From: Mimi Zohar <zohar@linux.vnet.ibm.com> To: linux-integrity@vger.kernel.org Cc: Hans de Goede <hdegoede@redhat.com>, Ard Biesheuvel <ard.biesheuvel@linaro.org>, Peter Jones <pjones@redhat.com>, Mimi Zohar <zohar@linux.vnet.ibm.com>, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, David Howells <dhowells@redhat.com>, "Luis R . Rodriguez" <mcgrof@kernel.org>, "Luis R . Rodriguez" <mcgrof@suse.com>, Kees Cook <keescook@chromium.org>, "Serge E . Hallyn" <serge@hallyn.com>, Stephen Boyd <stephen.boyd@linaro.org> Subject: [RFC PATCH 6/6] ima: prevent loading firmware into a pre-allocated buffer Date: Tue, 1 May 2018 09:48:23 -0400 [thread overview] Message-ID: <1525182503-13849-7-git-send-email-zohar@linux.vnet.ibm.com> (raw) In-Reply-To: <1525182503-13849-1-git-send-email-zohar@linux.vnet.ibm.com> Question: can the device access the pre-allocated buffer at any time? By allowing devices to request firmware be loaded directly into a pre-allocated buffer, will this allow the device access to the firmware before the kernel has verified the firmware signature? Is it dependent on the type of buffer allocated (eg. DMA)? For example, qcom_mdt_load() -> qcom_scm_pas_init_image() -> dma_alloc_coherent(). With an IMA policy requiring signed firmware, this patch would prevent loading firmware into a pre-allocated buffer. Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> Cc: Luis R. Rodriguez <mcgrof@suse.com> Cc: David Howells <dhowells@redhat.com> Cc: Kees Cook <keescook@chromium.org> Cc: Serge E. Hallyn <serge@hallyn.com> Cc: Stephen Boyd <stephen.boyd@linaro.org> --- security/integrity/ima/ima_main.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index eb9c273ab81d..3098131f77c4 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -454,6 +454,15 @@ int ima_read_file(struct file *file, enum kernel_read_file_id read_id) return 0; } + if (read_id == READING_FIRMWARE_PREALLOC_BUFFER) { + if ((ima_appraise & IMA_APPRAISE_FIRMWARE) && + (ima_appraise & IMA_APPRAISE_ENFORCE)) { + pr_err("Prevent device from accessing firmware prior to verifying the firmware signature.\n"); + return -EACCES; + } + return 0; + } + if (read_id == READING_FIRMWARE_FALLBACK) { if ((ima_appraise & IMA_APPRAISE_FIRMWARE) && (ima_appraise & IMA_APPRAISE_ENFORCE)) { -- 2.7.5
WARNING: multiple messages have this Message-ID (diff)
From: zohar@linux.vnet.ibm.com (Mimi Zohar) To: linux-security-module@vger.kernel.org Subject: [RFC PATCH 6/6] ima: prevent loading firmware into a pre-allocated buffer Date: Tue, 1 May 2018 09:48:23 -0400 [thread overview] Message-ID: <1525182503-13849-7-git-send-email-zohar@linux.vnet.ibm.com> (raw) In-Reply-To: <1525182503-13849-1-git-send-email-zohar@linux.vnet.ibm.com> Question: can the device access the pre-allocated buffer at any time? By allowing devices to request firmware be loaded directly into a pre-allocated buffer, will this allow the device access to the firmware before the kernel has verified the firmware signature? Is it dependent on the type of buffer allocated (eg. DMA)? For example, qcom_mdt_load() -> qcom_scm_pas_init_image() -> dma_alloc_coherent(). With an IMA policy requiring signed firmware, this patch would prevent loading firmware into a pre-allocated buffer. Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> Cc: Luis R. Rodriguez <mcgrof@suse.com> Cc: David Howells <dhowells@redhat.com> Cc: Kees Cook <keescook@chromium.org> Cc: Serge E. Hallyn <serge@hallyn.com> Cc: Stephen Boyd <stephen.boyd@linaro.org> --- security/integrity/ima/ima_main.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index eb9c273ab81d..3098131f77c4 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -454,6 +454,15 @@ int ima_read_file(struct file *file, enum kernel_read_file_id read_id) return 0; } + if (read_id == READING_FIRMWARE_PREALLOC_BUFFER) { + if ((ima_appraise & IMA_APPRAISE_FIRMWARE) && + (ima_appraise & IMA_APPRAISE_ENFORCE)) { + pr_err("Prevent device from accessing firmware prior to verifying the firmware signature.\n"); + return -EACCES; + } + return 0; + } + if (read_id == READING_FIRMWARE_FALLBACK) { if ((ima_appraise & IMA_APPRAISE_FIRMWARE) && (ima_appraise & IMA_APPRAISE_ENFORCE)) { -- 2.7.5 -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majordomo at vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
next prev parent reply other threads:[~2018-05-01 13:49 UTC|newest] Thread overview: 78+ messages / expand[flat|nested] mbox.gz Atom feed top 2018-05-01 13:48 [PATCH 0/6] firmware: kernel signature verification Mimi Zohar 2018-05-01 13:48 ` Mimi Zohar 2018-05-01 13:48 ` [PATCH 1/6] firmware: permit LSMs and IMA to fail firmware sysfs fallback loading Mimi Zohar 2018-05-01 13:48 ` Mimi Zohar 2018-05-04 0:02 ` Luis R. Rodriguez 2018-05-04 0:02 ` Luis R. Rodriguez 2018-05-04 0:36 ` Mimi Zohar 2018-05-04 0:36 ` Mimi Zohar 2018-05-04 0:36 ` Mimi Zohar 2018-05-01 13:48 ` [PATCH 2/6] ima: prevent sysfs fallback firmware loading Mimi Zohar 2018-05-01 13:48 ` Mimi Zohar 2018-05-04 0:06 ` Luis R. Rodriguez 2018-05-04 0:06 ` Luis R. Rodriguez 2018-05-01 13:48 ` [PATCH 3/6] firmware: differentiate between signed regulatory.db and other firmware Mimi Zohar 2018-05-01 13:48 ` Mimi Zohar 2018-05-04 0:07 ` Luis R. Rodriguez 2018-05-04 0:07 ` Luis R. Rodriguez 2018-05-04 0:24 ` Mimi Zohar 2018-05-04 0:24 ` Mimi Zohar 2018-05-04 0:24 ` Mimi Zohar 2018-05-08 17:34 ` Luis R. Rodriguez 2018-05-08 17:34 ` Luis R. Rodriguez 2018-05-08 17:34 ` Luis R. Rodriguez 2018-05-09 11:30 ` Mimi Zohar 2018-05-09 11:30 ` Mimi Zohar 2018-05-09 11:30 ` Mimi Zohar 2018-05-09 19:15 ` Luis R. Rodriguez 2018-05-09 19:15 ` Luis R. Rodriguez 2018-05-09 19:15 ` Luis R. Rodriguez 2018-05-09 19:57 ` Mimi Zohar 2018-05-09 19:57 ` Mimi Zohar 2018-05-09 19:57 ` Mimi Zohar 2018-05-09 21:22 ` Luis R. Rodriguez 2018-05-09 21:22 ` Luis R. Rodriguez 2018-05-09 21:22 ` Luis R. Rodriguez 2018-05-09 22:06 ` Mimi Zohar 2018-05-09 22:06 ` Mimi Zohar 2018-05-09 22:06 ` Mimi Zohar 2018-05-09 23:48 ` Luis R. Rodriguez 2018-05-09 23:48 ` Luis R. Rodriguez 2018-05-09 23:48 ` Luis R. Rodriguez 2018-05-10 2:00 ` Mimi Zohar 2018-05-10 2:00 ` Mimi Zohar 2018-05-10 2:00 ` Mimi Zohar 2018-05-10 23:26 ` Luis R. Rodriguez 2018-05-10 23:26 ` Luis R. Rodriguez 2018-05-10 23:26 ` Luis R. Rodriguez 2018-05-11 5:00 ` Mimi Zohar 2018-05-11 5:00 ` Mimi Zohar 2018-05-11 5:00 ` Mimi Zohar 2018-05-11 21:52 ` Luis R. Rodriguez 2018-05-11 21:52 ` Luis R. Rodriguez 2018-05-11 21:52 ` Luis R. Rodriguez 2018-05-14 12:58 ` Mimi Zohar 2018-05-14 12:58 ` Mimi Zohar 2018-05-14 12:58 ` Mimi Zohar 2018-05-14 19:28 ` Luis R. Rodriguez 2018-05-14 19:28 ` Luis R. Rodriguez 2018-05-14 19:28 ` Luis R. Rodriguez 2018-05-15 2:02 ` Mimi Zohar 2018-05-15 2:02 ` Mimi Zohar 2018-05-15 2:02 ` Mimi Zohar 2018-05-15 3:26 ` Luis R. Rodriguez 2018-05-15 3:26 ` Luis R. Rodriguez 2018-05-15 3:26 ` Luis R. Rodriguez 2018-05-15 12:32 ` Josh Boyer 2018-05-15 12:32 ` Josh Boyer 2018-05-15 12:43 ` Mimi Zohar 2018-05-15 12:43 ` Mimi Zohar 2018-05-15 12:43 ` Mimi Zohar 2018-05-01 13:48 ` [PATCH 4/6] ima: coordinate with signed regulatory.db Mimi Zohar 2018-05-01 13:48 ` Mimi Zohar 2018-05-01 13:48 ` [PATCH 5/6] ima: verify kernel firmware signatures when using a preallocated buffer Mimi Zohar 2018-05-01 13:48 ` Mimi Zohar 2018-05-01 13:48 ` Mimi Zohar [this message] 2018-05-01 13:48 ` [RFC PATCH 6/6] ima: prevent loading firmware into a pre-allocated buffer Mimi Zohar 2018-05-04 0:10 ` Luis R. Rodriguez 2018-05-04 0:10 ` Luis R. Rodriguez
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=1525182503-13849-7-git-send-email-zohar@linux.vnet.ibm.com \ --to=zohar@linux.vnet.ibm.com \ --cc=ard.biesheuvel@linaro.org \ --cc=dhowells@redhat.com \ --cc=hdegoede@redhat.com \ --cc=keescook@chromium.org \ --cc=linux-integrity@vger.kernel.org \ --cc=linux-kernel@vger.kernel.org \ --cc=linux-security-module@vger.kernel.org \ --cc=mcgrof@kernel.org \ --cc=mcgrof@suse.com \ --cc=pjones@redhat.com \ --cc=serge@hallyn.com \ --cc=stephen.boyd@linaro.org \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.