Skip to content

Commit c7a5899

Browse files
antonyantonyklassert
antonyantony
authored and
klassert
committed
xfrm: redact SA secret with lockdown confidentiality
redact XFRM SA secret in the netlink response to xfrm_get_sa() or dumpall sa. Enable lockdown, confidentiality mode, at boot or at run time. e.g. when enabled: cat /sys/kernel/security/lockdown none integrity [confidentiality] ip xfrm state src 172.16.1.200 dst 172.16.1.100 proto esp spi 0x00000002 reqid 2 mode tunnel replay-window 0 aead rfc4106(gcm(aes)) 0x0000000000000000000000000000000000000000 96 note: the aead secret is redacted. Redacting secret is also a FIPS 140-2 requirement. v1->v2 - add size checks before memset calls v2->v3 - replace spaces with tabs for consistency v3->v4 - use kernel lockdown instead of a /proc setting v4->v5 - remove kconfig option Reviewed-by: Stephan Mueller <[email protected]> Signed-off-by: Antony Antony <[email protected]> Signed-off-by: Steffen Klassert <[email protected]>
1 parent 8be33ec commit c7a5899

File tree

3 files changed

+69
-7
lines changed

3 files changed

+69
-7
lines changed

include/linux/security.h

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -127,6 +127,7 @@ enum lockdown_reason {
127127
LOCKDOWN_PERF,
128128
LOCKDOWN_TRACEFS,
129129
LOCKDOWN_XMON_RW,
130+
LOCKDOWN_XFRM_SECRET,
130131
LOCKDOWN_CONFIDENTIALITY_MAX,
131132
};
132133

net/xfrm/xfrm_user.c

Lines changed: 67 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -848,21 +848,84 @@ static int copy_user_offload(struct xfrm_state_offload *xso, struct sk_buff *skb
848848
return 0;
849849
}
850850

851+
static bool xfrm_redact(void)
852+
{
853+
return IS_ENABLED(CONFIG_SECURITY) &&
854+
security_locked_down(LOCKDOWN_XFRM_SECRET);
855+
}
856+
851857
static int copy_to_user_auth(struct xfrm_algo_auth *auth, struct sk_buff *skb)
852858
{
853859
struct xfrm_algo *algo;
860+
struct xfrm_algo_auth *ap;
854861
struct nlattr *nla;
862+
bool redact_secret = xfrm_redact();
855863

856864
nla = nla_reserve(skb, XFRMA_ALG_AUTH,
857865
sizeof(*algo) + (auth->alg_key_len + 7) / 8);
858866
if (!nla)
859867
return -EMSGSIZE;
860-
861868
algo = nla_data(nla);
862869
strncpy(algo->alg_name, auth->alg_name, sizeof(algo->alg_name));
863-
memcpy(algo->alg_key, auth->alg_key, (auth->alg_key_len + 7) / 8);
870+
871+
if (redact_secret && auth->alg_key_len)
872+
memset(algo->alg_key, 0, (auth->alg_key_len + 7) / 8);
873+
else
874+
memcpy(algo->alg_key, auth->alg_key,
875+
(auth->alg_key_len + 7) / 8);
864876
algo->alg_key_len = auth->alg_key_len;
865877

878+
nla = nla_reserve(skb, XFRMA_ALG_AUTH_TRUNC, xfrm_alg_auth_len(auth));
879+
if (!nla)
880+
return -EMSGSIZE;
881+
ap = nla_data(nla);
882+
memcpy(ap, auth, sizeof(struct xfrm_algo_auth));
883+
if (redact_secret && auth->alg_key_len)
884+
memset(ap->alg_key, 0, (auth->alg_key_len + 7) / 8);
885+
else
886+
memcpy(ap->alg_key, auth->alg_key,
887+
(auth->alg_key_len + 7) / 8);
888+
return 0;
889+
}
890+
891+
static int copy_to_user_aead(struct xfrm_algo_aead *aead, struct sk_buff *skb)
892+
{
893+
struct nlattr *nla = nla_reserve(skb, XFRMA_ALG_AEAD, aead_len(aead));
894+
struct xfrm_algo_aead *ap;
895+
bool redact_secret = xfrm_redact();
896+
897+
if (!nla)
898+
return -EMSGSIZE;
899+
900+
ap = nla_data(nla);
901+
memcpy(ap, aead, sizeof(*aead));
902+
903+
if (redact_secret && aead->alg_key_len)
904+
memset(ap->alg_key, 0, (aead->alg_key_len + 7) / 8);
905+
else
906+
memcpy(ap->alg_key, aead->alg_key,
907+
(aead->alg_key_len + 7) / 8);
908+
return 0;
909+
}
910+
911+
static int copy_to_user_ealg(struct xfrm_algo *ealg, struct sk_buff *skb)
912+
{
913+
struct xfrm_algo *ap;
914+
bool redact_secret = xfrm_redact();
915+
struct nlattr *nla = nla_reserve(skb, XFRMA_ALG_CRYPT,
916+
xfrm_alg_len(ealg));
917+
if (!nla)
918+
return -EMSGSIZE;
919+
920+
ap = nla_data(nla);
921+
memcpy(ap, ealg, sizeof(*ealg));
922+
923+
if (redact_secret && ealg->alg_key_len)
924+
memset(ap->alg_key, 0, (ealg->alg_key_len + 7) / 8);
925+
else
926+
memcpy(ap->alg_key, ealg->alg_key,
927+
(ealg->alg_key_len + 7) / 8);
928+
866929
return 0;
867930
}
868931

@@ -906,20 +969,17 @@ static int copy_to_user_state_extra(struct xfrm_state *x,
906969
goto out;
907970
}
908971
if (x->aead) {
909-
ret = nla_put(skb, XFRMA_ALG_AEAD, aead_len(x->aead), x->aead);
972+
ret = copy_to_user_aead(x->aead, skb);
910973
if (ret)
911974
goto out;
912975
}
913976
if (x->aalg) {
914977
ret = copy_to_user_auth(x->aalg, skb);
915-
if (!ret)
916-
ret = nla_put(skb, XFRMA_ALG_AUTH_TRUNC,
917-
xfrm_alg_auth_len(x->aalg), x->aalg);
918978
if (ret)
919979
goto out;
920980
}
921981
if (x->ealg) {
922-
ret = nla_put(skb, XFRMA_ALG_CRYPT, xfrm_alg_len(x->ealg), x->ealg);
982+
ret = copy_to_user_ealg(x->ealg, skb);
923983
if (ret)
924984
goto out;
925985
}

security/security.c

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -65,6 +65,7 @@ const char *const lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = {
6565
[LOCKDOWN_PERF] = "unsafe use of perf",
6666
[LOCKDOWN_TRACEFS] = "use of tracefs",
6767
[LOCKDOWN_XMON_RW] = "xmon read and write access",
68+
[LOCKDOWN_XFRM_SECRET] = "xfrm SA secret",
6869
[LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality",
6970
};
7071

0 commit comments

Comments
 (0)