selftests/bpf: Add test for bpf_verify_pkcs7_signature() kfunc

tracing_struct                           # failed to auto-attach: -524                                                 (trampoline)

user_ringbuf                             # failed to find kernel BTF type ID of '__s390x_sys_prctl': -3                (?)

lookup_key                               # JIT does not support calling kernel function                                (kfunc)

verify_pkcs7_sig                         # JIT does not support calling kernel function                                (kfunc)

APIDIR := $(TOOLSINCDIR)/uapi

GENDIR := $(abspath ../../../../include/generated)

GENHDR := $(GENDIR)/autoconf.h

HOSTPKG_CONFIG := pkg-config

ifneq ($(wildcard $(GENHDR)),)

  GENFLAGS := -DHAVE_GENHDR

	test_xsk.sh

TEST_PROGS_EXTENDED := with_addr.sh \

	with_tunnels.sh ima_setup.sh \

	with_tunnels.sh ima_setup.sh verify_sig_setup.sh \

	test_xdp_vlan.sh test_bpftool.py

# Compile but not part of 'make run_tests'

	test_lirc_mode2_user xdping test_cpp runqslower bench bpf_testmod.ko \

	xskxceiver xdp_redirect_multi xdp_synproxy veristat

TEST_CUSTOM_PROGS = $(OUTPUT)/urandom_read

TEST_CUSTOM_PROGS = $(OUTPUT)/urandom_read $(OUTPUT)/sign-file

# Emit succinct information message describing current building step

# $1 - generic step name (e.g., CC, LINK, etc);

		     -fuse-ld=$(LLD) -Wl,-znoseparate-code		       \

		     -Wl,-rpath=. -Wl,--build-id=sha1 -o $@

$(OUTPUT)/sign-file: ../../../../scripts/sign-file.c

	$(call msg,SIGN-FILE,,$@)

	$(Q)$(CC) $(shell $(HOSTPKG_CONFIG)--cflags libcrypto 2> /dev/null) \

		  $< -o $@ \

		  $(shell $(HOSTPKG_CONFIG) --libs libcrypto 2> /dev/null || echo -lcrypto)

$(OUTPUT)/bpf_testmod.ko: $(VMLINUX_BTF) $(wildcard bpf_testmod/Makefile bpf_testmod/*.[ch])

	$(call msg,MOD,,$@)

	$(Q)$(RM) bpf_testmod/bpf_testmod.ko # force re-compilation

TRUNNER_EXTRA_FILES := $(OUTPUT)/urandom_read $(OUTPUT)/bpf_testmod.ko	\

		       $(OUTPUT)/liburandom_read.so			\

		       $(OUTPUT)/xdp_synproxy				\

		       ima_setup.sh					\

		       $(OUTPUT)/sign-file				\

		       ima_setup.sh verify_sig_setup.sh			\

		       $(wildcard progs/btf_dump_test_case_*.c)

TRUNNER_BPF_BUILD_RULE := CLANG_BPF_BUILD_RULE

TRUNNER_BPF_CFLAGS := $(BPF_CFLAGS) $(CLANG_CFLAGS) -DENABLE_ATOMICS_TESTS

CONFIG_KEYS=y

CONFIG_LIRC=y

CONFIG_LWTUNNEL=y

CONFIG_MODULE_SIG=y

CONFIG_MODULE_SRCVERSION_ALL=y

CONFIG_MODULE_UNLOAD=y

CONFIG_MODULES=y

CONFIG_MODVERSIONS=y

CONFIG_MPLS=y

CONFIG_MPLS_IPTUNNEL=y

CONFIG_MPLS_ROUTING=y

CONFIG_MEMCG=y

CONFIG_MEMORY_FAILURE=y

CONFIG_MINIX_SUBPARTITION=y

CONFIG_MODULE_SIG=y

CONFIG_MODULE_SRCVERSION_ALL=y

CONFIG_MODULE_UNLOAD=y

CONFIG_MODULES=y

CONFIG_MODVERSIONS=y

CONFIG_NAMESPACES=y

CONFIG_NET=y

CONFIG_NET_9P=y

// SPDX-License-Identifier: GPL-2.0

/*

 * Copyright (C) 2022 Huawei Technologies Duesseldorf GmbH

 *

 * Author: Roberto Sassu <roberto.sassu@huawei.com>

 */

#include <stdio.h>

#include <errno.h>

#include <stdlib.h>

#include <unistd.h>

#include <endian.h>

#include <limits.h>

#include <sys/stat.h>

#include <sys/wait.h>

#include <sys/mman.h>

#include <linux/keyctl.h>

#include <test_progs.h>

#include "test_verify_pkcs7_sig.skel.h"

#define MAX_DATA_SIZE (1024 * 1024)

#define MAX_SIG_SIZE 1024

#define VERIFY_USE_SECONDARY_KEYRING (1UL)

#define VERIFY_USE_PLATFORM_KEYRING  (2UL)

/* In stripped ARM and x86-64 modules, ~ is surprisingly rare. */

#define MODULE_SIG_STRING "~Module signature appended~\n"

/*

 * Module signature information block.

 *

 * The constituents of the signature section are, in order:

 *

 *	- Signer's name

 *	- Key identifier

 *	- Signature data

 *	- Information block

 */

struct module_signature {

	__u8	algo;		/* Public-key crypto algorithm [0] */

	__u8	hash;		/* Digest algorithm [0] */

	__u8	id_type;	/* Key identifier type [PKEY_ID_PKCS7] */

	__u8	signer_len;	/* Length of signer's name [0] */

	__u8	key_id_len;	/* Length of key identifier [0] */

	__u8	__pad[3];

	__be32	sig_len;	/* Length of signature data */

};

struct data {

	__u8 data[MAX_DATA_SIZE];

	__u32 data_len;

	__u8 sig[MAX_SIG_SIZE];

	__u32 sig_len;

};

static bool kfunc_not_supported;

static int libbpf_print_cb(enum libbpf_print_level level, const char *fmt,

			   va_list args)

{

	if (strcmp(fmt, "libbpf: extern (func ksym) '%s': not found in kernel or module BTFs\n"))

		return 0;

	if (strcmp(va_arg(args, char *), "bpf_verify_pkcs7_signature"))

		return 0;

	kfunc_not_supported = true;

	return 0;

}

static int _run_setup_process(const char *setup_dir, const char *cmd)

{

	int child_pid, child_status;

	child_pid = fork();

	if (child_pid == 0) {

		execlp("./verify_sig_setup.sh", "./verify_sig_setup.sh", cmd,

		       setup_dir, NULL);

		exit(errno);

	} else if (child_pid > 0) {

		waitpid(child_pid, &child_status, 0);

		return WEXITSTATUS(child_status);

	}

	return -EINVAL;

}

static int populate_data_item_str(const char *tmp_dir, struct data *data_item)

{

	struct stat st;

	char data_template[] = "/tmp/dataXXXXXX";

	char path[PATH_MAX];

	int ret, fd, child_status, child_pid;

	data_item->data_len = 4;

	memcpy(data_item->data, "test", data_item->data_len);

	fd = mkstemp(data_template);

	if (fd == -1)

		return -errno;

	ret = write(fd, data_item->data, data_item->data_len);

	close(fd);

	if (ret != data_item->data_len) {

		ret = -EIO;

		goto out;

	}

	child_pid = fork();

	if (child_pid == -1) {

		ret = -errno;

		goto out;

	}

	if (child_pid == 0) {

		snprintf(path, sizeof(path), "%s/signing_key.pem", tmp_dir);

		return execlp("./sign-file", "./sign-file", "-d", "sha256",

			      path, path, data_template, NULL);

	}

	waitpid(child_pid, &child_status, 0);

	ret = WEXITSTATUS(child_status);

	if (ret)

		goto out;

	snprintf(path, sizeof(path), "%s.p7s", data_template);

	ret = stat(path, &st);

	if (ret == -1) {

		ret = -errno;

		goto out;

	}

	if (st.st_size > sizeof(data_item->sig)) {

		ret = -EINVAL;

		goto out_sig;

	}

	data_item->sig_len = st.st_size;

	fd = open(path, O_RDONLY);

	if (fd == -1) {

		ret = -errno;

		goto out_sig;

	}

	ret = read(fd, data_item->sig, data_item->sig_len);

	close(fd);

	if (ret != data_item->sig_len) {

		ret = -EIO;

		goto out_sig;

	}

	ret = 0;

out_sig:

	unlink(path);

out:

	unlink(data_template);

	return ret;

}

static int populate_data_item_mod(struct data *data_item)

{

	char mod_path[PATH_MAX], *mod_path_ptr;

	struct stat st;

	void *mod;

	FILE *fp;

	struct module_signature ms;

	int ret, fd, modlen, marker_len, sig_len;

	data_item->data_len = 0;

	if (stat("/lib/modules", &st) == -1)

		return 0;

	/* Requires CONFIG_TCP_CONG_BIC=m. */

	fp = popen("find /lib/modules/$(uname -r) -name tcp_bic.ko", "r");

	if (!fp)

		return 0;

	mod_path_ptr = fgets(mod_path, sizeof(mod_path), fp);

	pclose(fp);

	if (!mod_path_ptr)

		return 0;

	mod_path_ptr = strchr(mod_path, '\n');

	if (!mod_path_ptr)

		return 0;

	*mod_path_ptr = '\0';

	if (stat(mod_path, &st) == -1)

		return 0;

	modlen = st.st_size;

	marker_len = sizeof(MODULE_SIG_STRING) - 1;

	fd = open(mod_path, O_RDONLY);

	if (fd == -1)

		return -errno;

	mod = mmap(NULL, st.st_size, PROT_READ, MAP_PRIVATE, fd, 0);

	close(fd);

	if (mod == MAP_FAILED)

		return -errno;

	if (strncmp(mod + modlen - marker_len, MODULE_SIG_STRING, marker_len)) {

		ret = -EINVAL;

		goto out;

	}

	modlen -= marker_len;

	memcpy(&ms, mod + (modlen - sizeof(ms)), sizeof(ms));

	sig_len = __be32_to_cpu(ms.sig_len);

	modlen -= sig_len + sizeof(ms);

	if (modlen > sizeof(data_item->data)) {

		ret = -E2BIG;

		goto out;

	}

	memcpy(data_item->data, mod, modlen);

	data_item->data_len = modlen;

	if (sig_len > sizeof(data_item->sig)) {

		ret = -E2BIG;

		goto out;

	}

	memcpy(data_item->sig, mod + modlen, sig_len);

	data_item->sig_len = sig_len;

	ret = 0;

out:

	munmap(mod, st.st_size);

	return ret;

}

void test_verify_pkcs7_sig(void)

{

	libbpf_print_fn_t old_print_cb;

	char tmp_dir_template[] = "/tmp/verify_sigXXXXXX";

	char *tmp_dir;

	struct test_verify_pkcs7_sig *skel = NULL;

	struct bpf_map *map;

	struct data data;

	int ret, zero = 0;

	/* Trigger creation of session keyring. */

	syscall(__NR_request_key, "keyring", "_uid.0", NULL,

		KEY_SPEC_SESSION_KEYRING);

	tmp_dir = mkdtemp(tmp_dir_template);

	if (!ASSERT_OK_PTR(tmp_dir, "mkdtemp"))

		return;

	ret = _run_setup_process(tmp_dir, "setup");

	if (!ASSERT_OK(ret, "_run_setup_process"))

		goto close_prog;

	skel = test_verify_pkcs7_sig__open();

	if (!ASSERT_OK_PTR(skel, "test_verify_pkcs7_sig__open"))

		goto close_prog;

	old_print_cb = libbpf_set_print(libbpf_print_cb);

	ret = test_verify_pkcs7_sig__load(skel);

	libbpf_set_print(old_print_cb);

	if (ret < 0 && kfunc_not_supported) {

		printf(

		  "%s:SKIP:bpf_verify_pkcs7_signature() kfunc not supported\n",

		  __func__);

		test__skip();

		goto close_prog;

	}

	if (!ASSERT_OK(ret, "test_verify_pkcs7_sig__load"))

		goto close_prog;

	ret = test_verify_pkcs7_sig__attach(skel);

	if (!ASSERT_OK(ret, "test_verify_pkcs7_sig__attach"))

		goto close_prog;

	map = bpf_object__find_map_by_name(skel->obj, "data_input");

	if (!ASSERT_OK_PTR(map, "data_input not found"))

		goto close_prog;

	skel->bss->monitored_pid = getpid();

	/* Test without data and signature. */

	skel->bss->user_keyring_serial = KEY_SPEC_SESSION_KEYRING;

	ret = bpf_map_update_elem(bpf_map__fd(map), &zero, &data, BPF_ANY);

	if (!ASSERT_LT(ret, 0, "bpf_map_update_elem data_input"))

		goto close_prog;

	/* Test successful signature verification with session keyring. */

	ret = populate_data_item_str(tmp_dir, &data);

	if (!ASSERT_OK(ret, "populate_data_item_str"))

		goto close_prog;

	ret = bpf_map_update_elem(bpf_map__fd(map), &zero, &data, BPF_ANY);

	if (!ASSERT_OK(ret, "bpf_map_update_elem data_input"))

		goto close_prog;

	/* Test successful signature verification with testing keyring. */

	skel->bss->user_keyring_serial = syscall(__NR_request_key, "keyring",

						 "ebpf_testing_keyring", NULL,

						 KEY_SPEC_SESSION_KEYRING);

	ret = bpf_map_update_elem(bpf_map__fd(map), &zero, &data, BPF_ANY);

	if (!ASSERT_OK(ret, "bpf_map_update_elem data_input"))

		goto close_prog;

	/*

	 * Ensure key_task_permission() is called and rejects the keyring

	 * (no Search permission).

	 */

	syscall(__NR_keyctl, KEYCTL_SETPERM, skel->bss->user_keyring_serial,

		0x37373737);

	ret = bpf_map_update_elem(bpf_map__fd(map), &zero, &data, BPF_ANY);

	if (!ASSERT_LT(ret, 0, "bpf_map_update_elem data_input"))

		goto close_prog;

	syscall(__NR_keyctl, KEYCTL_SETPERM, skel->bss->user_keyring_serial,

		0x3f3f3f3f);

	/*

	 * Ensure key_validate() is called and rejects the keyring (key expired)

	 */

	syscall(__NR_keyctl, KEYCTL_SET_TIMEOUT,

		skel->bss->user_keyring_serial, 1);

	sleep(1);

	ret = bpf_map_update_elem(bpf_map__fd(map), &zero, &data, BPF_ANY);

	if (!ASSERT_LT(ret, 0, "bpf_map_update_elem data_input"))

		goto close_prog;

	skel->bss->user_keyring_serial = KEY_SPEC_SESSION_KEYRING;

	/* Test with corrupted data (signature verification should fail). */

	data.data[0] = 'a';

	ret = bpf_map_update_elem(bpf_map__fd(map), &zero, &data, BPF_ANY);

	if (!ASSERT_LT(ret, 0, "bpf_map_update_elem data_input"))

		goto close_prog;

	ret = populate_data_item_mod(&data);

	if (!ASSERT_OK(ret, "populate_data_item_mod"))

		goto close_prog;

	/* Test signature verification with system keyrings. */

	if (data.data_len) {

		skel->bss->user_keyring_serial = 0;

		skel->bss->system_keyring_id = 0;

		ret = bpf_map_update_elem(bpf_map__fd(map), &zero, &data,

					  BPF_ANY);

		if (!ASSERT_OK(ret, "bpf_map_update_elem data_input"))

			goto close_prog;

		skel->bss->system_keyring_id = VERIFY_USE_SECONDARY_KEYRING;

		ret = bpf_map_update_elem(bpf_map__fd(map), &zero, &data,

					  BPF_ANY);

		if (!ASSERT_OK(ret, "bpf_map_update_elem data_input"))

			goto close_prog;

		skel->bss->system_keyring_id = VERIFY_USE_PLATFORM_KEYRING;

		ret = bpf_map_update_elem(bpf_map__fd(map), &zero, &data,

					  BPF_ANY);

		ASSERT_LT(ret, 0, "bpf_map_update_elem data_input");

	}

close_prog:

	_run_setup_process(tmp_dir, "cleanup");

	if (!skel)

		return;

	skel->bss->monitored_pid = 0;

	test_verify_pkcs7_sig__destroy(skel);

}