From patchwork Thu Dec 8 03:35:23 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Biggers X-Patchwork-Id: 13067877 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id D0133C4708E for ; Thu, 8 Dec 2022 03:36:30 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229811AbiLHDg3 (ORCPT ); Wed, 7 Dec 2022 22:36:29 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:37142 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230117AbiLHDgK (ORCPT ); Wed, 7 Dec 2022 22:36:10 -0500 Received: from ams.source.kernel.org (ams.source.kernel.org [145.40.68.75]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 6D144207; Wed, 7 Dec 2022 19:35:44 -0800 (PST) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id D63B2B821FF; Thu, 8 Dec 2022 03:35:42 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 4E955C433C1; Thu, 8 Dec 2022 03:35:41 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1670470541; bh=3b5O7KzxVK5v6Enic7QwsmTYpgriCPuNr5Ncf/UzA1o=; h=From:To:Cc:Subject:Date:From; b=XoOO2i7k4RlhGjMK+25Qipm85wYb5Nt2nMYBaI742so57TB4+HJfQy3F1+ZHMX2aQ yC4iZ6LjqH04uZOh99NpALbH2ZCJ/J+t96CEjX7WzV4hPkur5QCNsq+T3rUIoJoy1n uD6sNcrSBKfIh2CaxSGLey5b5CVT1AY8KANXREyPvkWSOTm93FeUQUZs9aLAgq/89E W9ptvHu2sMFUlSjhPcpmKr2ddo7R9meyKnDG1oywJNjFpaOAG5k0xaqRyFkFqVc6Wv J37oGR4xUZNpUbTvGhx7Qz8tPb1l6Z0mm9JzZJbMyXk7zYMk1Bx9MFC2fZMsttNIM3 9utjFcMXzdbHg== From: Eric Biggers To: linux-fscrypt@vger.kernel.org Cc: linux-ext4@vger.kernel.org, linux-f2fs-devel@lists.sourceforge.net, linux-btrfs@vger.kernel.org, linux-integrity@vger.kernel.org, Luca Boccassi , Jes Sorensen , Victor Hsieh , stable@vger.kernel.org Subject: [PATCH] fsverity: don't check builtin signatures when require_signatures=0 Date: Wed, 7 Dec 2022 19:35:23 -0800 Message-Id: <20221208033523.122642-1-ebiggers@kernel.org> X-Mailer: git-send-email 2.38.1 MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-fscrypt@vger.kernel.org From: Eric Biggers An issue that arises when migrating from builtin signatures to userspace signatures is that existing files that have builtin signatures cannot be opened unless either CONFIG_FS_VERITY_BUILTIN_SIGNATURES is disabled or the signing certificate is left in the .fs-verity keyring. Since builtin signatures provide no security benefit when fs.verity.require_signatures=0 anyway, let's just skip the signature verification in this case. Fixes: 432434c9f8e1 ("fs-verity: support builtin file signatures") Cc: # v5.4+ Signed-off-by: Eric Biggers Acked-by: Luca Boccassi --- fs/verity/signature.c | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) base-commit: 479174d402bcf60789106eedc4def3957c060bad diff --git a/fs/verity/signature.c b/fs/verity/signature.c index 143a530a80088..dc6935701abda 100644 --- a/fs/verity/signature.c +++ b/fs/verity/signature.c @@ -13,8 +13,8 @@ #include /* - * /proc/sys/fs/verity/require_signatures - * If 1, all verity files must have a valid builtin signature. + * /proc/sys/fs/verity/require_signatures. If 1, then builtin signatures are + * verified and all verity files must have a valid builtin signature. */ static int fsverity_require_signatures; @@ -54,6 +54,20 @@ int fsverity_verify_signature(const struct fsverity_info *vi, return 0; } + /* + * If require_signatures=0, don't verify builtin signatures. + * Originally, builtin signatures were verified opportunistically in + * this case. However, no security property is possible when + * require_signatures=0 anyway. Skipping the builtin signature + * verification makes it easier to migrate existing files from builtin + * signature verification to userspace signature verification. + */ + if (!fsverity_require_signatures) { + fsverity_warn(inode, + "Not checking builtin signature due to require_signatures=0"); + return 0; + } + d = kzalloc(sizeof(*d) + hash_alg->digest_size, GFP_KERNEL); if (!d) return -ENOMEM;