linux-hotplug.vger.kernel.org archive mirror
* load firmware for in-kernel driver
@ 2010-10-26 22:19 Hr. Philip Rueegsegger
  2010-10-27 12:36 ` Andrey Borzenkov
                   ` (9 more replies)
  0 siblings, 10 replies; 11+ messages in thread
From: Hr. Philip Rueegsegger @ 2010-10-26 22:19 UTC (permalink / raw)
  To: linux-hotplug

Hi list,

I hope I have chosen the right mailing list for my problem. 

I want to use a monolithic kernel (loadable module support disabled) for 
security reasons. The in-kernel-driver for the network card (bnx2) needs 
firmware to be loaded. Of course, when the kernel boots there is no filesystem 
available from where the firmware can be loaded nor a firmware loader agent. 
Thus I created an initrd containing the needed firmware in /lib/firmware and a 
firmware loader agent script in /sbin/hotplug like this:

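######################
#!/bin/sh -e
#
# firmware loader agent
#

# mesg is not defined anywhere else in this script, so provide it here.
mesg() {
    echo "firmware agent: $*" >&2
}

# The kernel creates this sysfs node while a firmware request is pending.
if [ ! -e "/sys/$DEVPATH/loading" ]; then
    mesg "/sys/$DEVPATH/ does not exist"
    exit 1
fi

if [ -e "/lib/firmware/$FIRMWARE" ] ; then
    # 1 = start transfer, then write the image to data, 0 = transfer complete
    echo 1 > "/sys/$DEVPATH/loading"
    cat "/lib/firmware/$FIRMWARE" > "/sys/$DEVPATH/data"
    echo 0 > "/sys/$DEVPATH/loading"
    exit 0
fi

# the firmware was not found: -1 aborts the request
echo -1 > "/sys/$DEVPATH/loading"

mesg "Cannot find the $FIRMWARE firmware"
exit 1
######################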

There is also a script /init mounting /proc and /sys.

The problem is, the kernel starts BEFORE the script /init of the ram disk is 
executed. Thus I still have the problem of missing firmware support for the 
in-kernel-driver.  

Here is some additional information:

Kernel version: 2.6.26 (Kernel source from Debian)
Distribution: Debian Lenny

The following firmware- and initrd-related kernel features are enabled:
CONFIG_FW_LOADER=y
CONFIG_BLK_DEV_INITRD=y


Thanks in advance for any help or hint.


Cheers,
Phil



^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: load firmware for in-kernel driver
  2010-10-26 22:19 load firmware for in-kernel driver Hr. Philip Rueegsegger
@ 2010-10-27 12:36 ` Andrey Borzenkov
  2010-10-27 14:01 ` Hr. Philip Rueegsegger
                   ` (8 subsequent siblings)
  9 siblings, 0 replies; 11+ messages in thread
From: Andrey Borzenkov @ 2010-10-27 12:36 UTC (permalink / raw)
  To: linux-hotplug

On Wed, Oct 27, 2010 at 2:19 AM, Hr. Philip Rueegsegger <rue@generali.ch> wrote:
> Hi list,
>
> I hope I have chosen the right mailing list for my problem.
>
> I want to use a monolithic kernel (loadable module support disabled) for
> security reasons. The in-kernel-driver for the network card (bnx2) needs
> firmware to be loaded. Of course, when the kernel boots there is no filesystem
> available from where the firmware can be loaded nor a firmware loader agent.

You can also compile firmware in kernel in which case request from
driver will be transparently served by compiled-in firmware.


> Kernel version: 2.6.26 (Kernel source from Debian)

Not sure when compiled-in firmware support was introduced first. Check
for CONFIG_FIRMWARE_IN_KERNEL.

^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: load firmware for in-kernel driver
  2010-10-26 22:19 load firmware for in-kernel driver Hr. Philip Rueegsegger
  2010-10-27 12:36 ` Andrey Borzenkov
@ 2010-10-27 14:01 ` Hr. Philip Rueegsegger
  2010-10-27 14:10 ` Kay Sievers
                   ` (7 subsequent siblings)
  9 siblings, 0 replies; 11+ messages in thread
From: Hr. Philip Rueegsegger @ 2010-10-27 14:01 UTC (permalink / raw)
  To: linux-hotplug

>> I want to use a monolithic kernel (loadable module support disabled) for
>> security reasons. The in-kernel-driver for the network card (bnx2) needs
>> firmware to be loaded. Of course, when the kernel boots there is no filesystem
>> available from where the firmware can be loaded nor a firmware loader agent.
>
> You can also compile firmware in kernel in which case request from
> driver will be transparently served by compiled-in firmware.
>
> Not sure when compiled-in firmware support was introduced first. Check
> for CONFIG_FIRMWARE_IN_KERNEL.

Unfortunately, for the kernel I'm using (2.6.26 from Debian Lenny), this is not 
the case.

Is there no other possibility to accomplish this? For example, kind of postpone 
loading of the driver?


^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: load firmware for in-kernel driver
  2010-10-26 22:19 load firmware for in-kernel driver Hr. Philip Rueegsegger
  2010-10-27 12:36 ` Andrey Borzenkov
  2010-10-27 14:01 ` Hr. Philip Rueegsegger
@ 2010-10-27 14:10 ` Kay Sievers
  2010-10-27 16:23 ` Hr. Philip Rueegsegger
                   ` (6 subsequent siblings)
  9 siblings, 0 replies; 11+ messages in thread
From: Kay Sievers @ 2010-10-27 14:10 UTC (permalink / raw)
  To: linux-hotplug

On Wed, Oct 27, 2010 at 16:01, Hr. Philip Rueegsegger <rue@generali.ch> wrote:
>>> I want to use a monolithic kernel (loadable module support disabled) for
>>> security reasons. The in-kernel-driver for the network card (bnx2) needs
>>> firmware to be loaded. Of course, when the kernel boots there is no filesystem
>>> available from where the firmware can be loaded nor a firmware loader agent.
>>
>> You can also compile firmware in kernel in which case request from
>> driver will be transparently served by compiled-in firmware.
>>
>> Not sure when compiled-in firmware support was introduced first. Check
>> for CONFIG_FIRMWARE_IN_KERNEL.
>
> Unfortunately, for the kernel I'm using (2.6.26 from Debian Lenny), this is not
> the case.
>
> Is there no other possibility to accomplish this? For example, kind of postpone
> loading of the driver?

Yeah, you should use a recent kernel. :)

You can try to unbind/bind the driver from/to the device with
/sys/bus/pci/drivers/*/*bind. For some drivers it works that way.

Anyway, it's probably easier to leave it as a module. There are
thousand ways to get code into the running kernel with the right
permissions, disabling the module loader does not really add security.

Kay

^ permalink raw reply	[flat|nested] 11+ messages in thread
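The bind step suggested in the message above, written out as an added example (not code from the thread or from any poster). A device whose probe failed for lack of firmware is left without a driver, so there is nothing to unbind; the function offers each driverless PCI Ethernet device to the driver again through its `bind` file. The function name, the sysfs-root parameter and the assumption that the driver requests its firmware during probe are this example's own.

```shell
#!/bin/sh
# Added example: re-run a built-in driver's probe once the firmware agent
# is in place. rebind_unbound and its arguments are hypothetical names.
#
# usage (in the initrd /init, after mounting /proc and /sys):
#   rebind_unbound /sys bnx2
#
# Prints the PCI address of every device offered to the driver.
rebind_unbound() {
    sysfs=$1
    driver=$2
    bind="$sysfs/bus/pci/drivers/$driver/bind"

    if [ ! -e "$bind" ]; then
        echo "no such PCI driver: $driver" >&2
        return 1
    fi

    for dev in "$sysfs"/bus/pci/devices/*; do
        # Unmatched glob or incomplete entry: nothing to do.
        [ -e "$dev/class" ] || continue
        # A driver symlink means the probe already succeeded.
        [ -e "$dev/driver" ] && continue
        # PCI class 0x0200xx is an Ethernet controller.
        case $(cat "$dev/class") in
            0x0200*) ;;
            *) continue ;;
        esac
        # The kernel refuses or ignores the write when the device ID is
        # not in the driver's table, so offering a foreign NIC is harmless.
        addr=${dev##*/}
        if echo "$addr" > "$bind" 2>/dev/null; then
            echo "$addr"
        fi
    done
    return 0
}
```

The write to `bind` blocks while the probe runs, so /sbin/hotplug and /lib/firmware must already be in place when the function is called.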

* Re: load firmware for in-kernel driver
  2010-10-26 22:19 load firmware for in-kernel driver Hr. Philip Rueegsegger
                   ` (2 preceding siblings ...)
  2010-10-27 14:10 ` Kay Sievers
@ 2010-10-27 16:23 ` Hr. Philip Rueegsegger
  2010-10-27 17:02 ` Karl O. Pinc
                   ` (5 subsequent siblings)
  9 siblings, 0 replies; 11+ messages in thread
From: Hr. Philip Rueegsegger @ 2010-10-27 16:23 UTC (permalink / raw)
  To: linux-hotplug

>>>> I want to use a monolithic kernel (loadable module support disabled) for
>>>> security reasons. The in-kernel-driver for the network card (bnx2) needs
>>>> firmware to be loaded. Of course, when the kernel boots there is no
>>>> filesystem available from where the firmware can be loaded nor a firmware 
>>>> loader agent.

>>>You can also compile firmware in kernel in which case request from
>>>driver will be transparently served by compiled-in firmware.
>>>
>>>Not sure when compiled-in firmware support was introduced first. Check
>>>for CONFIG_FIRMWARE_IN_KERNEL.

>> Unfortunately, for the kernel I'm using (2.6.26 from Debian Lenny), this is 
>> not the case.
>>
>> Is there no other possibility to accomplish this? For example, kind of
>> postpone loading of the driver?

>Yeah, you should use a recent kernel. :)
>
>You can try to unbind/bind the driver from/to the device with
>/sys/bus/pci/drivers/*/*bind. For some drivers it works that way.
>
>Anyway, it's probably easier to leave it as a module. There are
>thousand ways to get code into the running kernel with the right
>permissions, disabling the module loader does not really add security.

Ah really? Even if /dev/kmem is disabled in the kernel? So, you mean it's not 
worth the pain of having a monolithic kernel concerning security?

But still, besides this unbind/bind stuff or more recent kernel, is there really 
no other solution to have an in-kernel-driver needing firmware? You know, I'd 
like to stick with the kernel source provided by Debian just because of security 
updates.

Thanks and Cheers,
Phil



^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: load firmware for in-kernel driver
  2010-10-26 22:19 load firmware for in-kernel driver Hr. Philip Rueegsegger
                   ` (3 preceding siblings ...)
  2010-10-27 16:23 ` Hr. Philip Rueegsegger
@ 2010-10-27 17:02 ` Karl O. Pinc
  2010-10-27 17:48 ` Hr. Philip Rueegsegger
                   ` (4 subsequent siblings)
  9 siblings, 0 replies; 11+ messages in thread
From: Karl O. Pinc @ 2010-10-27 17:02 UTC (permalink / raw)
  To: linux-hotplug

On 10/27/2010 11:23:57 AM, Hr. Philip Rueegsegger wrote:
> You know, I'd like to stick with the kernel source provided by Debian
> just because of security updates.

Use the newer kernel from backports.debian.org.



Karl <kop@meme.com>
Free Software:  "You don't pay back, you pay forward."
                 -- Robert A. Heinlein


^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: load firmware for in-kernel driver
  2010-10-26 22:19 load firmware for in-kernel driver Hr. Philip Rueegsegger
                   ` (4 preceding siblings ...)
  2010-10-27 17:02 ` Karl O. Pinc
@ 2010-10-27 17:48 ` Hr. Philip Rueegsegger
  2010-10-27 19:55 ` Karl O. Pinc
                   ` (3 subsequent siblings)
  9 siblings, 0 replies; 11+ messages in thread
From: Hr. Philip Rueegsegger @ 2010-10-27 17:48 UTC (permalink / raw)
  To: linux-hotplug

> On 10/27/2010 11:23:57 AM, Hr. Philip Rueegsegger wrote:
>> You know, I'd like to stick with the kernel source provided by Debian
>> just because of security updates.
>
> Use the newer kernel from backports.debian.org.

What about security updates? Are they delivered equally regularly as from the 
stable tree? After a quick look on http://backports.debian.org I couldn't see an 
answer to my question. Thanks.

Cheers,
Phil


^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: load firmware for in-kernel driver
  2010-10-26 22:19 load firmware for in-kernel driver Hr. Philip Rueegsegger
                   ` (5 preceding siblings ...)
  2010-10-27 17:48 ` Hr. Philip Rueegsegger
@ 2010-10-27 19:55 ` Karl O. Pinc
  2010-10-28  1:19 ` Greg KH
                   ` (2 subsequent siblings)
  9 siblings, 0 replies; 11+ messages in thread
From: Karl O. Pinc @ 2010-10-27 19:55 UTC (permalink / raw)
  To: linux-hotplug

On 10/27/2010 12:48:35 PM, Hr. Philip Rueegsegger wrote:
> > On 10/27/2010 11:23:57 AM, Hr. Philip Rueegsegger wrote:
> >> You know, I'd like to stick with the kernel source provided by Debian
> >> just because of security updates.
> >
> > Use the newer kernel from backports.debian.org.
>
> What about security updates? Are they delivered equally regularly as
> from the stable tree? After a quick look on http://backports.debian.org I
> couldn't see an answer to my question. Thanks.

Good question.  I'd like to be sure of the answer myself.

Traditionally not, but backports is recently officially part of
Debian so things may have changed.  The kernel also tends
to be more rigorously maintained and may be a
special case.  The backports.debian.org FAQ says
security is best-effort but depends on the maintainer.
You might try asking security@debian.org or possibly 
debian-kernel@lists.debian.org. The latter seems
to be listed as one of the package maintainers
so might be the right choice.  

(The security team
faq says nothing about backports and now that it's
official maybe it should.  The question in the
backports faq is weirdly grey-ed out and italicized;
that confuses me slightly.)




Karl <kop@meme.com>
Free Software:  "You don't pay back, you pay forward."
                 -- Robert A. Heinlein


^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: load firmware for in-kernel driver
  2010-10-26 22:19 load firmware for in-kernel driver Hr. Philip Rueegsegger
                   ` (6 preceding siblings ...)
  2010-10-27 19:55 ` Karl O. Pinc
@ 2010-10-28  1:19 ` Greg KH
  2010-11-01 18:57 ` Hr. Philip Rueegsegger
  2010-11-01 20:09 ` Greg KH
  9 siblings, 0 replies; 11+ messages in thread
From: Greg KH @ 2010-10-28  1:19 UTC (permalink / raw)
  To: linux-hotplug

On Wed, Oct 27, 2010 at 07:48:35PM +0200, Hr. Philip Rueegsegger wrote:
> > On 10/27/2010 11:23:57 AM, Hr. Philip Rueegsegger wrote:
> >> You know, I'd like to stick with the kernel source provided by Debian
> >> just because of security updates.
> >
> > Use the newer kernel from backports.debian.org.
>
> What about security updates? Are they delivered equally regularly as from the
> stable tree? After a quick look on http://backports.debian.org I couldn't see an
> answer to my question. Thanks.

Why would you ask this on the linux-hotplug list and not the debian
lists?

If you are sticking with an old, obsolete kernel version like you want
to, you really are on your own, OR you need to get support from your
distro, not the upstream community.

good luck,

greg k-h

^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: load firmware for in-kernel driver
  2010-10-26 22:19 load firmware for in-kernel driver Hr. Philip Rueegsegger
                   ` (7 preceding siblings ...)
  2010-10-28  1:19 ` Greg KH
@ 2010-11-01 18:57 ` Hr. Philip Rueegsegger
  2010-11-01 20:09 ` Greg KH
  9 siblings, 0 replies; 11+ messages in thread
From: Hr. Philip Rueegsegger @ 2010-11-01 18:57 UTC (permalink / raw)
  To: linux-hotplug

>Anyway, it's probably easier to leave it as a module. There are
>thousand ways to get code into the running kernel with the right
>permissions, disabling the module loader does not really add security.
>
>Kay

Is it really possible to get code into the running kernel with module loader 
turned off and no /dev/kmem support? If so, what can be done to prevent this?

Cheers,
Philip


^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: load firmware for in-kernel driver
  2010-10-26 22:19 load firmware for in-kernel driver Hr. Philip Rueegsegger
                   ` (8 preceding siblings ...)
  2010-11-01 18:57 ` Hr. Philip Rueegsegger
@ 2010-11-01 20:09 ` Greg KH
  9 siblings, 0 replies; 11+ messages in thread
From: Greg KH @ 2010-11-01 20:09 UTC (permalink / raw)
  To: linux-hotplug

On Mon, Nov 01, 2010 at 07:57:23PM +0100, Hr. Philip Rueegsegger wrote:
> >Anyway, it's probably easier to leave it as a module. There are
> >thousand ways to get code into the running kernel with the right
> >permissions, disabling the module loader does not really add security.
> >
> >Kay
> 
> Is it really possible to get code into the running kernel with module loader 
> turned off and no /dev/kmem support?

Yes it is.

For examples of how to do this, use google.

And it's way off-topic here so please don't discuss it here.

good luck,

greg k-h

^ permalink raw reply	[flat|nested] 11+ messages in thread
