1
// SPDX-License-Identifier: GPL-2.0
2
/*
3
 * Copyright (C) 2020-2024 Microsoft Corporation. All rights reserved.
4
 */
5

6
#include <linux/err.h>
7
#include <linux/slab.h>
8
#include <linux/parser.h>
9
#include <linux/types.h>
10
#include <linux/ctype.h>
11

12
#include "policy.h"
13
#include "policy_parser.h"
14
#include "digest.h"
15

16
#define START_COMMENT	'#'
17
#define IPE_POLICY_DELIM " \t"
18
#define IPE_LINE_DELIM "\n\r"
19

20
/**
21
 * new_parsed_policy() - Allocate and initialize a parsed policy.
22
 *
23
 * Return:
24
 * * a pointer to the ipe_parsed_policy structure	- Success
25
 * * %-ENOMEM						- Out of memory (OOM)
26
 */
27
static struct ipe_parsed_policy *new_parsed_policy(void)
28
{
29
	struct ipe_parsed_policy *p = NULL;
30
	struct ipe_op_table *t = NULL;
31
	size_t i = 0;
32

33
	p = kzalloc(sizeof(*p), GFP_KERNEL);
34
	if (!p)
35
		return ERR_PTR(-ENOMEM);
36

37
	p->global_default_action = IPE_ACTION_INVALID;
38

39
	for (i = 0; i < ARRAY_SIZE(p->rules); ++i) {
40
		t = &p->rules[i];
41

42
		t->default_action = IPE_ACTION_INVALID;
43
		INIT_LIST_HEAD(&t->rules);
44
	}
45

46
	return p;
47
}
48

49
/**
50
 * remove_comment() - Truncate all chars following START_COMMENT in a string.
51
 *
52
 * @line: Supplies a policy line string for preprocessing.
53
 */
54
static void remove_comment(char *line)
55
{
56
	line = strchr(line, START_COMMENT);
57

58
	if (line)
59
		*line = '\0';
60
}
61

62
/**
63
 * remove_trailing_spaces() - Truncate all trailing spaces in a string.
64
 *
65
 * @line: Supplies a policy line string for preprocessing.
66
 *
67
 * Return: The length of truncated string.
68
 */
69
static size_t remove_trailing_spaces(char *line)
70
{
71
	size_t i = 0;
72

73
	i = strlen(line);
74
	while (i > 0 && isspace(line[i - 1]))
75
		i--;
76

77
	line[i] = '\0';
78

79
	return i;
80
}
81

82
/**
83
 * parse_version() - Parse policy version.
84
 * @ver: Supplies a version string to be parsed.
85
 * @p: Supplies the partial parsed policy.
86
 *
87
 * Return:
88
 * * %0		- Success
89
 * * %-EBADMSG	- Version string is invalid
90
 * * %-ERANGE	- Version number overflow
91
 * * %-EINVAL	- Parsing error
92
 */
93
static int parse_version(char *ver, struct ipe_parsed_policy *p)
94
{
95
	u16 *const cv[] = { &p->version.major, &p->version.minor, &p->version.rev };
96
	size_t sep_count = 0;
97
	char *token;
98
	int rc = 0;
99

100
	while ((token = strsep(&ver, ".")) != NULL) {
101
		/* prevent overflow */
102
		if (sep_count >= ARRAY_SIZE(cv))
103
			return -EBADMSG;
104

105
		rc = kstrtou16(token, 10, cv[sep_count]);
106
		if (rc)
107
			return rc;
108

109
		++sep_count;
110
	}
111

112
	/* prevent underflow */
113
	if (sep_count != ARRAY_SIZE(cv))
114
		return -EBADMSG;
115

116
	return 0;
117
}
118

119
enum header_opt {
120
	IPE_HEADER_POLICY_NAME = 0,
121
	IPE_HEADER_POLICY_VERSION,
122
	__IPE_HEADER_MAX
123
};
124

125
static const match_table_t header_tokens = {
126
	{IPE_HEADER_POLICY_NAME,	"policy_name=%s"},
127
	{IPE_HEADER_POLICY_VERSION,	"policy_version=%s"},
128
	{__IPE_HEADER_MAX,		NULL}
129
};
130

131
/**
132
 * parse_header() - Parse policy header information.
133
 * @line: Supplies header line to be parsed.
134
 * @p: Supplies the partial parsed policy.
135
 *
136
 * Return:
137
 * * %0		- Success
138
 * * %-EBADMSG	- Header string is invalid
139
 * * %-ENOMEM	- Out of memory (OOM)
140
 * * %-ERANGE	- Version number overflow
141
 * * %-EINVAL	- Version parsing error
142
 */
143
static int parse_header(char *line, struct ipe_parsed_policy *p)
144
{
145
	substring_t args[MAX_OPT_ARGS];
146
	char *t, *ver = NULL;
147
	size_t idx = 0;
148
	int rc = 0;
149

150
	while ((t = strsep(&line, IPE_POLICY_DELIM)) != NULL) {
151
		int token;
152

153
		if (*t == '\0')
154
			continue;
155
		if (idx >= __IPE_HEADER_MAX) {
156
			rc = -EBADMSG;
157
			goto out;
158
		}
159

160
		token = match_token(t, header_tokens, args);
161
		if (token != idx) {
162
			rc = -EBADMSG;
163
			goto out;
164
		}
165

166
		switch (token) {
167
		case IPE_HEADER_POLICY_NAME:
168
			p->name = match_strdup(&args[0]);
169
			if (!p->name)
170
				rc = -ENOMEM;
171
			break;
172
		case IPE_HEADER_POLICY_VERSION:
173
			ver = match_strdup(&args[0]);
174
			if (!ver) {
175
				rc = -ENOMEM;
176
				break;
177
			}
178
			rc = parse_version(ver, p);
179
			break;
180
		default:
181
			rc = -EBADMSG;
182
		}
183
		if (rc)
184
			goto out;
185
		++idx;
186
	}
187

188
	if (idx != __IPE_HEADER_MAX)
189
		rc = -EBADMSG;
190

191
out:
192
	kfree(ver);
193
	return rc;
194
}
195

196
/**
197
 * token_default() - Determine if the given token is "DEFAULT".
198
 * @token: Supplies the token string to be compared.
199
 *
200
 * Return:
201
 * * %false	- The token is not "DEFAULT"
202
 * * %true	- The token is "DEFAULT"
203
 */
204
static bool token_default(char *token)
205
{
206
	return !strcmp(token, "DEFAULT");
207
}
208

209
/**
210
 * free_rule() - Free the supplied ipe_rule struct.
211
 * @r: Supplies the ipe_rule struct to be freed.
212
 *
213
 * Free a ipe_rule struct @r. Note @r must be removed from any lists before
214
 * calling this function.
215
 */
216
static void free_rule(struct ipe_rule *r)
217
{
218
	struct ipe_prop *p, *t;
219

220
	if (IS_ERR_OR_NULL(r))
221
		return;
222

223
	list_for_each_entry_safe(p, t, &r->props, next) {
224
		list_del(&p->next);
225
		ipe_digest_free(p->value);
226
		kfree(p);
227
	}
228

229
	kfree(r);
230
}
231

232
static const match_table_t operation_tokens = {
233
	{IPE_OP_EXEC,			"op=EXECUTE"},
234
	{IPE_OP_FIRMWARE,		"op=FIRMWARE"},
235
	{IPE_OP_KERNEL_MODULE,		"op=KMODULE"},
236
	{IPE_OP_KEXEC_IMAGE,		"op=KEXEC_IMAGE"},
237
	{IPE_OP_KEXEC_INITRAMFS,	"op=KEXEC_INITRAMFS"},
238
	{IPE_OP_POLICY,			"op=POLICY"},
239
	{IPE_OP_X509,			"op=X509_CERT"},
240
	{IPE_OP_INVALID,		NULL}
241
};
242

243
/**
244
 * parse_operation() - Parse the operation type given a token string.
245
 * @t: Supplies the token string to be parsed.
246
 *
247
 * Return: The parsed operation type.
248
 */
249
static enum ipe_op_type parse_operation(char *t)
250
{
251
	substring_t args[MAX_OPT_ARGS];
252

253
	return match_token(t, operation_tokens, args);
254
}
255

256
static const match_table_t action_tokens = {
257
	{IPE_ACTION_ALLOW,	"action=ALLOW"},
258
	{IPE_ACTION_DENY,	"action=DENY"},
259
	{IPE_ACTION_INVALID,	NULL}
260
};
261

262
/**
263
 * parse_action() - Parse the action type given a token string.
264
 * @t: Supplies the token string to be parsed.
265
 *
266
 * Return: The parsed action type.
267
 */
268
static enum ipe_action_type parse_action(char *t)
269
{
270
	substring_t args[MAX_OPT_ARGS];
271

272
	return match_token(t, action_tokens, args);
273
}
274

275
static const match_table_t property_tokens = {
276
	{IPE_PROP_BOOT_VERIFIED_FALSE,	"boot_verified=FALSE"},
277
	{IPE_PROP_BOOT_VERIFIED_TRUE,	"boot_verified=TRUE"},
278
	{IPE_PROP_DMV_ROOTHASH,		"dmverity_roothash=%s"},
279
	{IPE_PROP_DMV_SIG_FALSE,	"dmverity_signature=FALSE"},
280
	{IPE_PROP_DMV_SIG_TRUE,		"dmverity_signature=TRUE"},
281
	{IPE_PROP_FSV_DIGEST,		"fsverity_digest=%s"},
282
	{IPE_PROP_FSV_SIG_FALSE,	"fsverity_signature=FALSE"},
283
	{IPE_PROP_FSV_SIG_TRUE,		"fsverity_signature=TRUE"},
284
	{IPE_PROP_INVALID,		NULL}
285
};
286

287
/**
288
 * parse_property() - Parse a rule property given a token string.
289
 * @t: Supplies the token string to be parsed.
290
 * @r: Supplies the ipe_rule the parsed property will be associated with.
291
 *
292
 * This function parses and associates a property with an IPE rule based
293
 * on a token string.
294
 *
295
 * Return:
296
 * * %0		- Success
297
 * * %-ENOMEM	- Out of memory (OOM)
298
 * * %-EBADMSG	- The supplied token cannot be parsed
299
 */
300
static int parse_property(char *t, struct ipe_rule *r)
301
{
302
	substring_t args[MAX_OPT_ARGS];
303
	struct ipe_prop *p = NULL;
304
	int rc = 0;
305
	int token;
306
	char *dup = NULL;
307

308
	p = kzalloc(sizeof(*p), GFP_KERNEL);
309
	if (!p)
310
		return -ENOMEM;
311

312
	token = match_token(t, property_tokens, args);
313

314
	switch (token) {
315
	case IPE_PROP_DMV_ROOTHASH:
316
	case IPE_PROP_FSV_DIGEST:
317
		dup = match_strdup(&args[0]);
318
		if (!dup) {
319
			rc = -ENOMEM;
320
			goto err;
321
		}
322
		p->value = ipe_digest_parse(dup);
323
		if (IS_ERR(p->value)) {
324
			rc = PTR_ERR(p->value);
325
			goto err;
326
		}
327
		fallthrough;
328
	case IPE_PROP_BOOT_VERIFIED_FALSE:
329
	case IPE_PROP_BOOT_VERIFIED_TRUE:
330
	case IPE_PROP_DMV_SIG_FALSE:
331
	case IPE_PROP_DMV_SIG_TRUE:
332
	case IPE_PROP_FSV_SIG_FALSE:
333
	case IPE_PROP_FSV_SIG_TRUE:
334
		p->type = token;
335
		break;
336
	default:
337
		rc = -EBADMSG;
338
		break;
339
	}
340
	if (rc)
341
		goto err;
342
	list_add_tail(&p->next, &r->props);
343

344
out:
345
	kfree(dup);
346
	return rc;
347
err:
348
	kfree(p);
349
	goto out;
350
}
351

352
/**
353
 * parse_rule() - parse a policy rule line.
354
 * @line: Supplies rule line to be parsed.
355
 * @p: Supplies the partial parsed policy.
356
 *
357
 * Return:
358
 * * 0		- Success
359
 * * %-ENOMEM	- Out of memory (OOM)
360
 * * %-EBADMSG	- Policy syntax error
361
 */
362
static int parse_rule(char *line, struct ipe_parsed_policy *p)
363
{
364
	enum ipe_action_type action = IPE_ACTION_INVALID;
365
	enum ipe_op_type op = IPE_OP_INVALID;
366
	bool is_default_rule = false;
367
	struct ipe_rule *r = NULL;
368
	bool first_token = true;
369
	bool op_parsed = false;
370
	int rc = 0;
371
	char *t;
372

373
	if (IS_ERR_OR_NULL(line))
374
		return -EBADMSG;
375

376
	r = kzalloc(sizeof(*r), GFP_KERNEL);
377
	if (!r)
378
		return -ENOMEM;
379

380
	INIT_LIST_HEAD(&r->next);
381
	INIT_LIST_HEAD(&r->props);
382

383
	while (t = strsep(&line, IPE_POLICY_DELIM), line) {
384
		if (*t == '\0')
385
			continue;
386
		if (first_token && token_default(t)) {
387
			is_default_rule = true;
388
		} else {
389
			if (!op_parsed) {
390
				op = parse_operation(t);
391
				if (op == IPE_OP_INVALID)
392
					rc = -EBADMSG;
393
				else
394
					op_parsed = true;
395
			} else {
396
				rc = parse_property(t, r);
397
			}
398
		}
399

400
		if (rc)
401
			goto err;
402
		first_token = false;
403
	}
404

405
	action = parse_action(t);
406
	if (action == IPE_ACTION_INVALID) {
407
		rc = -EBADMSG;
408
		goto err;
409
	}
410

411
	if (is_default_rule) {
412
		if (!list_empty(&r->props)) {
413
			rc = -EBADMSG;
414
		} else if (op == IPE_OP_INVALID) {
415
			if (p->global_default_action != IPE_ACTION_INVALID)
416
				rc = -EBADMSG;
417
			else
418
				p->global_default_action = action;
419
		} else {
420
			if (p->rules[op].default_action != IPE_ACTION_INVALID)
421
				rc = -EBADMSG;
422
			else
423
				p->rules[op].default_action = action;
424
		}
425
	} else if (op != IPE_OP_INVALID && action != IPE_ACTION_INVALID) {
426
		r->op = op;
427
		r->action = action;
428
	} else {
429
		rc = -EBADMSG;
430
	}
431

432
	if (rc)
433
		goto err;
434
	if (!is_default_rule)
435
		list_add_tail(&r->next, &p->rules[op].rules);
436
	else
437
		free_rule(r);
438

439
	return rc;
440
err:
441
	free_rule(r);
442
	return rc;
443
}
444

445
/**
446
 * ipe_free_parsed_policy() - free a parsed policy structure.
447
 * @p: Supplies the parsed policy.
448
 */
449
void ipe_free_parsed_policy(struct ipe_parsed_policy *p)
450
{
451
	struct ipe_rule *pp, *t;
452
	size_t i = 0;
453

454
	if (IS_ERR_OR_NULL(p))
455
		return;
456

457
	for (i = 0; i < ARRAY_SIZE(p->rules); ++i)
458
		list_for_each_entry_safe(pp, t, &p->rules[i].rules, next) {
459
			list_del(&pp->next);
460
			free_rule(pp);
461
		}
462

463
	kfree(p->name);
464
	kfree(p);
465
}
466

467
/**
468
 * validate_policy() - validate a parsed policy.
469
 * @p: Supplies the fully parsed policy.
470
 *
471
 * Given a policy structure that was just parsed, validate that all
472
 * operations have their default rules or a global default rule is set.
473
 *
474
 * Return:
475
 * * %0		- Success
476
 * * %-EBADMSG	- Policy is invalid
477
 */
478
static int validate_policy(const struct ipe_parsed_policy *p)
479
{
480
	size_t i = 0;
481

482
	if (p->global_default_action != IPE_ACTION_INVALID)
483
		return 0;
484

485
	for (i = 0; i < ARRAY_SIZE(p->rules); ++i) {
486
		if (p->rules[i].default_action == IPE_ACTION_INVALID)
487
			return -EBADMSG;
488
	}
489

490
	return 0;
491
}
492

493
/**
494
 * ipe_parse_policy() - Given a string, parse the string into an IPE policy.
495
 * @p: partially filled ipe_policy structure to populate with the result.
496
 *     it must have text and textlen set.
497
 *
498
 * Return:
499
 * * %0		- Success
500
 * * %-EBADMSG	- Policy is invalid
501
 * * %-ENOMEM	- Out of Memory
502
 * * %-ERANGE	- Policy version number overflow
503
 * * %-EINVAL	- Policy version parsing error
504
 */
505
int ipe_parse_policy(struct ipe_policy *p)
506
{
507
	struct ipe_parsed_policy *pp = NULL;
508
	char *policy = NULL, *dup = NULL;
509
	bool header_parsed = false;
510
	char *line = NULL;
511
	size_t len;
512
	int rc = 0;
513

514
	if (!p->textlen)
515
		return -EBADMSG;
516

517
	policy = kmemdup_nul(p->text, p->textlen, GFP_KERNEL);
518
	if (!policy)
519
		return -ENOMEM;
520
	dup = policy;
521

522
	pp = new_parsed_policy();
523
	if (IS_ERR(pp)) {
524
		rc = PTR_ERR(pp);
525
		goto out;
526
	}
527

528
	while ((line = strsep(&policy, IPE_LINE_DELIM)) != NULL) {
529
		remove_comment(line);
530
		len = remove_trailing_spaces(line);
531
		if (!len)
532
			continue;
533

534
		if (!header_parsed) {
535
			rc = parse_header(line, pp);
536
			if (rc)
537
				goto err;
538
			header_parsed = true;
539
		} else {
540
			rc = parse_rule(line, pp);
541
			if (rc)
542
				goto err;
543
		}
544
	}
545

546
	if (!header_parsed || validate_policy(pp)) {
547
		rc = -EBADMSG;
548
		goto err;
549
	}
550

551
	p->parsed = pp;
552

553
out:
554
	kfree(dup);
555
	return rc;
556
err:
557
	ipe_free_parsed_policy(pp);
558
	goto out;
559
}
560

561