From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1751104AbdE3QJ3 (ORCPT <rfc822;w@1wt.eu>);
        Tue, 30 May 2017 12:09:29 -0400
Received: from mga02.intel.com ([134.134.136.20]:16620 "EHLO mga02.intel.com"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1751062AbdE3QJ2 (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 30 May 2017 12:09:28 -0400
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.38,418,1491289200"; 
   d="scan'208";a="108271621"
Message-ID: <1496160437.5682.6.camel@linux.intel.com>
Subject: Re: [PATCH 1/4] firmware: add firmware signing
From: Alan Cox <alan@linux.intel.com>
To: AKASHI Takahiro <takahiro.akashi@linaro.org>, mcgrof@kernel.org
Cc: rusty@rustcorp.com.au, dhowells@redhat.com, ming.lei@canonical.com,
        seth.forshee@canonical.com, kyle@kernel.org, David.Woodhouse@intel.com,
        linux-kernel@vger.kernel.org, "Luis R . Rodriguez" <mcgrof@suse.com>
In-Reply-To: <20170526030609.1414-2-takahiro.akashi@linaro.org>
References: <20170526030609.1414-1-takahiro.akashi@linaro.org>
         <20170526030609.1414-2-takahiro.akashi@linaro.org>
Organization: Intel Corporation
Content-Type: text/plain; charset="UTF-8"
Date: Tue, 30 May 2017 17:07:17 +0100
Mime-Version: 1.0
X-Mailer: Evolution 3.20.5 (3.20.5-1.fc24) 
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, 2017-05-26 at 12:06 +0900, AKASHI Takahiro wrote:
> There is one driver data option, DRIVER_DATA_REQ_NO_SIG_CHECK,
> which will skip signature verification check at load time
> even in enforcing mode.
> This option is solely for non security-sensitive data.

It's also for firmware that is already signed and checked by the
hardware. In the x86 world almost all modern era firmware is already
signed and the signature checked by the device.

> +static ssize_t firmware_sig_data_write(struct file *filp, struct
> kobject *kobj,
> +				       struct bin_attribute
> *bin_attr,
> +				       char *buffer, loff_t offset,
> +				       size_t count)
> +{
> +	struct device *dev = kobj_to_dev(kobj);
> +	struct firmware_priv *fw_priv = to_firmware_priv(dev);
> +	struct firmware_buf *buf;
> +	void *buf_tmp;
> +	size_t new_size;
> +	ssize_t ret_count;
> +
> +	if (!capable(CAP_SYS_RAWIO))
> +		return -EPERM;
> +
> +	mutex_lock(&fw_lock);
> +	buf = fw_priv->buf;
> +	if (!buf || fw_state_is_done(&buf->fw_st)) {
> +		ret_count = -ENODEV;
> +		goto out;
> +	}
> +
> +	if (buf->sig_data && (offset + count > buf->sig_size)) {

If I do a ridiculously long amount of I/O what stops offset + count
overflowing ? It's no big deal as its CAP_SYS_RAWIO anyway but I'm just
wondering if there is a test missing ?

Alan