Revert "Revert "ANDROID: GKI: Add module load time protected symbol l…

…ookup"" This reverts commit 5e1f58c. Reason for revert: Presubmit breakage has been addressed by aosp/1946327 Bug: 200082547 Bug: 214445388 Change-Id: I2be3fedba240eac3bab67a96566f4103deb7bc24 Signed-off-by: Ramji Jiyani <ramjiyani@google.com>
ammarfaizi2 · Jan 14, 2022 · 5ffc4c2275478f8d4c17795dc5f1b552559fff26 · 5ffc4c2
1 parent 2c9f5bc
commit 5ffc4c2275478f8d4c17795dc5f1b552559fff26
Show file tree

Hide file tree

Showing 9 changed files with 119 additions and 1 deletion.
diff --git a/android/abi_gki_modules_exports b/android/abi_gki_modules_exports
@@ -0,0 +1 @@
+[abi_symbol_list]
diff --git a/android/abi_gki_modules_protected b/android/abi_gki_modules_protected
@@ -0,0 +1 @@
+[abi_symbol_list]
diff --git a/arch/arm64/configs/gki_defconfig b/arch/arm64/configs/gki_defconfig
@@ -94,6 +94,8 @@ CONFIG_MODULES=y
 CONFIG_MODULE_UNLOAD=y
 CONFIG_MODVERSIONS=y
 CONFIG_MODULE_SCMVERSION=y
+CONFIG_MODULE_SIG=y
+CONFIG_MODULE_SIG_PROTECT=y
 CONFIG_BLK_INLINE_ENCRYPTION=y
 CONFIG_BLK_INLINE_ENCRYPTION_FALLBACK=y
 CONFIG_IOSCHED_BFQ=y

diff --git a/arch/x86/configs/gki_defconfig b/arch/x86/configs/gki_defconfig
@@ -76,6 +76,8 @@ CONFIG_MODULES=y
 CONFIG_MODULE_UNLOAD=y
 CONFIG_MODVERSIONS=y
 CONFIG_MODULE_SCMVERSION=y
+CONFIG_MODULE_SIG=y
+CONFIG_MODULE_SIG_PROTECT=y
 CONFIG_BLK_INLINE_ENCRYPTION=y
 CONFIG_BLK_INLINE_ENCRYPTION_FALLBACK=y
 CONFIG_IOSCHED_BFQ=y

diff --git a/init/Kconfig b/init/Kconfig
@@ -2197,6 +2197,20 @@ config MODULE_SIG_FORCE
 	  Reject unsigned modules or signed modules for which we don't have a
 	  key.  Without this, such modules will simply taint the kernel.
 
+config MODULE_SIG_PROTECT
+	bool "Android GKI module protection"
+	depends on MODULE_SIG && !MODULE_SIG_FORCE
+	select MODULE_SIG_ALL
+	help
+	  Enables Android GKI symbol and export protection support.
+
+	  This modifies the behavior of the MODULE_SIG_FORCE as follows:
+	  - Allows Android GKI Modules signed using MODULE_SIG_ALL during build.
+	  - Allows other modules to load if they don't violate the access to
+	    Android GKI protected symbols and do not export the symbols already
+	    exported by the Android GKI modules. Loading will fail and return
+	    -EACCES (Permission denied) if symbol access contidions are not met.
+
 config MODULE_SIG_ALL
 	bool "Automatically sign all modules"
 	default y

diff --git a/kernel/Makefile b/kernel/Makefile
@@ -69,6 +69,7 @@ obj-$(CONFIG_UID16) += uid16.o
 obj-$(CONFIG_MODULES) += module.o
 obj-$(CONFIG_MODULE_SIG) += module_signing.o
 obj-$(CONFIG_MODULE_SIG_FORMAT) += module_signature.o
+obj-$(CONFIG_MODULE_SIG_PROTECT) += gki_module.o
 obj-$(CONFIG_KALLSYMS) += kallsyms.o
 obj-$(CONFIG_BSD_PROCESS_ACCT) += acct.o
 obj-$(CONFIG_CRASH_CORE) += crash_core.o
@@ -158,3 +159,19 @@ $(obj)/kheaders_data.tar.xz: FORCE
 	$(call cmd,genikh)
 
 clean-files := kheaders_data.tar.xz kheaders.md5
+
+#
+# ANDROID: GKI: Generate headerfiles required for gki_module.o
+#
+# Dependencies on generated files need to be listed explicitly
+$(obj)/gki_module.o: $(obj)/gki_module_protected.h $(obj)/gki_module_exported.h
+
+$(obj)/gki_module_protected.h: $(srctree)/android/abi_gki_modules_protected \
+				$(srctree)/scripts/gen_gki_modules_headers.sh
+	$(Q)$(CONFIG_SHELL) $(srctree)/scripts/gen_gki_modules_headers.sh $@ \
+	"$(srctree)"
+
+$(obj)/gki_module_exported.h: $(srctree)/android/abi_gki_modules_exports \
+				$(srctree)/scripts/gen_gki_modules_headers.sh
+	$(Q)$(CONFIG_SHELL) $(srctree)/scripts/gen_gki_modules_headers.sh $@ \
+	"$(srctree)"
diff --git a/kernel/gki_module.c b/kernel/gki_module.c
@@ -0,0 +1,50 @@
+// SPDX-License-Identifier: GPL-2.0-only
+/*
+ * Copyright 2021 Google LLC
+ * Author: ramjiyani@google.com (Ramji Jiyani)
+ */
+
+#include <linux/bsearch.h>
+#include <linux/errno.h>
+#include <linux/kernel.h>
+#include <linux/printk.h>
+#include <linux/string.h>
+
+/*
+ * Build time generated header files
+ *
+ * gki_module_exported.h -- Symbols protected from _export_ by unsigned modules
+ * gki_module_protected.h -- Symbols protected from _access_ by unsigned modules
+ */
+#include "gki_module_protected.h"
+#include "gki_module_exported.h"
+
+#define MAX_STRCMP_LEN (max(MAX_PROTECTED_NAME_LEN, MAX_EXPORTED_NAME_LEN))
+
+/* bsearch() comparision callback */
+static int cmp_name(const void *sym, const void *protected_sym)
+{
+	return strncmp(sym, protected_sym, MAX_STRCMP_LEN);
+}
+
+/**
+ * gki_is_module_protected_symbol - Is a symbol protected from unsigned module?
+ *
+ * @name:	Symbol being checked against protection from unsigned module
+ */
+bool gki_is_module_protected_symbol(const char *name)
+{
+	return bsearch(name, gki_protected_symbols, NO_OF_PROTECTED_SYMBOLS,
+		       MAX_PROTECTED_NAME_LEN, cmp_name) != NULL;
+}
+
+/**
+ * gki_is_module_exported_symbol - Is a symbol exported from a GKI module?
+ *
+ * @name:	Symbol being checked against exported symbols from GKI modules
+ */
+bool gki_is_module_exported_symbol(const char *name)
+{
+	return bsearch(name, gki_exported_symbols, NO_OF_EXPORTED_SYMBOLS,
+		       MAX_EXPORTED_NAME_LEN, cmp_name) != NULL;
+}
diff --git a/kernel/module-internal.h b/kernel/module-internal.h
@@ -29,3 +29,17 @@ struct load_info {
 };
 
 extern int mod_verify_sig(const void *mod, struct load_info *info);
+
+#ifdef CONFIG_MODULE_SIG_PROTECT
+extern bool gki_is_module_exported_symbol(const char *name);
+extern bool gki_is_module_protected_symbol(const char *name);
+#else
+static inline bool gki_is_module_exported_symbol(const char *name)
+{
+	return 0;
+}
+static inline bool gki_is_module_protected_symbol(const char *name)
+{
+	return 0;
+}
+#endif /* CONFIG_MODULE_SIG_PROTECT */
diff --git a/kernel/module.c b/kernel/module.c
@@ -271,7 +271,7 @@ static void module_assert_mutex_or_preempt(void)
 #endif
 }
 
-#ifdef CONFIG_MODULE_SIG
+#if defined(CONFIG_MODULE_SIG) && !defined(CONFIG_MODULE_SIG_PROTECT)
 static bool sig_enforce = IS_ENABLED(CONFIG_MODULE_SIG_FORCE);
 module_param(sig_enforce, bool_enable_only, 0644);
 
@@ -2267,6 +2267,14 @@ static int verify_exported_symbols(struct module *mod)
 				.name	= kernel_symbol_name(s),
 				.gplok	= true,
 			};
+
+			if (!mod->sig_ok && gki_is_module_exported_symbol(
+						    kernel_symbol_name(s))) {
+				pr_err("%s: exporting protected symbol(%s)\n",
+				       mod->name, kernel_symbol_name(s));
+				return -EACCES;
+			}
+
 			if (find_symbol(&fsa)) {
 				pr_err("%s: exports duplicate symbol %s"
 				       " (owned by %s)\n",
@@ -2334,6 +2342,13 @@ static int simplify_symbols(struct module *mod, const struct load_info *info)
 			break;
 
 		case SHN_UNDEF:
+			if (!mod->sig_ok &&
+			    gki_is_module_protected_symbol(name)) {
+				pr_err("%s: is not an Android GKI signed module. It can not access protected symbol: %s\n",
+				       mod->name, name);
+				return -EACCES;
+			}
+
 			ksym = resolve_symbol_wait(mod, info, name);
 			/* Ok if resolved.  */
 			if (ksym && !IS_ERR(ksym)) {
@@ -4060,6 +4075,8 @@ static int load_module(struct load_info *info, const char __user *uargs,
 			       "kernel\n", mod->name);
 		add_taint_module(mod, TAINT_UNSIGNED_MODULE, LOCKDEP_STILL_OK);
 	}
+#else
+	mod->sig_ok = 0;
 #endif
 
 	/* To avoid stressing percpu allocator, do this once we're unique. */