From: Mimi Zohar <zohar@linux.vnet.ibm.com>
To: linux-integrity@vger.kernel.org
Cc: Hans de Goede <hdegoede@redhat.com>, Ard Biesheuvel <ard.biesheuvel@linaro.org>, Peter Jones <pjones@redhat.com>, Mimi Zohar <zohar@linux.vnet.ibm.com>, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, David Howells <dhowells@redhat.com>, "Luis R . Rodriguez" <mcgrof@kernel.org>, "Luis R . Rodriguez" <mcgrof@suse.com>, Kees Cook <keescook@chromium.org>, Seth Forshee <seth.forshee@canonical.com>, Johannes Berg <johannes.berg@intel.com>
Subject: [PATCH 4/6] ima: coordinate with signed regulatory.db
Date: Tue, 1 May 2018 09:48:21 -0400
Message-ID: <1525182503-13849-5-git-send-email-zohar@linux.vnet.ibm.com>
In-Reply-To: <1525182503-13849-1-git-send-email-zohar@linux.vnet.ibm.com>

Based on IMA policy, measure and appraise regulatory.db firmware as usual, but on signature verification failure rely on regdb signature. For systems wanting IMA-appraisal enforcement on all firmware, including regdb, do not enable CONFIG_CFG80211_REQUIRE_SIGNED_REGDB.

Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Cc: Luis R. Rodriguez <mcgrof@suse.com>
Cc: David Howells <dhowells@redhat.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Seth Forshee <seth.forshee@canonical.com>
Cc: Johannes Berg <johannes.berg@intel.com>
---
 security/integrity/ima/ima_main.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index 8759280dccf6..71b5a51c6709 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -468,6 +468,7 @@ int ima_read_file(struct file *file, enum kernel_read_file_id read_id) static int read_idmap[READING_MAX_ID] = { [READING_FIRMWARE] = FIRMWARE_CHECK, + [READING_FIRMWARE_REGULATORY_DB] = FIRMWARE_CHECK, [READING_MODULE] = MODULE_CHECK, [READING_KEXEC_IMAGE] = KEXEC_KERNEL_CHECK, [READING_KEXEC_INITRAMFS] = KEXEC_INITRAMFS_CHECK, 
@@ -515,8 +516,12 @@ int ima_post_read_file(struct file *file, void *buf, loff_t size, func = read_idmap[read_id] ?: FILE_CHECK; security_task_getsecid(current, &secid); - return process_measurement(file, current_cred(), secid, buf, size, - MAY_READ, func, 0); + ret = process_measurement(file, current_cred(), secid, buf, size, + MAY_READ, func, 0); + + /* Co-ordination with signed regdb */ + if (ret < -EACCES && read_id == READING_FIRMWARE_REGULATORY_DB) + return 0; } static int __init init_ima(void) -- 2.7.5
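Review bot: in the first hunk (read_idmap), mapping READING_FIRMWARE_REGULATORY_DB to FIRMWARE_CHECK deserves a sentence in the commit message: a policy author will see a single FIRMWARE_CHECK hook covering both regular firmware and regdb, yet the second hunk treats the two differently on appraisal failure, so the behavioural split should be documented where the policy hook is described, not only in the code comment.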
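Review bot: in the second hunk (ima_post_read_file), after the new `if` the function falls off the end without returning `ret`. The original `return process_measurement(...)` became an assignment, and the only remaining return is the `return 0;` inside the regdb branch, so every other read_id (firmware, modules, kexec image and initramfs) no longer propagates the measurement/appraisal result; add `return ret;` after the `if`. The visible lines also show no declaration of `ret`; if ima_post_read_file does not already declare one above the hunk, it needs `int ret;`. Separately, the condition `ret < -EACCES` excludes -EACCES itself (errno values are negative, so `-EACCES < -EACCES` is false) and only matches errors with a larger errno number; if the intent stated in the commit message is to defer to the regdb signature on an appraisal (signature verification) failure, the comparison should be revisited, most likely as `ret == -EACCES`, and the `/* Co-ordination with signed regdb */` comment should say which errors are deferred to the regdb signature and which still fail closed.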