Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Load dependencies by name #1594

Open
wants to merge 28 commits into
base: master
Choose a base branch
from
Open

Load dependencies by name #1594

wants to merge 28 commits into from
+404 −83

Conversation

aleksei-fedotov
Copy link
Contributor

@aleksei-fedotov aleksei-fedotov commented Jan 7, 2025
edited
Loading

Description

This PR allows loading dependencies by module name only as it is proposed in this RFC. In particular, it:

  • Verifies signatures of all loaded modules.
  • Changes loading of Thread Composability Manager using its module name instead of full path.

The signature verification is enabled by default. To disable it explicitly, user needs specifying -DTBB_VERIFY_DEPENDENCY_SIGNATURE=OFF in the invocation command of CMake. In this case the warning message appears:

CMake Warning at CMakeLists.txt:231 (message):
  Verification of a dependency signature during dynamic run-time linking is
  explicitly disabled.This may lead to security vulnerabilities.  It is
  recommended to leave it enabled by default or set
  TBB_VERIFY_DEPENDENCY_SIGNATURE ON to enable it explicitly.

The patch also adds optional reporting of dynamic link issues. Examples of the output:

oneTBB dynamic link warning: The module "<path-to-dll>" is unsigned or has invalid signature.
oneTBB dynamic link warning: The module "<path-to-dll>" was not found. System error: 126

The issues reporting is disabled by default and can be enabled by setting TBB_DYNAMIC_LINK_WARNING macro during the build.

@aleksei-fedotov aleksei-fedotov marked this pull request as ready for review January 8, 2025 16:11
@aleksei-fedotov aleksei-fedotov requested review from pavelkumbrasev and removed request for pavelkumbrasev January 8, 2025 16:11
egfefey
egfefey reviewed Jan 9, 2025
View reviewed changes
CMakeLists.txt Outdated Show resolved Hide resolved
egfefey
egfefey reviewed Jan 9, 2025
View reviewed changes
src/tbb/dynamic_link.cpp Outdated Show resolved Hide resolved
egfefey
egfefey reviewed Jan 9, 2025
View reviewed changes
src/tbb/dynamic_link.cpp Outdated Show resolved Hide resolved
egfefey
egfefey reviewed Jan 13, 2025
View reviewed changes
src/tbb/dynamic_link.cpp
DYNAMIC_LINK_WARNING( dl_sig_other_error, filepath, retval);
break;
}
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Similar here: Is the case for an expired certificate covered somewhere?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It is covered by untrusted root case as the whole chain of certificates is checked.

@aleksei-fedotov aleksei-fedotov force-pushed the load-dependencies-by-name branch from 3872b7b to 4605226 Compare January 14, 2025 13:13
kboyarinov
kboyarinov reviewed Jan 14, 2025
View reviewed changes
src/tbb/CMakeLists.txt Outdated Show resolved Hide resolved
egfefey
egfefey reviewed Jan 17, 2025
View reviewed changes
src/tbb/dynamic_link.cpp Outdated
pWVTData.dwProvFlags = WTD_CACHE_ONLY_URL_RETRIEVAL | WTD_REVOCATION_CHECK_CHAIN;
pWVTData.dwUIContext = WTD_UICONTEXT_EXECUTE; // UI Context to run the file

const auto rc = WinVerifyTrust((HWND)INVALID_HANDLE_VALUE, &pgActionID, &pWVTData);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Better to use LONG instead of auto to prevent ambiguity and unintended typecasting when doing comparisons later with the return code from WinVerifyTrust

egfefey
egfefey reviewed Jan 17, 2025
View reviewed changes
Copy link
Contributor

@egfefey egfefey left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

From the security standpoint, this is good for now.
A few notes:

  • This is still up for discussion but anything beside ERROR_SUCCESS from WinVerifyTrust should result in an error instead of a warning sometimes. The user always has to option to turn off signature verification if they want, so once it's on, it's either success or failure.
  • Might also need review from the TBB team.
  • If there are some testing results that we can share, that will be great.

egfefey
egfefey reviewed Jan 29, 2025
View reviewed changes
Copy link
Contributor

@egfefey egfefey left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Update to use SearchPathA is good from the security point of view.

@aleksei-fedotov
Add TBB_VERIFY_DEPENDENCY_SIGNATURE option
8f1eb34
@aleksei-fedotov
Avoid manual setting of a size for TCM link table
f99525c
@aleksei-fedotov
Don't load library from working dir on WIN32
b11857e
@aleksei-fedotov
Allow dependency loading without building abs path
a649f02
@aleksei-fedotov
Load TCM using only its module name
25bb280
@aleksei-fedotov
Verify module signature during dynamic linking
39c0b6f 
Signed-off-by: Fedotov, Aleksei <[email protected]>
@aleksei-fedotov
Do not determine full filepath when it is built
f7db5d5 
Signed-off-by: Fedotov, Aleksei <[email protected]>
@aleksei-fedotov
Use mbsrtowcs for character conversion
9f23763 
Signed-off-by: Fedotov, Aleksei <[email protected]>
@aleksei-fedotov
Remove unnecessary variable
6f16361 
Signed-off-by: Fedotov, Aleksei <[email protected]>
@aleksei-fedotov
Add TBB's own DYNAMIC_LINK_WARNING implementation
22c7558 
Signed-off-by: Fedotov, Aleksei <[email protected]>
@aleksei-fedotov
Actualize commentaries
e090698 
Signed-off-by: Fedotov, Aleksei <[email protected]>
@aleksei-fedotov
Remove debug code
4323787
@aleksei-fedotov
Unify loading flags for Windows
31f2041
@aleksei-fedotov
Fix build on Linux
076557d
@aleksei-fedotov aleksei-fedotov force-pushed the load-dependencies-by-name branch from dd5a544 to 5e6c672 Compare January 29, 2025 11:05
@aleksei-fedotov
Copy link
Contributor Author

Update to use SearchPathA is good from the security point of view.

Thanks, @egfefey! Then I proceed with productization of this patch.

isaevil
isaevil reviewed Feb 11, 2025
View reviewed changes
CMakeLists.txt
@@ -122,6 +122,7 @@ cmake_dependent_option(TBBMALLOC_PROXY_BUILD "Enable tbbmalloc_proxy build" ON "
option(TBB_CPF "Enable preview features of the library" OFF)
option(TBB_FIND_PACKAGE "Enable search for external oneTBB using find_package instead of build from sources" OFF)
option(TBB_DISABLE_HWLOC_AUTOMATIC_SEARCH "Disable HWLOC automatic search by pkg-config tool" ${CMAKE_CROSSCOMPILING})
option(TBB_VERIFY_DEPENDENCY_SIGNATURE "Verify signature of a dependency during its dynamic run-time linking" ON)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please document this option in cmake/README.md as well.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good point!

Also, I wanted reverting the meaning by re-naming it as, for example, TBB_SKIP_DEPENDENCY_SIGNATURE_VALIDATION to extend the compilation command only if user disables validation, and miss it for the normal builds.
Additionally, but less important is to make the option longer so that users are less leaner towards using it. 🙂

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I personally prefer the current name :)

CMakeLists.txt
Comment on lines +240 to +241
"This may lead to security vulnerabilities. It is recommended to leave it enabled by default"
" or set TBB_VERIFY_DEPENDENCY_SIGNATURE ON to enable it explicitly.")
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What about making it shorter a little bit?

Suggested change
"This may lead to security vulnerabilities. It is recommended to leave it enabled by default"
" or set TBB_VERIFY_DEPENDENCY_SIGNATURE ON to enable it explicitly.")
"This may lead to security vulnerabilities. It is recommended to set "
"TBB_VERIFY_DEPENDENCY_SIGNATURE to ON (default value)")

src/tbb/CMakeLists.txt
Comment on lines +74 to +76
if (TBB_VERIFY_DEPENDENCY_SIGNATURE)
target_compile_definitions(tbb PRIVATE __TBB_VERIFY_DEPENDENCY_SIGNATURE)
endif()
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

See target_compile_definitions call at line 58. You should be able to use the same pattern as for BUILD_SHARED_LIBS.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kboyarinov kboyarinov kboyarinov left review comments

@isaevil isaevil isaevil left review comments

@egfefey egfefey egfefey left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
enhancement
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@aleksei-fedotov @kboyarinov @isaevil @egfefey