From: Kees Cook <keescook@chromium.org>
To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Kees Cook <keescook@chromium.org>,
	Scott Branden <scott.branden@broadcom.com>,
	Mimi Zohar <zohar@linux.ibm.com>,
	Luis Chamberlain <mcgrof@kernel.org>,
	Takashi Iwai <tiwai@suse.de>,
	Jessica Yu <jeyu@kernel.org>,
	SeongJae Park <sjpark@amazon.de>,
	KP Singh <kpsingh@chromium.org>,
	linux-efi@vger.kernel.org,
	linux-security-module@vger.kernel.org,
	linux-integrity@vger.kernel.org,
	selinux@vger.kernel.org,
	linux-kselftest@vger.kernel.org,
	linux-kernel@vger.kernel.org
Subject: [PATCH v4 00/17] Introduce partial kernel_read_file() support
Date: Wed, 29 Jul 2020 10:58:28 -0700
Message-ID: <20200729175845.1745471-1-keescook@chromium.org>

v4:
- add more reviews (mimi, luis)
- adjusted comment (mimi)
- fixed build error when not building firmware tests (0day, sfr)
- fixed needless .xz read (tiwai)
- rebased to driver-core-next
v3: https://lore.kernel.org/lkml/20200724213640.389191-1-keescook@chromium.org/
v2: lost to the ether
v1: https://lore.kernel.org/lkml/20200717174309.1164575-1-keescook@chromium.org/

Hi,

Here's my tree for adding partial read support in kernel_read_file(),
which fixes a number of issues along the way. It's got Scott's firmware
and IMA patches ported and everything tests cleanly for me (even with
CONFIG_IMA_APPRAISE=y), and now appears to pass 0day. :)

The intention is for this to go via Greg's tree since Scott's driver
code will depend on it.

Thanks,

-Kees

Kees Cook (13):
  test_firmware: Test platform fw loading on non-EFI systems
  fs/kernel_read_file: Remove FIRMWARE_PREALLOC_BUFFER enum
  fs/kernel_read_file: Remove FIRMWARE_EFI_EMBEDDED enum
  fs/kernel_read_file: Split into separate source file
  fs/kernel_read_file: Remove redundant size argument
  fs/kernel_read_file: Switch buffer size arg to size_t
  fs/kernel_read_file: Add file_size output argument
  LSM: Introduce kernel_post_load_data() hook
  firmware_loader: Use security_post_load_data()
  module: Call security_kernel_post_load_data()
  LSM: Add "contents" flag to kernel_read_file hook
  fs/kernel_file_read: Add "offset" arg for partial reads
  firmware: Store opt_flags in fw_priv

Scott Branden (4):
  fs/kernel_read_file: Split into separate include file
  IMA: Add support for file reads without contents
  firmware: Add request_partial_firmware_into_buf()
  test_firmware: Test partial read support

 drivers/base/firmware_loader/fallback.c       |  19 +-
 drivers/base/firmware_loader/fallback.h       |   5 +-
 .../base/firmware_loader/fallback_platform.c  |  11 +-
 drivers/base/firmware_loader/firmware.h       |   7 +-
 drivers/base/firmware_loader/main.c           | 135 ++++++++++---
 drivers/firmware/efi/embedded-firmware.c      |  21 +-
 drivers/firmware/efi/embedded-firmware.h      |  21 ++
 fs/Makefile                                   |   3 +-
 fs/exec.c                                     | 132 +-----------
 fs/kernel_read_file.c                         | 189 ++++++++++++++++++
 include/linux/efi_embedded_fw.h               |  13 --
 include/linux/firmware.h                      |  12 ++
 include/linux/fs.h                            |  39 ----
 include/linux/ima.h                           |  19 +-
 include/linux/kernel_read_file.h              |  55 +++++
 include/linux/lsm_hook_defs.h                 |   6 +-
 include/linux/lsm_hooks.h                     |  12 ++
 include/linux/security.h                      |  19 +-
 kernel/kexec.c                                |   2 +-
 kernel/kexec_file.c                           |  19 +-
 kernel/module.c                               |  24 ++-
 lib/test_firmware.c                           | 159 +++++++++++++--
 security/integrity/digsig.c                   |   8 +-
 security/integrity/ima/ima_fs.c               |  10 +-
 security/integrity/ima/ima_main.c             |  70 +++++--
 security/integrity/ima/ima_policy.c           |   1 +
 security/loadpin/loadpin.c                    |  17 +-
 security/security.c                           |  26 ++-
 security/selinux/hooks.c                      |   8 +-
 .../selftests/firmware/fw_filesystem.sh       |  91 +++++++++
 30 files changed, 839 insertions(+), 314 deletions(-)
 create mode 100644 drivers/firmware/efi/embedded-firmware.h
 create mode 100644 fs/kernel_read_file.c
 create mode 100644 include/linux/kernel_read_file.h

-- 
2.25.1