From: Mimi Zohar <zohar@linux.vnet.ibm.com>
To: "Luis R. Rodriguez" <mcgrof@kernel.org>
Cc: Hans de Goede <hdegoede@redhat.com>,
Ard Biesheuvel <ard.biesheuvel@linaro.org>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Thomas Gleixner <tglx@linutronix.de>,
Ingo Molnar <mingo@redhat.com>, "H . Peter Anvin" <hpa@zytor.com>,
Peter Jones <pjones@redhat.com>, Dave Olsthoorn <dave@bewaar.me>,
Will Deacon <will.deacon@arm.com>,
Andy Lutomirski <luto@kernel.org>,
Matt Fleming <matt@codeblueprint.co.uk>,
David Howells <dhowells@redhat.com>,
Josh Triplett <josh@joshtriplett.org>,
dmitry.torokhov@gmail.com, mfuzzey@parkeon.com,
Kalle Valo <kvalo@codeaurora.org>,
Arend Van Spriel <arend.vanspriel@broadcom.com>,
Linus Torvalds <torvalds@linux-foundation.org>,
nbroeking@me.com, bjorn.andersson@linaro.org,
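Torsten Duwe <duwe@suse.de>, Kees Cook <keescook@chromium.org>,
x86@kernel.org, linux-efi@vger.kernel.org,
linux-kernel@vger.kernel.org,
linux-security-module <linux-security-module@vger.kernel.org>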
Subject: Re: [PATCH v5 2/5] efi: Add embedded peripheral firmware support
Date: Thu, 03 May 2018 19:02:43 -0400
Message-ID: <1525388563.3539.97.camel@linux.vnet.ibm.com>
In-Reply-To: <20180503222329.GD27853@wotan.suse.de>

On Thu, 2018-05-03 at 22:23 +0000, Luis R. Rodriguez wrote:
> On Tue, May 01, 2018 at 03:27:27PM -0400, Mimi Zohar wrote:
> > On Tue, 2018-05-01 at 21:11 +0200, Hans de Goede wrote:
> > > Only the pre hook? I believe the post-hook should still be called too,
> > > right? So that we've hashes of all loaded firmwares in the IMA core.
> >
> > Good catch! Right, if IMA-measurement is enabled, then we would want
> > to add the measurement.
>
> Mimi, just a heads up, we only use the post hook for the sysfs fallback
> mechanism, ie, we don't even use the post hook for direct fs lookup.
> Do we want that there?

The direct fs lookup calls kernel_read_file_from_path(), which calls
the security_kernel_read_file() and security_kernel_post_read_file()
hooks. So there is no need to add a direct call to either of these
security calls.

Mimi