From: Mimi Zohar <zohar@linux.vnet.ibm.com>
To: linux-integrity@vger.kernel.org
Cc: Mimi Zohar <zohar@linux.vnet.ibm.com>,
linux-security-module@vger.kernel.org,
linux-kernel@vger.kernel.org, David Howells <dhowells@redhat.com>,
"Luis R . Rodriguez" <mcgrof@kernel.org>,
Eric Biederman <ebiederm@xmission.com>,
kexec@lists.infradead.org, Andres Rodriguez <andresx7@gmail.com>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Ard Biesheuvel <ard.biesheuvel@linaro.org>,
"Luis R . Rodriguez" <mcgrof@suse.com>,
Kees Cook <keescook@chromium.org>,
"Serge E . Hallyn" <serge@hallyn.com>,
Stephen Boyd <stephen.boyd@linaro.org>
Subject: [PATCH v2 9/9] ima: based on policy prevent loading firmware (pre-allocated buffer)
Date: Thu, 17 May 2018 10:48:50 -0400 [thread overview]
Message-ID: <1526568530-9144-10-git-send-email-zohar@linux.vnet.ibm.com> (raw)
In-Reply-To: <1526568530-9144-1-git-send-email-zohar@linux.vnet.ibm.com>
Question: can the device access the pre-allocated buffer at any time?
By allowing devices to request firmware be loaded directly into a
pre-allocated buffer, will this allow the device access to the firmware
before the kernel has verified the firmware signature?
Is it dependent on the type of buffer allocated (eg. DMA)? For example,
qcom_mdt_load() -> qcom_scm_pas_init_image() -> dma_alloc_coherent().
With an IMA policy requiring signed firmware, this patch would prevent
loading firmware into a pre-allocated buffer.
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Cc: Luis R. Rodriguez <mcgrof@suse.com>
Cc: David Howells <dhowells@redhat.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Serge E. Hallyn <serge@hallyn.com>
Cc: Stephen Boyd <stephen.boyd@linaro.org>
---
security/integrity/ima/ima_main.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index 29d1a929af5c..6224468845e6 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -452,6 +452,15 @@ int ima_read_file(struct file *file, enum kernel_read_file_id read_id)
return 0;
}
+ if (read_id == READING_FIRMWARE_PREALLOC_BUFFER) {
+ if ((ima_appraise & IMA_APPRAISE_FIRMWARE) &&
+ (ima_appraise & IMA_APPRAISE_ENFORCE)) {
+ pr_err("Prevent device from accessing firmware prior to verifying the firmware signature.\n");
+ return -EACCES;
+ }
+ return 0;
+ }
+
if (read_id == READING_FIRMWARE_FALLBACK_SYSFS) {
if ((ima_appraise & IMA_APPRAISE_FIRMWARE) &&
(ima_appraise & IMA_APPRAISE_ENFORCE)) {
--
2.7.5
WARNING: multiple messages have this Message-ID (diff)
From: zohar@linux.vnet.ibm.com (Mimi Zohar)
To: linux-security-module@vger.kernel.org
Subject: [PATCH v2 9/9] ima: based on policy prevent loading firmware (pre-allocated buffer)
Date: Thu, 17 May 2018 10:48:50 -0400 [thread overview]
Message-ID: <1526568530-9144-10-git-send-email-zohar@linux.vnet.ibm.com> (raw)
In-Reply-To: <1526568530-9144-1-git-send-email-zohar@linux.vnet.ibm.com>
Question: can the device access the pre-allocated buffer at any time?
By allowing devices to request firmware be loaded directly into a
pre-allocated buffer, will this allow the device access to the firmware
before the kernel has verified the firmware signature?
Is it dependent on the type of buffer allocated (eg. DMA)? For example,
qcom_mdt_load() -> qcom_scm_pas_init_image() -> dma_alloc_coherent().
With an IMA policy requiring signed firmware, this patch would prevent
loading firmware into a pre-allocated buffer.
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Cc: Luis R. Rodriguez <mcgrof@suse.com>
Cc: David Howells <dhowells@redhat.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Serge E. Hallyn <serge@hallyn.com>
Cc: Stephen Boyd <stephen.boyd@linaro.org>
---
security/integrity/ima/ima_main.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index 29d1a929af5c..6224468845e6 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -452,6 +452,15 @@ int ima_read_file(struct file *file, enum kernel_read_file_id read_id)
return 0;
}
+ if (read_id == READING_FIRMWARE_PREALLOC_BUFFER) {
+ if ((ima_appraise & IMA_APPRAISE_FIRMWARE) &&
+ (ima_appraise & IMA_APPRAISE_ENFORCE)) {
+ pr_err("Prevent device from accessing firmware prior to verifying the firmware signature.\n");
+ return -EACCES;
+ }
+ return 0;
+ }
+
if (read_id == READING_FIRMWARE_FALLBACK_SYSFS) {
if ((ima_appraise & IMA_APPRAISE_FIRMWARE) &&
(ima_appraise & IMA_APPRAISE_ENFORCE)) {
--
2.7.5
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
WARNING: multiple messages have this Message-ID (diff)
From: Mimi Zohar <zohar@linux.vnet.ibm.com>
To: linux-integrity@vger.kernel.org
Cc: Andres Rodriguez <andresx7@gmail.com>,
Kees Cook <keescook@chromium.org>,
Ard Biesheuvel <ard.biesheuvel@linaro.org>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
"Luis R . Rodriguez" <mcgrof@suse.com>,
Stephen Boyd <stephen.boyd@linaro.org>,
kexec@lists.infradead.org, linux-kernel@vger.kernel.org,
David Howells <dhowells@redhat.com>,
linux-security-module@vger.kernel.org,
Eric Biederman <ebiederm@xmission.com>,
"Serge E . Hallyn" <serge@hallyn.com>,
Mimi Zohar <zohar@linux.vnet.ibm.com>,
"Luis R . Rodriguez" <mcgrof@kernel.org>
Subject: [PATCH v2 9/9] ima: based on policy prevent loading firmware (pre-allocated buffer)
Date: Thu, 17 May 2018 10:48:50 -0400 [thread overview]
Message-ID: <1526568530-9144-10-git-send-email-zohar@linux.vnet.ibm.com> (raw)
In-Reply-To: <1526568530-9144-1-git-send-email-zohar@linux.vnet.ibm.com>
Question: can the device access the pre-allocated buffer at any time?
By allowing devices to request firmware be loaded directly into a
pre-allocated buffer, will this allow the device access to the firmware
before the kernel has verified the firmware signature?
Is it dependent on the type of buffer allocated (eg. DMA)? For example,
qcom_mdt_load() -> qcom_scm_pas_init_image() -> dma_alloc_coherent().
With an IMA policy requiring signed firmware, this patch would prevent
loading firmware into a pre-allocated buffer.
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Cc: Luis R. Rodriguez <mcgrof@suse.com>
Cc: David Howells <dhowells@redhat.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Serge E. Hallyn <serge@hallyn.com>
Cc: Stephen Boyd <stephen.boyd@linaro.org>
---
security/integrity/ima/ima_main.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index 29d1a929af5c..6224468845e6 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -452,6 +452,15 @@ int ima_read_file(struct file *file, enum kernel_read_file_id read_id)
return 0;
}
+ if (read_id == READING_FIRMWARE_PREALLOC_BUFFER) {
+ if ((ima_appraise & IMA_APPRAISE_FIRMWARE) &&
+ (ima_appraise & IMA_APPRAISE_ENFORCE)) {
+ pr_err("Prevent device from accessing firmware prior to verifying the firmware signature.\n");
+ return -EACCES;
+ }
+ return 0;
+ }
+
if (read_id == READING_FIRMWARE_FALLBACK_SYSFS) {
if ((ima_appraise & IMA_APPRAISE_FIRMWARE) &&
(ima_appraise & IMA_APPRAISE_ENFORCE)) {
--
2.7.5
_______________________________________________
kexec mailing list
kexec@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/kexec
next prev parent reply other threads:[~2018-05-17 14:48 UTC|newest]
Thread overview: 55+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-05-17 14:48 [PATCH v2 0/9] kexec/firmware: support system wide policy requiring signatures Mimi Zohar
2018-05-17 14:48 ` Mimi Zohar
2018-05-17 14:48 ` Mimi Zohar
2018-05-17 14:48 ` [PATCH v2 1/9] ima: based on policy verify firmware signatures (pre-allocated buffer) Mimi Zohar
2018-05-17 14:48 ` Mimi Zohar
2018-05-17 14:48 ` Mimi Zohar
2018-05-17 14:48 ` [PATCH v2 2/9] ima: fix updating the ima_appraise flag Mimi Zohar
2018-05-17 14:48 ` Mimi Zohar
2018-05-17 14:48 ` Mimi Zohar
2018-05-17 14:48 ` [PATCH v2 3/9] security: define security_kernel_read_blob() wrapper Mimi Zohar
2018-05-17 14:48 ` Mimi Zohar
2018-05-17 14:48 ` Mimi Zohar
2018-05-18 0:24 ` Casey Schaufler
2018-05-18 0:24 ` Casey Schaufler
2018-05-18 0:24 ` Casey Schaufler
2018-05-18 3:37 ` Eric W. Biederman
2018-05-18 3:37 ` Eric W. Biederman
2018-05-18 3:37 ` Eric W. Biederman
2018-05-18 3:37 ` Eric W. Biederman
2018-05-18 11:30 ` Mimi Zohar
2018-05-18 11:30 ` Mimi Zohar
2018-05-18 11:30 ` Mimi Zohar
2018-05-18 11:30 ` Mimi Zohar
2018-05-18 14:58 ` Casey Schaufler
2018-05-18 14:58 ` Casey Schaufler
2018-05-18 14:58 ` Casey Schaufler
2018-05-18 14:58 ` Casey Schaufler
2018-05-18 15:29 ` Mimi Zohar
2018-05-18 15:29 ` Mimi Zohar
2018-05-18 15:29 ` Mimi Zohar
2018-05-18 17:13 ` James Morris
2018-05-18 17:13 ` James Morris
2018-05-18 17:13 ` James Morris
2018-05-18 17:55 ` Mimi Zohar
2018-05-18 17:55 ` Mimi Zohar
2018-05-18 17:55 ` Mimi Zohar
2018-05-18 17:55 ` Mimi Zohar
2018-05-17 14:48 ` [PATCH v2 4/9] kexec: add call to LSM hook in original kexec_load syscall Mimi Zohar
2018-05-17 14:48 ` Mimi Zohar
2018-05-17 14:48 ` Mimi Zohar
2018-05-17 14:48 ` [PATCH v2 5/9] ima: based on policy require signed kexec kernel images Mimi Zohar
2018-05-17 14:48 ` Mimi Zohar
2018-05-17 14:48 ` Mimi Zohar
2018-05-17 14:48 ` [PATCH v2 6/9] firmware: add call to LSM hook before firmware sysfs fallback Mimi Zohar
2018-05-17 14:48 ` Mimi Zohar
2018-05-17 14:48 ` Mimi Zohar
2018-05-17 14:48 ` [PATCH v2 7/9] ima: based on policy require signed firmware (sysfs fallback) Mimi Zohar
2018-05-17 14:48 ` Mimi Zohar
2018-05-17 14:48 ` Mimi Zohar
2018-05-17 14:48 ` [PATCH v2 8/9] ima: add build time policy Mimi Zohar
2018-05-17 14:48 ` Mimi Zohar
2018-05-17 14:48 ` Mimi Zohar
2018-05-17 14:48 ` Mimi Zohar [this message]
2018-05-17 14:48 ` [PATCH v2 9/9] ima: based on policy prevent loading firmware (pre-allocated buffer) Mimi Zohar
2018-05-17 14:48 ` Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1526568530-9144-10-git-send-email-zohar@linux.vnet.ibm.com \
--to=zohar@linux.vnet.ibm.com \
--cc=andresx7@gmail.com \
--cc=ard.biesheuvel@linaro.org \
--cc=dhowells@redhat.com \
--cc=ebiederm@xmission.com \
--cc=gregkh@linuxfoundation.org \
--cc=keescook@chromium.org \
--cc=kexec@lists.infradead.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mcgrof@kernel.org \
--cc=mcgrof@suse.com \
--cc=serge@hallyn.com \
--cc=stephen.boyd@linaro.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.