Subject: Re: [PATCH 1/6] firmware: permit LSMs and IMA to fail firmware sysfs fallback loading
From: Mimi Zohar
To: "Luis R. Rodriguez"
Cc: linux-integrity@vger.kernel.org, Hans de Goede, Ard Biesheuvel, Peter Jones, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, David Howells, Kees Cook, Matthew Garrett, Andres Rodriguez, Greg Kroah-Hartman
Date: Thu, 03 May 2018 20:36:38 -0400
Message-Id: <1525394198.3539.143.camel@linux.vnet.ibm.com>
In-Reply-To: <20180504000258.GP27853@wotan.suse.de>
References: <1525182503-13849-1-git-send-email-zohar@linux.vnet.ibm.com> <1525182503-13849-2-git-send-email-zohar@linux.vnet.ibm.com> <20180504000258.GP27853@wotan.suse.de>

On Fri, 2018-05-04 at 00:02 +0000, Luis R. Rodriguez wrote:
> If you can add Andres Rodriguez, and Greg to your Cc list
> in the future patches that'd be appreciated.
>
> On Tue, May 01, 2018 at 09:48:18AM -0400, Mimi Zohar wrote:
> > Add an LSM hook prior to allowing firmware sysfs fallback loading.
> > > > Signed-off-by: Mimi Zohar > > Cc: Luis R. Rodriguez > > Cc: David Howells > > Cc: Kees Cook > > Cc: Matthew Garrett > > --- > > drivers/base/firmware_loader/fallback.c | 7 +++++++ > > include/linux/fs.h | 1 + > > 2 files changed, 8 insertions(+) > > > > diff --git a/drivers/base/firmware_loader/fallback.c b/drivers/base/firmware_loader/fallback.c > > index 31b5015b59fe..23d2af30474e 100644 > > --- a/drivers/base/firmware_loader/fallback.c > > +++ b/drivers/base/firmware_loader/fallback.c > > @@ -651,6 +651,8 @@ static bool fw_force_sysfs_fallback(unsigned int opt_flags) > > > > static bool fw_run_sysfs_fallback(unsigned int opt_flags) > > { > > + int ret; > > + > > if (fw_fallback_config.ignore_sysfs_fallback) { > > pr_info_once("Ignoring firmware sysfs fallback due to sysctl knob\n"); > > return false; > > @@ -659,6 +661,11 @@ static bool fw_run_sysfs_fallback(unsigned int opt_flags) > > if ((opt_flags & FW_OPT_NOFALLBACK)) > > return false; > > > > + /* Also permit LSMs and IMA to fail firmware sysfs fallback */ > > + ret = security_kernel_read_file(NULL, READING_FIRMWARE_FALLBACK); > > + if (ret < 0) > > + return ret; > > + > > return fw_force_sysfs_fallback(opt_flags); > > } > > > > diff --git a/include/linux/fs.h b/include/linux/fs.h > > index 760d8da1b6c7..dc16a73c3d38 100644 > > --- a/include/linux/fs.h > > +++ b/include/linux/fs.h 
> > @@ -2810,6 +2810,7 @@ extern int do_pipe_flags(int *, int); > > id(UNKNOWN, unknown) \ > > id(FIRMWARE, firmware) \ > > id(FIRMWARE_PREALLOC_BUFFER, firmware) \ > > + id(FIRMWARE_FALLBACK, firmware) \ > >
> If you're going to add this perhaps FIRMWARE_FALLBACK_SYSFS as we may later
> get FIRMWARE_FALLBACK_EFI.

From an IMA signature verification perspective, both are buffer based. The file signature is stored as a security xattr. Without a file descriptor, the kernel cannot verify the firmware signature.

I don't have a problem with defining another enumeration. Perhaps other LSMs will want to be able to differentiate between sysfs and EFI fallback methods.

Mimi
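
Review bot: in the second drivers/base/firmware_loader/fallback.c hunk (@@ -659), `return ret;` hands a negative errno back from a function declared `static bool fw_run_sysfs_fallback(unsigned int opt_flags)`. Any non-zero value converts to true, so when security_kernel_read_file() denies the request the function returns the same value it uses for proceeding, not the `false` that the two earlier checks return to skip the fallback. Use `return false;` under `if (ret < 0)`; the local `int ret` added in the first hunk can then stay as is or be folded into the condition.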
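
Review bot: in the include/linux/fs.h hunk, `id(FIRMWARE_FALLBACK, firmware)` reuses the string `firmware` already mapped by FIRMWARE and FIRMWARE_PREALLOC_BUFFER, and nothing documents that this id is passed without a file: the fallback.c hunk calls `security_kernel_read_file(NULL, READING_FIRMWARE_FALLBACK)`. A comment beside the new id stating that hooks receive a NULL file for it would keep LSM authors from dereferencing the file argument. If the id is renamed to FIRMWARE_FALLBACK_SYSFS as suggested in the thread, the call site in fallback.c needs the matching rename in the same patch.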