From: Kevin Brodsky <kevin.brodsky@arm.com>
To: linux-hardening@vger.kernel.org
Cc: linux-kernel@vger.kernel.org,
Kevin Brodsky <kevin.brodsky@arm.com>,
Andrew Morton <akpm@linux-foundation.org>,
Andy Lutomirski <luto@kernel.org>,
Catalin Marinas <catalin.marinas@arm.com>,
Dave Hansen <dave.hansen@linux.intel.com>,
David Howells <dhowells@redhat.com>,
"Eric W. Biederman" <ebiederm@xmission.com>,
Jann Horn <jannh@google.com>, Jeff Xu <jeffxu@chromium.org>,
Joey Gouly <joey.gouly@arm.com>, Kees Cook <kees@kernel.org>,
Linus Walleij <linus.walleij@linaro.org>,
Lorenzo Stoakes <lorenzo.stoakes@oracle.com>,
Marc Zyngier <maz@kernel.org>, Mark Brown <broonie@kernel.org>,
Matthew Wilcox <willy@infradead.org>,
Maxwell Bland <mbland@motorola.com>,
"Mike Rapoport (IBM)" <rppt@kernel.org>,
Peter Zijlstra <peterz@infradead.org>,
Pierre Langlois <pierre.langlois@arm.com>,
Quentin Perret <qperret@google.com>,
Ryan Roberts <ryan.roberts@arm.com>,
Thomas Gleixner <tglx@linutronix.de>,
Vlastimil Babka <vbabka@suse.cz>, Will Deacon <will@kernel.org>,
linux-arm-kernel@lists.infradead.org, linux-mm@kvack.org,
x86@kernel.org
Subject: [RFC PATCH v2 8/8] mm: Add basic tests for kpkeys_hardened_cred
Date: Fri, 15 Aug 2025 10:00:00 +0100 [thread overview]
Message-ID: <20250815090000.2182450-9-kevin.brodsky@arm.com> (raw)
In-Reply-To: <20250815090000.2182450-1-kevin.brodsky@arm.com>
Add basic tests for the kpkeys_hardened_pgtables feature: try to
perform a direct write to current->{cred,real_cred} and ensure it
fails. Also check that prepare_creds, protect_creds,
prepare_protected_creds behave as expected.
Signed-off-by: Kevin Brodsky <kevin.brodsky@arm.com>
---
mm/Makefile | 1 +
mm/tests/kpkeys_hardened_cred_kunit.c | 79 +++++++++++++++++++++++++++
security/Kconfig.hardening | 11 ++++
3 files changed, 91 insertions(+)
create mode 100644 mm/tests/kpkeys_hardened_cred_kunit.c
diff --git a/mm/Makefile b/mm/Makefile
index b1e6cf7f753c..c79af57c0aa5 100644
--- a/mm/Makefile
+++ b/mm/Makefile
@@ -149,3 +149,4 @@ obj-$(CONFIG_TMPFS_QUOTA) += shmem_quota.o
obj-$(CONFIG_PT_RECLAIM) += pt_reclaim.o
obj-$(CONFIG_KPKEYS_HARDENED_PGTABLES) += kpkeys_hardened_pgtables.o
obj-$(CONFIG_KPKEYS_HARDENED_PGTABLES_KUNIT_TEST) += tests/kpkeys_hardened_pgtables_kunit.o
+obj-$(CONFIG_KPKEYS_HARDENED_CRED_KUNIT_TEST) += tests/kpkeys_hardened_cred_kunit.o
diff --git a/mm/tests/kpkeys_hardened_cred_kunit.c b/mm/tests/kpkeys_hardened_cred_kunit.c
new file mode 100644
index 000000000000..ed07469b504c
--- /dev/null
+++ b/mm/tests/kpkeys_hardened_cred_kunit.c
@@ -0,0 +1,79 @@
+// SPDX-License-Identifier: GPL-2.0-only
+#include <kunit/test.h>
+#include <linux/cred.h>
+#include <linux/sched.h>
+
+static int increment_cred_uid_nofault(struct cred *cred)
+{
+ uid_t val = __kuid_val(cred->uid) + 1;
+
+ return copy_to_kernel_nofault(&cred->uid, &val, sizeof(cred->uid));
+}
+
+static void write_current_creds(struct kunit *test)
+{
+ int ret;
+
+ if (!arch_kpkeys_enabled())
+ kunit_skip(test, "kpkeys are not supported");
+
+ ret = increment_cred_uid_nofault((struct cred *)current->cred);
+ KUNIT_EXPECT_EQ_MSG(test, ret, -EFAULT,
+ "Write to current->cred wasn't prevented");
+
+ ret = increment_cred_uid_nofault((struct cred *)current->real_cred);
+ KUNIT_EXPECT_EQ_MSG(test, ret, -EFAULT,
+ "Write to current->real_cred wasn't prevented");
+}
+
+static void write_new_creds(struct kunit *test)
+{
+ struct cred *cred, *protected_cred;
+ int ret;
+
+ if (!arch_kpkeys_enabled())
+ kunit_skip(test, "kpkeys are not supported");
+
+ /* prepare_creds() + protect_creds() */
+ cred = prepare_creds();
+ KUNIT_ASSERT_NOT_NULL(test, cred);
+
+ ret = increment_cred_uid_nofault(cred);
+ KUNIT_EXPECT_EQ_MSG(test, ret, 0,
+ "Failed to write to unprotected creds");
+
+ protected_cred = protect_creds(cred);
+ KUNIT_EXPECT_PTR_NE_MSG(test, cred, protected_cred,
+ "protect_creds() failed to move creds to protected memory");
+
+ ret = increment_cred_uid_nofault(protected_cred);
+ KUNIT_EXPECT_EQ_MSG(test, ret, -EFAULT,
+ "Write to protected_cred wasn't prevented");
+
+ put_cred(protected_cred);
+
+ /* prepare_protected_creds() */
+ protected_cred = prepare_protected_creds();
+
+ ret = increment_cred_uid_nofault(protected_cred);
+ KUNIT_EXPECT_EQ_MSG(test, ret, -EFAULT,
+ "Write to protected_cred wasn't prevented");
+
+ put_cred(protected_cred);
+
+}
+
+static struct kunit_case kpkeys_hardened_cred_test_cases[] = {
+ KUNIT_CASE(write_current_creds),
+ KUNIT_CASE(write_new_creds),
+ {}
+};
+
+static struct kunit_suite kpkeys_hardened_cred_test_suite = {
+ .name = "Hardened credentials using kpkeys",
+ .test_cases = kpkeys_hardened_cred_test_cases,
+};
+kunit_test_suite(kpkeys_hardened_cred_test_suite);
+
+MODULE_DESCRIPTION("Tests for the kpkeys_hardened_cred feature");
+MODULE_LICENSE("GPL");
diff --git a/security/Kconfig.hardening b/security/Kconfig.hardening
index cb494448c7ae..7ceb1e6846f2 100644
--- a/security/Kconfig.hardening
+++ b/security/Kconfig.hardening
@@ -302,6 +302,17 @@ config KPKEYS_HARDENED_CRED
This option has no effect if the system does not support
kernel pkeys.
+config KPKEYS_HARDENED_CRED_KUNIT_TEST
+ tristate "KUnit tests for kpkeys_hardened_cred" if !KUNIT_ALL_TESTS
+ depends on KPKEYS_HARDENED_CRED
+ depends on KUNIT
+ default KUNIT_ALL_TESTS
+ help
+ Enable this option to check that the kpkeys_hardened_cred feature
+ functions as intended, i.e. prevents arbitrary writes to live credentials.
+
+ If unsure, say N.
+
endmenu
config CC_HAS_RANDSTRUCT
--
2.47.0
prev parent reply other threads:[~2025-08-15 9:00 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-08-15 8:59 [RFC v2 PATCH 0/8] pkeys-based cred hardening Kevin Brodsky
2025-08-15 8:59 ` [RFC PATCH v2 1/8] arm64: kpkeys: Avoid unnecessary writes to POR_EL1 Kevin Brodsky
2025-08-15 8:59 ` [RFC PATCH v2 2/8] mm: kpkeys: Introduce unrestricted level Kevin Brodsky
2025-08-15 8:59 ` [RFC PATCH v2 3/8] slab: Introduce SLAB_SET_PKEY Kevin Brodsky
2025-11-27 16:36 ` Yeoreum Yun
2025-08-15 8:59 ` [RFC PATCH v2 4/8] rcu: Allow processing kpkeys-protected data Kevin Brodsky
2025-08-15 8:59 ` [RFC PATCH v2 5/8] mm: kpkeys: Introduce cred pkey/level Kevin Brodsky
2025-08-15 8:59 ` [RFC PATCH v2 6/8] cred: Protect live struct cred with kpkeys Kevin Brodsky
2025-08-15 8:59 ` [RFC PATCH v2 7/8] fs: Protect creds installed by override_creds() Kevin Brodsky
2025-08-15 9:00 ` Kevin Brodsky [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250815090000.2182450-9-kevin.brodsky@arm.com \
--to=kevin.brodsky@arm.com \
--cc=akpm@linux-foundation.org \
--cc=broonie@kernel.org \
--cc=catalin.marinas@arm.com \
--cc=dave.hansen@linux.intel.com \
--cc=dhowells@redhat.com \
--cc=ebiederm@xmission.com \
--cc=jannh@google.com \
--cc=jeffxu@chromium.org \
--cc=joey.gouly@arm.com \
--cc=kees@kernel.org \
--cc=linus.walleij@linaro.org \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=lorenzo.stoakes@oracle.com \
--cc=luto@kernel.org \
--cc=maz@kernel.org \
--cc=mbland@motorola.com \
--cc=peterz@infradead.org \
--cc=pierre.langlois@arm.com \
--cc=qperret@google.com \
--cc=rppt@kernel.org \
--cc=ryan.roberts@arm.com \
--cc=tglx@linutronix.de \
--cc=vbabka@suse.cz \
--cc=will@kernel.org \
--cc=willy@infradead.org \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox