Changeset 94720 in vbox

Timestamp:

Apr 27, 2022 12:58:00 PM (3 years ago)

Author:

vboxsync

Message:

Main: Implement loading and unloading of the cryptographic support module from the extension pack, bugref:9955

Location:

trunk/src/VBox/Main

Files:

• include/VirtualBoxImpl.h (modified) (2 diffs)
• src-all/ExtPackManagerImpl.cpp (modified) (4 diffs)
• src-server/VirtualBoxImpl.cpp (modified) (5 diffs)

trunk/src/VBox/Main/include/VirtualBoxImpl.h

@@ -21 +21 @@
 # pragma once
 #endif
+
+#include <VBox/VBoxCryptoIf.h>
 
 #include "VirtualBoxBase.h"
@@ -292 +294 @@
     void i_storeSettingsKey(const Utf8Str &aKey);
     bool i_isMediaUuidInUse(const Guid &aId, DeviceType_T deviceType);
+    HRESULT i_retainCryptoIf(PCVBOXCRYPTOIF *ppCryptoIf);
+    HRESULT i_releaseCryptoIf(PCVBOXCRYPTOIF pCryptoIf);
+    HRESULT i_unloadCryptoIfModule(void);
 
 

trunk/src/VBox/Main/src-all/ExtPackManagerImpl.cpp

@@ -3099 +3099 @@
                 bool fRunningVMs = i_areThereAnyRunningVMs();
                 bool fVetoingCP = pExtPack->i_areThereCloudProviderUninstallVetos();
+                bool fUnloadedCryptoMod = m->pVirtualBox->i_unloadCryptoIfModule() == S_OK;
                 autoLock.acquire();
                 hrc = i_refreshExtPack(pStrName->c_str(), false /*a_fUnusableIsError*/, &pExtPack);
@@ -3111 +3112 @@
                     LogRel(("Upgrading extension pack '%s' failed because at least one Cloud Provider is still busy.", pStrName->c_str()));
                     hrc = setError(E_FAIL, tr("Upgrading extension pack '%s' failed because at least one Cloud Provider is still busy"),
+                                   pStrName->c_str());
+                }
+                else if (!fUnloadedCryptoMod)
+                {
+                    LogRel(("Upgrading extension pack '%s' failed because the cryptographic support module is still in use.", pStrName->c_str()));
+                    hrc = setError(E_FAIL, tr("Upgrading extension pack '%s' failed because the cryptographic support module is still in use"),
                                    pStrName->c_str());
                 }
@@ -3227 +3234 @@
             bool fRunningVMs = i_areThereAnyRunningVMs();
             bool fVetoingCP = pExtPack->i_areThereCloudProviderUninstallVetos();
+            bool fUnloadedCryptoMod = m->pVirtualBox->i_unloadCryptoIfModule() == S_OK;
             autoLock.acquire();
-            if (a_fForcedRemoval || (!fRunningVMs && !fVetoingCP))
+            if (a_fForcedRemoval || (!fRunningVMs && !fVetoingCP && fUnloadedCryptoMod))
             {
                 hrc = i_refreshExtPack(a_pstrName->c_str(), false /*a_fUnusableIsError*/, &pExtPack);
@@ -3296 +3304 @@
                                    a_pstrName->c_str());
                 }
+                else if (!fUnloadedCryptoMod)
+                {
+                    LogRel(("Uninstall extension pack '%s' failed because the cryptographic support module is still in use.", a_pstrName->c_str()));
+                    hrc = setError(E_FAIL, tr("Uninstall extension pack '%s' failed because the cryptographic support module is still in use"),
+                                   a_pstrName->c_str());
+                }
                 else
                 {

trunk/src/VBox/Main/src-server/VirtualBoxImpl.cpp

@@ -44 +44 @@
 #include <VBox/param.h>
 #include <VBox/settings.h>
+#include <VBox/sup.h>
 #include <VBox/version.h>
 
@@ -317 +318 @@
         , fWatcherIsReliable(RTSystemGetNtVersion() >= RTSYSTEM_MAKE_NT_VERSION(6, 0, 0))
 #endif
+        , hLdrModCrypto(NIL_RTLDRMOD)
+        , cRefsCrypto(0)
+        , pCryptoIf(NULL)
     {
 #if defined(RT_OS_WINDOWS) && defined(VBOXSVC_WITH_CLIENT_WATCHER)
@@ -441 +445 @@
     bool                                fWatcherIsReliable;
 #endif
+
+    /** @name Members related to the cryptographic support interface.
+     * @{ */
+    /** The loaded module handle if loaded. */
+    RTLDRMOD                            hLdrModCrypto;
+    /** Reference counter tracking how many users of the cryptographic support
+     * are there currently. */
+    volatile uint32_t                   cRefsCrypto;
+    /** Pointer to the cryptographic support interface. */
+    PCVBOXCRYPTOIF                      pCryptoIf;
+    /** @} */
 };
 
@@ -1067 +1082 @@
 #endif /* VBOX_WITH_RESOURCE_USAGE_API */
 
+    /*
+     * Unload the cryptographic module if loaded before the extension
+     * pack manager is torn down.
+     */
+    Assert(!m->cRefsCrypto);
+    if (m->hLdrModCrypto != NIL_RTLDRMOD)
+    {
+        m->pCryptoIf = NULL;
+
+        int vrc = RTLdrClose(m->hLdrModCrypto);
+        AssertRC(vrc);
+        m->hLdrModCrypto = NIL_RTLDRMOD;
+    }
+
 #ifdef VBOX_WITH_EXTPACK
     if (m->ptrExtPackManager)
@@ -6050 +6079 @@
 
 
+/**
+ * Retains a reference to the default cryptographic interface.
+ *
+ * @returns COM status code.
+ * @param   ppCryptoIf          Where to store the pointer to the cryptographic interface on success.
+ *
+ * @note Locks this object for writing.
+ */
+HRESULT VirtualBox::i_retainCryptoIf(PCVBOXCRYPTOIF *ppCryptoIf)
+{
+    AssertReturn(ppCryptoIf != NULL, E_INVALIDARG);
+
+    AutoCaller autoCaller(this);
+    AssertComRCReturnRC(autoCaller.rc());
+
+    AutoWriteLock wlock(this COMMA_LOCKVAL_SRC_POS);
+
+    /* Try to load the extension pack module if it isn't currently. */
+    HRESULT hrc = S_OK;
+    if (m->hLdrModCrypto == NIL_RTLDRMOD)
+    {
+        /*
+         * Check that a crypto extension pack name is set and resolve it into a
+         * library path.
+         */
+        Utf8Str strExtPack;
+        hrc = m->pSystemProperties->getDefaultCryptoExtPack(strExtPack);
+        if (FAILED(hrc))
+            return hrc;
+        if (strExtPack.isEmpty())
+            return setError(VBOX_E_OBJECT_NOT_FOUND,
+                            tr("Ńo extension pack providing a crpytographic support module could be found"));
+
+        Utf8Str strCryptoLibrary;
+        int vrc = m->ptrExtPackManager->i_getCryptoLibraryPathForExtPack(&strExtPack, &strCryptoLibrary);
+        if (RT_SUCCESS(vrc))
+        {
+            RTERRINFOSTATIC ErrInfo;
+            vrc = SUPR3HardenedLdrLoadPlugIn(strCryptoLibrary.c_str(), &m->hLdrModCrypto, RTErrInfoInitStatic(&ErrInfo));
+            if (RT_SUCCESS(vrc))
+            {
+                /* Resolve the entry point and query the pointer to the cryptographic interface. */
+                PFNVBOXCRYPTOENTRY pfnCryptoEntry = NULL;
+                vrc = RTLdrGetSymbol(m->hLdrModCrypto, VBOX_CRYPTO_MOD_ENTRY_POINT, (void **)&pfnCryptoEntry);
+                if (RT_SUCCESS(vrc))
+                {
+                    vrc = pfnCryptoEntry(&m->pCryptoIf);
+                    if (RT_FAILURE(vrc))
+                        hrc = setErrorBoth(VBOX_E_IPRT_ERROR, vrc,
+                                           tr("Failed to query the interface callback table from the cryptographic support module '%s' from extension pack '%s'"),
+                                           strCryptoLibrary.c_str(), strExtPack.c_str());
+                }
+                else
+                    hrc = setErrorBoth(VBOX_E_IPRT_ERROR, vrc,
+                                       tr("Failed to resolve the entry point for the cryptographic support module '%s' from extension pack '%s'"),
+                                       strCryptoLibrary.c_str(), strExtPack.c_str());
+            }
+            else
+                hrc = setErrorBoth(VBOX_E_IPRT_ERROR, vrc,
+                                   tr("Couldn't load the cryptographic support module '%s' from extension pack '%s' (error: '%s')"),
+                                   strCryptoLibrary.c_str(), strExtPack.c_str(), ErrInfo.Core.pszMsg);
+        }
+        else
+            hrc = setErrorBoth(VBOX_E_IPRT_ERROR, vrc,
+                               tr("Couldn't resolve the library path of the crpytographic support module for extension pack '%s'"),
+                               strExtPack.c_str());
+    }
+
+    if (SUCCEEDED(hrc))
+    {
+        ASMAtomicIncU32(&m->cRefsCrypto);
+        *ppCryptoIf = m->pCryptoIf;
+    }
+
+    return hrc;
+}
+
+
+/**
+ * Releases the reference of the given cryptographic interface.
+ *
+ * @returns COM status code.
+ * @param   pCryptoIf           Pointer to the cryptographic interface to release.
+ *
+ * @note Locks this object for writing.
+ */
+HRESULT VirtualBox::i_releaseCryptoIf(PCVBOXCRYPTOIF pCryptoIf)
+{
+    AutoCaller autoCaller(this);
+    AssertComRCReturnRC(autoCaller.rc());
+
+    AutoWriteLock wlock(this COMMA_LOCKVAL_SRC_POS);
+
+    AssertReturn(pCryptoIf == m->pCryptoIf, E_INVALIDARG);
+
+    ASMAtomicDecU32(&m->cRefsCrypto);
+    return S_OK;
+}
+
+
+/**
+ * Tries to unload any loaded cryptographic support module if it is not in use currently.
+ *
+ * @returns COM status code.
+ *
+ * @note Locks this object for writing.
+ */
+HRESULT VirtualBox::i_unloadCryptoIfModule(void)
+{
+    AutoCaller autoCaller(this);
+    AssertComRCReturnRC(autoCaller.rc());
+
+    AutoWriteLock wlock(this COMMA_LOCKVAL_SRC_POS);
+
+    if (m->cRefsCrypto)
+        return setError(E_ACCESSDENIED,
+                        tr("The cryptographic support module is in use and can't be unloaded"));
+
+    if (m->hLdrModCrypto != NIL_RTLDRMOD)
+    {
+        int vrc = RTLdrClose(m->hLdrModCrypto);
+        AssertRC(vrc);
+        m->hLdrModCrypto = NIL_RTLDRMOD;
+    }
+
+    return S_OK;
+}
+
+
 #ifdef RT_OS_WINDOWS
 #include <psapi.h>