From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-2.8 required=3.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS, USER_AGENT_SANE_2 autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id CD4ACC433E1 for ; Wed, 13 May 2020 23:00:52 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id D778E206F5 for ; Wed, 13 May 2020 23:00:52 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1589410852; bh=VVjNDeeIgYoZFS50soF+P5zbE1stcrvByt0YiN6Be34=; h=Subject:From:To:Cc:Date:In-Reply-To:References:List-ID:From; b=f5r7xYZn3A8XcRGRSB7t0o8oz7CJwl3UZzfDTJOBHc9OpgVff4aQza0TYtjj6vH+w NSHa0tGjoUsyp1hGRVbJQPMQg4gtog+s35pWAEqRssvdK1Fwquc3/Z/Wk3AMFyegNj N9UsDrL6hnESOMph7zd8T6tsL6wauntiTyeCuj0I= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732120AbgEMXAr (ORCPT ); Wed, 13 May 2020 19:00:47 -0400 Received: from mail.kernel.org ([198.145.29.99]:38196 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1731815AbgEMXAr (ORCPT ); Wed, 13 May 2020 19:00:47 -0400 Received: from localhost.localdomain (pool-96-246-152-186.nycmny.fios.verizon.net [96.246.152.186]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id CF5FF2053B; Wed, 13 May 2020 23:00:44 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1589410846; bh=VVjNDeeIgYoZFS50soF+P5zbE1stcrvByt0YiN6Be34=; h=Subject:From:To:Cc:Date:In-Reply-To:References:From; b=iyf3QafJgjWbHnErgMyhd1vfA3wniNq2U4Qt3zp+q7cWJuqp24NxT1b5N/pMCeR+L GQmpCyucvUhwMdZbUsIxGAp+8ttCTKSWpqtwxvb9jVPWwDOTg7bBg51Do/syJkRlOW cb+Iv/JK3W8I9m+N+N9VhcffQLDEuI4BuckjWZq8= Message-ID: <1589410843.5098.220.camel@kernel.org> Subject: Re: [PATCH v5 1/7] fs: introduce kernel_pread_file* support From: Mimi Zohar To: Scott Branden , Luis Chamberlain Cc: Greg Kroah-Hartman , David Brown , Alexander Viro , Shuah Khan , bjorn.andersson@linaro.org, Shuah Khan , Arnd Bergmann , "Rafael J . Wysocki" , linux-kernel@vger.kernel.org, linux-arm-msm@vger.kernel.org, linux-fsdevel@vger.kernel.org, BCM Kernel Feedback , Olof Johansson , Andrew Morton , Dan Carpenter , Colin Ian King , Kees Cook , Takashi Iwai , linux-kselftest@vger.kernel.org, Andy Gross , linux-security-module , linux-integrity Date: Wed, 13 May 2020 19:00:43 -0400 In-Reply-To: References: <20200508002739.19360-1-scott.branden@broadcom.com> <20200508002739.19360-2-scott.branden@broadcom.com> <1589395153.5098.158.camel@kernel.org> <0e6b5f65-8c61-b02e-7d35-b4ae52aebcf3@broadcom.com> <1589396593.5098.166.camel@kernel.org> <1589398747.5098.178.camel@kernel.org> <1589404814.5098.185.camel@kernel.org> <20200513212847.GT11244@42.do-not-panic.com> <1589407924.5098.208.camel@kernel.org> Content-Type: text/plain; charset="UTF-8" X-Mailer: Evolution 3.20.5 (3.20.5-1.fc24) Mime-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: linux-arm-msm-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-arm-msm@vger.kernel.org On Wed, 2020-05-13 at 15:48 -0700, Scott Branden wrote: > > On 2020-05-13 3:12 p.m., Mimi Zohar wrote: > > On Wed, 2020-05-13 at 21:28 +0000, Luis Chamberlain wrote: > >> On Wed, May 13, 2020 at 05:20:14PM -0400, Mimi Zohar wrote: > >>> On Wed, 2020-05-13 at 12:41 -0700, Scott Branden wrote: > >>>> On 2020-05-13 12:39 p.m., Mimi Zohar wrote: > >>>>> On Wed, 2020-05-13 at 12:18 -0700, Scott Branden wrote: > >>>>>> On 2020-05-13 12:03 p.m., Mimi Zohar wrote: > >>>>>>> On Wed, 2020-05-13 at 11:53 -0700, Scott Branden wrote: > >>>>>> Even if the kernel successfully verified the firmware file signature it > >>>>>> would just be wasting its time.  The kernel in these use cases is not always > >>>>>> trusted.  The device needs to authenticate the firmware image itself. > >>>>> There are also environments where the kernel is trusted and limits the > >>>>> firmware being provided to the device to one which they signed. > >>>>> > >>>>>>> The device firmware is being downloaded piecemeal from somewhere and > >>>>>>> won't be measured? > >>>>>> It doesn't need to be measured for current driver needs. > >>>>> Sure the device doesn't need the kernel measuring the firmware, but > >>>>> hardened environments do measure firmware. > >>>>> > >>>>>> If someone has such need the infrastructure could be added to the kernel > >>>>>> at a later date.  Existing functionality is not broken in any way by > >>>>>> this patch series. > >>>>> Wow!  You're saying that your patch set takes precedence over the > >>>>> existing expectations and can break them. > >>>> Huh? I said existing functionality is NOT broken by this patch series. > >>> Assuming a system is configured to measure and appraise firmware > >>> (rules below), with this change the firmware file will not be properly > >>> measured and will fail signature verification. > So no existing functionality has been broken. > >>> > >>> Sample IMA policy rules: > >>> measure func=FIRMWARE_CHECK > >>> appraise func=FIRMWARE_CHECK appraise_type=imasig > >> Would a pre and post lsm hook for pread do it? > > IMA currently measures and verifies the firmware file signature on the > > post hook.  The file is read once into a buffer.  With this change, > > IMA would need to be on the pre hook, to read the entire file, > > calculating the file hash and verifying the file signature.  Basically > > the firmware would be read once for IMA and again for the device. > The entire file may not fit into available memory to measure and > verify.  Hence the reason for a partial read. Previously, IMA pre-read the file in page size chunks in order to calculate the file hash.  To avoid reading the file twice, the file is now read into a buffer. > > Is there some way we could add a flag when calling the > request_firmware_into_buf to indicate it is ok that the data requested > does not need to be measured? The decision as to what needs to be measured is a policy decision left up to the system owner, which they express by loading an IMA policy. Mimi