From: Mimi Zohar <zohar@linux.vnet.ibm.com>
To: Hans de Goede <hdegoede@redhat.com>,
Ard Biesheuvel <ard.biesheuvel@linaro.org>,
"Luis R . Rodriguez" <mcgrof@kernel.org>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Thomas Gleixner <tglx@linutronix.de>,
Ingo Molnar <mingo@redhat.com>, "H . Peter Anvin" <hpa@zytor.com>
Cc: Peter Jones <pjones@redhat.com>, Dave Olsthoorn <dave@bewaar.me>,
Will Deacon <will.deacon@arm.com>,
Andy Lutomirski <luto@kernel.org>,
Matt Fleming <matt@codeblueprint.co.uk>,
David Howells <dhowells@redhat.com>,
Josh Triplett <josh@joshtriplett.org>,
dmitry.torokhov@gmail.com, mfuzzey@parkeon.com,
Kalle Valo <kvalo@codeaurora.org>,
Arend Van Spriel <arend.vanspriel@broadcom.com>,
Linus Torvalds <torvalds@linux-foundation.org>,
nbroeking@me.com, bjorn.andersson@linaro.org,
Torsten Duwe <duwe@suse.de>, Kees Cook <keescook@chromium.org>,
x86@kernel.org, linux-efi@vger.kernel.org,
linux-kernel@vger.kernel.org,
linux-security-module <linux-security-module@vger.kernel.org>
Subject: Re: [PATCH v5 2/5] efi: Add embedded peripheral firmware support
Date: Tue, 01 May 2018 15:27:27 -0400
Message-ID: <1525202847.5669.64.camel@linux.vnet.ibm.com>
In-Reply-To: <dc122066-9973-a1be-3456-6d6181a8fc9f@redhat.com>
On Tue, 2018-05-01 at 21:11 +0200, Hans de Goede wrote:
> Hi,
>
> On 01-05-18 16:36, Mimi Zohar wrote:
> > [Cc'ing linux-security]
> >
> > On Sun, 2018-04-29 at 11:35 +0200, Hans de Goede wrote:
> > [...]
> >> diff --git a/drivers/base/firmware_loader/fallback_efi.c b/drivers/base/firmware_loader/fallback_efi.c
> >> new file mode 100644
> >> index 000000000000..82ba82f48a79
> >> --- /dev/null
> >> +++ b/drivers/base/firmware_loader/fallback_efi.c
> >> @@ -0,0 +1,51 @@
> >> +// SPDX-License-Identifier: GPL-2.0
> >> +
> >> +#include <linux/efi_embedded_fw.h>
> >> +#include <linux/property.h>
> >> +#include <linux/security.h>
> >> +#include <linux/vmalloc.h>
> >> +
> >> +#include "fallback.h"
> >> +#include "firmware.h"
> >> +
> >> +int fw_get_efi_embedded_fw(struct device *dev, struct fw_priv *fw_priv,
> >> + enum fw_opt *opt_flags, int ret)
> >> +{
> >> + enum kernel_read_file_id id = READING_FIRMWARE;
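Review bot: `id` is initialized to READING_FIRMWARE, so an LSM or IMA policy cannot tell firmware extracted from the EFI boot-services image apart from firmware read from the filesystem, even though the embedded blob carries no kernel-verifiable signature. A dedicated kernel_read_file_id (the thread suggests READING_FIRMWARE_EFI_EMBEDDED) would let policy treat this source differently; if the existing id is deliberately reused, a one-line comment here saying why would make that reviewable.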
> >
> > Please define a new kernel_read_file_id for this (eg.
> > READING_FIRMWARE_EFI_EMBEDDED).
>
> Are you sure? I wonder how useful it is to add a new
> kernel_read_file_id every time a new way to get firmware
> comes up.
>
> I especially wonder about the sense in adding a new id
> given that the quite old FIRMWARE_PREALLOC_BUFFER is
> still not supported / checked properly by the security code.
I posted patches earlier today[1], which address this. Patch 5/6 just
makes it equivalent to READING_FIRMWARE. Patch 6/6 questions whether
the device has access to the pre-allocated buffer *before* the
signature has been verified.
[1] kernsec.org/pipermail/linux-security-module-archive/2018-May/006639.html
>
> Anyways, I can add a new id if you want me to. What about
> when fw_get_efi_embedded_fw is reading into a driver-allocated
> buffer, do you want a separate EADING_FIRMWARE_EFI_EMBEDDED_PREALLOC_BUFFER
> for that?
Without the kernel being able to verify the firmware's signature, I'm
not sure it makes much of a difference.
>
> >
> >> + size_t size, max = INT_MAX;
> >> + int rc;
> >> +
> >> + if (!dev)
> >> + return ret;
> >> +
> >> + if (!device_property_read_bool(dev, "efi-embedded-firmware"))
> >> + return ret;
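Review bot: at the `device_property_read_bool(dev, "efi-embedded-firmware")` check no security hook has run yet, so the content-independent policy decision (security_kernel_read_file() with the chosen id) belongs right after this early return, and the post hook belongs after the blob has been copied so that IMA measurement still records it. Separately, `max = INT_MAX` stores an int constant in a `size_t` and the hunk does not yet show what bound it enforces; a short comment, and a check of `size` against it before the copy, would make the intent clear.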
> >
> > Instead of calling security_kernel_post_read_file(), either in
> > device_property_read_bool() or here call security_kernel_read_file().
> >
> > The pre read call is for deciding whether to allow this call
> > independent of the firmware being loaded, whereas the post security
> > call is currently being used by IMA-appraisal for verifying a
> > signature. There might be other LSMs using the post hook as well. As
> > there is no kernel signature associated with this firmware, use the
> > security pre read_file hook.
>
> Only the pre hook? I believe the post-hook should still be called too,
> right? So that we've hashes of all loaded firmwares in the IMA core.
Good catch! Right, if IMA-measurement is enabled, then we would want
to add the measurement.
Mimi
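The hook sequence the thread settles on, as an added example that is not part of this message, the patch, or the kernel's LSM code: a user-space C model in which the pre hook decides policy without seeing the content and the post hook sees the content and records a measurement. The enum value READING_FIRMWARE_EFI_EMBEDDED, the `appraise_required` policy, the FNV-1a digest standing in for IMA's SHA digest, the function names and the sample blob are all assumptions made for the example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Read ids as the thread discusses them. READING_FIRMWARE_EFI_EMBEDDED is
 * the id proposed in the review, not one that exists in the patched tree. */
enum kernel_read_file_id {
	READING_FIRMWARE,
	READING_FIRMWARE_EFI_EMBEDDED,
};

/* Stand-in for the IMA measurement list: one 64-bit digest per loaded blob. */
#define MAX_MEASUREMENTS 8
static uint64_t measurement_log[MAX_MEASUREMENTS];
static size_t measurement_count;

/* FNV-1a: a toy stand-in for the SHA digest IMA would record (assumption). */
uint64_t toy_digest(const void *buf, size_t len)
{
	const unsigned char *p = buf;
	uint64_t h = 0xcbf29ce484222325ULL;

	for (size_t i = 0; i < len; i++) {
		h ^= p[i];
		h *= 0x100000001b3ULL;
	}
	return h;
}

/* Model of the pre hook (security_kernel_read_file): runs before any content
 * is read. Assumed policy: when appraisal is required, EFI-embedded firmware
 * is refused, because it carries no signature the kernel could verify. */
static int pre_read_file_hook(enum kernel_read_file_id id, int appraise_required)
{
	if (id == READING_FIRMWARE_EFI_EMBEDDED && appraise_required)
		return -EACCES;
	return 0;
}

/* Model of the post hook (security_kernel_post_read_file): sees the content
 * and appends its measurement to the list. */
static int post_read_file_hook(const void *buf, size_t len)
{
	if (measurement_count >= MAX_MEASUREMENTS)
		return -ENOMEM;
	measurement_log[measurement_count++] = toy_digest(buf, len);
	return 0;
}

void reset_measurements(void) { measurement_count = 0; }
size_t measurement_count_get(void) { return measurement_count; }
uint64_t measurement_at(size_t i) { return i < measurement_count ? measurement_log[i] : 0; }

/* Loader model. call_post == 0 is the "pre hook only" sequence first suggested;
 * call_post == 1 is the corrected sequence, where the post hook supplies the
 * measurement. Returns 0 or a negative errno, as the kernel helpers do. */
int load_embedded_fw(const void *blob, size_t len, int appraise_required, int call_post)
{
	int rc = pre_read_file_hook(READING_FIRMWARE_EFI_EMBEDDED, appraise_required);

	if (rc)
		return rc;
	/* The real code would locate and copy the blob here. */
	if (call_post)
		return post_read_file_hook(blob, len);
	return 0;
}

int main(void)
{
	static const unsigned char blob[] = "constructed firmware blob"; /* constructed sample */

	reset_measurements();
	printf("appraise required: rc=%d, measurements=%zu\n",
	       load_embedded_fw(blob, sizeof blob, 1, 1), measurement_count_get());
	printf("pre hook only:     rc=%d, measurements=%zu\n",
	       load_embedded_fw(blob, sizeof blob, 0, 0), measurement_count_get());
	printf("pre + post hook:   rc=%d, measurements=%zu\n",
	       load_embedded_fw(blob, sizeof blob, 0, 1), measurement_count_get());
	return 0;
}
```

The point the model makes is the one Hans raised: calling only the pre hook leaves the measurement list empty, so a loaded embedded blob never shows up in the IMA log; the post hook is what records it, whether or not appraisal can succeed.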