
Create the digest_cache directory in /integrity, and add the
default_path file, to let root change/read the default path (file or
directory) from where digest lists are looked up.
An RW semaphore prevents the default path from changing while
digest_list_new() and read_default
From: Roberto Sassu
Introduce digest_cache_init() to initialize created digest caches. Since
initialization happens after releasing both the dig_owner_mutex and
dig_user_mutex locks (to avoid a lock inversion with VFS locks), any caller
of digest_cache_get() can potentially be in charge of initia
On Tue, Nov 19, 2024 at 2:30 AM Pasha Tatashin
wrote:
> > Can you point me to where a refcounted reference to the page comes
> > from when page_detective_metadata() calls dump_page_lvl()?
>
> I am sorry, I remembered incorrectly, we are getting reference right
> after dump_page_lvl() in page_detec
On Tue, Nov 19, 2024 at 01:52:00PM +0100, Jann Horn wrote:
> > I will take reference, as we already do that for memcg purpose, but
> > have not included dump_page().
>
> Note that taking a reference on the page does not make all of
> dump_page() fine; in particular, my understanding is that
> foli
On Tue, Nov 19, 2024 at 11:35:47AM -0800, Yosry Ahmed wrote:
> On Tue, Nov 19, 2024 at 11:30 AM Pasha Tatashin
> wrote:
> >
> > On Tue, Nov 19, 2024 at 1:23 PM Roman Gushchin
> > wrote:
> > >
> > > On Tue, Nov 19, 2024 at 10:08:36AM -0500, Pasha Tatashin wrote:
> > > > On Mon, Nov 18, 2024 at 8:
On Tue, Nov 19, 2024 at 01:14:02PM +0100, Christoph Hellwig wrote:
> On Tue, Nov 19, 2024 at 11:49:09AM +0100, Roberto Sassu wrote:
> > From: Roberto Sassu
> >
> > Introduce ksys_finit_module() to let kernel components request a kernel
> > module without requiring running modprobe.
>
> That does
On 19/11/24 11:45, Steven Rostedt wrote:
> On Tue, 19 Nov 2024 16:34:47 +0100
> Valentin Schneider wrote:
>
>> Context
>> ===
>>
>> We've observed within Red Hat that isolated, NOHZ_FULL CPUs running a
>> pure-userspace application get regularly interrupted by IPIs sent from
>> housekeeping C
On Tue, Nov 19, 2024 at 11:49:09AM +0100, Roberto Sassu wrote:
> From: Roberto Sassu
>
> Introduce ksys_finit_module() to let kernel components request a kernel
> module without requiring running modprobe.
That does sound more than sketchy, even more so because the commit log
completely fails to
With NO_HZ_IDLE, we get CONTEXT_TRACKING_IDLE, so we get these
transitions:
ct_idle_enter()
ct_kernel_exit()
ct_state_inc_clear_work()
ct_idle_exit()
ct_kernel_enter()
ct_work_flush()
With just CONTEXT_TRACKING_IDLE, ct_state_inc_clear_work() is just
ct_state_inc() and ct
Later commits will cause objtool to warn about non __ro_after_init static
keys being used in .noinstr sections in order to safely defer instruction
patching IPIs targeted at NOHZ_FULL CPUs.
Two such keys currently exist: mds_idle_clear and __sched_clock_stable,
which can both be modified at runtim
Later commits will cause objtool to warn about non __ro_after_init static
keys being used in .noinstr sections in order to safely defer instruction
patching IPIs targeted at NOHZ_FULL CPUs.
__sched_clock_stable is used in .noinstr code, and can be modified at
runtime (e.g. KVM module loading). Sup
On Tue, Nov 19, 2024 at 4:14 PM Pasha Tatashin
wrote:
> On Tue, Nov 19, 2024 at 7:52 AM Jann Horn wrote:
> > On Tue, Nov 19, 2024 at 2:30 AM Pasha Tatashin
> > wrote:
> > > > Can you point me to where a refcounted reference to the page comes
> > > > from when page_detective_metadata() calls dump
On Tue, Nov 19, 2024 at 04:34:48PM +0100, Valentin Schneider wrote:
> call_dest_name() does not get passed the file pointer of validate_call(),
> which means its invocation of insn_reloc() will always return NULL. Make it
> take a file pointer.
>
> While at it, make sure call_dest_name() uses arch
On Tue, Nov 19, 2024 at 04:34:49PM +0100, Valentin Schneider wrote:
> I had to look into objtool itself to understand what this warning was
> about; make it more explicit.
>
> Signed-off-by: Valentin Schneider
Acked-by: Josh Poimboeuf
--
Josh
On Tue, Nov 19, 2024 at 1:23 PM Roman Gushchin wrote:
>
> On Tue, Nov 19, 2024 at 10:08:36AM -0500, Pasha Tatashin wrote:
> > On Mon, Nov 18, 2024 at 8:09 PM Greg KH wrote:
> > >
> > > On Mon, Nov 18, 2024 at 05:08:42PM -0500, Pasha Tatashin wrote:
> > > > Additionally, using crash/drgn is not fe
On Mon, Nov 18, 2024 at 8:09 PM Greg KH wrote:
>
> On Mon, Nov 18, 2024 at 05:08:42PM -0500, Pasha Tatashin wrote:
> > Additionally, using crash/drgn is not feasible for us at this time, it
> > requires keeping external tools on our hosts, also it requires
> > approval and a security review for ea
call_dest_name() does not get passed the file pointer of validate_call(),
which means its invocation of insn_reloc() will always return NULL. Make it
take a file pointer.
While at it, make sure call_dest_name() uses arch_dest_reloc_offset(),
otherwise it gets the pv_ops[] offset wrong.
Fabricatin
I had to look into objtool itself to understand what this warning was
about; make it more explicit.
Signed-off-by: Valentin Schneider
---
tools/objtool/check.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/objtool/check.c b/tools/objtool/check.c
index 5f1d0f95fc04b..0
On Tue, Nov 19, 2024 at 11:49:07AM +0100, Roberto Sassu wrote:
> From: Roberto Sassu
> v5:
> - Add new patch to introduce ksys_finit_module()
Why?
Luis
On Tue, Nov 19, 2024 at 11:30 AM Pasha Tatashin
wrote:
>
> On Tue, Nov 19, 2024 at 1:23 PM Roman Gushchin
> wrote:
> >
> > On Tue, Nov 19, 2024 at 10:08:36AM -0500, Pasha Tatashin wrote:
> > > On Mon, Nov 18, 2024 at 8:09 PM Greg KH
> > > wrote:
> > > >
> > > > On Mon, Nov 18, 2024 at 05:08:42
On Tue, Nov 19, 2024 at 04:34:53PM +0100, Valentin Schneider wrote:
> Later commits will cause objtool to warn about non __ro_after_init static
> keys being used in .noinstr sections in order to safely defer instruction
> patching IPIs targeted at NOHZ_FULL CPUs.
Don't we need similar checking for
Add George from ChromeOS.
On Mon, Nov 18, 2024 at 3:49 PM Rong Xu wrote:
>
> This patch looks good to me.
>
> I assume the profile format change in the Android doc will be submitted soon.
> Since "extbinary" is a superset of "binary", using the "extbinary"
> format profile
> in Android shouldn't
On Tue, Nov 19, 2024 at 04:34:53PM +0100, Valentin Schneider wrote:
> +++ b/include/linux/jump_label.h
> @@ -200,7 +200,8 @@ struct module;
> #define JUMP_TYPE_FALSE 0UL
> #define JUMP_TYPE_TRUE 1UL
> #define JUMP_TYPE_LINKED 2UL
> -#define JUMP_TYPE_MASK
On Tue, Nov 19, 2024 at 7:52 AM Jann Horn wrote:
>
> On Tue, Nov 19, 2024 at 2:30 AM Pasha Tatashin
> wrote:
> > > Can you point me to where a refcounted reference to the page comes
> > > from when page_detective_metadata() calls dump_page_lvl()?
> >
> > I am sorry, I remembered incorrectly, we a
On Tue, 19 Nov 2024 16:34:47 +0100
Valentin Schneider wrote:
> Context
> ===
>
> We've observed within Red Hat that isolated, NOHZ_FULL CPUs running a
> pure-userspace application get regularly interrupted by IPIs sent from
> housekeeping CPUs. Those IPIs are caused by activity on the housek
On Tue, 2024-11-19 at 08:46 -0800, Randy Dunlap wrote:
> Hi--
>
> On 11/19/24 2:49 AM, Roberto Sassu wrote:
> > +/**
> > + * struct parser - Structure to store a function pointer to parse digest
> > list
> > + * @list: Linked list
> > + * @owner: Kernel module owning the parser
> > + * @name: Par
Hi--
On 11/19/24 2:49 AM, Roberto Sassu wrote:
> +/**
> + * struct parser - Structure to store a function pointer to parse digest list
> + * @list: Linked list
> + * @owner: Kernel module owning the parser
> + * @name: Parser name (must match the format in the digest list file name)
> + * @func: F
Hi--
On 11/19/24 2:49 AM, Roberto Sassu wrote:
> +/**
> + * typedef callback - Callback after parsing TLV entry
Same as my other naming comment -- too generic.
Maybe tlv_callback...
Thanks.
> + * @callback_data: Opaque data to supply to the callback function
> + * @field: Field identifier
> + *
Hello Jakub,
On Mon, Nov 18, 2024 at 06:33:36PM -0800, Jakub Kicinski wrote:
> Sorry for the late review, I think this will miss v6.13 :(
That is fine, there is no rush for this change.
> On Wed, 13 Nov 2024 07:10:53 -0800 Breno Leitao wrote:
> > /**
> > * struct netconsole_target - Represent
From: Roberto Sassu
Introduce a new measurement style using digest caches, which can be
performed exclusively on non-standard PCRs, to avoid ambiguity.
While a measurement on the standard PCR means that a file was accessed and
had the measured data, a measurement with the digest cache means only
On Tue, 2024-11-19 at 13:14 +0100, Christoph Hellwig wrote:
> On Tue, Nov 19, 2024 at 11:49:09AM +0100, Roberto Sassu wrote:
> > From: Roberto Sassu
> >
> > Introduce ksys_finit_module() to let kernel components request a kernel
> > module without requiring running modprobe.
>
> That does sound
sched_clock_running is only ever enabled in the __init functions
sched_clock_init() and sched_clock_init_late(), and is never disabled. Mark
it __ro_after_init.
Signed-off-by: Valentin Schneider
---
kernel/sched/clock.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/s
A later commit will reduce the size of the RCU watching counter to free up
some bits for another purpose. Paul suggested adding a config option to
test the extreme case where the counter is reduced to its minimum usable
width for rcutorture to poke at, so do that.
Make it only configurable under R
Context
===
We've observed within Red Hat that isolated, NOHZ_FULL CPUs running a
pure-userspace application get regularly interrupted by IPIs sent from
housekeeping CPUs. Those IPIs are caused by activity on the housekeeping CPUs
leading to various on_each_cpu() calls, e.g.:
64359.05220959
We now have an RCU_EXPERT config for testing small-sized RCU dynticks
counter: CONFIG_RCU_DYNTICKS_TORTURE.
Modify scenario TREE04 to exercise to use this config in order to test a
ridiculously small counter (2 bits).
Link:
http://lore.kernel.org/r/4c2cb573-168f-4806-b1d9-164e8276e66a@paulmck-l
Later commits will cause objtool to warn about non __ro_after_init static
keys being used in .noinstr sections in order to safely defer instruction
patching IPIs targeted at NOHZ_FULL CPUs.
mds_idle_clear is used in .noinstr code, and can be modified at
runtime (SMT hotplug). Suppressing the text_
Later commits will disallow runtime-mutable text in .noinstr sections in
order to safely defer instruction patching IPIs.
All static keys used in .noinstr sections have now been checked as being
either flagged as __ro_after_init, or as forceful static keys. Any
occurrence of this new warning would
smp_call_function() & friends have the unfortunate habit of sending IPIs to
isolated, NOHZ_FULL, in-userspace CPUs, as they blindly target all online
CPUs.
Some callsites can be bent into doing the right, such as done by commit:
cc9e303c91f5 ("x86/cpu: Disable frequency requests via aperfmperf
Forceful static keys are used in early entry code where it is unsafe to
defer the sync_core() IPIs, and flagged as such via their ->type field.
Record that information when creating a text_poke_loc. The
text_poke_loc.old field is written to when first iterating a text_poke()
entry, and as such can
vunmap()'s issued from housekeeping CPUs are a relatively common source of
interference for isolated NOHZ_FULL CPUs, as they are hit by the
flush_tlb_kernel_range() IPIs.
Given that CPUs executing in userspace do not access data in the vmalloc
range, these IPIs could be deferred until their next k
text_poke_bp_batch() sends IPIs to all online CPUs to synchronize
them vs the newly patched instruction. CPUs that are executing in userspace
do not need this synchronization to happen immediately, and this is
actually harmful interference for NOHZ_FULL CPUs.
As the synchronization IPIs are sent u
Kernel TLB invalidation IPIs are a common source of interference on
NOHZ_FULL CPUs. Given NOHZ_FULL CPUs executing in userspace are not
accessing any kernel addresses, these invalidations do not need to happen
immediately, and can be deferred until the next user->kernel transition.
Add a minimal,
On Tue, Nov 19, 2024 at 10:08:36AM -0500, Pasha Tatashin wrote:
> On Mon, Nov 18, 2024 at 8:09 PM Greg KH wrote:
> >
> > On Mon, Nov 18, 2024 at 05:08:42PM -0500, Pasha Tatashin wrote:
> > > Additionally, using crash/drgn is not feasible for us at this time, it
> > > requires keeping external tool