Received: by 2002:ac0:a5b6:0:0:0:0:0 with SMTP id m51-v6csp89150imm; Tue, 5 Jun 2018 15:38:03 -0700 (PDT) X-Google-Smtp-Source: ADUXVKKQoXYlFx9iEcLxHwCQNRR8NT4aSuIdIJteoFmdwbD7enLeCPBb9hUR7lTgggdZdi5HMSrv X-Received: by 2002:a62:d9c5:: with SMTP id b66-v6mr462357pfl.41.1528238283778; Tue, 05 Jun 2018 15:38:03 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1528238283; cv=none; d=google.com; s=arc-20160816; b=w/XPY2nCOSPFwtqoggKr0vinRw0A0SN5rb30LgTIre4mnjeIr1PviOlclakYXkmdEN YWtTIA/pl22W3l4Wa9M0Fh5WdKrtCo62+5wuFvzaOWMdRcu6TZC9t8BrIydNyqlwic0b Z/AC6oV0px8KUFaEUZORGHHUAgE5fwLRRItU8aB9orFnERFwr5gBCVIFg6n8893sSd2a fXfPHfI+QgvuK66bU/tmqfWac1Jd4W84JUoozZSiUeO6vKPFEdfcqfSo2IGH0fFhdekj CdECFbiAVrw/FbwPNCbpCY8PH1lg3ZdaRQrYUaaUKBwqLL7iny2qNpqOHewVoGyqwPLn i8Sw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :references:in-reply-to:mime-version:dkim-signature:dkim-signature :arc-authentication-results; bh=zCtIO8x4gn7jPAFObzM0jag4rqrR39q54ZtcYfHK2HU=; b=RYIGmyCI7VQFaWJy2ZpeKoTx3o2lbuxrOLgZDjTgqskDFYQTLmb0HobOwZ0MeF8pjD Jc4MBYqyYGM2nfu7kplAPtmKwXDUXwjCTCSW4Ygy/gGafkzn3J3cXQ7V8AC4vCaS9x7z WPqTNku2OQjT2FtlHHgfzAr7ibx+NHM9A99f1qHT3bwSzGfs6I3QaaQ+nhUIX7XPGEWa Vv3K+Bl1YBMavk3NR38GQ/2qAatKr5JuMTWTB6yO30s2AnikYGN/M1MQXsdStZlX3erU wDC+OHdEvnw4uZj32GR7jupr+vHuk6cVo5EMr8LrCaABugyuSVOjU1uG1KpZ477oiGZq ZO6A== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@google.com header.s=20161025 header.b=HMsUxdW1; dkim=fail header.i=@chromium.org header.s=google header.b=KQAUl7Cw; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=chromium.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id z15-v6si11316953pll.490.2018.06.05.15.37.49; Tue, 05 Jun 2018 15:38:03 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=fail header.i=@google.com header.s=20161025 header.b=HMsUxdW1; dkim=fail header.i=@chromium.org header.s=google header.b=KQAUl7Cw; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752498AbeFEWhZ (ORCPT + 99 others); Tue, 5 Jun 2018 18:37:25 -0400 Received: from mail-ua0-f195.google.com ([209.85.217.195]:42571 "EHLO mail-ua0-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752039AbeFEWhX (ORCPT ); Tue, 5 Jun 2018 18:37:23 -0400 Received: by mail-ua0-f195.google.com with SMTP id x18-v6so2789971uaj.9 for ; Tue, 05 Jun 2018 15:37:23 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=zCtIO8x4gn7jPAFObzM0jag4rqrR39q54ZtcYfHK2HU=; b=HMsUxdW1j4kYeAcWYazSLi+SYdBboQ5SyloZ5S1HT24PC7qopjGBxZv7o4Mr0n6BHv rClMjhjAqFlCjZ5Oim4ibEHZiWSXtQQUnB8ziNVZR5hg1C41CUkO0TG9SpY6KuIB4gnv pfjHf07Asi5q1C0VI47bRBNsKi8kWnzgyJMhoT6o+/DQAbwU5RiT8ash2Ow8kwYyZW6I uGr8hRPhCC3I4LrIkSgvTSxDOcSB5Fdw/uihJ3kXrskG1nxKN+5h17St64vPaqATUqlq j4gF19/GF1JNOyoJLuDWSSOVgF0bRzI9oikhGMFpB6eI0zu5eae/QFHGV3SaqJA0kHG5 LpZA== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=zCtIO8x4gn7jPAFObzM0jag4rqrR39q54ZtcYfHK2HU=; b=KQAUl7CwW7qFn0ag9UXRzxHB8VGNgpq4+T6k5wY7+TLgpJUa5sGuivXDDcw1adABm1 GED4hxACjw29T/7VoJgSyAOXe+c1YC9uaWhGU/scSylIYJhQmd0P2YAPIUBFCo+HFAxI keREbBLaTI8YI0dTsx/ZWIAQD7bM9gDxZj5/s= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=zCtIO8x4gn7jPAFObzM0jag4rqrR39q54ZtcYfHK2HU=; b=CRBsMIvSh+lfcXOCI8F97EFhmcIAv47wieFGYbb8gNTxFRLGQk7umUMTm9S4FutgC1 ceSqObR9slFKBoCLbm//KYe/F5cxWOzEwA30km+t1cJLMYXZuJu8pZR8h971tsRwRb30 PK4fwC2m/cadC7SXBTkJ+C+isLdzF64cHfAwp0G61mLXMm5zSNewuVYnO+jgnLtJ1GJQ VRthl+vKwyZfCxHlgCeuesUqpkV3n2ZY5PIn+tZjFNGdqhwLBbkKnaM6Hq0Yu3i1vIWY RWzkJATPgmJiVue/AjjhSb3jsohedIRNcr6exnTRwwl4Z8nd2eQ9P6kDvUOTNPgoT6Pg 201Q== X-Gm-Message-State: APt69E3u/4iTJC8DCEci5uqe8khufQ8ZQizgbTMFw1ifYQ8U0yvti8jU AuVK+KE0WaUlV5g/zuC/JkETtIBDqwgL16SxYKUeRA== X-Received: by 2002:a9f:2823:: with SMTP id c32-v6mr402437uac.193.1528238242626; Tue, 05 Jun 2018 15:37:22 -0700 (PDT) MIME-Version: 1.0 Received: by 2002:a1f:a085:0:0:0:0:0 with HTTP; Tue, 5 Jun 2018 15:37:22 -0700 (PDT) In-Reply-To: <20180601192545.GR4511@wotan.suse.de> References: <1527616920-5415-1-git-send-email-zohar@linux.vnet.ibm.com> <1527616920-5415-8-git-send-email-zohar@linux.vnet.ibm.com> <20180601191545.GP4511@wotan.suse.de> <20180601192545.GR4511@wotan.suse.de> From: Kees Cook Date: Tue, 5 Jun 2018 15:37:22 -0700 X-Google-Sender-Auth: MJ7Pxo14ZmNoANrzpRrBdg93Vcw Message-ID: Subject: Re: [RFC PATCH v4 7/8] ima: based on policy prevent loading firmware (pre-allocated buffer) To: Mimi Zohar , "Luis R. Rodriguez" Cc: Vlastimil Babka , Matthew Garrett , linux-integrity , linux-security-module , LKML , David Howells , Eric Biederman , Kexec Mailing List , Andres Rodriguez , Greg Kroah-Hartman , Ard Biesheuvel , "Serge E . Hallyn" , Stephen Boyd , Laura Abbott , Rik van Riel Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Jun 1, 2018 at 12:25 PM, Luis R. Rodriguez wrote: > On Fri, Jun 01, 2018 at 09:15:45PM +0200, Luis R. Rodriguez wrote: >> On Tue, May 29, 2018 at 02:01:59PM -0400, Mimi Zohar wrote: >> > Some systems are memory constrained but they need to load very large >> > firmwares. The firmware subsystem allows drivers to request this >> > firmware be loaded from the filesystem, but this requires that the >> > entire firmware be loaded into kernel memory first before it's provided >> > to the driver. This can lead to a situation where we map the firmware >> > twice, once to load the firmware into kernel memory and once to copy the >> > firmware into the final resting place. >> > >> > To resolve this problem, commit a098ecd2fa7d ("firmware: support loading >> > into a pre-allocated buffer") introduced request_firmware_into_buf() API >> > that allows drivers to request firmware be loaded directly into a >> > pre-allocated buffer. The QCOM_MDT_LOADER calls dma_alloc_coherent() to >> > allocate this buffer. According to Documentation/DMA-API.txt, >> > >> > Consistent memory is memory for which a write by either the >> > device or the processor can immediately be read by the processor >> > or device without having to worry about caching effects. (You >> > may however need to make sure to flush the processor's write >> > buffers before telling devices to read that memory.) >> > >> > Devices using pre-allocated DMA memory run the risk of the firmware >> > being accessible by the device prior to the kernel's firmware signature >> > verification has completed. >> >> Indeed. And since its DMA memory we have *no idea* what can happen in >> terms of consumption of this firmware from hardware, when it would start >> consuming it in particular. >> >> If the device has its own hardware firmware verification mechanism this is >> completely obscure to us, but it may however suffice certain security policies. >> >> The problem here lies in the conflicting security policies of the kernel wanting >> to not give away firmware until its complete and the current inability to enable >> us to have platforms suggest they trust hardware won't do something stupid. >> This becomes an issue since the semantics of the firmware API preallocated >> buffer do not require currently allow the kernel to inform LSMs of the fact >> that a buffer is DMA memory or not, and a way for certain platforms then >> to say that such use is fine for specific devices. >> >> Given a pointer can we determine if a piece of memory is DMA or not? > > FWIW > > Vlastimil suggests page_zone() or virt_to_page() may be able to. I don't see a PAGEFLAG for DMA, but I do see ZONE_DMA for page_zone()... So maybe something like struct page *page; page = virt_to_page(address); if (!page) fail closed... if (page_zone(page) == ZONE_DMA) handle dma case... else non-dma But I've CCed Laura and Rik, who I always lean on when I have these kinds of page questions... -Kees -- Kees Cook Pixel Security