From: "Luis R. Rodriguez" <mcgrof@suse.com>
To: Mimi Zohar <zohar@linux.vnet.ibm.com>
Cc: linux-security-module@vger.kernel.org, kexec@lists.infradead.org,
linux-modules@vger.kernel.org, fsdevel@vger.kernel.org,
David Howells <dhowells@redhat.com>,
David Woodhouse <dwmw2@infradead.org>,
Kees Cook <keescook@chromium.org>,
Dmitry Torokhov <dmitry.torokhov@gmail.com>,
Dmitry Kasatkin <dmitry.kasatkin@gmail.com>
Subject: Re: [RFC PATCH v2 07/11] firmware: replace call to fw_read_file_contents() with kernel version
Date: Thu, 21 Jan 2016 00:39:19 +0100 [thread overview]
Message-ID: <20160120233919.GM11277@wotan.suse.de> (raw)
In-Reply-To: <1453129886-20192-8-git-send-email-zohar@linux.vnet.ibm.com>
On Mon, Jan 18, 2016 at 10:11:22AM -0500, Mimi Zohar wrote:
> Replace fw_read_file_contents() for reading a file with the common VFS
> kernel_read_file() function. A benefit of calling kernel_read_file()
> to read the firmware is the firmware is read only once, instead of once
> for measuring/appraising the firmware and again for reading the file
> contents into memory.
>
> This patch retains the kernel_fw_from_file() hook, which is called from
> security_kernel_post_read_file(), but removes the
> sercurity_kernel_fw_from_file() function.
>
> Changelog:
> - reordered and squashed firmware patches
> - fix MAX firmware size (Kees Cook)
>
> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
> ---
> drivers/base/firmware_class.c | 48 ++++++++++-------------------------
> include/linux/ima.h | 7 +----
> include/linux/security.h | 8 +-----
> security/integrity/ima/ima.h | 1 -
> security/integrity/ima/ima_appraise.c | 8 ------
> security/integrity/ima/ima_main.c | 18 +++++--------
> security/integrity/ima/ima_policy.c | 26 +++++++++----------
> security/integrity/integrity.h | 11 +++-----
> security/security.c | 28 ++++++++++----------
> 9 files changed, 54 insertions(+), 101 deletions(-)
>
> diff --git a/drivers/base/firmware_class.c b/drivers/base/firmware_class.c
> index 8524450..cc175f1 100644
> --- a/drivers/base/firmware_class.c
> +++ b/drivers/base/firmware_class.c
> @@ -29,6 +29,7 @@
> #include <linux/syscore_ops.h>
> #include <linux/reboot.h>
> #include <linux/security.h>
> +#include <linux/ima.h>
>
> #include <generated/utsrelease.h>
>
> @@ -291,40 +292,10 @@ static const char * const fw_path[] = {
> module_param_string(path, fw_path_para, sizeof(fw_path_para), 0644);
> MODULE_PARM_DESC(path, "customized firmware image search path with a higher priority than default path");
>
> -static int fw_read_file_contents(struct file *file, struct firmware_buf *fw_buf)
> -{
> - int size;
> - char *buf;
> - int rc;
> -
> - if (!S_ISREG(file_inode(file)->i_mode))
> - return -EINVAL;
> - size = i_size_read(file_inode(file));
> - if (size <= 0)
> - return -EINVAL;
> - buf = vmalloc(size);
> - if (!buf)
> - return -ENOMEM;
> - rc = kernel_read(file, 0, buf, size);
> - if (rc != size) {
> - if (rc > 0)
> - rc = -EIO;
> - goto fail;
> - }
> - rc = security_kernel_fw_from_file(file, buf, size);
> - if (rc)
> - goto fail;
> - fw_buf->data = buf;
> - fw_buf->size = size;
> - return 0;
> -fail:
> - vfree(buf);
> - return rc;
> -}
> -
> static int fw_get_filesystem_firmware(struct device *device,
> struct firmware_buf *buf)
> {
> + loff_t size;
> int i, len;
> int rc = -ENOENT;
> char *path;
> @@ -350,13 +321,18 @@ static int fw_get_filesystem_firmware(struct device *device,
> file = filp_open(path, O_RDONLY, 0);
> if (IS_ERR(file))
> continue;
> - rc = fw_read_file_contents(file, buf);
> +
> + buf->size = 0;
> + rc = kernel_read_file(file, &buf->data, &size, INT_MAX,
> + FIRMWARE_CHECK);
The way kernel firmware signing was implemented was that we'd first read the
foo.sig (or whatever extension we use). The same kernel_read_file() would be
used if this gets applied so this would still works well with that. Of course
folks using IMA and their own security policy would just disable the kernel
fw signing facility.
> diff --git a/include/linux/ima.h b/include/linux/ima.h
> index ae91938..0a7f039 100644
> --- a/include/linux/ima.h
> +++ b/include/linux/ima.h
> @@ -16,6 +16,7 @@ struct linux_binprm;
> enum ima_policy_id {
> KEXEC_CHECK = 1,
> INITRAMFS_CHECK,
> + FIRMWARE_CHECK,
> IMA_MAX_READ_CHECK
> };
The only thing that is worth questioning here in light of kernel fw signing is
what int policy_id do we use? Would we be OK to add FIRMWARE_SIG_CHECK later
While at it, perhaps kernel_read_file() last argument should be enum
ima_policy_id then. If the policy_id is going to be used elsewhere outside of
IMA then perhaps ima.h is not the best place for it ? Would fs.h for type of
file be OK ? Then we'd have a list of known file types the kernel reads.
Luis
next prev parent reply other threads:[~2016-01-20 23:39 UTC|newest]
Thread overview: 50+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-01-18 15:11 [RFC PATCH v2 00/11] vfss: support for a common kernel file loader Mimi Zohar
2016-01-18 15:11 ` [RFC PATCH v2 01/11] ima: separate 'security.ima' reading functionality from collect Mimi Zohar
2016-01-19 20:00 ` Dmitry Kasatkin
2016-01-21 13:19 ` Mimi Zohar
2016-01-21 18:18 ` Dmitry Kasatkin
2016-01-18 15:11 ` [RFC PATCH v2 02/11] vfs: define a generic function to read a file from the kernel Mimi Zohar
2016-01-20 1:09 ` Luis R. Rodriguez
2016-01-21 13:24 ` Mimi Zohar
2016-01-18 15:11 ` [RFC PATCH v2 03/11] ima: provide buffer hash calculation function Mimi Zohar
2016-01-19 19:26 ` Dmitry Kasatkin
2016-01-21 13:18 ` Mimi Zohar
2016-01-18 15:11 ` [RFC PATCH v2 04/11] ima: calculate the hash of a buffer using aynchronous hash(ahash) Mimi Zohar
2016-01-18 15:11 ` [RFC PATCH v2 05/11] ima: define a new hook to measure and appraise a file already in memory Mimi Zohar
2016-01-18 15:11 ` [RFC PATCH v2 06/11] kexec: replace call to copy_file_from_fd() with kernel version Mimi Zohar
2016-01-20 3:22 ` Minfei Huang
2016-01-20 23:12 ` Luis R. Rodriguez
2016-01-21 0:27 ` Dmitry Torokhov
2016-01-25 6:37 ` Dave Young
2016-01-25 7:02 ` Dave Young
2016-01-25 15:04 ` Mimi Zohar
2016-01-25 20:34 ` Luis R. Rodriguez
2016-01-25 23:48 ` Mimi Zohar
2016-01-26 20:48 ` Luis R. Rodriguez
2016-01-26 1:20 ` Dave Young
2016-01-26 16:40 ` Mimi Zohar
2016-01-27 1:50 ` Dave Young
2016-01-18 15:11 ` [RFC PATCH v2 07/11] firmware: replace call to fw_read_file_contents() " Mimi Zohar
2016-01-20 0:10 ` Kees Cook
2016-01-21 12:04 ` Mimi Zohar
2016-01-20 23:39 ` Luis R. Rodriguez [this message]
2016-01-20 23:56 ` Luis R. Rodriguez
2016-01-21 12:05 ` Mimi Zohar
2016-01-21 16:49 ` Luis R. Rodriguez
2016-01-18 15:11 ` [RFC PATCH v2 08/11] module: replace copy_module_from_fd " Mimi Zohar
2016-01-21 0:03 ` Luis R. Rodriguez
2016-01-21 13:12 ` Mimi Zohar
2016-01-21 15:45 ` Paul Moore
2016-01-21 21:15 ` Mimi Zohar
2016-01-21 21:26 ` Paul Moore
2016-01-21 21:58 ` Kees Cook
2016-01-21 16:56 ` Luis R. Rodriguez
2016-01-21 20:37 ` Mimi Zohar
2016-01-18 15:11 ` [RFC PATCH v2 09/11] ima: load policy using path Mimi Zohar
2016-01-21 0:05 ` Luis R. Rodriguez
2016-01-21 13:15 ` Mimi Zohar
2016-01-23 2:59 ` Luis R. Rodriguez
2016-01-18 15:11 ` [RFC PATCH v2 10/11] ima: measure and appraise the IMA policy itself Mimi Zohar
2016-01-18 15:11 ` [RFC PATCH v2 11/11] ima: require signed IMA policy Mimi Zohar
2016-01-21 20:16 ` [RFC PATCH v2 00/11] vfss: support for a common kernel file loader Luis R. Rodriguez
2016-01-21 20:18 ` Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160120233919.GM11277@wotan.suse.de \
--to=mcgrof@suse.com \
--cc=dhowells@redhat.com \
--cc=dmitry.kasatkin@gmail.com \
--cc=dmitry.torokhov@gmail.com \
--cc=dwmw2@infradead.org \
--cc=fsdevel@vger.kernel.org \
--cc=keescook@chromium.org \
--cc=kexec@lists.infradead.org \
--cc=linux-modules@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=zohar@linux.vnet.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).