From: Mimi Zohar <zohar@linux.vnet.ibm.com>
To: linux-integrity@vger.kernel.org
Cc: Mimi Zohar, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, David Howells, Luis R. Rodriguez, Eric Biederman, kexec@lists.infradead.org, Andres Rodriguez, Greg Kroah-Hartman, Ard Biesheuvel, Kees Cook, Serge E. Hallyn, Stephen Boyd
Subject: [PATCH v2 9/9] ima: based on policy prevent loading firmware (pre-allocated buffer)
Date: Thu, 17 May 2018 10:48:50 -0400
In-Reply-To: <1526568530-9144-1-git-send-email-zohar@linux.vnet.ibm.com>
References: <1526568530-9144-1-git-send-email-zohar@linux.vnet.ibm.com>
Message-Id: <1526568530-9144-10-git-send-email-zohar@linux.vnet.ibm.com>

Question: can the device access the pre-allocated buffer at any time? By allowing devices to request firmware be loaded directly into a pre-allocated buffer, will this allow the device access to the firmware before the kernel has verified the firmware signature? Is it dependent on the type of buffer allocated (e.g. DMA)? For example, qcom_mdt_load() -> qcom_scm_pas_init_image() -> dma_alloc_coherent().
With an IMA policy requiring signed firmware, this patch would prevent loading firmware into a pre-allocated buffer.

Signed-off-by: Mimi Zohar
Cc: Luis R. Rodriguez
Cc: David Howells
Cc: Kees Cook
Cc: Serge E. Hallyn
Cc: Stephen Boyd
---
 security/integrity/ima/ima_main.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index 29d1a929af5c..6224468845e6 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -452,6 +452,15 @@ int ima_read_file(struct file *file, enum kernel_read_file_id read_id) return 0; } + if (read_id == READING_FIRMWARE_PREALLOC_BUFFER) { + if ((ima_appraise & IMA_APPRAISE_FIRMWARE) && + (ima_appraise & IMA_APPRAISE_ENFORCE)) { + pr_err("Prevent device from accessing firmware prior to verifying the firmware signature.\n"); + return -EACCES; + } + return 0; + } + if (read_id == READING_FIRMWARE_FALLBACK_SYSFS) { if ((ima_appraise & IMA_APPRAISE_FIRMWARE) && (ima_appraise & IMA_APPRAISE_ENFORCE)) { -- 2.7.5
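Review bot: the new READING_FIRMWARE_PREALLOC_BUFFER branch repeats the READING_FIRMWARE_FALLBACK_SYSFS branch directly below it condition for condition (`(ima_appraise & IMA_APPRAISE_FIRMWARE) && (ima_appraise & IMA_APPRAISE_ENFORCE)`), differing only in the pr_err text; fold both read ids into one test, `if (read_id == READING_FIRMWARE_PREALLOC_BUFFER || read_id == READING_FIRMWARE_FALLBACK_SYSFS)`, and select the message inside it, so a later change to the policy test cannot drift between the two copies. The commit message also leaves its central question open (whether the device can read the pre-allocated buffer before verification), yet the branch denies unconditionally instead of letting the normal appraisal path run; a short comment above the `if` should state the assumption being made (that the buffer may be device-accessible, e.g. DMA-coherent, so verification after the read is too late), otherwise the blanket -EACCES looks arbitrary to the next reader. Finally, pr_err fires on every denied request, and firmware requests can be retried by drivers on each probe; a ratelimited variant would keep a misconfigured system from flooding the log.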
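The ordering problem the commit message asks about, as an added user-space model (example code, not the patch or any kernel code). It assumes that the device can read the pre-allocated buffer the instant bytes land in it, and it stands in a toy 32-bit FNV-1a tag for the IMA signature; neither the tag nor the helper names (`load_into_prealloc`, `load_verify_then_copy`, `run_scenario`) come from the kernel. The point it makes: when the firmware is read straight into device-visible memory, a failed verification still leaves the device having seen the unverified image, whereas verifying in private memory first means a rejected image never reaches the device.

```c
/*
 * Added example, not kernel code: device_buf models a DMA-coherent
 * pre-allocated buffer the device is assumed to read as soon as it is filled.
 * The "signature" is a toy FNV-1a tag appended to the payload, a stand-in for
 * IMA signature appraisal, not real signature verification.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TAG_LEN 4
#define MAX_IMG 64

struct device {
	int saw_unverified;	/* device observed bytes that fail verification */
};

static uint32_t fnv1a(const uint8_t *p, size_t n)
{
	uint32_t h = 0x811c9dc5u;

	for (size_t i = 0; i < n; i++) {
		h ^= p[i];
		h *= 0x01000193u;
	}
	return h;
}

/* image = payload || big-endian tag; returns the image length */
size_t sign_image(const uint8_t *payload, size_t n, uint8_t *img)
{
	uint32_t t = fnv1a(payload, n);

	memcpy(img, payload, n);
	img[n] = t >> 24;
	img[n + 1] = t >> 16;
	img[n + 2] = t >> 8;
	img[n + 3] = t;
	return n + TAG_LEN;
}

int verify_image(const uint8_t *img, size_t len)
{
	uint32_t want;
	size_t n;

	if (len < TAG_LEN)
		return 0;
	n = len - TAG_LEN;
	want = ((uint32_t)img[n] << 24) | ((uint32_t)img[n + 1] << 16) |
	       ((uint32_t)img[n + 2] << 8) | img[n + 3];
	return fnv1a(img, n) == want;
}

/* The simulated device reads the shared buffer as soon as it is filled. */
static void device_observe(struct device *dev, const uint8_t *buf, size_t len)
{
	if (!verify_image(buf, len))
		dev->saw_unverified = 1;
}

/* Pre-allocated-buffer style: read straight into device memory, verify after. */
int load_into_prealloc(struct device *dev, uint8_t *device_buf,
		       const uint8_t *img, size_t len)
{
	memcpy(device_buf, img, len);
	device_observe(dev, device_buf, len);	/* window: device sees unverified code */
	return verify_image(device_buf, len) ? 0 : -1;	/* rejection comes too late */
}

/* Verify in private memory first; copy to the device only what passed. */
int load_verify_then_copy(struct device *dev, uint8_t *device_buf,
			  const uint8_t *img, size_t len)
{
	uint8_t priv[MAX_IMG];

	memcpy(priv, img, len);
	if (!verify_image(priv, len))
		return -1;			/* device never sees the bytes */
	memcpy(device_buf, priv, len);
	device_observe(dev, device_buf, len);
	return 0;
}

/*
 * Returns bit 0 = load accepted, bit 1 = device observed unverified bytes.
 * prealloc selects the direct-to-device path; tampered flips one payload byte
 * after signing (constructed input, standing in for a modified firmware file).
 */
int run_scenario(int prealloc, int tampered)
{
	static const uint8_t payload[] = "constructed firmware blob";
	uint8_t img[MAX_IMG], device_buf[MAX_IMG] = { 0 };
	struct device dev = { 0 };
	size_t len = sign_image(payload, sizeof(payload), img);
	int rc;

	if (tampered)
		img[0] ^= 0x01;
	rc = prealloc ? load_into_prealloc(&dev, device_buf, img, len)
		      : load_verify_then_copy(&dev, device_buf, img, len);
	return (rc == 0 ? 1 : 0) | (dev.saw_unverified ? 2 : 0);
}

int main(void)
{
	printf("prealloc, tampered: %d\n", run_scenario(1, 1));	/* 2: rejected, device saw it */
	printf("private,  tampered: %d\n", run_scenario(0, 1));	/* 0: rejected, device saw nothing */
	printf("prealloc, genuine:  %d\n", run_scenario(1, 0));	/* 1 */
	printf("private,  genuine:  %d\n", run_scenario(0, 0));	/* 1 */
	return 0;
}
```

The prealloc+tampered case is the one the patch closes off: the load is rejected, but bit 1 shows the device already had the unverified bytes in its buffer, which is exactly why the patch returns -EACCES before the read rather than appraising afterwards.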