[v2,0/4] ubifs: support authentication without hmac

Message ID	20200626112907.13201-1-torben.hohn@linutronix.de
Headers	show Return-Path: <linux-mtd-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org> From: Torben Hohn <torben.hohn@linutronix.de> To: richard@nod.at Subject: [PATCH v2 0/4] ubifs: support authentication without hmac Date: Fri, 26 Jun 2020 13:29:03 +0200 Message-Id: <20200626112907.13201-1-torben.hohn@linutronix.de> In-Reply-To: <20200625155927.28430-1-torben.hohn@linutronix.de> References: <20200625155927.28430-1-torben.hohn@linutronix.de> MIME-Version: 1.0 summary: Content analysis details: (-0.7 points) pts rule name description ---- ---------------------- -------------------------------------------------- -0.7 RCVD_IN_DNSWL_LOW RBL: Sender listed at https://www.dnswl.org/, low trust [2a0a:51c0:0:12e:550:0:0:1 listed in] [list.dnswl.org] 0.0 SPF_NONE SPF: sender does not publish an SPF Record 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record Precedence: list Cc: bigeasy@linutronix.de, linux-mtd@lists.infradead.org, tglx@linutronix.de, s.hauer@pengutronix.de Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: "linux-mtd" <linux-mtd-bounces@lists.infradead.org> Errors-To: linux-mtd-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org
Series	ubifs: support authentication without hmac \| expand [v2,0/4] ubifs: support authentication without hmac [v2,1/4] ubifs: move #include "debug.h" above auth.c [v2,2/4] ubifs: support authentication, for ro mount, when no key is given [v2,3/4] ubifs: sprinkle ubifs_assert(c, !c->ro_mount) in hmac auth [v2,4/4] ubifs: prevent remounting rw when no hmac key was given

Torben Hohn June 26, 2020, 11:29 a.m. UTC

This PQ adds support for ubifs authentication without HMAC,
which obviously only works for a read-only mount.

ubiblock and dm-verity are not supported by u-boot, and
the kernel on the target is loaded by u-boot out of the RFS.

This is a first try to implement this.
It boots fine, and the WARN_ON is not triggered.

I plan to update the docs also, but i would like to have
some positive comments on this before.

Changes since v1:

- apply comments from Sascha an revert the
  ubifs_authicated_(read|write) stuff.
  Use ubifs_assert(c, !c->ro_mount) instead.
- Prevent remount rw, when hmac-less authentication is used
- add missing check, for ro mode, when no auth_key_name is specified.

Torben Hohn (4):
  ubifs: move #include "debug.h" above auth.c
  ubifs: support authentication, for ro mount, when no key is given
  ubifs: sprinkle ubifs_assert(c, !c->ro_mount) in hmac auth
  ubifs: prevent remounting rw when no hmac key was given

 fs/ubifs/auth.c    | 62 +++++++++++++++++++++++++++++++++++++++++++++-
 fs/ubifs/gc.c      |  1 +
 fs/ubifs/journal.c |  8 ++++++
 fs/ubifs/replay.c  |  1 +
 fs/ubifs/sb.c      |  5 ++++
 fs/ubifs/super.c   | 28 ++++++++++++++++++++-
 fs/ubifs/ubifs.h   | 12 ++++++++-
 7 files changed, 114 insertions(+), 3 deletions(-)

Richard Weinberger June 26, 2020, 2:16 p.m. UTC | #1

Torben,

----- Ursprüngliche Mail -----
> Von: "Torben Hohn" <torben.hohn@linutronix.de>
> An: "richard" <richard@nod.at>
> CC: "bigeasy" <bigeasy@linutronix.de>, "tglx" <tglx@linutronix.de>, "linux-mtd" <linux-mtd@lists.infradead.org>, "Sascha
> Hauer" <s.hauer@pengutronix.de>
> Gesendet: Freitag, 26. Juni 2020 13:29:03
> Betreff: [PATCH v2 0/4] ubifs: support authentication without hmac

> This PQ adds support for ubifs authentication without HMAC,
> which obviously only works for a read-only mount.
> 
> ubiblock and dm-verity are not supported by u-boot, and
> the kernel on the target is loaded by u-boot out of the RFS.
> 
> This is a first try to implement this.
> It boots fine, and the WARN_ON is not triggered.
> 
> I plan to update the docs also, but i would like to have
> some positive comments on this before.
> 
> Changes since v1:
> 
> - apply comments from Sascha an revert the
>  ubifs_authicated_(read|write) stuff.
>  Use ubifs_assert(c, !c->ro_mount) instead.
> - Prevent remount rw, when hmac-less authentication is used
> - add missing check, for ro mode, when no auth_key_name is specified.

I didn't dig deep into the code so far, I'm still checking the concept.

Your approach works only on pristine offline signed images from mkfs.ubifs.
So, if somebody does this, it won't work:

$ keyctl padd logon ubifs:authfs @s < secret.key 
$ mount -t ubifs /dev/ubi0_0 /mnt/ -o auth_hash_name=sha256,auth_key=ubifs:authfs

... change the fs ...

$ umount /mnt
$ mount -t ubifs /dev/ubi0_0 /mnt/ -o auth_hash_name=sha256,ro

The ro mount will fail because UBIFS is no longer able to verify the super block
using the system key ring. It was overwritten by they ubifs:authfs key.

A possible solution is keeping a copy of the offline sign key forever in the fs.
But I'm not sure whether this is wise.

Thanks,
//richard

Richard Weinberger June 26, 2020, 2:36 p.m. UTC | #2

----- Ursprüngliche Mail -----
> I didn't dig deep into the code so far, I'm still checking the concept.
> 
> Your approach works only on pristine offline signed images from mkfs.ubifs.
> So, if somebody does this, it won't work:
> 
> $ keyctl padd logon ubifs:authfs @s < secret.key
> $ mount -t ubifs /dev/ubi0_0 /mnt/ -o
> auth_hash_name=sha256,auth_key=ubifs:authfs
> 
> ... change the fs ...
> 
> $ umount /mnt
> $ mount -t ubifs /dev/ubi0_0 /mnt/ -o auth_hash_name=sha256,ro
> 
> The ro mount will fail because UBIFS is no longer able to verify the super block
> using the system key ring. It was overwritten by they ubifs:authfs key.
> 
> A possible solution is keeping a copy of the offline sign key forever in the fs.
> But I'm not sure whether this is wise.

Or we change the feature from "ro mount without hmac" to "keep offline sign key and imply ro mount".
IOW adding a new mount option such as "auth_keep_offlinekey". If mounted with this option
UBIFS will not look for a hmac and enforce read-only mode.

Hmm?

Thanks,
//richard

Torben Hohn June 29, 2020, 9:07 a.m. UTC | #3

On Fri, Jun 26, 2020 at 04:16:51PM +0200, Richard Weinberger wrote:
> Torben,
> 
> ----- Ursprüngliche Mail -----
> > Von: "Torben Hohn" <torben.hohn@linutronix.de>
> > An: "richard" <richard@nod.at>
> > CC: "bigeasy" <bigeasy@linutronix.de>, "tglx" <tglx@linutronix.de>, "linux-mtd" <linux-mtd@lists.infradead.org>, "Sascha
> > Hauer" <s.hauer@pengutronix.de>
> > Gesendet: Freitag, 26. Juni 2020 13:29:03
> > Betreff: [PATCH v2 0/4] ubifs: support authentication without hmac
> 
> > This PQ adds support for ubifs authentication without HMAC,
> > which obviously only works for a read-only mount.
> > 
> > ubiblock and dm-verity are not supported by u-boot, and
> > the kernel on the target is loaded by u-boot out of the RFS.
> > 
> > This is a first try to implement this.
> > It boots fine, and the WARN_ON is not triggered.
> > 
> > I plan to update the docs also, but i would like to have
> > some positive comments on this before.
> > 
> > Changes since v1:
> > 
> > - apply comments from Sascha an revert the
> >  ubifs_authicated_(read|write) stuff.
> >  Use ubifs_assert(c, !c->ro_mount) instead.
> > - Prevent remount rw, when hmac-less authentication is used
> > - add missing check, for ro mode, when no auth_key_name is specified.
> 
> I didn't dig deep into the code so far, I'm still checking the concept.
> 
> Your approach works only on pristine offline signed images from mkfs.ubifs.
> So, if somebody does this, it won't work:
> 
> $ keyctl padd logon ubifs:authfs @s < secret.key 
> $ mount -t ubifs /dev/ubi0_0 /mnt/ -o auth_hash_name=sha256,auth_key=ubifs:authfs
> 
> ... change the fs ...
> 
> $ umount /mnt
> $ mount -t ubifs /dev/ubi0_0 /mnt/ -o auth_hash_name=sha256,ro
> 
> The ro mount will fail because UBIFS is no longer able to verify the super block
> using the system key ring. It was overwritten by they ubifs:authfs key.

Yes. But that is the intended behaviour.
If the filesystem has been changed, it must not be mounted again.

I would rather like to make it impossible to mount the filesystem in rw
mode, because this is an attack scenario. It would refuse to mount upon
reboot. Making it possible to remount root rw, with a fresh key is
nice for development, but its not desired in production. 


> 
> A possible solution is keeping a copy of the offline sign key forever in the fs.
> But I'm not sure whether this is wise.

Heh ? you mean the private key. NO

When its not possible to store a secret on the h/w then the only
option we have is asymmetric sigatures, with the private key never
being on the device.

This obviously means, that the device is not able to write to RFS.




> 
> Thanks,
> //richard

Torben Hohn June 29, 2020, 9:13 a.m. UTC | #4

On Fri, Jun 26, 2020 at 04:36:26PM +0200, Richard Weinberger wrote:
> ----- Ursprüngliche Mail -----
> > I didn't dig deep into the code so far, I'm still checking the concept.
> > 
> > Your approach works only on pristine offline signed images from mkfs.ubifs.
> > So, if somebody does this, it won't work:
> > 
> > $ keyctl padd logon ubifs:authfs @s < secret.key
> > $ mount -t ubifs /dev/ubi0_0 /mnt/ -o
> > auth_hash_name=sha256,auth_key=ubifs:authfs
> > 
> > ... change the fs ...
> > 
> > $ umount /mnt
> > $ mount -t ubifs /dev/ubi0_0 /mnt/ -o auth_hash_name=sha256,ro
> > 
> > The ro mount will fail because UBIFS is no longer able to verify the super block
> > using the system key ring. It was overwritten by they ubifs:authfs key.
> > 
> > A possible solution is keeping a copy of the offline sign key forever in the fs.
> > But I'm not sure whether this is wise.
> 
> Or we change the feature from "ro mount without hmac" to "keep offline sign key and imply ro mount".
> IOW adding a new mount option such as "auth_keep_offlinekey". If mounted with this option
> UBIFS will not look for a hmac and enforce read-only mode.

Thats just another name for the same feature.
But it indeed seems to make the implications clearer.

And it porbably also makes the code easier to read.

> 
> Hmm?
> 
> Thanks,
> //richard

Richard Weinberger June 29, 2020, 10:46 a.m. UTC | #5

Torben,

----- Ursprüngliche Mail -----
>> The ro mount will fail because UBIFS is no longer able to verify the super block
>> using the system key ring. It was overwritten by they ubifs:authfs key.
> 
> Yes. But that is the intended behaviour.
> If the filesystem has been changed, it must not be mounted again.

In your use case.
 
> I would rather like to make it impossible to mount the filesystem in rw
> mode, because this is an attack scenario. It would refuse to mount upon
> reboot. Making it possible to remount root rw, with a fresh key is
> nice for development, but its not desired in production.
> 
> 
>> 
>> A possible solution is keeping a copy of the offline sign key forever in the fs.
>> But I'm not sure whether this is wise.
> 
> Heh ? you mean the private key. NO

No, I used bad wording. :-)
The superblock is signed by the offline key. As soon you switch to the new key
the super block is rewritten and can no longer verified this key.
Instead of rewriting the idea was keeping a copy.

Anyway, like said in the other mail, I think if we change the feature to
"keep offline sign key and imply ro mount" things will be more smooth with less corner
cases.

Thanks,
//richard

Thomas Gleixner July 2, 2020, 2:40 p.m. UTC | #6

Richard Weinberger <richard@nod.at> writes:
> The superblock is signed by the offline key. As soon you switch to the new key
> the super block is rewritten and can no longer verified this key.
> Instead of rewriting the idea was keeping a copy.
>
> Anyway, like said in the other mail, I think if we change the feature to
> "keep offline sign key and imply ro mount" things will be more smooth with less corner
> cases.

I don't think so. The desired mode is to prevent RW mounts for a factory
signed image which implies the prevention of rewriting the superblock.

This is not a conveniance feature, it's a strict security feature. Once
the thing has been changed from the factory generated state it's invalid
no matter what.

If a developer shoots himself in the foot with that, no big deal. He got
what he asked for :)

Thanks,

        tglx

Richard Weinberger July 2, 2020, 3 p.m. UTC | #7

----- Ursprüngliche Mail -----
> Von: "tglx" <tglx@linutronix.de>
> An: "richard" <richard@nod.at>, "Torben Hohn" <torben.hohn@linutronix.de>
> CC: "bigeasy" <bigeasy@linutronix.de>, "linux-mtd" <linux-mtd@lists.infradead.org>, "Sascha Hauer"
> <s.hauer@pengutronix.de>, "david" <david@sigma-star.at>
> Gesendet: Donnerstag, 2. Juli 2020 16:40:24
> Betreff: Re: [PATCH v2 0/4] ubifs: support authentication without hmac

> Richard Weinberger <richard@nod.at> writes:
>> The superblock is signed by the offline key. As soon you switch to the new key
>> the super block is rewritten and can no longer verified this key.
>> Instead of rewriting the idea was keeping a copy.
>>
>> Anyway, like said in the other mail, I think if we change the feature to
>> "keep offline sign key and imply ro mount" things will be more smooth with less
>> corner
>> cases.
> 
> I don't think so. The desired mode is to prevent RW mounts for a factory
> signed image which implies the prevention of rewriting the superblock.

This is exactly what I'm asking for.
Keep the factory signed super block and imply read-only mode.
  
Thanks,
//richard

Thomas Gleixner July 2, 2020, 6:48 p.m. UTC | #8

Richard Weinberger <richard@nod.at> writes:
> ----- Ursprüngliche Mail -----
>> Von: "tglx" <tglx@linutronix.de>
>> An: "richard" <richard@nod.at>, "Torben Hohn" <torben.hohn@linutronix.de>
>> CC: "bigeasy" <bigeasy@linutronix.de>, "linux-mtd" <linux-mtd@lists.infradead.org>, "Sascha Hauer"
>> <s.hauer@pengutronix.de>, "david" <david@sigma-star.at>
>> Gesendet: Donnerstag, 2. Juli 2020 16:40:24
>> Betreff: Re: [PATCH v2 0/4] ubifs: support authentication without hmac
>
>> Richard Weinberger <richard@nod.at> writes:
>>> The superblock is signed by the offline key. As soon you switch to the new key
>>> the super block is rewritten and can no longer verified this key.
>>> Instead of rewriting the idea was keeping a copy.
>>>
>>> Anyway, like said in the other mail, I think if we change the feature to
>>> "keep offline sign key and imply ro mount" things will be more smooth with less
>>> corner
>>> cases.
>> 
>> I don't think so. The desired mode is to prevent RW mounts for a factory
>> signed image which implies the prevention of rewriting the superblock.
>
> This is exactly what I'm asking for.
> Keep the factory signed super block and imply read-only mode.

And that's what Torben implemented unless I'm missing something.

Thanks,

        tglx

Richard Weinberger July 2, 2020, 7:03 p.m. UTC | #9

----- Ursprüngliche Mail -----
>>>> Anyway, like said in the other mail, I think if we change the feature to
>>>> "keep offline sign key and imply ro mount" things will be more smooth with less
>>>> corner
>>>> cases.
>>> 
>>> I don't think so. The desired mode is to prevent RW mounts for a factory
>>> signed image which implies the prevention of rewriting the superblock.
>>
>> This is exactly what I'm asking for.
>> Keep the factory signed super block and imply read-only mode.
> 
> And that's what Torben implemented unless I'm missing something.

Torben implemented it the other way around, he allows mounting without
the HMAC if UBIFS mount is read-only.
This covers also the proposed use-case but as I stated it has issues with
remounting and makes the implementation more complicated than it should be.

That's why I proposed adding a new mount option like "keep_offline_signature" or
what name fits better. That gives us the following pros:

1. Makes the implementation super simple.
   If keep_offline_signature is set and rw mount requested, reject.
   RW remount can rejected very easily, store keep_offline_signature in the ubifs context.

2. If the super block got already re-written, reject.
   You can check sub->hmac[] for being non-zero.
   That way we can give the user a decent error message in case they do stupid things.

3. Userspace can verify whether the UBIFS fs is pristine by checking
   for the keep_offline_signature mount flag in /proc/self/mountinfo.

Thanks,
//richard

Sebastian Andrzej Siewior July 3, 2020, 8:16 a.m. UTC | #10

On 2020-07-02 21:03:54 [+0200], Richard Weinberger wrote:
> ----- Ursprüngliche Mail -----
> >>>> Anyway, like said in the other mail, I think if we change the feature to
> >>>> "keep offline sign key and imply ro mount" things will be more smooth with less
> >>>> corner
> >>>> cases.
> >>> 
> >>> I don't think so. The desired mode is to prevent RW mounts for a factory
> >>> signed image which implies the prevention of rewriting the superblock.
> >>
> >> This is exactly what I'm asking for.
> >> Keep the factory signed super block and imply read-only mode.
> > 
> > And that's what Torben implemented unless I'm missing something.
> 
> Torben implemented it the other way around, he allows mounting without
> the HMAC if UBIFS mount is read-only.
> This covers also the proposed use-case but as I stated it has issues with
> remounting and makes the implementation more complicated than it should be.
> 
> That's why I proposed adding a new mount option like "keep_offline_signature" or
> what name fits better. That gives us the following pros:

so you want an extra option instead of setting SB_RDONLY on RO mounts
without the key and not allowing RW mounts in this case?

> 1. Makes the implementation super simple.
>    If keep_offline_signature is set and rw mount requested, reject.
>    RW remount can rejected very easily, store keep_offline_signature in the ubifs context.
> 
> 2. If the super block got already re-written, reject.
>    You can check sub->hmac[] for being non-zero.
>    That way we can give the user a decent error message in case they do stupid things.

re-written as in a prior RW mount with the key?

> 3. Userspace can verify whether the UBIFS fs is pristine by checking
>    for the keep_offline_signature mount flag in /proc/self/mountinfo.

Could this information be dubious if the UBIFS was mounted RW once (with
the key around) and then mounted RO,keep_offline_signature ? So you
would have to only allow keep_offline_signature if your point (2) is
true?

> Thanks,
> //richard

Sebastian

Richard Weinberger July 3, 2020, 8:20 a.m. UTC | #11

Sebastian,

----- Ursprüngliche Mail -----
>> > And that's what Torben implemented unless I'm missing something.
>> 
>> Torben implemented it the other way around, he allows mounting without
>> the HMAC if UBIFS mount is read-only.
>> This covers also the proposed use-case but as I stated it has issues with
>> remounting and makes the implementation more complicated than it should be.
>> 
>> That's why I proposed adding a new mount option like "keep_offline_signature" or
>> what name fits better. That gives us the following pros:
> 
> so you want an extra option instead of setting SB_RDONLY on RO mounts
> without the key and not allowing RW mounts in this case?

Yes.

>> 1. Makes the implementation super simple.
>>    If keep_offline_signature is set and rw mount requested, reject.
>>    RW remount can rejected very easily, store keep_offline_signature in the ubifs
>>    context.
>> 
>> 2. If the super block got already re-written, reject.
>>    You can check sub->hmac[] for being non-zero.
>>    That way we can give the user a decent error message in case they do stupid
>>    things.
> 
> re-written as in a prior RW mount with the key?

Yes.

>> 3. Userspace can verify whether the UBIFS fs is pristine by checking
>>    for the keep_offline_signature mount flag in /proc/self/mountinfo.
> 
> Could this information be dubious if the UBIFS was mounted RW once (with
> the key around) and then mounted RO,keep_offline_signature ? So you
> would have to only allow keep_offline_signature if your point (2) is
> true?

No. Because as soon you mount once RW the super block is re-written with
the provided HMAC. You can detect this and refuse the mount option.

Thanks,
//richard

Thomas Gleixner July 3, 2020, 9:12 a.m. UTC | #12

Richard Weinberger <richard@nod.at> writes:
>> And that's what Torben implemented unless I'm missing something.
>
> Torben implemented it the other way around, he allows mounting without
> the HMAC if UBIFS mount is read-only.
> This covers also the proposed use-case but as I stated it has issues with
> remounting and makes the implementation more complicated than it should be.
>
> That's why I proposed adding a new mount option like "keep_offline_signature" or
> what name fits better. That gives us the following pros:
>
> 1. Makes the implementation super simple.
>    If keep_offline_signature is set and rw mount requested, reject.
>    RW remount can rejected very easily, store keep_offline_signature in the ubifs context.
>
> 2. If the super block got already re-written, reject.
>    You can check sub->hmac[] for being non-zero.
>    That way we can give the user a decent error message in case they do stupid things.
>
> 3. Userspace can verify whether the UBIFS fs is pristine by checking
>    for the keep_offline_signature mount flag in /proc/self/mountinfo.

Works for me.

[v2,0/4] ubifs: support authentication without hmac

Message

Comments