From: Mimi Zohar
To: linux-integrity@vger.kernel.org
Cc: Mimi Zohar, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, David Howells, "Luis R . Rodriguez", Eric Biederman, kexec@lists.infradead.org, Andres Rodriguez, Greg Kroah-Hartman, Ard Biesheuvel, "Luis R . Rodriguez", Kees Cook, "Serge E . Hallyn", Stephen Boyd
Subject: [RFC PATCH v3 7/7] ima: based on policy prevent loading firmware (pre-allocated buffer)
Date: Thu, 24 May 2018 07:09:36 -0400
In-Reply-To: <1527160176-29269-1-git-send-email-zohar@linux.vnet.ibm.com>
References: <1527160176-29269-1-git-send-email-zohar@linux.vnet.ibm.com>
Message-Id: <1527160176-29269-8-git-send-email-zohar@linux.vnet.ibm.com>
X-Mailing-List: linux-kernel@vger.kernel.org

Question: can the device access the pre-allocated buffer at any time?
(Still waiting to hear from Qualcomm...)

By allowing devices to request firmware be loaded directly into a pre-allocated buffer, will this allow the device access to the firmware before the kernel has verified the firmware signature? Is it dependent on the type of buffer allocated (e.g. DMA)? For example, qcom_mdt_load() -> qcom_scm_pas_init_image() -> dma_alloc_coherent().

With an IMA policy requiring signed firmware, this patch would prevent loading firmware into a pre-allocated buffer. Signed-off-by: Mimi Zohar Cc: Luis R. Rodriguez Cc: David Howells Cc: Kees Cook Cc: Serge E. Hallyn Cc: Stephen Boyd --- security/integrity/ima/ima_main.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index dd1f263f950a..d114b7ad2c86 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -457,6 +457,12 @@ int ima_read_data(struct file *file, enum kernel_read_file_id read_id) pr_err("Prevent firmware sysfs fallback loading.\n"); return -EACCES; /* INTEGRITY_UNKNOWN */ } + break; + case READING_FIRMWARE_PREALLOC_BUFFER: + if (ima_appraise & IMA_APPRAISE_FIRMWARE) { + pr_err("Prevent device from accessing firmware prior to verifying the firmware signature.\n"); + return -EACCES; + } default: break; } -- 2.7.5
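
Review bot: the new `case READING_FIRMWARE_PREALLOC_BUFFER:` in ima_read_data() has no `break;` of its own, so when `ima_appraise & IMA_APPRAISE_FIRMWARE` is clear it falls through into `default:`. That is harmless only because `default:` does nothing but break, and this same hunk had to add a `break;` to the preceding case to stop exactly that kind of fall-through, so the new case should end with an explicit `break;` as well. Two smaller points on the same lines: the `pr_err()` text states that the device would access the firmware before signature verification, which the commit message still poses as an open question, so wording that only names the action being denied (in the style of "Prevent firmware sysfs fallback loading.") would be more accurate; and the `return -EACCES;` could carry the same `/* INTEGRITY_UNKNOWN */` annotation as the sysfs fallback case above it for consistency. Since the check refuses every pre-allocated buffer load whenever firmware appraisal is enabled, regardless of how the buffer was allocated, a comment above the case saying so would help the drivers that depend on this path.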