From: Kees Cook <keescook@chromium.org>
To: Mimi Zohar <zohar@linux.vnet.ibm.com>,
"Luis R. Rodriguez" <mcgrof@kernel.org>
Cc: Vlastimil Babka <vbabka@suse.cz>,
Matthew Garrett <mjg59@srcf.ucam.org>,
linux-integrity <linux-integrity@vger.kernel.org>,
linux-security-module <linux-security-module@vger.kernel.org>,
LKML <linux-kernel@vger.kernel.org>,
David Howells <dhowells@redhat.com>,
Eric Biederman <ebiederm@xmission.com>,
Kexec Mailing List <kexec@lists.infradead.org>,
Andres Rodriguez <andresx7@gmail.com>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Ard Biesheuvel <ard.biesheuvel@linaro.org>,
"Serge E . Hallyn" <serge@hallyn.com>,
Stephen Boyd <sboyd@kernel.org>,
Laura Abbott <labbott@redhat.com>, Rik van Riel <riel@redhat.com>
Subject: Re: [RFC PATCH v4 7/8] ima: based on policy prevent loading firmware (pre-allocated buffer)
Date: Tue, 5 Jun 2018 15:37:22 -0700 [thread overview]
Message-ID: <CAGXu5jKkg_=iHGgrED4qB4TCFJaWgLkLp61RHgJ6UEhAj89GwQ@mail.gmail.com> (raw)
In-Reply-To: <20180601192545.GR4511@wotan.suse.de>
On Fri, Jun 1, 2018 at 12:25 PM, Luis R. Rodriguez <mcgrof@kernel.org> wrote:
> On Fri, Jun 01, 2018 at 09:15:45PM +0200, Luis R. Rodriguez wrote:
>> On Tue, May 29, 2018 at 02:01:59PM -0400, Mimi Zohar wrote:
>> > Some systems are memory constrained but they need to load very large
>> > firmwares. The firmware subsystem allows drivers to request this
>> > firmware be loaded from the filesystem, but this requires that the
>> > entire firmware be loaded into kernel memory first before it's provided
>> > to the driver. This can lead to a situation where we map the firmware
>> > twice, once to load the firmware into kernel memory and once to copy the
>> > firmware into the final resting place.
>> >
>> > To resolve this problem, commit a098ecd2fa7d ("firmware: support loading
>> > into a pre-allocated buffer") introduced request_firmware_into_buf() API
>> > that allows drivers to request firmware be loaded directly into a
>> > pre-allocated buffer. The QCOM_MDT_LOADER calls dma_alloc_coherent() to
>> > allocate this buffer. According to Documentation/DMA-API.txt,
>> >
>> > Consistent memory is memory for which a write by either the
>> > device or the processor can immediately be read by the processor
>> > or device without having to worry about caching effects. (You
>> > may however need to make sure to flush the processor's write
>> > buffers before telling devices to read that memory.)
>> >
>> > Devices using pre-allocated DMA memory run the risk of the firmware
>> > being accessible by the device prior to the kernel's firmware signature
>> > verification has completed.
>>
>> Indeed. And since its DMA memory we have *no idea* what can happen in
>> terms of consumption of this firmware from hardware, when it would start
>> consuming it in particular.
>>
>> If the device has its own hardware firmware verification mechanism this is
>> completely obscure to us, but it may however suffice certain security policies.
>>
>> The problem here lies in the conflicting security policies of the kernel wanting
>> to not give away firmware until its complete and the current inability to enable
>> us to have platforms suggest they trust hardware won't do something stupid.
>> This becomes an issue since the semantics of the firmware API preallocated
>> buffer do not require currently allow the kernel to inform LSMs of the fact
>> that a buffer is DMA memory or not, and a way for certain platforms then
>> to say that such use is fine for specific devices.
>>
>> Given a pointer can we determine if a piece of memory is DMA or not?
>
> FWIW
>
> Vlastimil suggests page_zone() or virt_to_page() may be able to.
I don't see a PAGEFLAG for DMA, but I do see ZONE_DMA for
page_zone()... So maybe something like
struct page *page;
page = virt_to_page(address);
if (!page)
fail closed...
if (page_zone(page) == ZONE_DMA)
handle dma case...
else
non-dma
But I've CCed Laura and Rik, who I always lean on when I have these
kinds of page questions...
-Kees
--
Kees Cook
Pixel Security
WARNING: multiple messages have this Message-ID (diff)
From: keescook@chromium.org (Kees Cook)
To: linux-security-module@vger.kernel.org
Subject: [RFC PATCH v4 7/8] ima: based on policy prevent loading firmware (pre-allocated buffer)
Date: Tue, 5 Jun 2018 15:37:22 -0700 [thread overview]
Message-ID: <CAGXu5jKkg_=iHGgrED4qB4TCFJaWgLkLp61RHgJ6UEhAj89GwQ@mail.gmail.com> (raw)
In-Reply-To: <20180601192545.GR4511@wotan.suse.de>
On Fri, Jun 1, 2018 at 12:25 PM, Luis R. Rodriguez <mcgrof@kernel.org> wrote:
> On Fri, Jun 01, 2018 at 09:15:45PM +0200, Luis R. Rodriguez wrote:
>> On Tue, May 29, 2018 at 02:01:59PM -0400, Mimi Zohar wrote:
>> > Some systems are memory constrained but they need to load very large
>> > firmwares. The firmware subsystem allows drivers to request this
>> > firmware be loaded from the filesystem, but this requires that the
>> > entire firmware be loaded into kernel memory first before it's provided
>> > to the driver. This can lead to a situation where we map the firmware
>> > twice, once to load the firmware into kernel memory and once to copy the
>> > firmware into the final resting place.
>> >
>> > To resolve this problem, commit a098ecd2fa7d ("firmware: support loading
>> > into a pre-allocated buffer") introduced request_firmware_into_buf() API
>> > that allows drivers to request firmware be loaded directly into a
>> > pre-allocated buffer. The QCOM_MDT_LOADER calls dma_alloc_coherent() to
>> > allocate this buffer. According to Documentation/DMA-API.txt,
>> >
>> > Consistent memory is memory for which a write by either the
>> > device or the processor can immediately be read by the processor
>> > or device without having to worry about caching effects. (You
>> > may however need to make sure to flush the processor's write
>> > buffers before telling devices to read that memory.)
>> >
>> > Devices using pre-allocated DMA memory run the risk of the firmware
>> > being accessible by the device prior to the kernel's firmware signature
>> > verification has completed.
>>
>> Indeed. And since its DMA memory we have *no idea* what can happen in
>> terms of consumption of this firmware from hardware, when it would start
>> consuming it in particular.
>>
>> If the device has its own hardware firmware verification mechanism this is
>> completely obscure to us, but it may however suffice certain security policies.
>>
>> The problem here lies in the conflicting security policies of the kernel wanting
>> to not give away firmware until its complete and the current inability to enable
>> us to have platforms suggest they trust hardware won't do something stupid.
>> This becomes an issue since the semantics of the firmware API preallocated
>> buffer do not require currently allow the kernel to inform LSMs of the fact
>> that a buffer is DMA memory or not, and a way for certain platforms then
>> to say that such use is fine for specific devices.
>>
>> Given a pointer can we determine if a piece of memory is DMA or not?
>
> FWIW
>
> Vlastimil suggests page_zone() or virt_to_page() may be able to.
I don't see a PAGEFLAG for DMA, but I do see ZONE_DMA for
page_zone()... So maybe something like
struct page *page;
page = virt_to_page(address);
if (!page)
fail closed...
if (page_zone(page) == ZONE_DMA)
handle dma case...
else
non-dma
But I've CCed Laura and Rik, who I always lean on when I have these
kinds of page questions...
-Kees
--
Kees Cook
Pixel Security
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
WARNING: multiple messages have this Message-ID (diff)
From: Kees Cook <keescook@chromium.org>
To: Mimi Zohar <zohar@linux.vnet.ibm.com>,
"Luis R. Rodriguez" <mcgrof@kernel.org>
Cc: Matthew Garrett <mjg59@srcf.ucam.org>,
Rik van Riel <riel@redhat.com>, Laura Abbott <labbott@redhat.com>,
Ard Biesheuvel <ard.biesheuvel@linaro.org>,
Stephen Boyd <sboyd@kernel.org>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Kexec Mailing List <kexec@lists.infradead.org>,
LKML <linux-kernel@vger.kernel.org>,
David Howells <dhowells@redhat.com>,
linux-security-module <linux-security-module@vger.kernel.org>,
Eric Biederman <ebiederm@xmission.com>,
linux-integrity <linux-integrity@vger.kernel.org>,
"Serge E . Hallyn" <serge@hallyn.com>,
Vlastimil Babka <vbabka@suse.cz>,
Andres Rodriguez <andresx7@gmail.com>
Subject: Re: [RFC PATCH v4 7/8] ima: based on policy prevent loading firmware (pre-allocated buffer)
Date: Tue, 5 Jun 2018 15:37:22 -0700 [thread overview]
Message-ID: <CAGXu5jKkg_=iHGgrED4qB4TCFJaWgLkLp61RHgJ6UEhAj89GwQ@mail.gmail.com> (raw)
In-Reply-To: <20180601192545.GR4511@wotan.suse.de>
On Fri, Jun 1, 2018 at 12:25 PM, Luis R. Rodriguez <mcgrof@kernel.org> wrote:
> On Fri, Jun 01, 2018 at 09:15:45PM +0200, Luis R. Rodriguez wrote:
>> On Tue, May 29, 2018 at 02:01:59PM -0400, Mimi Zohar wrote:
>> > Some systems are memory constrained but they need to load very large
>> > firmwares. The firmware subsystem allows drivers to request this
>> > firmware be loaded from the filesystem, but this requires that the
>> > entire firmware be loaded into kernel memory first before it's provided
>> > to the driver. This can lead to a situation where we map the firmware
>> > twice, once to load the firmware into kernel memory and once to copy the
>> > firmware into the final resting place.
>> >
>> > To resolve this problem, commit a098ecd2fa7d ("firmware: support loading
>> > into a pre-allocated buffer") introduced request_firmware_into_buf() API
>> > that allows drivers to request firmware be loaded directly into a
>> > pre-allocated buffer. The QCOM_MDT_LOADER calls dma_alloc_coherent() to
>> > allocate this buffer. According to Documentation/DMA-API.txt,
>> >
>> > Consistent memory is memory for which a write by either the
>> > device or the processor can immediately be read by the processor
>> > or device without having to worry about caching effects. (You
>> > may however need to make sure to flush the processor's write
>> > buffers before telling devices to read that memory.)
>> >
>> > Devices using pre-allocated DMA memory run the risk of the firmware
>> > being accessible by the device prior to the kernel's firmware signature
>> > verification has completed.
>>
>> Indeed. And since its DMA memory we have *no idea* what can happen in
>> terms of consumption of this firmware from hardware, when it would start
>> consuming it in particular.
>>
>> If the device has its own hardware firmware verification mechanism this is
>> completely obscure to us, but it may however suffice certain security policies.
>>
>> The problem here lies in the conflicting security policies of the kernel wanting
>> to not give away firmware until its complete and the current inability to enable
>> us to have platforms suggest they trust hardware won't do something stupid.
>> This becomes an issue since the semantics of the firmware API preallocated
>> buffer do not require currently allow the kernel to inform LSMs of the fact
>> that a buffer is DMA memory or not, and a way for certain platforms then
>> to say that such use is fine for specific devices.
>>
>> Given a pointer can we determine if a piece of memory is DMA or not?
>
> FWIW
>
> Vlastimil suggests page_zone() or virt_to_page() may be able to.
I don't see a PAGEFLAG for DMA, but I do see ZONE_DMA for
page_zone()... So maybe something like
struct page *page;
page = virt_to_page(address);
if (!page)
fail closed...
if (page_zone(page) == ZONE_DMA)
handle dma case...
else
non-dma
But I've CCed Laura and Rik, who I always lean on when I have these
kinds of page questions...
-Kees
--
Kees Cook
Pixel Security
_______________________________________________
kexec mailing list
kexec@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/kexec
next prev parent reply other threads:[~2018-06-05 22:37 UTC|newest]
Thread overview: 139+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-05-29 18:01 [PATCH v4 0/8] kexec/firmware: support system wide policy requiring signatures Mimi Zohar
2018-05-29 18:01 ` Mimi Zohar
2018-05-29 18:01 ` Mimi Zohar
2018-05-29 18:01 ` [PATCH v4 1/8] security: define new LSM hook named security_kernel_load_data Mimi Zohar
2018-05-29 18:01 ` Mimi Zohar
2018-05-29 18:01 ` Mimi Zohar
2018-06-04 19:59 ` Serge E. Hallyn
2018-06-04 19:59 ` Serge E. Hallyn
2018-06-04 19:59 ` Serge E. Hallyn
2018-05-29 18:01 ` [PATCH v4 2/8] kexec: add call to LSM hook in original kexec_load syscall Mimi Zohar
2018-05-29 18:01 ` Mimi Zohar
2018-05-29 18:01 ` Mimi Zohar
2018-06-04 20:00 ` Serge E. Hallyn
2018-06-04 20:00 ` Serge E. Hallyn
2018-06-04 20:00 ` Serge E. Hallyn
2018-05-29 18:01 ` [PATCH v4 3/8] ima: based on policy require signed kexec kernel images Mimi Zohar
2018-05-29 18:01 ` Mimi Zohar
2018-05-29 18:01 ` Mimi Zohar
2018-05-29 18:01 ` [PATCH v4 4/8] firmware: add call to LSM hook before firmware sysfs fallback Mimi Zohar
2018-05-29 18:01 ` Mimi Zohar
2018-05-29 18:01 ` Mimi Zohar
2018-06-01 18:19 ` Luis R. Rodriguez
2018-06-01 18:19 ` Luis R. Rodriguez
2018-06-01 18:19 ` Luis R. Rodriguez
2018-05-29 18:01 ` [PATCH v4 5/8] ima: based on policy require signed firmware (sysfs fallback) Mimi Zohar
2018-05-29 18:01 ` Mimi Zohar
2018-05-29 18:01 ` Mimi Zohar
2018-06-01 18:21 ` Luis R. Rodriguez
2018-06-01 18:21 ` Luis R. Rodriguez
2018-06-01 18:21 ` Luis R. Rodriguez
2018-06-01 22:39 ` Mimi Zohar
2018-06-01 22:39 ` Mimi Zohar
2018-06-01 22:39 ` Mimi Zohar
2018-06-01 22:39 ` Mimi Zohar
2018-06-01 22:46 ` Luis R. Rodriguez
2018-06-01 22:46 ` Luis R. Rodriguez
2018-06-01 22:46 ` Luis R. Rodriguez
2018-06-01 22:46 ` Luis R. Rodriguez
2018-06-01 23:04 ` Mimi Zohar
2018-06-01 23:04 ` Mimi Zohar
2018-06-01 23:04 ` Mimi Zohar
2018-06-01 23:04 ` Mimi Zohar
2018-05-29 18:01 ` [PATCH v4 6/8] ima: add build time policy Mimi Zohar
2018-05-29 18:01 ` Mimi Zohar
2018-05-29 18:01 ` Mimi Zohar
2018-05-29 18:01 ` [RFC PATCH v4 7/8] ima: based on policy prevent loading firmware (pre-allocated buffer) Mimi Zohar
2018-05-29 18:01 ` Mimi Zohar
2018-05-29 18:01 ` Mimi Zohar
2018-06-01 19:15 ` Luis R. Rodriguez
2018-06-01 19:15 ` Luis R. Rodriguez
2018-06-01 19:15 ` Luis R. Rodriguez
2018-06-01 19:25 ` Luis R. Rodriguez
2018-06-01 19:25 ` Luis R. Rodriguez
2018-06-01 19:25 ` Luis R. Rodriguez
2018-06-05 22:37 ` Kees Cook [this message]
2018-06-05 22:37 ` Kees Cook
2018-06-05 22:37 ` Kees Cook
2018-06-06 6:20 ` Ard Biesheuvel
2018-06-06 6:20 ` Ard Biesheuvel
2018-06-06 6:20 ` Ard Biesheuvel
2018-06-06 22:06 ` Luis R. Rodriguez
2018-06-06 22:06 ` Luis R. Rodriguez
2018-06-06 22:06 ` Luis R. Rodriguez
2018-05-29 18:02 ` [PATCH v4 8/8] module: replace the existing LSM hook in init_module Mimi Zohar
2018-05-29 18:02 ` Mimi Zohar
2018-05-29 18:02 ` Mimi Zohar
2018-05-29 22:39 ` Paul Moore
2018-05-29 22:39 ` Paul Moore
2018-05-29 22:39 ` Paul Moore
2018-05-29 23:14 ` Mimi Zohar
2018-05-29 23:14 ` Mimi Zohar
2018-05-29 23:14 ` Mimi Zohar
2018-05-29 23:14 ` Mimi Zohar
2018-05-30 21:00 ` Paul Moore
2018-05-30 21:00 ` Paul Moore
2018-05-30 21:00 ` Paul Moore
2018-05-31 15:23 ` [PATCH v4a " Mimi Zohar
2018-05-31 15:23 ` Mimi Zohar
2018-05-31 15:23 ` Mimi Zohar
2018-06-01 22:28 ` Paul Moore
2018-06-01 22:28 ` Paul Moore
2018-06-01 22:28 ` Paul Moore
2018-06-04 9:19 ` Jessica Yu
2018-06-04 9:19 ` Jessica Yu
2018-06-04 9:19 ` Jessica Yu
2018-06-05 19:45 ` Kees Cook
2018-06-05 19:45 ` Kees Cook
2018-06-05 19:45 ` Kees Cook
2018-06-05 21:35 ` Mimi Zohar
2018-06-05 21:35 ` Mimi Zohar
2018-06-05 21:35 ` Mimi Zohar
2018-06-05 21:35 ` Mimi Zohar
2018-06-05 22:26 ` Kees Cook
2018-06-05 22:26 ` Kees Cook
2018-06-05 22:26 ` Kees Cook
2018-06-05 22:40 ` Mimi Zohar
2018-06-05 22:40 ` Mimi Zohar
2018-06-05 22:40 ` Mimi Zohar
2018-06-05 22:40 ` Mimi Zohar
2018-05-29 23:25 ` [PATCH v4 " Mimi Zohar
2018-05-29 23:25 ` Mimi Zohar
2018-05-29 23:25 ` Mimi Zohar
2018-05-29 23:25 ` Mimi Zohar
2018-05-30 2:25 ` Eric W. Biederman
2018-05-30 2:25 ` Eric W. Biederman
2018-05-30 2:25 ` Eric W. Biederman
2018-05-30 21:09 ` Paul Moore
2018-05-30 21:09 ` Paul Moore
2018-05-30 21:09 ` Paul Moore
2018-06-04 14:03 ` [PATCH v4 0/8] kexec/firmware: support system wide policy requiring signatures Mimi Zohar
2018-06-04 14:03 ` Mimi Zohar
2018-06-04 14:03 ` Mimi Zohar
2018-06-04 14:03 ` Mimi Zohar
2018-06-04 19:32 ` Serge E. Hallyn
2018-06-04 19:32 ` Serge E. Hallyn
2018-06-04 19:32 ` Serge E. Hallyn
2018-06-04 19:32 ` Serge E. Hallyn
2018-06-04 19:53 ` Mimi Zohar
2018-06-04 19:53 ` Mimi Zohar
2018-06-04 19:53 ` Mimi Zohar
2018-06-04 19:53 ` Mimi Zohar
2018-06-04 22:03 ` Kees Cook
2018-06-04 22:03 ` Kees Cook
2018-06-04 22:03 ` Kees Cook
2018-06-05 4:09 ` Serge E. Hallyn
2018-06-05 4:09 ` Serge E. Hallyn
2018-06-05 4:09 ` Serge E. Hallyn
2018-06-05 12:19 ` Kees Cook
2018-06-05 12:19 ` Kees Cook
2018-06-05 12:19 ` Kees Cook
2018-06-05 13:25 ` Serge E. Hallyn
2018-06-05 13:25 ` Serge E. Hallyn
2018-06-05 13:25 ` Serge E. Hallyn
2018-06-05 13:43 ` Kees Cook
2018-06-05 13:43 ` Kees Cook
2018-06-05 13:43 ` Kees Cook
2018-06-05 14:05 ` Mimi Zohar
2018-06-05 14:05 ` Mimi Zohar
2018-06-05 14:05 ` Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAGXu5jKkg_=iHGgrED4qB4TCFJaWgLkLp61RHgJ6UEhAj89GwQ@mail.gmail.com' \
--to=keescook@chromium.org \
--cc=andresx7@gmail.com \
--cc=ard.biesheuvel@linaro.org \
--cc=dhowells@redhat.com \
--cc=ebiederm@xmission.com \
--cc=gregkh@linuxfoundation.org \
--cc=kexec@lists.infradead.org \
--cc=labbott@redhat.com \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mcgrof@kernel.org \
--cc=mjg59@srcf.ucam.org \
--cc=riel@redhat.com \
--cc=sboyd@kernel.org \
--cc=serge@hallyn.com \
--cc=vbabka@suse.cz \
--cc=zohar@linux.vnet.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.