// SPDX-License-Identifier: GPL-2.0
/*
* Copyright (C) 2020-2024 Microsoft Corporation. All rights reserved.
*/
#include <linux/err.h>
#include <linux/slab.h>
#include <linux/parser.h>
#include <linux/types.h>
#include <linux/ctype.h>
#include "policy.h"
#include "policy_parser.h"
#include "digest.h"
#define START_COMMENT '#'
#define IPE_POLICY_DELIM " \t"
#define IPE_LINE_DELIM "\n\r"
/**
* new_parsed_policy() - Allocate and initialize a parsed policy.
*
* Return:
* * a pointer to the ipe_parsed_policy structure - Success
* * %-ENOMEM - Out of memory (OOM)
*/
static struct ipe_parsed_policy *new_parsed_policy(void)
{
struct ipe_parsed_policy *p = NULL;
struct ipe_op_table *t = NULL;
size_t i = 0;
p = kzalloc(sizeof(*p), GFP_KERNEL);
if (!p)
return ERR_PTR(-ENOMEM);
p->global_default_action = IPE_ACTION_INVALID;
for (i = 0; i < ARRAY_SIZE(p->rules); ++i) {
t = &p->rules[i];
t->default_action = IPE_ACTION_INVALID;
INIT_LIST_HEAD(&t->rules);
}
return p;
}
/**
* remove_comment() - Truncate all chars following START_COMMENT in a string.
*
* @line: Supplies a policy line string for preprocessing.
*/
static void remove_comment(char *line)
{
line = strchr(line, START_COMMENT);
if (line)
*line = '\0';
}
/**
* remove_trailing_spaces() - Truncate all trailing spaces in a string.
*
* @line: Supplies a policy line string for preprocessing.
*
* Return: The length of truncated string.
*/
static size_t remove_trailing_spaces(char *line)
{
size_t i = 0;
i = strlen(line);
while (i > 0 && isspace(line[i - 1]))
i--;
line[i] = '\0';
return i;
}
/**
* parse_version() - Parse policy version.
* @ver: Supplies a version string to be parsed.
* @p: Supplies the partial parsed policy.
*
* Return:
* * %0 - Success
* * %-EBADMSG - Version string is invalid
* * %-ERANGE - Version number overflow
* * %-EINVAL - Parsing error
*/
static int parse_version(char *ver, struct ipe_parsed_policy *p)
{
u16 *const cv[] = { &p->version.major, &p->version.minor, &p->version.rev };
size_t sep_count = 0;
char *token;
int rc = 0;
while ((token = strsep(&ver, ".")) != NULL) {
/* prevent overflow */
if (sep_count >= ARRAY_SIZE(cv))
return -EBADMSG;
rc = kstrtou16(token, 10, cv[sep_count]);
if (rc)
return rc;
++sep_count;
}
/* prevent underflow */
if (sep_count != ARRAY_SIZE(cv))
return -EBADMSG;
return 0;
}
enum header_opt {
IPE_HEADER_POLICY_NAME = 0,
IPE_HEADER_POLICY_VERSION,
__IPE_HEADER_MAX
};
static const match_table_t header_tokens = {
{IPE_HEADER_POLICY_NAME, "policy_name=%s"},
{IPE_HEADER_POLICY_VERSION, "policy_version=%s"},
{__IPE_HEADER_MAX, NULL}
};
/**
* parse_header() - Parse policy header information.
* @line: Supplies header line to be parsed.
* @p: Supplies the partial parsed policy.
*
* Return:
* * %0 - Success
* * %-EBADMSG - Header string is invalid
* * %-ENOMEM - Out of memory (OOM)
* * %-ERANGE - Version number overflow
* * %-EINVAL - Version parsing error
*/
static int parse_header(char *line, struct ipe_parsed_policy *p)
{
substring_t args[MAX_OPT_ARGS];
char *t, *ver = NULL;
size_t idx = 0;
int rc = 0;
while ((t = strsep(&line, IPE_POLICY_DELIM)) != NULL) {
int token;
if (*t == '\0')
continue;
if (idx >= __IPE_HEADER_MAX) {
rc = -EBADMSG;
goto out;
}
token = match_token(t, header_tokens, args);
if (token != idx) {
rc = -EBADMSG;
goto out;
}
switch (token) {
case IPE_HEADER_POLICY_NAME:
p->name = match_strdup(&args[0]);
if (!p->name)
rc = -ENOMEM;
break;
case IPE_HEADER_POLICY_VERSION:
ver = match_strdup(&args[0]);
if (!ver) {
rc = -ENOMEM;
break;
}
rc = parse_version(ver, p);
break;
default:
rc = -EBADMSG;
}
if (rc)
goto out;
++idx;
}
if (idx != __IPE_HEADER_MAX)
rc = -EBADMSG;
out:
kfree(ver);
return rc;
}
/**
* token_default() - Determine if the given token is "DEFAULT".
* @token: Supplies the token string to be compared.
*
* Return:
* * %false - The token is not "DEFAULT"
* * %true - The token is "DEFAULT"
*/
static bool token_default(char *token)
{
return !strcmp(token, "DEFAULT");
}
/**
* free_rule() - Free the supplied ipe_rule struct.
* @r: Supplies the ipe_rule struct to be freed.
*
* Free a ipe_rule struct @r. Note @r must be removed from any lists before
* calling this function.
*/
static void free_rule(struct ipe_rule *r)
{
struct ipe_prop *p, *t;
if (IS_ERR_OR_NULL(r))
return;
list_for_each_entry_safe(p, t, &r->props, next) {
list_del(&p->next);
ipe_digest_free(p->value);
kfree(p);
}
kfree(r);
}
static const match_table_t operation_tokens = {
{IPE_OP_EXEC, "op=EXECUTE"},
{IPE_OP_FIRMWARE, "op=FIRMWARE"},
{IPE_OP_KERNEL_MODULE, "op=KMODULE"},
{IPE_OP_KEXEC_IMAGE, "op=KEXEC_IMAGE"},
{IPE_OP_KEXEC_INITRAMFS, "op=KEXEC_INITRAMFS"},
{IPE_OP_POLICY, "op=POLICY"},
{IPE_OP_X509, "op=X509_CERT"},
{IPE_OP_INVALID, NULL}
};
/**
* parse_operation() - Parse the operation type given a token string.
* @t: Supplies the token string to be parsed.
*
* Return: The parsed operation type.
*/
static enum ipe_op_type parse_operation(char *t)
{
substring_t args[MAX_OPT_ARGS];
return match_token(t, operation_tokens, args);
}
static const match_table_t action_tokens = {
{IPE_ACTION_ALLOW, "action=ALLOW"},
{IPE_ACTION_DENY, "action=DENY"},
{IPE_ACTION_INVALID, NULL}
};
/**
* parse_action() - Parse the action type given a token string.
* @t: Supplies the token string to be parsed.
*
* Return: The parsed action type.
*/
static enum ipe_action_type parse_action(char *t)
{
substring_t args[MAX_OPT_ARGS];
return match_token(t, action_tokens, args);
}
static const match_table_t property_tokens = {
{IPE_PROP_BOOT_VERIFIED_FALSE, "boot_verified=FALSE"},
{IPE_PROP_BOOT_VERIFIED_TRUE, "boot_verified=TRUE"},
{IPE_PROP_DMV_ROOTHASH, "dmverity_roothash=%s"},
{IPE_PROP_DMV_SIG_FALSE, "dmverity_signature=FALSE"},
{IPE_PROP_DMV_SIG_TRUE, "dmverity_signature=TRUE"},
{IPE_PROP_FSV_DIGEST, "fsverity_digest=%s"},
{IPE_PROP_FSV_SIG_FALSE, "fsverity_signature=FALSE"},
{IPE_PROP_FSV_SIG_TRUE, "fsverity_signature=TRUE"},
{IPE_PROP_INVALID, NULL}
};
/**
* parse_property() - Parse a rule property given a token string.
* @t: Supplies the token string to be parsed.
* @r: Supplies the ipe_rule the parsed property will be associated with.
*
* This function parses and associates a property with an IPE rule based
* on a token string.
*
* Return:
* * %0 - Success
* * %-ENOMEM - Out of memory (OOM)
* * %-EBADMSG - The supplied token cannot be parsed
*/
static int parse_property(char *t, struct ipe_rule *r)
{
substring_t args[MAX_OPT_ARGS];
struct ipe_prop *p = NULL;
int rc = 0;
int token;
char *dup = NULL;
p = kzalloc(sizeof(*p), GFP_KERNEL);
if (!p)
return -ENOMEM;
token = match_token(t, property_tokens, args);
switch (token) {
case IPE_PROP_DMV_ROOTHASH:
case IPE_PROP_FSV_DIGEST:
dup = match_strdup(&args[0]);
if (!dup) {
rc = -ENOMEM;
goto err;
}
p->value = ipe_digest_parse(dup);
if (IS_ERR(p->value)) {
rc = PTR_ERR(p->value);
goto err;
}
fallthrough;
case IPE_PROP_BOOT_VERIFIED_FALSE:
case IPE_PROP_BOOT_VERIFIED_TRUE:
case IPE_PROP_DMV_SIG_FALSE:
case IPE_PROP_DMV_SIG_TRUE:
case IPE_PROP_FSV_SIG_FALSE:
case IPE_PROP_FSV_SIG_TRUE:
p->type = token;
break;
default:
rc = -EBADMSG;
break;
}
if (rc)
goto err;
list_add_tail(&p->next, &r->props);
out:
kfree(dup);
return rc;
err:
kfree(p);
goto out;
}
/**
* parse_rule() - parse a policy rule line.
* @line: Supplies rule line to be parsed.
* @p: Supplies the partial parsed policy.
*
* Return:
* * 0 - Success
* * %-ENOMEM - Out of memory (OOM)
* * %-EBADMSG - Policy syntax error
*/
static int parse_rule(char *line, struct ipe_parsed_policy *p)
{
enum ipe_action_type action = IPE_ACTION_INVALID;
enum ipe_op_type op = IPE_OP_INVALID;
bool is_default_rule = false;
struct ipe_rule *r = NULL;
bool first_token = true;
bool op_parsed = false;
int rc = 0;
char *t;
if (IS_ERR_OR_NULL(line))
return -EBADMSG;
r = kzalloc(sizeof(*r), GFP_KERNEL);
if (!r)
return -ENOMEM;
INIT_LIST_HEAD(&r->next);
INIT_LIST_HEAD(&r->props);
while (t = strsep(&line, IPE_POLICY_DELIM), line) {
if (*t == '\0')
continue;
if (first_token && token_default(t)) {
is_default_rule = true;
} else {
if (!op_parsed) {
op = parse_operation(t);
if (op == IPE_OP_INVALID)
rc = -EBADMSG;
else
op_parsed = true;
} else {
rc = parse_property(t, r);
}
}
if (rc)
goto err;
first_token = false;
}
action = parse_action(t);
if (action == IPE_ACTION_INVALID) {
rc = -EBADMSG;
goto err;
}
if (is_default_rule) {
if (!list_empty(&r->props)) {
rc = -EBADMSG;
} else if (op == IPE_OP_INVALID) {
if (p->global_default_action != IPE_ACTION_INVALID)
rc = -EBADMSG;
else
p->global_default_action = action;
} else {
if (p->rules[op].default_action != IPE_ACTION_INVALID)
rc = -EBADMSG;
else
p->rules[op].default_action = action;
}
} else if (op != IPE_OP_INVALID && action != IPE_ACTION_INVALID) {
r->op = op;
r->action = action;
} else {
rc = -EBADMSG;
}
if (rc)
goto err;
if (!is_default_rule)
list_add_tail(&r->next, &p->rules[op].rules);
else
free_rule(r);
return rc;
err:
free_rule(r);
return rc;
}
/**
* ipe_free_parsed_policy() - free a parsed policy structure.
* @p: Supplies the parsed policy.
*/
void ipe_free_parsed_policy(struct ipe_parsed_policy *p)
{
struct ipe_rule *pp, *t;
size_t i = 0;
if (IS_ERR_OR_NULL(p))
return;
for (i = 0; i < ARRAY_SIZE(p->rules); ++i)
list_for_each_entry_safe(pp, t, &p->rules[i].rules, next) {
list_del(&pp->next);
free_rule(pp);
}
kfree(p->name);
kfree(p);
}
/**
* validate_policy() - validate a parsed policy.
* @p: Supplies the fully parsed policy.
*
* Given a policy structure that was just parsed, validate that all
* operations have their default rules or a global default rule is set.
*
* Return:
* * %0 - Success
* * %-EBADMSG - Policy is invalid
*/
static int validate_policy(const struct ipe_parsed_policy *p)
{
size_t i = 0;
if (p->global_default_action != IPE_ACTION_INVALID)
return 0;
for (i = 0; i < ARRAY_SIZE(p->rules); ++i) {
if (p->rules[i].default_action == IPE_ACTION_INVALID)
return -EBADMSG;
}
return 0;
}
/**
* ipe_parse_policy() - Given a string, parse the string into an IPE policy.
* @p: partially filled ipe_policy structure to populate with the result.
* it must have text and textlen set.
*
* Return:
* * %0 - Success
* * %-EBADMSG - Policy is invalid
* * %-ENOMEM - Out of Memory
* * %-ERANGE - Policy version number overflow
* * %-EINVAL - Policy version parsing error
*/
int ipe_parse_policy(struct ipe_policy *p)
{
struct ipe_parsed_policy *pp = NULL;
char *policy = NULL, *dup = NULL;
bool header_parsed = false;
char *line = NULL;
size_t len;
int rc = 0;
if (!p->textlen)
return -EBADMSG;
policy = kmemdup_nul(p->text, p->textlen, GFP_KERNEL);
if (!policy)
return -ENOMEM;
dup = policy;
pp = new_parsed_policy();
if (IS_ERR(pp)) {
rc = PTR_ERR(pp);
goto out;
}
while ((line = strsep(&policy, IPE_LINE_DELIM)) != NULL) {
remove_comment(line);
len = remove_trailing_spaces(line);
if (!len)
continue;
if (!header_parsed) {
rc = parse_header(line, pp);
if (rc)
goto err;
header_parsed = true;
} else {
rc = parse_rule(line, pp);
if (rc)
goto err;
}
}
if (!header_parsed || validate_policy(pp)) {
rc = -EBADMSG;
goto err;
}
p->parsed = pp;
out:
kfree(dup);
return rc;
err:
ipe_free_parsed_policy(pp);
goto out;
}