From: Mimi Zohar <zohar@linux.vnet.ibm.com>
To: "Luis R. Rodriguez" <mcgrof@kernel.org>,
"AKASHI, Takahiro" <takahiro.akashi@linaro.org>
Cc: David Howells <dhowells@redhat.com>,
linux-security-module <linux-security-module@vger.kernel.org>,
linux-fsdevel <linux-fsdevel@vger.kernel.org>,
linux-kernel <linux-kernel@vger.kernel.org>,
James Bottomley <James.Bottomley@hansenpartnership.com>,
David Woodhouse <dwmw2@infradead.org>,
Johannes Berg <johannes@sipsolutions.net>,
Andy Lutomirski <luto@kernel.org>,
Linus Torvalds <torvalds@linux-foundation.org>,
Kees Cook <keescook@chromium.org>
Subject: Re: [RFC PATCH] fw_lockdown: new micro LSM module to prevent loading unsigned firmware
Date: Fri, 10 Nov 2017 14:50:30 -0500
Message-ID: <1510343430.3404.25.camel@linux.vnet.ibm.com>
In-Reply-To: <20171110193507.GP22894@wotan.suse.de>
On Fri, 2017-11-10 at 20:35 +0100, Luis R. Rodriguez wrote:
> On Fri, Nov 10, 2017 at 12:58:23PM -0500, Mimi Zohar wrote:
> > Hi David,
> >
> > If you are interested in preventing the loading of unsigned firmware,
> > the patch below is straightforward. The patch has ONLY been tested
> > with IMA-appraisal enabled, and works as intended - allowing only
> > signed firmware to be loaded.
>
> Very nice! This is the sort of thing that I mean by LSM'ifying fw access
> through a system policy.
>
> We currently handle the LSM aspect for firmware through
> kernel_read_file_from_path() and so the kernel_read_file LSM hook, so why a new
> hook here?
kernel_read_file(), itself, is not an LSM hook, but calls two LSM
hooks named security_kernel_read_file(), prior to reading a file, and
security_kernel_post_read_file(), post reading a file.
In this case, we want to reject even reading the file if it isn't
signed, so we're using the security_kernel_read_file() LSM hook.
>
> Where does this plug in?
This is a standalone, micro LSM that can be configured at build. For
now I left it as an optional Kconfig parameter, but at some point, you
might want to consider making it required.
Mimi
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
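As an added illustration of the hook ordering Mimi describes above (this is not the fw_lockdown patch and not kernel code), the block below is a userspace C model of kernel_read_file() calling security_kernel_read_file() before the read and security_kernel_post_read_file() after it, with a fw_lockdown-style policy attached at the first hook so that an unsigned firmware blob is refused before any bytes are read. The struct sim_file, its has_valid_signature flag, the sim_* names and the sample files are constructed stand-ins; only the kernel_read_file_id enumerator names mirror the kernel's own.

```c
/* Userspace model (added example, not the fw_lockdown patch) of the two LSM
 * hook points that kernel_read_file() calls around a file read:
 *   security_kernel_read_file()       - before any bytes are read
 *   security_kernel_post_read_file()  - after the contents are in memory
 * A fw_lockdown-style policy vetoes at the first hook, so an unsigned
 * firmware blob is never read at all.  The "file" and its "signature" are
 * constructed in-memory stand-ins for what the kernel would have. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Subset of the kernel's enum kernel_read_file_id (these names are real). */
enum kernel_read_file_id {
    READING_FIRMWARE,
    READING_MODULE,
    READING_KEXEC_IMAGE,
    READING_POLICY,
};

/* Constructed stand-in for struct file: a name, a payload, and a flag that
 * models "this file carries a valid signature" (what IMA-appraisal would
 * establish from security.ima in the real kernel). */
struct sim_file {
    const char *name;
    const char *data;
    int has_valid_signature;
};

/* Counts post-read hook invocations so a caller can prove that a pre-read
 * veto short-circuits the read entirely. */
static int post_hook_calls;

/* fw_lockdown-style pre-read hook: firmware must be signed; other file
 * classes are left to other LSMs.  Same return contract as the real hook:
 * 0 to allow, -errno to deny. */
static int fw_lockdown_read_file(const struct sim_file *file,
                                 enum kernel_read_file_id id)
{
    if (id != READING_FIRMWARE)
        return 0;
    if (!file->has_valid_signature) {
        fprintf(stderr, "fw_lockdown: rejecting unsigned firmware %s\n",
                file->name);
        return -EACCES;
    }
    return 0;
}

/* Post-read hook: the point where a policy that must see the loaded bytes
 * would run.  Here it only records that it was reached. */
static int sim_post_read_file(const struct sim_file *file, const char *buf,
                              size_t size, enum kernel_read_file_id id)
{
    (void)file; (void)buf; (void)size; (void)id;
    post_hook_calls++;
    return 0;
}

/* Model of kernel_read_file(): pre-hook, copy the data, post-hook.
 * Returns the number of bytes read or -errno. */
static long sim_kernel_read_file(const struct sim_file *file, char *buf,
                                 size_t bufsz, enum kernel_read_file_id id)
{
    int rc = fw_lockdown_read_file(file, id);
    if (rc)
        return rc;              /* denied before a single byte was read */

    size_t len = strlen(file->data);
    if (len >= bufsz)
        return -EFBIG;
    memcpy(buf, file->data, len + 1);

    rc = sim_post_read_file(file, buf, len, id);
    if (rc)
        return rc;
    return (long)len;
}

/* One firmware load through the modelled path. */
static long load_firmware(const struct sim_file *fw)
{
    char buf[64];
    return sim_kernel_read_file(fw, buf, sizeof buf, READING_FIRMWARE);
}

/* Constructed sample files. */
static const struct sim_file signed_fw    = { "good.bin", "FWv1",   1 };
static const struct sim_file unsigned_fw  = { "bad.bin",  "FWv1",   0 };
static const struct sim_file unsigned_mod = { "mod.ko",   "ELF...", 0 };

int main(void)
{
    printf("signed firmware:   %ld\n", load_firmware(&signed_fw));
    printf("unsigned firmware: %ld\n", load_firmware(&unsigned_fw));
    printf("post hook calls:   %d\n", post_hook_calls);
    return 0;
}
```

The point the model makes concrete is the one in the reply: a policy at security_kernel_read_file() decides from the file identity and type before the kernel has copied anything into memory, whereas a policy at security_kernel_post_read_file() only runs once the contents are already in the buffer. The unsigned module in the sample set is read normally, showing the hook scoped to READING_FIRMWARE and leaving other file classes to other LSMs.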