From: Mimi Zohar
Subject: [RFC PATCH v3 7/7] ima: based on policy prevent loading firmware (pre-allocated buffer)
Date: Thu, 24 May 2018 07:09:36 -0400
In-Reply-To: <1527160176-29269-1-git-send-email-zohar@linux.vnet.ibm.com>
References: <1527160176-29269-1-git-send-email-zohar@linux.vnet.ibm.com>
Message-Id: <1527160176-29269-8-git-send-email-zohar@linux.vnet.ibm.com>
To: linux-integrity@vger.kernel.org
Cc: Andres Rodriguez, Kees Cook, Ard Biesheuvel, Stephen Boyd, Greg Kroah-Hartman, "Luis R . Rodriguez", kexec@lists.infradead.org, linux-kernel@vger.kernel.org, David Howells, linux-security-module@vger.kernel.org, Eric Biederman, "Serge E . Hallyn", Mimi Zohar, "Luis R . Rodriguez"

Question: can the device access the pre-allocated buffer at any time? (Still waiting to hear from Qualcomm...)

By allowing devices to request firmware be loaded directly into a pre-allocated buffer, will this allow the device access to the firmware before the kernel has verified the firmware signature? Is it dependent on the type of buffer allocated (eg. DMA)? For example, qcom_mdt_load() -> qcom_scm_pas_init_image() -> dma_alloc_coherent().

With an IMA policy requiring signed firmware, this patch would prevent loading firmware into a pre-allocated buffer.

Signed-off-by: Mimi Zohar
Cc: Luis R. Rodriguez
Cc: David Howells
Cc: Kees Cook
Cc: Serge E. Hallyn
Cc: Stephen Boyd
--- security/integrity/ima/ima_main.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index dd1f263f950a..d114b7ad2c86 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c
@@ -457,6 +457,12 @@ int ima_read_data(struct file *file, enum kernel_read_file_id read_id) pr_err("Prevent firmware sysfs fallback loading.\n"); return -EACCES; /* INTEGRITY_UNKNOWN */ } + break; + case READING_FIRMWARE_PREALLOC_BUFFER: + if (ima_appraise & IMA_APPRAISE_FIRMWARE) { + pr_err("Prevent device from accessing firmware prior to verifying the firmware signature.\n"); + return -EACCES; + } default: break; } -- 2.7.5 _______________________________________________ kexec mailing list kexec@lists.infradead.org http://lists.infradead.org/mailman/listinfo/kexec
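Review bot: the new `case READING_FIRMWARE_PREALLOC_BUFFER:` in ima_read_data() has no terminating `break;`, so when `ima_appraise & IMA_APPRAISE_FIRMWARE` is clear it falls through into `default:`. That is harmless today because `default:` only breaks, but this same hunk has to add a `break;` to the preceding case precisely because a new label was inserted below it, so the new case should end with its own `break;` (or an explicit fallthrough comment) to keep the next insertion from silently changing behaviour. Two smaller points on the same block: the preceding `return -EACCES;` carries the `/* INTEGRITY_UNKNOWN */` annotation and the new one does not, and the `pr_err()` text does not say which firmware request was refused, which makes the denial hard to attribute from the log alone. Finally, the check rejects every pre-allocated-buffer load once the policy requires signed firmware, while the commit message still leaves open whether exposure depends on the buffer type (e.g. DMA); it would help to record in a comment above the case that the blanket denial is intentional until that question is answered.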