| Message ID | 20200130020129.15328-1-skhan@linuxfoundation.org (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | security/integrity: Include __func__ in messages for easier debug | expand |
On Wed, 2020-01-29 at 19:01 -0700, Shuah Khan wrote: > Change messages to messages to make it easier to debug. The following > error message isn't informative enough to figure out what failed. > Change messages to include function information. > > Signed-off-by: Shuah Khan <skhan@linuxfoundation.org> > --- > .../integrity/platform_certs/load_powerpc.c | 14 ++++++++------ > security/integrity/platform_certs/load_uefi.c | 17 ++++++++++------- > 2 files changed, 18 insertions(+), 13 deletions(-) > > diff --git a/security/integrity/platform_certs/load_powerpc.c b/security/integrity/platform_certs/load_powerpc.c perhaps instead add #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt so all the pr_<level> logging is more specific. This would prefix all pr_<level> output with "integrity: " 3integrity: Couldn't get size: 0x%lx 3integrity: Error reading db var: 0x%lx 3integrity: MODSIGN: Couldn't get UEFI db list 3integrity: Couldn't parse db signatures: %d 6integrity: Couldn't get UEFI MokListRT 3integrity: Couldn't parse MokListRT signatures: %d 6integrity: Couldn't get UEFI dbx list 3integrity: Couldn't parse dbx signatures: %d 5integrity: Platform Keyring initialized 6integrity: Error adding keys to platform keyring %s --- security/integrity/platform_certs/load_powerpc.c | 3 +++ security/integrity/platform_certs/load_uefi.c | 2 ++ security/integrity/platform_certs/platform_keyring.c | 2 ++ 3 files changed, 7 insertions(+) diff --git a/security/integrity/platform_certs/load_powerpc.c b/security/integrity/platform_certs/load_powerpc.c index a2900c..5cfbd0 100644 --- a/security/integrity/platform_certs/load_powerpc.c +++ b/security/integrity/platform_certs/load_powerpc.c @@ -5,6 +5,9 @@ * * - loads keys and hashes stored and controlled by the firmware. */ + +#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt + #include <linux/kernel.h> #include <linux/sched.h> #include <linux/cred.h> diff --git a/security/integrity/platform_certs/load_uefi.c b/security/integrity/platform_certs/load_uefi.c index 111898a..480450a 100644 --- a/security/integrity/platform_certs/load_uefi.c +++ b/security/integrity/platform_certs/load_uefi.c @@ -1,5 +1,7 @@ // SPDX-License-Identifier: GPL-2.0 +#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt + #include <linux/kernel.h> #include <linux/sched.h> #include <linux/cred.h> diff --git a/security/integrity/platform_certs/platform_keyring.c b/security/integrity/platform_certs/platform_keyring.c index 7646e35..9bd2846 100644 --- a/security/integrity/platform_certs/platform_keyring.c +++ b/security/integrity/platform_certs/platform_keyring.c @@ -6,6 +6,8 @@ * Author(s): Nayna Jain <nayna@linux.ibm.com> */ +#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt + #include <linux/export.h> #include <linux/kernel.h> #include <linux/sched.h>
On Wed, 2020-01-29 at 19:08 -0800, Joe Perches wrote: > On Wed, 2020-01-29 at 19:01 -0700, Shuah Khan wrote: > > Change messages to messages to make it easier to debug. The following > > error message isn't informative enough to figure out what failed. > > Change messages to include function information. > > > > Signed-off-by: Shuah Khan <skhan@linuxfoundation.org> > > --- > > .../integrity/platform_certs/load_powerpc.c | 14 ++++++++------ > > security/integrity/platform_certs/load_uefi.c | 17 ++++++++++------- > > 2 files changed, 18 insertions(+), 13 deletions(-) > > > > diff --git a/security/integrity/platform_certs/load_powerpc.c b/security/integrity/platform_certs/load_powerpc.c > > perhaps instead add #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt > so all the pr_<level> logging is more specific. > > This would prefix all pr_<level> output with "integrity: " Agreed. Joe, could you post a patch with a proper patch description for this? thanks, Mimi
On 1/29/20 10:08 PM, Joe Perches wrote: > On Wed, 2020-01-29 at 19:01 -0700, Shuah Khan wrote: >> Change messages to messages to make it easier to debug. The following >> error message isn't informative enough to figure out what failed. >> Change messages to include function information. >> >> Signed-off-by: Shuah Khan <skhan@linuxfoundation.org> >> --- >> .../integrity/platform_certs/load_powerpc.c | 14 ++++++++------ >> security/integrity/platform_certs/load_uefi.c | 17 ++++++++++------- >> 2 files changed, 18 insertions(+), 13 deletions(-) >> >> diff --git a/security/integrity/platform_certs/load_powerpc.c b/security/integrity/platform_certs/load_powerpc.c > perhaps instead add #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt > so all the pr_<level> logging is more specific. > > This would prefix all pr_<level> output with "integrity: " > > 3integrity: Couldn't get size: 0x%lx > 3integrity: Error reading db var: 0x%lx > 3integrity: MODSIGN: Couldn't get UEFI db list > 3integrity: Couldn't parse db signatures: %d > 6integrity: Couldn't get UEFI MokListRT > 3integrity: Couldn't parse MokListRT signatures: %d > 6integrity: Couldn't get UEFI dbx list > 3integrity: Couldn't parse dbx signatures: %d > > 5integrity: Platform Keyring initialized > 6integrity: Error adding keys to platform keyring %s > > --- > security/integrity/platform_certs/load_powerpc.c | 3 +++ > security/integrity/platform_certs/load_uefi.c | 2 ++ > security/integrity/platform_certs/platform_keyring.c | 2 ++ > 3 files changed, 7 insertions(+) > > diff --git a/security/integrity/platform_certs/load_powerpc.c b/security/integrity/platform_certs/load_powerpc.c > index a2900c..5cfbd0 100644 > --- a/security/integrity/platform_certs/load_powerpc.c > +++ b/security/integrity/platform_certs/load_powerpc.c > @@ -5,6 +5,9 @@ > * > * - loads keys and hashes stored and controlled by the firmware. > */ > + > +#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt > + Looks good. How about slight addition in it as below: #define pr_fmt(fmt) KBUILD_MODNAME ": load_powerpc: " fmt > #include <linux/kernel.h> > #include <linux/sched.h> > #include <linux/cred.h> > diff --git a/security/integrity/platform_certs/load_uefi.c b/security/integrity/platform_certs/load_uefi.c > index 111898a..480450a 100644 > --- a/security/integrity/platform_certs/load_uefi.c > +++ b/security/integrity/platform_certs/load_uefi.c > @@ -1,5 +1,7 @@ > // SPDX-License-Identifier: GPL-2.0 > > +#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt Similarly... #define pr_fmt(fmt) KBUILD_MODNAME ": load_uefi: " fmt > + > #include <linux/kernel.h> > #include <linux/sched.h> > #include <linux/cred.h> > diff --git a/security/integrity/platform_certs/platform_keyring.c b/security/integrity/platform_certs/platform_keyring.c > index 7646e35..9bd2846 100644 > --- a/security/integrity/platform_certs/platform_keyring.c > +++ b/security/integrity/platform_certs/platform_keyring.c > @@ -6,6 +6,8 @@ > * Author(s): Nayna Jain <nayna@linux.ibm.com> > */ > > +#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt Same here... #define pr_fmt(fmt) KBUILD_MODNAME ": platform_keyring: " fmt Thanks & Regards, - Nayna
On 2/3/20 6:21 AM, Mimi Zohar wrote: > On Wed, 2020-01-29 at 19:08 -0800, Joe Perches wrote: >> On Wed, 2020-01-29 at 19:01 -0700, Shuah Khan wrote: >>> Change messages to messages to make it easier to debug. The following >>> error message isn't informative enough to figure out what failed. >>> Change messages to include function information. >>> >>> Signed-off-by: Shuah Khan <skhan@linuxfoundation.org> >>> --- >>> .../integrity/platform_certs/load_powerpc.c | 14 ++++++++------ >>> security/integrity/platform_certs/load_uefi.c | 17 ++++++++++------- >>> 2 files changed, 18 insertions(+), 13 deletions(-) >>> >>> diff --git a/security/integrity/platform_certs/load_powerpc.c b/security/integrity/platform_certs/load_powerpc.c >> >> perhaps instead add #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt >> so all the pr_<level> logging is more specific. >> >> This would prefix all pr_<level> output with "integrity: " > Joe! Sorry for the delay in getting back to you. > Agreed. Joe, could you post a patch with a proper patch description > for this? > I have been looking into this a bit more and there is an opportunity here to add #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt to integrity.h and get rid of duplicate defines. thanks, -- Shuah
On Mon, 2020-02-03 at 11:55 -0700, Shuah Khan wrote: > On 2/3/20 6:21 AM, Mimi Zohar wrote: > > On Wed, 2020-01-29 at 19:08 -0800, Joe Perches wrote: > > > On Wed, 2020-01-29 at 19:01 -0700, Shuah Khan wrote: > > > > Change messages to messages to make it easier to debug. The following > > > > error message isn't informative enough to figure out what failed. > > > > Change messages to include function information. > > > > > > > > Signed-off-by: Shuah Khan <skhan@linuxfoundation.org> > > > > --- > > > > .../integrity/platform_certs/load_powerpc.c | 14 ++++++++------ > > > > security/integrity/platform_certs/load_uefi.c | 17 ++++++++++------- > > > > 2 files changed, 18 insertions(+), 13 deletions(-) > > > > > > > > diff --git a/security/integrity/platform_certs/load_powerpc.c b/security/integrity/platform_certs/load_powerpc.c > > > > > > perhaps instead add #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt > > > so all the pr_<level> logging is more specific. > > > > > > This would prefix all pr_<level> output with "integrity: " > > Joe! Sorry for the delay in getting back to you. > > > Agreed. Joe, could you post a patch with a proper patch description > > for this? > > > > I have been looking into this a bit more and there is an opportunity > here to add #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt to integrity.h > and get rid of duplicate defines. That might work but: $ git grep --name-only 'integrity\.h' security | xargs grep pr_fmt security/integrity/digsig.c:#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt security/integrity/digsig_asymmetric.c:#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt security/integrity/evm/evm_main.c:#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt security/security.c:#define pr_fmt(fmt) "LSM: " fmt Here security.c already uses "LSM: " Does anyone care about the LSM: prefix?
On Mon, 2020-02-03 at 10:15 -0500, Nayna wrote: > On 1/29/20 10:08 PM, Joe Perches wrote: > > On Wed, 2020-01-29 at 19:01 -0700, Shuah Khan wrote: > > > Change messages to messages to make it easier to debug. The following > > > error message isn't informative enough to figure out what failed. > > > Change messages to include function information. > > > > > > Signed-off-by: Shuah Khan <skhan@linuxfoundation.org> > > > --- > > > .../integrity/platform_certs/load_powerpc.c | 14 ++++++++------ > > > security/integrity/platform_certs/load_uefi.c | 17 ++++++++++------- > > > 2 files changed, 18 insertions(+), 13 deletions(-) > > > > > > diff --git a/security/integrity/platform_certs/load_powerpc.c b/security/integrity/platform_certs/load_powerpc.c > > perhaps instead add #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt > > so all the pr_<level> logging is more specific. > > > > This would prefix all pr_<level> output with "integrity: " > > > > 3integrity: Couldn't get size: 0x%lx > > 3integrity: Error reading db var: 0x%lx > > 3integrity: MODSIGN: Couldn't get UEFI db list > > 3integrity: Couldn't parse db signatures: %d > > 6integrity: Couldn't get UEFI MokListRT > > 3integrity: Couldn't parse MokListRT signatures: %d > > 6integrity: Couldn't get UEFI dbx list > > 3integrity: Couldn't parse dbx signatures: %d > > > > 5integrity: Platform Keyring initialized > > 6integrity: Error adding keys to platform keyring %s > > > > --- > > security/integrity/platform_certs/load_powerpc.c | 3 +++ > > security/integrity/platform_certs/load_uefi.c | 2 ++ > > security/integrity/platform_certs/platform_keyring.c | 2 ++ > > 3 files changed, 7 insertions(+) > > > > diff --git a/security/integrity/platform_certs/load_powerpc.c b/security/integrity/platform_certs/load_powerpc.c > > index a2900c..5cfbd0 100644 > > --- a/security/integrity/platform_certs/load_powerpc.c > > +++ b/security/integrity/platform_certs/load_powerpc.c > > @@ -5,6 +5,9 @@ > > * > > * - loads keys and hashes stored and controlled by the firmware. > > */ > > + > > +#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt > > + > > Looks good. How about slight addition in it as below: > > #define pr_fmt(fmt) KBUILD_MODNAME ": load_powerpc: " fmt Perhaps another way to do that is to use: --- security/integrity/integrity.h | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h index 543d277..b78469 100644 --- a/security/integrity/integrity.h +++ b/security/integrity/integrity.h @@ -6,6 +6,12 @@ * Mimi Zohar <zohar@us.ibm.com> */ +#ifdef pr_fmt +#undef pr_fmt +#endif + +#define pr_fmt(fmt) KBUILD_MODNAME ": " KBUILD_BASENAME ": " fmt + #include <linux/types.h> #include <linux/integrity.h> #include <crypto/sha.h> That would create these string differences in security: $ diff -urN old new --- old 2020-02-03 11:11:46.403134346 -0800 +++ new 2020-02-03 11:12:15.407135326 -0800 @@ -43,76 +43,81 @@ 2 48 8 14 xattr_data:271 80 68 8 data:306 2 48 8 9 entry:136 80 72 14 event_data:138 2 48 8 9 entry:305 80 72 14 event_data:306 -2ima: ahash calculation failed: err: %d +2ima: ima_crypto: ahash calculation failed: err: %d 3 32 4 13 hash_algo:318 48 4 14 digestsize:320 64 8 10 digest:319 3 32 4 13 hash_algo:339 48 4 18 cur_digestsize:341 64 8 14 cur_digest:340 3 32 4 7 pcr:134 48 4 11 namelen:134 64 4 21 template_data_len:134 3 32 8 8 data:277 64 8 9 datap:278 96 8 8 size:279 3 48 4 19 datalen_to_hash:489 64 256 10 buffer:486 384 376 16 __shash_desc:474 3 48 8 8 lnum:973 80 8 8 rule:952 112 48 8 args:971 -3Couldn't get size: 0x%lx -3Couldn't parse db signatures: %d -3Couldn't parse dbx signatures: %d -3Couldn't parse MokListRT signatures: %d -3Error reading db var: 0x%lx -3evm: Can not allocate %s (reason: %ld) -3evm: HMAC key is not set -3evm: key initialization failed -3ima: attempting to initialize the template "%s" failed -3ima: attempting to restore a incompatible measurement list -3ima: attempting to restore an unsupported template "%s" failed -3ima: attempting to restore a template name that is too long -3ima: attempting to restore the template fmt "%s" failed -3ima: attempting to restore too many measurements -3ima: Can not allocate %s (reason: %d) -3ima: Can not allocate %s (reason: %ld) -3ima: Error Communicating to TPM chip -3ima: Error Communicating to TPM chip, result: %d -3ima: field '%s' not found -3ima: format string '%s' contains too many fields -3ima: format string '%s' not valid, using template %s -3ima: impossible to appraise a kernel image without a file descriptor; try using kexec_file_load syscall. -3ima: impossible to appraise a module without a file descriptor. sig_enforce kernel parameter might help -3ima: Invalid field with length %d -3ima: lsm rule update error %d -3ima: OUT OF MEMORY ERROR creating queue entry -3ima: Prevent firmware loading_store. -3ima: Prevent firmware sysfs fallback loading. -3ima: %s: buf end mismatch: expected: %p, current: %p -3ima: signed policy file (specified as an absolute pathname) required -3ima: %s: nr of fields mismatch: expected: %d, current: %d -3ima: template does not support hash alg -3ima: template %s init failed, result: %d -3ima: template %s not found, using %s -3ima: Unable to open file: %s (%d) -3integrity: Key '%s' is in ima_blacklist_keyring -3integrity: no %s keyring: %d -3integrity: Problem loading X.509 certificate %d -3integrity: Request for unknown key '%s' err %ld -3integrity: Unable to open file: %s (%d) -3MODSIGN: Couldn't get UEFI db list -3Unable to create integrity sysfs dir: %d +3evm: evm_crypto: Can not allocate %s (reason: %ld) +3evm: evm_crypto: HMAC key is not set +3evm: evm_crypto: key initialization failed +3ima: ima_crypto: Can not allocate %s (reason: %d) +3ima: ima_crypto: Can not allocate %s (reason: %ld) +3ima: ima_crypto: Error Communicating to TPM chip +3ima: ima_fs: signed policy file (specified as an absolute pathname) required +3ima: ima_fs: Unable to open file: %s (%d) +3ima: ima_main: impossible to appraise a kernel image without a file descriptor; try using kexec_file_load syscall. +3ima: ima_main: impossible to appraise a module without a file descriptor. sig_enforce kernel parameter might help +3ima: ima_main: Prevent firmware loading_store. +3ima: ima_main: Prevent firmware sysfs fallback loading. +3ima: ima_main: template %s init failed, result: %d +3ima: ima_policy: lsm rule update error %d +3ima: ima_queue: Error Communicating to TPM chip, result: %d +3ima: ima_queue: OUT OF MEMORY ERROR creating queue entry +3ima: ima_template: attempting to initialize the template "%s" failed +3ima: ima_template: attempting to restore a incompatible measurement list +3ima: ima_template: attempting to restore an unsupported template "%s" failed +3ima: ima_template: attempting to restore a template name that is too long +3ima: ima_template: attempting to restore the template fmt "%s" failed +3ima: ima_template: attempting to restore too many measurements +3ima: ima_template: field '%s' not found +3ima: ima_template: format string '%s' contains too many fields +3ima: ima_template: format string '%s' not valid, using template %s +3ima: ima_template: Invalid field with length %d +3ima: ima_template_lib: %s: buf end mismatch: expected: %p, current: %p +3ima: ima_template_lib: %s: nr of fields mismatch: expected: %d, current: %d +3ima: ima_template: template does not support hash alg +3ima: ima_template: template %s init failed, result: %d +3ima: ima_template: template %s not found, using %s +3integrity: digsig_asymmetric: Key '%s' is in ima_blacklist_keyring +3integrity: digsig_asymmetric: Request for unknown key '%s' err %ld +3integrity: digsig: no %s keyring: %d +3integrity: digsig: Problem loading X.509 certificate %d +3integrity: digsig: Unable to open file: %s (%d) +3integrity: iint: Unable to create integrity sysfs dir: %d +3integrity: load_uefi: Couldn't get size: 0x%lx +3integrity: load_uefi: Couldn't parse db signatures: %d +3integrity: load_uefi: Couldn't parse dbx signatures: %d +3integrity: load_uefi: Couldn't parse MokListRT signatures: %d +3integrity: load_uefi: Error reading db var: 0x%lx +3integrity: load_uefi: MODSIGN: Couldn't get UEFI db list 4 32 8 8 entry:46 64 72 13 event_data:48 176 24 7 hash:55 240 240 11 tmp_iint:47 4 48 16 8 rbuf:209 80 16 13 rbuf_size:214 112 32 6 sg:212 176 104 8 wait:213 4 48 8 8 bufp:358 80 8 12 hdr_mask:362 112 64 7 hdr:353 208 34 17 template_name:350 -4ima: Couldn't register LSM notifier, error %d -4ima: rule for LSM '%s' is undefined -4ima: Skipping unknown architecture policy rule: %s -5ima: template with 'modsig' field also needs 'd-modsig' field -5integrity: Loaded X.509 cert '%s' -6evm: Error registering secfs -6evm: HMAC attrs: 0x%x -6evm: init_desc failed -6evm: Initialising EVM extended attributes: -6evm: key initialized -6evm: %s -6ima: Allocated hash algorithm: %s -6ima: Allocating %s failed, going to use default hash algorithm %s -6ima: No architecture policies found -6ima: No TPM chip found, activating TPM-bypass! -6ima: policy update %s -6ima: Unable to reopen file for reading. -6integrity: Can't allocate %s keyring (%d) -6integrity: Loading X.509 certificate: %s +4ima: ima_main: Couldn't register LSM notifier, error %d +4ima: ima_policy: rule for LSM '%s' is undefined +4ima: ima_policy: Skipping unknown architecture policy rule: %s +5ima: ima_policy: template with 'modsig' field also needs 'd-modsig' field +5integrity: digsig: Loaded X.509 cert '%s' +5integrity: platform_keyring: Platform Keyring initialized +6evm: evm_crypto: init_desc failed +6evm: evm_crypto: key initialized +6evm: evm_main: Error registering secfs +6evm: evm_main: HMAC attrs: 0x%x +6evm: evm_main: Initialising EVM extended attributes: +6evm: evm_main: %s +6ima: ima_crypto: Allocated hash algorithm: %s +6ima: ima_crypto: Unable to reopen file for reading. +6ima: ima_fs: policy update %s +6ima: ima_init: No TPM chip found, activating TPM-bypass! +6ima: ima_main: Allocating %s failed, going to use default hash algorithm %s +6ima: ima_policy: No architecture policies found +6integrity: digsig: Can't allocate %s keyring (%d) +6integrity: digsig: Loading X.509 certificate: %s +6integrity: load_uefi: Couldn't get UEFI dbx list +6integrity: load_uefi: Couldn't get UEFI MokListRT +6integrity: platform_keyring: Error adding keys to platform keyring %s 7 48 4 7 pcr:203 64 8 17 template_desc:198 96 8 11 pathbuf:199 128 8 12 pathname:201 160 8 15 xattr_value:204 192 8 10 modsig:205 224 255 12 filename:200 7 48 4 9 secid:706 64 4 7 pcr:690 80 8 9 entry:693 112 8 12 template:699 144 72 14 event_data:695 256 68 8 hash:703 368 240 8 iint:694
On 2/3/20 12:02 PM, Joe Perches wrote: > On Mon, 2020-02-03 at 11:55 -0700, Shuah Khan wrote: >> On 2/3/20 6:21 AM, Mimi Zohar wrote: >>> On Wed, 2020-01-29 at 19:08 -0800, Joe Perches wrote: >>>> On Wed, 2020-01-29 at 19:01 -0700, Shuah Khan wrote: >>>>> Change messages to messages to make it easier to debug. The following >>>>> error message isn't informative enough to figure out what failed. >>>>> Change messages to include function information. >>>>> >>>>> Signed-off-by: Shuah Khan <skhan@linuxfoundation.org> >>>>> --- >>>>> .../integrity/platform_certs/load_powerpc.c | 14 ++++++++------ >>>>> security/integrity/platform_certs/load_uefi.c | 17 ++++++++++------- >>>>> 2 files changed, 18 insertions(+), 13 deletions(-) >>>>> >>>>> diff --git a/security/integrity/platform_certs/load_powerpc.c b/security/integrity/platform_certs/load_powerpc.c >>>> >>>> perhaps instead add #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt >>>> so all the pr_<level> logging is more specific. >>>> >>>> This would prefix all pr_<level> output with "integrity: " >> >> Joe! Sorry for the delay in getting back to you. >> >>> Agreed. Joe, could you post a patch with a proper patch description >>> for this? >>> >> >> I have been looking into this a bit more and there is an opportunity >> here to add #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt to integrity.h >> and get rid of duplicate defines. > > That might work but: > > $ git grep --name-only 'integrity\.h' security | xargs grep pr_fmt > security/integrity/digsig.c:#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt > security/integrity/digsig_asymmetric.c:#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt > security/integrity/evm/evm_main.c:#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt > security/security.c:#define pr_fmt(fmt) "LSM: " fmt > > Here security.c already uses "LSM: " > > Does anyone care about the LSM: prefix? > > What I have in mind is replace the ones under security/integrity/ adding the define to integrity.h is under security/integrity. I would leave the security/security.c:#define pr_fmt(fmt) "LSM: " fmt alone and just replace the ones under security/integrity/ in which case KBUILD_MODNAME will show integrity as the module. thanks, -- Shuah
On 2/3/2020 11:02 AM, Joe Perches wrote: > On Mon, 2020-02-03 at 11:55 -0700, Shuah Khan wrote: >> On 2/3/20 6:21 AM, Mimi Zohar wrote: >>> On Wed, 2020-01-29 at 19:08 -0800, Joe Perches wrote: >>>> On Wed, 2020-01-29 at 19:01 -0700, Shuah Khan wrote: >>>>> Change messages to messages to make it easier to debug. The following >>>>> error message isn't informative enough to figure out what failed. >>>>> Change messages to include function information. >>>>> >>>>> Signed-off-by: Shuah Khan <skhan@linuxfoundation.org> >>>>> --- >>>>> .../integrity/platform_certs/load_powerpc.c | 14 ++++++++------ >>>>> security/integrity/platform_certs/load_uefi.c | 17 ++++++++++------- >>>>> 2 files changed, 18 insertions(+), 13 deletions(-) >>>>> >>>>> diff --git a/security/integrity/platform_certs/load_powerpc.c b/security/integrity/platform_certs/load_powerpc.c >>>> perhaps instead add #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt >>>> so all the pr_<level> logging is more specific. >>>> >>>> This would prefix all pr_<level> output with "integrity: " >> Joe! Sorry for the delay in getting back to you. >> >>> Agreed. Joe, could you post a patch with a proper patch description >>> for this? >>> >> I have been looking into this a bit more and there is an opportunity >> here to add #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt to integrity.h >> and get rid of duplicate defines. > That might work but: > > $ git grep --name-only 'integrity\.h' security | xargs grep pr_fmt > security/integrity/digsig.c:#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt > security/integrity/digsig_asymmetric.c:#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt > security/integrity/evm/evm_main.c:#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt > security/security.c:#define pr_fmt(fmt) "LSM: " fmt > > Here security.c already uses "LSM: " > > Does anyone care about the LSM: prefix? Yes.
On Mon, 2020-02-03 at 11:23 -0800, Casey Schaufler wrote: > On 2/3/2020 11:02 AM, Joe Perches wrote: > > On Mon, 2020-02-03 at 11:55 -0700, Shuah Khan wrote: > > > On 2/3/20 6:21 AM, Mimi Zohar wrote: > > > > On Wed, 2020-01-29 at 19:08 -0800, Joe Perches wrote: > > > > > On Wed, 2020-01-29 at 19:01 -0700, Shuah Khan wrote: > > > > > > Change messages to messages to make it easier to debug. The following > > > > > > error message isn't informative enough to figure out what failed. > > > > > > Change messages to include function information. > > > > > > > > > > > > Signed-off-by: Shuah Khan <skhan@linuxfoundation.org> > > > > > > --- > > > > > > .../integrity/platform_certs/load_powerpc.c | 14 ++++++++------ > > > > > > security/integrity/platform_certs/load_uefi.c | 17 ++++++++++------- > > > > > > 2 files changed, 18 insertions(+), 13 deletions(-) > > > > > > > > > > > > diff --git a/security/integrity/platform_certs/load_powerpc.c b/security/integrity/platform_certs/load_powerpc.c > > > > > perhaps instead add #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt > > > > > so all the pr_<level> logging is more specific. > > > > > > > > > > This would prefix all pr_<level> output with "integrity: " > > > Joe! Sorry for the delay in getting back to you. > > > > > > > Agreed. Joe, could you post a patch with a proper patch description > > > > for this? > > > > > > > I have been looking into this a bit more and there is an opportunity > > > here to add #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt to integrity.h > > > and get rid of duplicate defines. > > That might work but: > > > > $ git grep --name-only 'integrity\.h' security | xargs grep pr_fmt > > security/integrity/digsig.c:#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt > > security/integrity/digsig_asymmetric.c:#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt > > security/integrity/evm/evm_main.c:#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt > > security/security.c:#define pr_fmt(fmt) "LSM: " fmt > > > > Here security.c already uses "LSM: " > > > > Does anyone care about the LSM: prefix? > > Yes. No worries. My mistake it wouldn't change. It was a bad grep as the integrity.h in security.c is #included from the linux/include path and not the integrity subdirectory.
diff --git a/security/integrity/platform_certs/load_powerpc.c b/security/integrity/platform_certs/load_powerpc.c index a2900cb85357..621454148fbc 100644 --- a/security/integrity/platform_certs/load_powerpc.c +++ b/security/integrity/platform_certs/load_powerpc.c @@ -25,7 +25,7 @@ static __init void *get_cert_list(u8 *key, unsigned long keylen, uint64_t *size) rc = secvar_ops->get(key, keylen, NULL, size); if (rc) { - pr_err("Couldn't get size: %d\n", rc); + pr_err("%s: Couldn't get size: %d\n", __func__, rc); return NULL; } @@ -36,7 +36,7 @@ static __init void *get_cert_list(u8 *key, unsigned long keylen, uint64_t *size) rc = secvar_ops->get(key, keylen, db, size); if (rc) { kfree(db); - pr_err("Error reading %s var: %d\n", key, rc); + pr_err("%s: Error reading %s var: %d\n", __func__, key, rc); return NULL; } @@ -69,23 +69,25 @@ static int __init load_powerpc_certs(void) */ db = get_cert_list("db", 3, &dbsize); if (!db) { - pr_err("Couldn't get db list from firmware\n"); + pr_err("%s: Couldn't get db list from firmware\n", __func__); } else { rc = parse_efi_signature_list("powerpc:db", db, dbsize, get_handler_for_db); if (rc) - pr_err("Couldn't parse db signatures: %d\n", rc); + pr_err("%s: Couldn't parse db signatures: %d\n", + __func__, rc); kfree(db); } dbx = get_cert_list("dbx", 4, &dbxsize); if (!dbx) { - pr_info("Couldn't get dbx list from firmware\n"); + pr_info("%s: Couldn't get dbx list from firmware\n", __func__); } else { rc = parse_efi_signature_list("powerpc:dbx", dbx, dbxsize, get_handler_for_dbx); if (rc) - pr_err("Couldn't parse dbx signatures: %d\n", rc); + pr_err("%s: Couldn't parse dbx signatures: %d\n", + __func__, rc); kfree(dbx); } diff --git a/security/integrity/platform_certs/load_uefi.c b/security/integrity/platform_certs/load_uefi.c index 111898aad56e..c3cf6575abc1 100644 --- a/security/integrity/platform_certs/load_uefi.c +++ b/security/integrity/platform_certs/load_uefi.c @@ -44,7 +44,7 @@ static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid, status = efi.get_variable(name, guid, NULL, &lsize, &tmpdb); if (status != EFI_BUFFER_TOO_SMALL) { - pr_err("Couldn't get size: 0x%lx\n", status); + pr_err("%s: Couldn't get size: 0x%lx\n", __func__, status); return NULL; } @@ -55,7 +55,7 @@ static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid, status = efi.get_variable(name, guid, NULL, &lsize, db); if (status != EFI_SUCCESS) { kfree(db); - pr_err("Error reading db var: 0x%lx\n", status); + pr_err("%s: Error reading db var: 0x%lx\n", __func__, status); return NULL; } @@ -85,13 +85,14 @@ static int __init load_uefi_certs(void) if (!uefi_check_ignore_db()) { db = get_cert_list(L"db", &secure_var, &dbsize); if (!db) { - pr_err("MODSIGN: Couldn't get UEFI db list\n"); + pr_err("%s: MODSIGN: Couldn't get UEFI db list\n", + __func__); } else { rc = parse_efi_signature_list("UEFI:db", db, dbsize, get_handler_for_db); if (rc) - pr_err("Couldn't parse db signatures: %d\n", - rc); + pr_err("%s: Couldn't parse db signatures: %d\n", + __func__, rc); kfree(db); } } @@ -103,7 +104,8 @@ static int __init load_uefi_certs(void) rc = parse_efi_signature_list("UEFI:MokListRT", mok, moksize, get_handler_for_db); if (rc) - pr_err("Couldn't parse MokListRT signatures: %d\n", rc); + pr_err("%s: Couldn't parse MokListRT signatures: %d\n", + __func__, rc); kfree(mok); } @@ -115,7 +117,8 @@ static int __init load_uefi_certs(void) dbx, dbxsize, get_handler_for_dbx); if (rc) - pr_err("Couldn't parse dbx signatures: %d\n", rc); + pr_err("%s: Couldn't parse dbx signatures: %d\n", + __func__, rc); kfree(dbx); }
Change messages to messages to make it easier to debug. The following error message isn't informative enough to figure out what failed. Couldn't get size: 0x800000000000000e Change messages to include function information. Signed-off-by: Shuah Khan <skhan@linuxfoundation.org> --- .../integrity/platform_certs/load_powerpc.c | 14 ++++++++------ security/integrity/platform_certs/load_uefi.c | 17 ++++++++++------- 2 files changed, 18 insertions(+), 13 deletions(-)