From: Mimi Zohar
To: linux-integrity@vger.kernel.org
Cc: Hans de Goede, Ard Biesheuvel, Peter Jones, Mimi Zohar, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, David Howells, "Luis R. Rodriguez", Kees Cook, "Serge E. Hallyn", Stephen Boyd
Subject: [RFC PATCH 6/6] ima: prevent loading firmware into a pre-allocated buffer
Date: Tue, 1 May 2018 09:48:23 -0400
In-Reply-To: <1525182503-13849-1-git-send-email-zohar@linux.vnet.ibm.com>
References: <1525182503-13849-1-git-send-email-zohar@linux.vnet.ibm.com>
Message-Id: <1525182503-13849-7-git-send-email-zohar@linux.vnet.ibm.com>

Question: can the device access the pre-allocated buffer at any time?

By allowing devices to request firmware be loaded directly into a pre-allocated buffer, will this allow the device access to the firmware before the kernel has verified the firmware signature? Is it dependent on the type of buffer allocated (e.g. DMA)? For example, qcom_mdt_load() -> qcom_scm_pas_init_image() -> dma_alloc_coherent().

With an IMA policy requiring signed firmware, this patch would prevent loading firmware into a pre-allocated buffer.
Signed-off-by: Mimi Zohar Cc: Luis R. Rodriguez Cc: David Howells Cc: Kees Cook Cc: Serge E. Hallyn Cc: Stephen Boyd --- security/integrity/ima/ima_main.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index eb9c273ab81d..3098131f77c4 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -454,6 +454,15 @@ int ima_read_file(struct file *file, enum kernel_read_file_id read_id) return 0; } + if (read_id == READING_FIRMWARE_PREALLOC_BUFFER) { + if ((ima_appraise & IMA_APPRAISE_FIRMWARE) && + (ima_appraise & IMA_APPRAISE_ENFORCE)) { + pr_err("Prevent device from accessing firmware prior to verifying the firmware signature.\n"); + return -EACCES; + } + return 0; + } + if (read_id == READING_FIRMWARE_FALLBACK) { if ((ima_appraise & IMA_APPRAISE_FIRMWARE) && (ima_appraise & IMA_APPRAISE_ENFORCE)) { -- 2.7.5
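Review bot: the new READING_FIRMWARE_PREALLOC_BUFFER branch in ima_read_file() repeats, line for line, the `(ima_appraise & IMA_APPRAISE_FIRMWARE) && (ima_appraise & IMA_APPRAISE_ENFORCE)` check of the READING_FIRMWARE_FALLBACK branch immediately below it; consider folding both read_ids into a single condition (`if (read_id == READING_FIRMWARE_PREALLOC_BUFFER || read_id == READING_FIRMWARE_FALLBACK)`) or a small helper, so the enforce-mode rule "deny firmware reads that IMA cannot appraise before the consumer sees the bytes" lives in one place and the two branches cannot drift apart. The pr_err text reads as an instruction ("Prevent device from accessing firmware ...") rather than a report of what was denied; phrasing it as a statement of the refusal and its reason, and including the read_id or a hint that a pre-allocated buffer was involved, would make the denial easier to triage from logs. Finally, the commit message asks whether the device can access the pre-allocated buffer before verification and whether that depends on the buffer type, yet the code denies unconditionally in enforce mode and silently allows (return 0) otherwise; the commit message should record which answer the patch assumes, since the deny-everything policy only makes sense if the buffer is device-visible at load time.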