From: Mimi Zohar
To: linux-integrity@vger.kernel.org
Cc: Mimi Zohar, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, David Howells, "Luis R . Rodriguez", Eric Biederman, kexec@lists.infradead.org, Andres Rodriguez, Greg Kroah-Hartman, Ard Biesheuvel, Kees Cook, "Serge E . Hallyn", Stephen Boyd
Subject: [PATCH v2 9/9] ima: based on policy prevent loading firmware (pre-allocated buffer)
Date: Thu, 17 May 2018 10:48:50 -0400
Message-Id: <1526568530-9144-10-git-send-email-zohar@linux.vnet.ibm.com>
In-Reply-To: <1526568530-9144-1-git-send-email-zohar@linux.vnet.ibm.com>
References: <1526568530-9144-1-git-send-email-zohar@linux.vnet.ibm.com>
X-Mailer: git-send-email 2.7.5
X-Mailing-List: linux-kernel@vger.kernel.org

Question: can the device access the pre-allocated buffer at any time?

By allowing devices to request firmware be loaded directly into a pre-allocated buffer, will this allow the device access to the firmware before the kernel has verified the firmware signature? Is it dependent on the type of buffer allocated (e.g. DMA)? For example, qcom_mdt_load() -> qcom_scm_pas_init_image() -> dma_alloc_coherent().

With an IMA policy requiring signed firmware, this patch would prevent loading firmware into a pre-allocated buffer.
Signed-off-by: Mimi Zohar Cc: Luis R. Rodriguez Cc: David Howells Cc: Kees Cook Cc: Serge E. Hallyn Cc: Stephen Boyd --- security/integrity/ima/ima_main.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index 29d1a929af5c..6224468845e6 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -452,6 +452,15 @@ int ima_read_file(struct file *file, enum kernel_read_file_id read_id) return 0; } + if (read_id == READING_FIRMWARE_PREALLOC_BUFFER) { + if ((ima_appraise & IMA_APPRAISE_FIRMWARE) && + (ima_appraise & IMA_APPRAISE_ENFORCE)) { + pr_err("Prevent device from accessing firmware prior to verifying the firmware signature.\n"); + return -EACCES; + } + return 0; + } + if (read_id == READING_FIRMWARE_FALLBACK_SYSFS) { if ((ima_appraise & IMA_APPRAISE_FIRMWARE) && (ima_appraise & IMA_APPRAISE_ENFORCE)) { -- 2.7.5
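Review bot: the inner test `(ima_appraise & IMA_APPRAISE_FIRMWARE) && (ima_appraise & IMA_APPRAISE_ENFORCE)` in the new READING_FIRMWARE_PREALLOC_BUFFER block is a verbatim copy of the test in the READING_FIRMWARE_FALLBACK_SYSFS block immediately below it; instead of a second copy, fold both ids into one condition, e.g. `if (read_id == READING_FIRMWARE_PREALLOC_BUFFER || read_id == READING_FIRMWARE_FALLBACK_SYSFS)`, and let read_id select the message. The pr_err string also states the intention ("Prevent device from accessing firmware prior to verifying the firmware signature.") rather than what was refused; a driver author who sees only that line in the log after their pre-allocated-buffer firmware request came back -EACCES will not learn that the IMA firmware appraisal policy rejected the pre-allocated-buffer path, so name the policy and the read id in the message. Finally, the commit message leaves its own opening question (whether the device can read the buffer before verification, and whether that depends on the buffer type) unanswered while the code denies every pre-allocated-buffer request under an enforcing policy; say explicitly that this is a conservative deny until that question is settled, and that drivers which only load firmware through a pre-allocated buffer cannot load it at all under such a policy.

The ordering concern behind this patch (a device-visible buffer may be read by the device before the kernel has finished verifying its contents) can be shown in a small user-space model. The following C program is an added illustration, not code from the patch or from the kernel: it models a device-visible buffer that the device may observe at any time, and compares writing firmware straight into that buffer and verifying afterwards with staging it in CPU-private memory, verifying, and only then publishing it. A 32-bit FNV-1a digest of a constructed sample image stands in for the signature check (an assumption for the example; a real IMA policy verifies a signature), the sample images are constructed, and the `enforce` flag models the patch's policy refusal of the direct path with -EACCES.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#ifndef EKEYREJECTED
#define EKEYREJECTED 129   /* Linux value; guard for non-Linux libc */
#endif

#define FW_SIZE 16

/* Constructed sample images (not real firmware); the second differs in its last byte. */
static const uint8_t good_fw[FW_SIZE] =
    { 0x7f,0x46,0x57,0x01, 0xde,0xad,0xbe,0xef, 0x00,0x11,0x22,0x33, 0x44,0x55,0x66,0x77 };
static const uint8_t tampered_fw[FW_SIZE] =
    { 0x7f,0x46,0x57,0x01, 0xde,0xad,0xbe,0xef, 0x00,0x11,0x22,0x33, 0x44,0x55,0x66,0x78 };

/* FNV-1a stands in for the signature verification an IMA appraisal performs
 * (assumption for this example only). */
static uint32_t fnv1a(const uint8_t *p, size_t n)
{
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 16777619u; }
    return h;
}

static bool verified(const uint8_t *img)
{
    return fnv1a(img, FW_SIZE) == fnv1a(good_fw, FW_SIZE);
}

/* Model of a device-visible buffer (e.g. DMA-coherent memory): the device can
 * observe it at any moment after allocation, so whatever the CPU writes there
 * is effectively handed to the device whether or not it has been checked. */
struct device_buf {
    uint8_t data[FW_SIZE];
    bool    exposed;   /* device observed bytes that were not yet verified */
};

static void device_poll(struct device_buf *b, bool bytes_verified)
{
    static const uint8_t empty[FW_SIZE];
    if (!bytes_verified && memcmp(b->data, empty, FW_SIZE) != 0)
        b->exposed = true;
}

struct result { int rc; bool exposed; bool installed; };

/* staged=false: write straight into the device buffer, verify afterwards
 *               (the pre-allocated-buffer ordering the patch worries about).
 * staged=true : stage in CPU-private memory, verify, only then publish.
 * enforce     : policy refuses the direct path outright, as the hunk does. */
static struct result run(const uint8_t *fw, bool staged, bool enforce)
{
    struct device_buf dev = {{0}, false};
    uint8_t staging[FW_SIZE];
    struct result r = { 0, false, false };

    if (!staged) {
        if (enforce) { r.rc = -EACCES; return r; }
        memcpy(dev.data, fw, FW_SIZE);
        device_poll(&dev, false);          /* window: unverified bytes are visible */
        if (!verified(dev.data)) { memset(dev.data, 0, FW_SIZE); r.rc = -EKEYREJECTED; }
    } else {
        memcpy(staging, fw, FW_SIZE);
        device_poll(&dev, false);          /* device buffer still empty: nothing to see */
        if (!verified(staging)) r.rc = -EKEYREJECTED;
        else memcpy(dev.data, staging, FW_SIZE);
    }
    device_poll(&dev, r.rc == 0);
    r.exposed = dev.exposed;
    r.installed = (memcmp(dev.data, good_fw, FW_SIZE) == 0);
    return r;
}

int main(void)
{
    const char *name[2] = { "direct", "staged" };
    for (int s = 0; s < 2; s++) {
        struct result r = run(good_fw, s != 0, false);
        printf("%s load of good image: rc=%d exposed=%d installed=%d\n",
               name[s], r.rc, (int)r.exposed, (int)r.installed);
    }
    return 0;
}
```

In the model the direct path exposes even a good image before verification and exposes a tampered one until the check fails, while the staged path never lets unverified bytes reach the device buffer; the `enforce` flag shows the patch's choice of closing the direct path entirely rather than trying to narrow the window.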