Subject: Re: [PATCH v5 7/8] ima: based on policy warn about loading firmware (pre-allocated buffer)
From: Mimi Zohar
To: Ard Biesheuvel, Bjorn Andersson
Cc: Mimi Zohar, linux-integrity, linux-security-module, Linux Kernel Mailing List, David Howells, Luis R. Rodriguez, Eric Biederman, Kexec Mailing List, Andres Rodriguez, Greg Kroah-Hartman, Kees Cook, Serge E. Hallyn, Stephen Boyd
Date: Thu, 12 Jul 2018 16:03:13 -0400
References: <1530542283-26145-1-git-send-email-zohar@linux.vnet.ibm.com> <1530542283-26145-8-git-send-email-zohar@linux.vnet.ibm.com> <1531165294.3332.40.camel@linux.ibm.com> <20180710191951.GF1731@minitux>
Message-Id: <1531425793.3568.275.camel@linux.ibm.com>
List-ID: linux-kernel@vger.kernel.org

On Wed, 2018-07-11 at 08:24 +0200, Ard Biesheuvel wrote:
> On 10 July 2018 at 21:19, Bjorn Andersson wrote:
> > Tbh the only case I can think of where there would be a "race condition"
> > here is if we have a device that is polling the last byte of a
> > predefined firmware memory area for the firmware loader to read some
> > specific data into it. In cases where the firmware request is followed
> > by some explicit signalling to the device (or a power on sequence) I'm
> > unable to see the issue discussed here.
> >
>
> I agree. But the latter part is platform specific, and so it requires
> some degree of trust in the driver author on the part of the IMA
> routines that request_firmware() is called at an appropriate time.

Exactly.  Qualcomm could be using the pre-allocated buffer appropriately, but that doesn't guarantee how it will be used in the future.

> The point I am trying to make in this thread is that there are cases
> where it makes no sense for the kernel to reason about these things,
> given that higher privilege levels such as the TrustZone secure world
> own the kernel's execution context entirely already, and given that
> masters that are not behind an IOMMU can read and write all of memory
> all of the time anyway.
>
> The bottom line is that reality does not respect the layering that IMA
> assumes, and so the only meaningful way to treat some of the use cases
> is simply to ignore them entirely. So we should still perform all the
> checks, but we will have to live with the limited utility of doing so
> in some scenarios (and not print nasty warnings to the kernel log for
> such cases)

You have convinced me that the warning shouldn't be emitted in either the non-IOMMU or in the IOMMU case, assuming the buffer has not been DMA mapped.

The remaining concern is using the same buffer mapped to multiple devices or re-using the same buffer to load multiple firmware blobs.  I'm not sure how easy that would be to detect.

I need to stage the rest of the patch set to be upstreamed.  Could we just add a comment in the code reflecting this discussion?

Mimi