Subject: Re: [PATCH v4 5/8] ima: based on policy require signed firmware (sysfs fallback)
From: Mimi Zohar
To: "Luis R. Rodriguez"
Cc: linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, David Howells, Eric Biederman, kexec@lists.infradead.org, Andres Rodriguez, Greg Kroah-Hartman, Ard Biesheuvel, Matthew Garrett
Date: Fri, 01 Jun 2018 18:39:55 -0400
In-Reply-To: <20180601182107.GO4511@wotan.suse.de>
References: <1527616920-5415-1-git-send-email-zohar@linux.vnet.ibm.com> <1527616920-5415-6-git-send-email-zohar@linux.vnet.ibm.com> <20180601182107.GO4511@wotan.suse.de>
Message-Id: <1527892795.13403.26.camel@linux.vnet.ibm.com>
Sender: linux-integrity-owner@vger.kernel.org

On Fri, 2018-06-01 at 20:21 +0200, Luis R. Rodriguez wrote:
> On Tue, May 29, 2018 at 02:01:57PM -0400, Mimi Zohar wrote:
> > Luis, is the security_kernel_post_read_file LSM hook in
> > firmware_loading_store() still needed after this patch? Should it be
> > calling security_kernel_load_data() instead?
>
> That's up to Kees to decide as he added that hook, and knows
> what LSMs may be doing with it. From my perspective it is confusing
> to have that hook there so I think it could be removed now.
>
> Kees?

Commit 6593d92 ("firmware_class: perform new LSM checks") references
two methods of loading firmware - filesystem-found firmware and
demand-loaded blobs. I assume this call in firmware_loading_store()
is the demand-loaded blobs. Does that method still exist? Is it
still being used?

>
> Luis
>
> >
> > ---
> >
> > With an IMA policy requiring signed firmware, this patch prevents
> > the sysfs fallback method of loading firmware.
> >
> > Signed-off-by: Mimi Zohar
> > Cc: Luis R. Rodriguez
> > Cc: David Howells
> > Cc: Matthew Garrett
> > ---
> > security/integrity/ima/ima_main.c | 10 +++++++++-
> > 1 file changed, 9 insertions(+), 1 deletion(-)
> > > > diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c > > index a565d46084c2..4a87f78098c8 100644 > > --- a/security/integrity/ima/ima_main.c > > +++ b/security/integrity/ima/ima_main.c > > @@ -475,8 +475,10 @@ int ima_post_read_file(struct file *file, void *buf, loff_t size, > > > > if (!file && read_id == READING_FIRMWARE) { > > if ((ima_appraise & IMA_APPRAISE_FIRMWARE) && > > - (ima_appraise & IMA_APPRAISE_ENFORCE)) > > + (ima_appraise & IMA_APPRAISE_ENFORCE)) { > > + pr_err("Prevent firmware loading_store.\n"); > > return -EACCES; /* INTEGRITY_UNKNOWN */ > > + } > > return 0; > > } > > > > @@ -520,6 +522,12 @@ int ima_load_data(enum kernel_load_data_id id) > > pr_err("impossible to appraise a kernel image without a file descriptor; try using kexec_file_load syscall.\n"); > > return -EACCES; /* INTEGRITY_UNKNOWN */ > > } > > + break; > > + case LOADING_FIRMWARE: > > + if (ima_appraise & IMA_APPRAISE_FIRMWARE) { > > + pr_err("Prevent firmware sysfs fallback loading.\n"); > > + return -EACCES; /* INTEGRITY_UNKNOWN */ > > + } > > default: > > break; > > } > > -- > > 2.7.5 > > > > > From mboxrd@z Thu Jan 1 00:00:00 1970 
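Review bot: In the first hunk (ima_post_read_file), the new pr_err() text "Prevent firmware loading_store." reads as a fragment and does not tell whoever reads the log what was denied or why. Suggest a message that states the cause, namely that the firmware buffer has no backing file to appraise while the IMA policy requires firmware appraisal in enforcing mode, phrased in the same style as the existing kexec message in ima_load_data ("impossible to appraise a kernel image without a file descriptor; ...").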
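Review bot: In the second hunk, the new "case LOADING_FIRMWARE:" in ima_load_data() ends without a "break;" and falls through into "default:", even though the same hunk adds "break;" to the case just before it. Add the "break;" after the closing brace so that a case inserted here later does not silently change behaviour. The condition also tests only "ima_appraise & IMA_APPRAISE_FIRMWARE", while ima_post_read_file() in the first hunk additionally requires IMA_APPRAISE_ENFORCE before returning -EACCES. If refusing the sysfs fallback when appraisal is not enforcing is intended, the commit message should say so; otherwise add the enforce check here as well.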