Received: by 10.192.165.148 with SMTP id m20csp5333402imm;
        Tue, 1 May 2018 13:07:11 -0700 (PDT)
X-Google-Smtp-Source: AB8JxZots19d8X/mzWJNWvefIyWaYnHDWwiCgKp34gw6q5paiJg6pzu3IOr+N/i0AdhXzJTBMQyq
X-Received: by 2002:a65:4289:: with SMTP id j9-v6mr4738365pgp.136.1525205231364;
        Tue, 01 May 2018 13:07:11 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1525205231; cv=none;
        d=google.com; s=arc-20160816;
        b=bK7YIyTwqAX6u324fTkgEZehZ6gr0+8KjrzKUJ+vkJ98czn47Ey+mNkl5lZCWbIip/
         anqe32vMBvI3zAJ36ktWcQ1LKhWHhCCSyKlbq2mmprv61+09jDGalYk9R1PnInWNGHkw
         f+AKuMvb1NBPLmE7vO/iOBOLwjJzbGboRb9G4b/WX/0Jh8GfZ7gbB0A7dzeafXW1EWtL
         LLKMbHOJ+qpT4Qo6dkBNNiNxKLCNVRIwa0jzijhrAITTPmad++yoxqaB4dQvlrIw4odY
         /eXfXpU4vJQlbWuRiCcRGR9i2sliqypbKQ8dg39D63mAoP3S1NuUG98Iy7M/o8iHFM9v
         CVPQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:user-agent:in-reply-to
         :content-disposition:mime-version:references:message-id:subject:cc
         :to:from:date:arc-authentication-results;
        bh=TYzt7dlomvLmqbmXxZqRigp16+Yt3zBmVSeT2kWBSGU=;
        b=M2dUjLEK5TKdb1s4oQ8onuB3SjxPrg3C1VwrGEdgFMP58K2Qe+kTyPRGYKWUViMDhm
         xns+phBTaMw8e+CkVdHTZN61HbUd54FRtQP6kv7DUP/2j2vpM3sBbDcu6c13YG6e564D
         6droy/WNRCUzLr5Q4OdVtV5el33/HG4Pzf4KYMvrbucODlm7qwMZKGI6gyQQ7p7ouuZO
         yph6I5QQt4Xm3pE4SXwhxWtGtj465VIdYgfkC72UwIGY6M5nudqiYAmEkOQ+jWxGc3SE
         ycGdRa65w7oQHyB2Fe7dQJqYG+w8VuuE0vjM5BtVY3uAb9N80LdytaQGxnIwPxi73cVB
         lwuA==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id l188si10794090pfc.266.2018.05.01.13.06.55;
        Tue, 01 May 2018 13:07:11 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1751175AbeEAUGo (ORCPT
        <rfc822;paul.schmitz.hallo.parkuhr@gmail.com> + 99 others);
        Tue, 1 May 2018 16:06:44 -0400
Received: from bmailout3.hostsharing.net ([176.9.242.62]:60613 "EHLO
        bmailout3.hostsharing.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1750863AbeEAUGm (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 1 May 2018 16:06:42 -0400
Received: from h08.hostsharing.net (h08.hostsharing.net [83.223.95.28])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (Client CN "*.hostsharing.net", Issuer "COMODO RSA Domain Validation Secure Server CA" (not verified))
        by bmailout3.hostsharing.net (Postfix) with ESMTPS id C010A103821C3;
        Tue,  1 May 2018 22:06:39 +0200 (CEST)
Received: by h08.hostsharing.net (Postfix, from userid 100393)
        id 4A54380051; Tue,  1 May 2018 22:06:39 +0200 (CEST)
Date:   Tue, 1 May 2018 22:06:39 +0200
From:   Lukas Wunner <lukas@wunner.de>
To:     Andy Lutomirski <luto@kernel.org>
Cc:     Hans de Goede <hdegoede@redhat.com>,
        Ard Biesheuvel <ard.biesheuvel@linaro.org>,
        "Luis R. Rodriguez" <mcgrof@kernel.org>,
        Greg KH <gregkh@linuxfoundation.org>,
        Thomas Gleixner <tglx@linutronix.de>,
        Ingo Molnar <mingo@redhat.com>,
        "H. Peter Anvin" <hpa@zytor.com>, Peter Jones <pjones@redhat.com>,
        dave@bewaar.me, Will Deacon <will.deacon@arm.com>,
        Matt Fleming <matt@codeblueprint.co.uk>,
        David Howells <dhowells@redhat.com>,
        Mimi Zohar <zohar@linux.vnet.ibm.com>,
        Josh Triplett <josh@joshtriplett.org>,
        Dmitry Torokhov <dmitry.torokhov@gmail.com>,
        Martin Fuzzey <mfuzzey@parkeon.com>,
        Kalle Valo <kvalo@codeaurora.org>,
        Arend Van Spriel <arend.vanspriel@broadcom.com>,
        Linus Torvalds <torvalds@linux-foundation.org>,
        nbroeking@me.com, Bjorn Andersson <bjorn.andersson@linaro.org>,
        duwe@suse.de, Kees Cook <keescook@chromium.org>,
        X86 ML <x86@kernel.org>, linux-efi <linux-efi@vger.kernel.org>,
        LKML <linux-kernel@vger.kernel.org>,
        LSM List <linux-security-module@vger.kernel.org>
Subject: Re: [PATCH v5 2/5] efi: Add embedded peripheral firmware support
Message-ID: <20180501200639.GA3628@wunner.de>
References: <20180429093558.5411-1-hdegoede@redhat.com>
 <20180429093558.5411-3-hdegoede@redhat.com>
 <CALCETrXDrcxyESajDZs3L7sAAfDXXc_CUzy5nUZxLPxaTHZ80g@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <CALCETrXDrcxyESajDZs3L7sAAfDXXc_CUzy5nUZxLPxaTHZ80g@mail.gmail.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, May 01, 2018 at 07:29:19PM +0000, Andy Lutomirski wrote:
> On Sun, Apr 29, 2018 at 2:36 AM Hans de Goede <hdegoede@redhat.com> wrote:
> > +       for (i = 0; i < size; i += 8) {
> > +               if (*((u64 *)(mem + i)) != *((u64 *)desc->prefix))
> > +                       continue;
> > +
> > +               /* Seed with ~0, invert to match crc32 userspace utility
> */
> > +               crc = ~crc32(~0, mem + i, desc->length);
> > +               if (crc == desc->crc)
> > +                       break;
> > +       }
> 
> I hate to play the security card, but this stinks a bit.  The kernel
> obviously needs to trust the EFI boot services code since the EFI boot
> services code is free to modify the kernel image.  But your patch is not
> actually getting this firmware blob from the boot services code via any
> defined interface -- you're literally snarfing up the blob from a range of
> memory.  I fully expect there to be any number of ways for untrustworthy
> entities to inject malicious blobs into this memory range on quite a few
> implementations.
[snip]
> It would be really nice if there was a way to pull a blob out of EFI space
> that is marked, by EFI, as belonging to a particular device.

Upthread I suggested to read the firmware from the EFI Firmware Volume.
From my point of view that would fulfill your requirements:
https://lkml.org/lkml/2018/4/3/568

In the case of Hans' HID device, the firmware is embedded as a binary
array in the EFI driver for the device.  So the kernel would read the
driver from the Firmware Volume, but it would still have to extract
the firmware from the driver, either by scanning for the 8 byte magic
or by hardcoding the offset and length in the kernel.

An attacker would have to modify the Firmware Volume as opposed to
just modifying a particular space in memory.

My suggestion was dismissed by Hans and Peter Jones on the grounds of
causing additional work without perceived benefit, given that a working
(albeit admitted to be hackish) solution exists.

Moreover Ard criticized that the EFI Firmware Volume Protocol is not
part of the UEFI spec.

I agree with you completely BTW.

Thanks,

Lukas