From: Mimi Zohar
To: linux-integrity@vger.kernel.org
Cc: Mimi Zohar, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, David Howells, "Luis R. Rodriguez", Eric Biederman, kexec@lists.infradead.org, Andres Rodriguez, Greg Kroah-Hartman, Ard Biesheuvel, "Luis R. Rodriguez", Kees Cook, "Serge E. Hallyn", Stephen Boyd
Subject: [RFC PATCH v4 7/8] ima: based on policy prevent loading firmware (pre-allocated buffer)
Date: Tue, 29 May 2018 14:01:59 -0400
X-Mailer: git-send-email 2.7.5
In-Reply-To: <1527616920-5415-1-git-send-email-zohar@linux.vnet.ibm.com>
References: <1527616920-5415-1-git-send-email-zohar@linux.vnet.ibm.com>
Message-Id: <1527616920-5415-8-git-send-email-zohar@linux.vnet.ibm.com>
X-Mailing-List: linux-kernel@vger.kernel.org

Some systems are memory-constrained but they need to load very large firmwares. The firmware subsystem allows drivers to request this firmware be loaded from the filesystem, but this requires that the entire firmware be loaded into kernel memory first before it's provided to the driver. This can lead to a situation where we map the firmware twice, once to load the firmware into kernel memory and once to copy the firmware into the final resting place.
To resolve this problem, commit a098ecd2fa7d ("firmware: support loading into a pre-allocated buffer") introduced the request_firmware_into_buf() API that allows drivers to request firmware be loaded directly into a pre-allocated buffer. The QCOM_MDT_LOADER calls dma_alloc_coherent() to allocate this buffer.

According to Documentation/DMA-API.txt, consistent memory is memory for which a write by either the device or the processor can immediately be read by the processor or device without having to worry about caching effects. (You may however need to make sure to flush the processor's write buffers before telling devices to read that memory.)

Devices using pre-allocated DMA memory run the risk of the firmware being accessible by the device before the kernel's firmware signature verification has completed.

Loading firmware already calls the security_kernel_read_file LSM hook. With an IMA policy requiring signed firmware, this patch prevents loading firmware into a pre-allocated buffer.

Signed-off-by: Mimi Zohar
Cc: Luis R. Rodriguez
Cc: David Howells
Cc: Kees Cook
Cc: Serge E. Hallyn
Cc: Stephen Boyd
---
 security/integrity/ima/ima_main.c | 26 +++++++++++++++++---------
 1 file changed, 17 insertions(+), 9 deletions(-)

diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index 4a87f78098c8..3dae605a1604 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -419,6 +419,15 @@ void ima_post_path_mknod(struct dentry *dentry) iint->flags |= IMA_NEW_FILE; } +static int read_idmap[READING_MAX_ID] = { + [READING_FIRMWARE] = FIRMWARE_CHECK, + [READING_FIRMWARE_PREALLOC_BUFFER] = FIRMWARE_CHECK, + [READING_MODULE] = MODULE_CHECK, + [READING_KEXEC_IMAGE] = KEXEC_KERNEL_CHECK, + [READING_KEXEC_INITRAMFS] = KEXEC_INITRAMFS_CHECK, + [READING_POLICY] = POLICY_CHECK +}; + /** * ima_read_file - pre-measure/appraise hook decision based on policy * @file: pointer to the file to be measured/appraised/audit
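Review bot: The read_idmap[] table relocated above ima_read_file() in this hunk is not referenced by the code the patch adds to that function (the new branch only tests ima_appraise flags), so the move reads as an unrelated relocation that accounts for most of the 17 insertions / 9 deletions; either drop it, split it into its own patch, or state in the commit message why it has to move. While the table is being touched, `static const int read_idmap[READING_MAX_ID]` would place this lookup table in read-only data, since nothing should write to it at runtime.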
@@ -442,18 +451,17 @@ int ima_read_file(struct file *file, enum kernel_read_file_id read_id) } return 0; /* We rely on module signature checking */ } + + if (read_id == READING_FIRMWARE_PREALLOC_BUFFER) { + if ((ima_appraise & IMA_APPRAISE_FIRMWARE) && + (ima_appraise & IMA_APPRAISE_ENFORCE)) { + pr_err("Prevent device from accessing firmware prior to verifying the firmware signature.\n"); + return -EACCES; + } + } return 0; } -static int read_idmap[READING_MAX_ID] = { - [READING_FIRMWARE] = FIRMWARE_CHECK, - [READING_FIRMWARE_PREALLOC_BUFFER] = FIRMWARE_CHECK, - [READING_MODULE] = MODULE_CHECK, - [READING_KEXEC_IMAGE] = KEXEC_KERNEL_CHECK, - [READING_KEXEC_INITRAMFS] = KEXEC_INITRAMFS_CHECK, - [READING_POLICY] = POLICY_CHECK -}; - /** * ima_post_read_file - in memory collect/appraise/audit measurement * @file: pointer to the file to be measured/appraised/audit -- 2.7.5
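Review bot: The new READING_FIRMWARE_PREALLOC_BUFFER branch decides on the global ima_appraise flags alone (IMA_APPRAISE_FIRMWARE and IMA_APPRAISE_ENFORCE), not on whether this particular file would match an appraise rule, so once any enforced firmware appraisal rule is loaded every request_firmware_into_buf() caller is refused; if that coarseness is intended, the commit message should say so. The pr_err() also does not identify which request was refused, which makes the -EACCES hard to correlate in dmesg; naming the file being read (the hook receives it as `file`) would help, and since every refused request logs a line, a ratelimited variant would avoid flooding the log if a driver retries.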
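For reference, the condition the patch reacts to ("an IMA policy requiring signed firmware") is an enforced appraise rule for FIRMWARE_CHECK. The two policy fragments below are a constructed illustration added for this page, not part of the patch or the kernel tree; they use the documented IMA policy rule syntax, and the weak and hardened variants are shown side by side so the effect of the appraise rule on the flag the patch tests is visible.

```text
# Policy A (constructed): measurement only. No appraise rule, so
# IMA_APPRAISE_FIRMWARE stays clear and this patch does not refuse
# pre-allocated-buffer loads; unsigned firmware is measured into the
# IMA log but not blocked.
measure func=FIRMWARE_CHECK

# Policy B (constructed, alternative to A): measure and appraise. The
# appraise rule sets IMA_APPRAISE_FIRMWARE; with appraisal in enforce
# mode (the default, ima_appraise=enforce) a request_firmware_into_buf()
# load is refused with -EACCES and the pr_err() from the patch appears
# in dmesg, while two-buffer loads proceed only if the file carries a
# valid IMA signature.
measure func=FIRMWARE_CHECK
appraise func=FIRMWARE_CHECK appraise_type=imasig
```

A policy is loaded by writing its path to /sys/kernel/security/ima/policy (securityfs must be mounted), and the active rules can be read back from the same file on kernels built with CONFIG_IMA_READ_POLICY. Because the ima_appraise flags are derived from the loaded rules, checking that file is the quickest way to confirm which of the two behaviours above a given system will show.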