From: Mimi Zohar
To: linux-integrity@vger.kernel.org
Cc: Mimi Zohar, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, David Howells, "Luis R. Rodriguez", Eric Biederman, kexec@lists.infradead.org, Andres Rodriguez, Greg Kroah-Hartman, Ard Biesheuvel, "Luis R. Rodriguez", Kees Cook, "Serge E. Hallyn", Stephen Boyd, Bjorn Andersson
Subject: [PATCH v5 7/8] ima: based on policy warn about loading firmware (pre-allocated buffer)
Date: Mon, 2 Jul 2018 10:38:02 -0400
In-Reply-To: <1530542283-26145-1-git-send-email-zohar@linux.vnet.ibm.com>
References: <1530542283-26145-1-git-send-email-zohar@linux.vnet.ibm.com>
Message-Id: <1530542283-26145-8-git-send-email-zohar@linux.vnet.ibm.com>
X-Mailing-List: linux-kernel@vger.kernel.org

Some systems are memory constrained but they need to load very large firmwares. The firmware subsystem allows drivers to request this firmware be loaded from the filesystem, but this requires that the entire firmware be loaded into kernel memory first before it's provided to the driver. This can lead to a situation where we map the firmware twice, once to load the firmware into kernel memory and once to copy the firmware into the final resting place.
To resolve this problem, commit a098ecd2fa7d ("firmware: support loading into a pre-allocated buffer") introduced the request_firmware_into_buf() API that allows drivers to request firmware be loaded directly into a pre-allocated buffer.

(Based on the mailing list discussions, calling dma_alloc_coherent() is unnecessary and confusing.)

(Very broken/buggy) devices using pre-allocated memory run the risk of the firmware being accessible to the device prior to the completion of IMA's signature verification. For the time being, this patch emits a warning, but does not prevent the loading of the firmware.

Signed-off-by: Mimi Zohar
Cc: Luis R. Rodriguez
Cc: David Howells
Cc: Kees Cook
Cc: Serge E. Hallyn
Cc: Stephen Boyd
Cc: Bjorn Andersson
---
Changelog v5:
- Instead of preventing loading firmware from a pre-allocated buffer, emit a warning.

 security/integrity/ima/ima_main.c | 25 ++++++++++++++++---------
 1 file changed, 16 insertions(+), 9 deletions(-)

diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index e467664965e7..7da123d980ea 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -416,6 +416,15 @@ void ima_post_path_mknod(struct dentry *dentry) iint->flags |= IMA_NEW_FILE; } +static int read_idmap[READING_MAX_ID] = { + [READING_FIRMWARE] = FIRMWARE_CHECK, + [READING_FIRMWARE_PREALLOC_BUFFER] = FIRMWARE_CHECK, + [READING_MODULE] = MODULE_CHECK, + [READING_KEXEC_IMAGE] = KEXEC_KERNEL_CHECK, + [READING_KEXEC_INITRAMFS] = KEXEC_INITRAMFS_CHECK, + [READING_POLICY] = POLICY_CHECK +}; + /** * ima_read_file - pre-measure/appraise hook decision based on policy * @file: pointer to the file to be measured/appraised/audit
@@ -439,18 +448,16 @@ int ima_read_file(struct file *file, enum kernel_read_file_id read_id) } return 0; /* We rely on module signature checking */ } + + if (read_id == READING_FIRMWARE_PREALLOC_BUFFER) { + if ((ima_appraise & IMA_APPRAISE_FIRMWARE) && + (ima_appraise & IMA_APPRAISE_ENFORCE)) { + pr_warn("device might be able to access firmware prior to signature verification completion.\n"); + } + } return 0; } -static int read_idmap[READING_MAX_ID] = { - [READING_FIRMWARE] = FIRMWARE_CHECK, - [READING_FIRMWARE_PREALLOC_BUFFER] = FIRMWARE_CHECK, - [READING_MODULE] = MODULE_CHECK, - [READING_KEXEC_IMAGE] = KEXEC_KERNEL_CHECK, - [READING_KEXEC_INITRAMFS] = KEXEC_INITRAMFS_CHECK, - [READING_POLICY] = POLICY_CHECK -}; - /** * ima_post_read_file - in memory collect/appraise/audit measurement * @file: pointer to the file to be measured/appraised/audit -- 2.7.5
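Review bot: the read_idmap[] table moved above ima_read_file() in the @@ -416,6 +416,15 @@ hunk is not referenced by anything this patch adds to ima_read_file(), which compares read_id directly against READING_FIRMWARE_PREALLOC_BUFFER, so the relocation reads as unrelated churn that makes the diff larger than the functional change; either drop the move from this patch or say in the commit message why the table now has to be defined before ima_read_file().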
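Review bot: in the @@ -439,18 +448,16 @@ hunk the new pr_warn() is not rate limited and names neither the file nor the caller, so a driver that reloads firmware into its pre-allocated buffer repeatedly will emit the identical line on every load with nothing to tie it to a particular blob; with `file` in scope, consider `pr_warn("%pD: device might be able to access firmware prior to signature verification completion.\n", file)` or at least pr_warn_once(). The two nested ifs also collapse into a single condition, `if (read_id == READING_FIRMWARE_PREALLOC_BUFFER && (ima_appraise & IMA_APPRAISE_FIRMWARE) && (ima_appraise & IMA_APPRAISE_ENFORCE))`, and the braces around the lone pr_warn() call are not needed under kernel coding style.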
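The hazard the commit message describes, modelled in user space as an added example (it is not part of this patch and not the kernel's firmware or IMA code): load_direct() mirrors the request_firmware_into_buf() ordering, where the image is copied into the device-visible buffer and appraised afterwards, and load_staged() the verify-then-publish ordering. A 64-bit FNV-1a digest stands in for IMA's signature appraisal, the firmware image and its expected digest are constructed, and the "device" is a poll that records whether any bytes were visible in its pre-allocated buffer before the verdict. All names and the device model are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FW_BUF_SIZE 64

/* Constructed sample firmware image (an assumption, not a real blob). */
static const uint8_t good_fw[] = "VENDOR-FW-1.0:payload";
#define GOOD_FW_LEN (sizeof(good_fw) - 1)

/* 64-bit FNV-1a stands in for IMA's appraisal: a mismatch == failed signature. */
static uint64_t fnv1a64(const uint8_t *p, size_t n)
{
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* Model of a device that can read its pre-allocated buffer at any moment. */
struct device_model {
    uint8_t buf[FW_BUF_SIZE];   /* pre-allocated, device-visible buffer */
    int saw_unverified;         /* a poll found bytes before the verdict */
};

/* The device "DMAs" whatever is in buf when it polls; note if anything was there. */
static void device_poll(struct device_model *dev)
{
    for (size_t i = 0; i < FW_BUF_SIZE; i++)
        if (dev->buf[i] != 0)
            dev->saw_unverified = 1;
}

/* Hazard from the commit message: the image lands in the device-visible buffer
 * first and is appraised afterwards, so a poll in between reads unverified bytes. */
static int load_direct(struct device_model *dev, const uint8_t *img, size_t n,
                       uint64_t expected)
{
    if (n > FW_BUF_SIZE)
        return -1;
    memcpy(dev->buf, img, n);           /* request_firmware_into_buf() model */
    device_poll(dev);                   /* device reads before appraisal */
    if (fnv1a64(dev->buf, n) != expected) {
        memset(dev->buf, 0, FW_BUF_SIZE);   /* too late: already seen */
        return -1;
    }
    return 0;
}

/* Safe ordering: stage in private memory, appraise, then publish. */
static int load_staged(struct device_model *dev, const uint8_t *img, size_t n,
                       uint64_t expected)
{
    uint8_t staging[FW_BUF_SIZE];
    if (n > FW_BUF_SIZE)
        return -1;
    memcpy(staging, img, n);
    device_poll(dev);                   /* device sees only the empty buffer */
    if (fnv1a64(staging, n) != expected)
        return -1;
    memcpy(dev->buf, staging, n);       /* only verified bytes reach the device */
    return 0;
}

typedef int (*loader_fn)(struct device_model *, const uint8_t *, size_t, uint64_t);

/* Run a one-byte-tampered image through a loader. Returns what the device saw
 * (1 = unverified bytes, 0 = nothing) or -1 if the loader wrongly accepted it. */
static int exposure_after_tampered_load(loader_fn load)
{
    struct device_model dev = { {0}, 0 };
    uint8_t bad[FW_BUF_SIZE];
    uint64_t expected = fnv1a64(good_fw, GOOD_FW_LEN);
    memcpy(bad, good_fw, GOOD_FW_LEN);
    bad[0] ^= 0x01;                     /* tamper with one byte */
    if (load(&dev, bad, GOOD_FW_LEN, expected) != -1)
        return -1;
    return dev.saw_unverified;
}

/* Good image through the staged loader: 1 if accepted and published intact. */
static int staged_load_publishes_good_fw(void)
{
    struct device_model dev = { {0}, 0 };
    uint64_t expected = fnv1a64(good_fw, GOOD_FW_LEN);
    return load_staged(&dev, good_fw, GOOD_FW_LEN, expected) == 0 &&
           dev.saw_unverified == 0 &&
           memcmp(dev.buf, good_fw, GOOD_FW_LEN) == 0;
}

int main(void)
{
    printf("direct loader exposure: %d\n", exposure_after_tampered_load(load_direct));
    printf("staged loader exposure: %d\n", exposure_after_tampered_load(load_staged));
    printf("staged loader publishes good image: %d\n", staged_load_publishes_good_fw());
    return 0;
}
```

With the direct ordering the tampered image is rejected, yet the device has already seen it; with the staged ordering the device-visible buffer stays empty until appraisal passes. The staged path closes the window at the cost of the extra copy that request_firmware_into_buf() was introduced to avoid, which is the trade-off the warning in this patch points at.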