From: Mimi Zohar <zohar@linux.vnet.ibm.com>
To: "Luis R. Rodriguez" <mcgrof@kernel.org>
Cc: linux-integrity@vger.kernel.org,
Hans de Goede <hdegoede@redhat.com>,
Ard Biesheuvel <ard.biesheuvel@linaro.org>,
Peter Jones <pjones@redhat.com>,
linux-security-module@vger.kernel.org,
linux-kernel@vger.kernel.org, David Howells <dhowells@redhat.com>,
Kees Cook <keescook@chromium.org>,
Matthew Garrett <mjg59@google.com>,
Andres Rodriguez <andresx7@gmail.com>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Subject: Re: [PATCH 1/6] firmware: permit LSMs and IMA to fail firmware sysfs fallback loading
Date: Thu, 03 May 2018 20:36:38 -0400
Message-ID: <1525394198.3539.143.camel@linux.vnet.ibm.com>
In-Reply-To: <20180504000258.GP27853@wotan.suse.de>

On Fri, 2018-05-04 at 00:02 +0000, Luis R. Rodriguez wrote:
> If you can add Andres Rodriguez <andresx7@gmail.com>, and Greg to your Cc list
> in the future patches that'd be appreciated.
>
> On Tue, May 01, 2018 at 09:48:18AM -0400, Mimi Zohar wrote:
> > Add an LSM hook prior to allowing firmware sysfs fallback loading.
> >
> > Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
> > Cc: Luis R. Rodriguez <mcgrof@suse.com>
> > Cc: David Howells <dhowells@redhat.com>
> > Cc: Kees Cook <keescook@chromium.org>
> > Cc: Matthew Garrett <mjg59@google.com>
> > ---
> > drivers/base/firmware_loader/fallback.c | 7 +++++++
> > include/linux/fs.h | 1 +
> > 2 files changed, 8 insertions(+)
> >
> > diff --git a/drivers/base/firmware_loader/fallback.c b/drivers/base/firmware_loader/fallback.c
> > index 31b5015b59fe..23d2af30474e 100644
> > --- a/drivers/base/firmware_loader/fallback.c
> > +++ b/drivers/base/firmware_loader/fallback.c
> > @@ -651,6 +651,8 @@ static bool fw_force_sysfs_fallback(unsigned int opt_flags)
> >
> > static bool fw_run_sysfs_fallback(unsigned int opt_flags)
> > {
> > + int ret;
> > +
> > if (fw_fallback_config.ignore_sysfs_fallback) {
> > pr_info_once("Ignoring firmware sysfs fallback due to sysctl knob\n");
> > return false;
> > @@ -659,6 +661,11 @@ static bool fw_run_sysfs_fallback(unsigned int opt_flags)
> > if ((opt_flags & FW_OPT_NOFALLBACK))
> > return false;
> >
> > + /* Also permit LSMs and IMA to fail firmware sysfs fallback */
> > + ret = security_kernel_read_file(NULL, READING_FIRMWARE_FALLBACK);
> > + if (ret < 0)
> > + return ret;
> > +
> > return fw_force_sysfs_fallback(opt_flags);
> > }
> >
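Review bot: In the second fallback.c hunk, "return ret;" hands a negative errno back from fw_run_sysfs_fallback(), which is declared static bool, so the value converts to true. A denial from security_kernel_read_file() would then report that the sysfs fallback should run, the opposite of what the added comment says. Returning false when ret < 0 would match the intent, and the int ret local added in the first hunk could be dropped by testing the call directly. The call also passes NULL as the file argument, so the commit message or a comment should say that every kernel_read_file hook has to tolerate a NULL file for this id.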
> > diff --git a/include/linux/fs.h b/include/linux/fs.h
> > index 760d8da1b6c7..dc16a73c3d38 100644
> > --- a/include/linux/fs.h
> > +++ b/include/linux/fs.h
> > @@ -2810,6 +2810,7 @@ extern int do_pipe_flags(int *, int);
> > id(UNKNOWN, unknown) \
> > id(FIRMWARE, firmware) \
> > id(FIRMWARE_PREALLOC_BUFFER, firmware) \
> > + id(FIRMWARE_FALLBACK, firmware) \
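Review bot: The new id(FIRMWARE_FALLBACK, firmware) entry reuses the string "firmware" that FIRMWARE and FIRMWARE_PREALLOC_BUFFER already carry, so anything that goes by the string rather than the enum value cannot tell the fallback case from a regular firmware read. If sharing the string is intended, a short comment next to the entry saying so would help; otherwise give the new id its own string.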
>
> If you're going to add this perhaps FIRMWARE_FALLBACK_SYSFS as we may later
> get FIRMWARE_FALLBACK_EFI.

From an IMA signature verification perspective, both are buffer based.
The file signature is stored as a security xattr. Without a file
descriptor, the kernel cannot verify the firmware signature.

I don't have a problem with defining another enumeration. Perhaps
other LSMs will want to be able to differentiate between sysfs and EFI
fallback methods.

Mimi