[dm-devel] [PATCH 2/2] dm-integrity: disable recalculate due to secrurity reasons

Wed Jan 20 12:58:23 UTC 2021

Disable recalculating if we don't have fix_hmac, the journal hash
algorithm is using a kay and we don't have the "legacy_recalculate" flag.

Signed-off-by: Mikulas Patocka <mpatocka at redhat.com>

Index: linux-2.6/drivers/md/dm-integrity.c
===================================================================

--- linux-2.6.orig/drivers/md/dm-integrity.c
+++ linux-2.6/drivers/md/dm-integrity.c
@@ -262,6 +262,7 @@ struct dm_integrity_c {
 	bool discard;
 	bool fix_padding;
 	bool fix_hmac;
+	bool legacy_recalculate;
 
 	struct alg_spec internal_hash_alg;
 	struct alg_spec journal_crypt_alg;
@@ -389,6 +390,15 @@ static int dm_integrity_failed(struct dm
 	return READ_ONCE(ic->failed);
 }
 
+static bool dm_integrity_disable_recalculate(struct dm_integrity_c *ic)
+{
+	if (!ic->fix_hmac &&
+	     ic->journal_mac_alg.key &&
+	    !ic->legacy_recalculate)
+		return true;
+	return false;
+}
+
 static commit_id_t dm_integrity_commit_id(struct dm_integrity_c *ic, unsigned i,
 					  unsigned j, unsigned char seq)
 {
@@ -3221,6 +3231,7 @@ static void dm_integrity_status(struct d
 		arg_count += !!ic->journal_mac_alg.alg_string;
 		arg_count += (ic->sb->flags & cpu_to_le32(SB_FLAG_FIXED_PADDING)) != 0;
 		arg_count += (ic->sb->flags & cpu_to_le32(SB_FLAG_FIXED_HMAC)) != 0;
+		arg_count += ic->legacy_recalculate;
 		DMEMIT("%s %llu %u %c %u", ic->dev->name, ic->start,
 		       ic->tag_size, ic->mode, arg_count);
 		if (ic->meta_dev)
@@ -3246,6 +3257,8 @@ static void dm_integrity_status(struct d
 			DMEMIT(" fix_padding");
 		if ((ic->sb->flags & cpu_to_le32(SB_FLAG_FIXED_HMAC)) != 0)
 			DMEMIT(" fix_hmac");
+		if (ic->legacy_recalculate)
+			DMEMIT(" legacy_recalculate");
 
 #define EMIT_ALG(a, n)							\
 		do {							\
@@ -3878,7 +3891,7 @@ static int dm_integrity_ctr(struct dm_ta
 	unsigned extra_args;
 	struct dm_arg_set as;
 	static const struct dm_arg _args[] = {
-		{0, 16, "Invalid number of feature args"},
+		{0, 17, "Invalid number of feature args"},
 	};
 	unsigned journal_sectors, interleave_sectors, buffer_sectors, journal_watermark, sync_msec;
 	bool should_write_sb;
@@ -4028,6 +4041,8 @@ static int dm_integrity_ctr(struct dm_ta
 			ic->fix_padding = true;
 		} else if (!strcmp(opt_string, "fix_hmac")) {
 			ic->fix_hmac = true;
+		} else if (!strcmp(opt_string, "legacy_recalculate")) {
+			ic->legacy_recalculate = true;
 		} else {
 			r = -EINVAL;
 			ti->error = "Invalid argument";
@@ -4331,6 +4346,14 @@ try_smaller_buffer:
 		}
 	}
 
+	if (ic->sb->flags & cpu_to_le32(SB_FLAG_RECALCULATING) &&
+	    le64_to_cpu(ic->sb->recalc_sector) < ic->provided_data_sectors &&
+	    dm_integrity_disable_recalculate(ic)) {
+		ti->error = "Recalculating with \"fix_hmac\" is disable for security reasons - if you really need it, use the argument \"legacy_recalculate\"";
+		r = -EOPNOTSUPP;
+		goto bad;
+	}
+
 	ic->bufio = dm_bufio_client_create(ic->meta_dev ? ic->meta_dev->bdev : ic->dev->bdev,
 			1U << (SECTOR_SHIFT + ic->log2_buffer_sectors), 1, 0, NULL, NULL);
 	if (IS_ERR(ic->bufio)) {
Index: linux-2.6/Documentation/admin-guide/device-mapper/dm-integrity.rst
===================================================================
--- linux-2.6.orig/Documentation/admin-guide/device-mapper/dm-integrity.rst
+++ linux-2.6/Documentation/admin-guide/device-mapper/dm-integrity.rst
@@ -128,9 +128,15 @@ internal_hash:algorithm(:key)	(the key i
 
 	You can use a crc algorithm (such as crc32), then integrity target
 	will protect the data against accidental corruption.
-	You can also use a hmac algorithm (for example
-	"hmac(sha256):0123456789abcdef"), in this mode it will provide
-	cryptographic authentication of the data without encryption.
+
+	In order to provide cryptographic authentication of the data
+	without encryption, you need:
+	* the kernel 5.12 and integritysetup 2.3.5
+	* specfiy internal_hash as a hmac function with a key, for example
+	  hmac(sha256):0123456789abcdef
+	* specify journal_hash as a hmac function with a key, for example
+	  hmac(sha256):0123456789abcdef
+	* specify the fix_hmac argument
 
 	When this argument is not used, the integrity tags are accepted
 	from an upper layer target, such as dm-crypt. The upper layer


