
[image] Add concept of trusted images

Trusted images may always be executed.  Untrusted images may be
executed only if the current image trust requirement allows untrusted
images.

Images can be marked as trusted using image_trust(), and marked as
untrusted using image_untrust().

The current image trust requirement can be changed using
image_set_trust().  It is possible to make the change permanent, in
which case any future attempts to change the image trust requirement
will fail.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
tags/v1.20.1
Michael Brown 13 years ago
parent
commit
97dcc824bf
3 changed files with 70 additions and 0 deletions
  1. 46
    0
      src/core/image.c
  2. 22
    0
      src/include/ipxe/image.h
  3. 2
    0
      src/usr/imgmgmt.c

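--- a/src/core/image.c
+++ b/src/core/image.c
@@ -36,12 +36,28 @@ FILE_LICENCE ( GPL2_OR_LATER );
  *
  */
 
+/* Disambiguate the various error causes */
+#define EACCES_UNTRUSTED \
+	__einfo_error ( EINFO_EACCES_UNTRUSTED )
+#define EINFO_EACCES_UNTRUSTED \
+	__einfo_uniqify ( EINFO_EACCES, 0x01, "Untrusted image" )
+#define EACCES_PERMANENT \
+	__einfo_error ( EINFO_EACCES_PERMANENT )
+#define EINFO_EACCES_PERMANENT \
+	__einfo_uniqify ( EINFO_EACCES, 0x02, "Trust requirement is permanent" )
+
 /** List of registered images */
 struct list_head images = LIST_HEAD_INIT ( images );
 
 /** Currently-executing image */
 struct image *current_image;
 
+/** Current image trust requirement */
+static int require_trusted_images = 0;
+
+/** Prevent changes to image trust requirement */
+static int require_trusted_images_permanent = 0;
+
 /**
  * Free executable image
  *
@@ -228,6 +244,12 @@ int image_exec ( struct image *image ) {
 	if ( ( rc = image_select ( image ) ) != 0 )
 		return rc;
 
+	/* Check that image is trusted (if applicable) */
+	if ( require_trusted_images && ! ( image->flags & IMAGE_TRUSTED ) ) {
+		DBGC ( image, "IMAGE %s is not trusted\n", image->name );
+		return -EACCES_UNTRUSTED;
+	}
+
 	/* Switch current working directory to be that of the image itself */
 	old_cwuri = uri_get ( cwuri );
 	churi ( image->uri );
@@ -355,3 +377,27 @@ struct image * image_find_selected ( void ) {
 	}
 	return NULL;
 }
+
+/**
+ * Change image trust requirement
+ *
+ * @v require_trusted	Require trusted images
+ * @v permanent		Make trust requirement permanent
+ * @ret rc		Return status code
+ */
+int image_set_trust ( int require_trusted, int permanent ) {
+
+	/* Update trust requirement, if permitted to do so */
+	if ( ! require_trusted_images_permanent ) {
+		require_trusted_images = require_trusted;
+		require_trusted_images_permanent = permanent;
+	}
+
+	/* Fail if we attempted to change the trust requirement but
+	 * were not permitted to do so.
+	 */
+	if ( require_trusted_images != require_trusted )
+		return -EACCES_PERMANENT;
+
+	return 0;
+}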
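Review bot: `image_set_trust()` compares the raw integer arguments against the stored value, so once the requirement is permanent a caller passing a different non-zero value (e.g. `image_set_trust ( 2, 0 )` after `image_set_trust ( 1, 1 )`) is reported as a denied change although the effective requirement is identical; normalising both sides avoids this: store `require_trusted_images = ( !! require_trusted );` and compare with `if ( ( !! require_trusted_images ) != ( !! require_trusted ) )`. Conversely, a call that matches the stored requirement but passes `permanent = 0` returns 0 while the requirement stays permanent, so the docstring should say the flag is one-way, e.g. `@v permanent		Make trust requirement permanent (cannot be reverted)`. In the `image_exec()` hunk the trust check runs after `image_select()` has already succeeded, so a rejected untrusted image presumably remains the selected image; if that is not intended, the check should precede the `image_select()` call. The body of `image_exec()` continues outside the hunk.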

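--- a/src/include/ipxe/image.h
+++ b/src/include/ipxe/image.h
@@ -64,6 +64,9 @@ struct image {
 /** Image is selected for execution */
 #define IMAGE_SELECTED 0x0002
 
+/** Image is trusted */
+#define IMAGE_TRUSTED 0x0004
+
 /** An executable image type */
 struct image_type {
 	/** Name of this image type */
@@ -148,6 +151,7 @@ extern int image_exec ( struct image *image );
 extern int image_replace ( struct image *replacement );
 extern int image_select ( struct image *image );
 extern struct image * image_find_selected ( void );
+extern int image_set_trust ( int require_trusted, int permanent );
 
 /**
  * Increment reference count on an image
@@ -181,4 +185,22 @@ static inline int image_set_name ( struct image *image, const char *name ) {
 	return 0;
 }
 
+/**
+ * Set image as trusted
+ *
+ * @v image		Image
+ */
+static inline void image_trust ( struct image *image ) {
+	image->flags |= IMAGE_TRUSTED;
+}
+
+/**
+ * Set image as untrusted
+ *
+ * @v image		Image
+ */
+static inline void image_untrust ( struct image *image ) {
+	image->flags &= ~IMAGE_TRUSTED;
+}
+
 #endif /* _IPXE_IMAGE_H */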

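--- a/src/usr/imgmgmt.c
+++ b/src/usr/imgmgmt.c
@@ -140,6 +140,8 @@ void imgstat ( struct image *image ) {
 	printf ( "%s : %zd bytes", image->name, image->len );
 	if ( image->type )
 		printf ( " [%s]", image->type->name );
+	if ( image->flags & IMAGE_TRUSTED )
+		printf ( " [TRUSTED]" );
 	if ( image->flags & IMAGE_SELECTED )
 		printf ( " [SELECTED]" );
 	if ( image->cmdline )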
