Received: by 2002:a25:683:0:0:0:0:0 with SMTP id 125csp2338907ybg; Fri, 5 Jun 2020 11:19:48 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyfBHTYGEYzP1buAnK0bTCvGoS5MaMzVvo5fPM8W1LR8NaBmrYsicG1vifaeVfPnXcwbo8I X-Received: by 2002:a17:906:28da:: with SMTP id p26mr9502687ejd.551.1591381188081; Fri, 05 Jun 2020 11:19:48 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1591381188; cv=none; d=google.com; s=arc-20160816; b=JdZvqJ8XAIwofP++YF/bS3vNEZ5oRCAZJFItAzHXSWa81jnYvuTJ12qZjXJU/mDyVx uDCOU/qHpU+1Z/vEhU+SI7TWtcG4mTtoFNmcZC1CtVHbgJo2QpUPtYqNXhb6Q9Xd8NIy VJFSRA2vQWEJ5f9RxFgcLuZmEU02dXFI3nn6+2uliTaHL7yvHVrb11LJe/mq7OgUSgvn sXUoZ+sFMEti51GCDbCNAG+KCXIVx3BviF7xj1hsOyYQ0jIR1zs8cV7mt21B1IykmoxM Hp1j9uo8+PkaN/GrDVApObsRhYkaTf89qa08Vas4A5NQSxX4RyJjHw5k+VtYh/0ultVt UVXw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-language :content-transfer-encoding:in-reply-to:mime-version:user-agent:date :message-id:from:references:cc:to:subject:dkim-signature; bh=esmpnZfFmK3cVOEF7B5Xrx0JRzL/dAN0UyhbSUY5XOU=; b=Bu3u1ST182CFkmPxgOzHKUamFZfd0QSzvpltwb4oyk04iMPlaBbmMb8TtZQZ8j0SDZ cyGMxAladjPuw/75xpC/vDzWLlh7PGZ7edqVuKZkGfJxp9Laan6C8JgvUKsXbHieHkM1 SDuZxD7XUTpCdkquVtteuS3QrYtEihWc3nagvknmUljW/at+IIsoAeS+opybr2hNkgvh b9N7fJBPinG+/mzx0uuqQAXU6jjsw+Nf2TO5hRA1bJtiinXz0ei8/7VsREgA3+7KTWqC DXwT0AwiRoxdZKNWuTHoA/6YO8qHQHo9vzrmztyttMO4lvE9xIiC/1NVEmygZpz7kHR7 Y4TQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@broadcom.com header.s=google header.b=cOcYA+tC; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=broadcom.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id u2si4362818edx.353.2020.06.05.11.19.25; Fri, 05 Jun 2020 11:19:48 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@broadcom.com header.s=google header.b=cOcYA+tC; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=broadcom.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726900AbgFESPb (ORCPT + 99 others); Fri, 5 Jun 2020 14:15:31 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:58104 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726351AbgFESP2 (ORCPT ); Fri, 5 Jun 2020 14:15:28 -0400 Received: from mail-pf1-x441.google.com (mail-pf1-x441.google.com [IPv6:2607:f8b0:4864:20::441]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 0F49DC08C5C2 for ; Fri, 5 Jun 2020 11:15:28 -0700 (PDT) Received: by mail-pf1-x441.google.com with SMTP id b201so5367155pfb.0 for ; Fri, 05 Jun 2020 11:15:28 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=broadcom.com; s=google; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-transfer-encoding:content-language; bh=esmpnZfFmK3cVOEF7B5Xrx0JRzL/dAN0UyhbSUY5XOU=; b=cOcYA+tCbSiD62uF7VZPNASE+6dozCHWTwtyvAv86J4CHtUt/BKZxe9Hl8emWeJu32 NmToqo3tnfYNAFrtfZAe9DVKolOa1e6H2hwmafgv8/uG4iS4t+bJfKetLXM5cH7dUqwK 3Wi+k5Txc+6B/rmQRnq5aNqkpcI8toqLOgkyk= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-transfer-encoding :content-language; bh=esmpnZfFmK3cVOEF7B5Xrx0JRzL/dAN0UyhbSUY5XOU=; b=DvU+ZWkmoGSughiTKK7ebZpcgsiGCO0IfeySYKFtmyhITKOQrsjyxSC6Z2pGy46Anb Q6YVTnT35N61JpxvCQdZaqAs/zMkpfCpDXRFhwsRRrXBJMRdqmQRuwdfnNTM3s2FgUAB 3VoUtES0AbgpJE5VPkPkh56xaFsBsFjKbEOkbI9FpzXToK7mbXR/A4nYuLgSn6Xul0ba PZPD3caRoW3u1U+o2ksqFfAvtZy6fKKLdMMcUbKOQkQfz+KSdm1etabmSf7lMu1Iyssq A6bpt9yIXxBVpxskKMDBwxqZShhSw6zEkXTDo37PloHV9WXiGyGNMNLCZiI4OfYVBbj3 5P2A== X-Gm-Message-State: AOAM531cAzwVoDWhkUsdzRTUiOhecs539O4mBA1/z/l/2t4Vo/3FM4K9 Mfs3cbv7Zr4xl6Ts+AH6Zc9l1+W/WAwLwXYRUegq5fYhgVHKgLl1lZ120L/ev0LDlYPJvQul0hM 29H2q6bc5AXQ1g0lKh87L2J5r0Nsa77WDnY+K/gV9dgZ2gDuYsYlMJfnFyX0biZB2kk63HMZ7SN IAGwG+ljNwCmI= X-Received: by 2002:a63:9d0a:: with SMTP id i10mr10476176pgd.209.1591380926608; Fri, 05 Jun 2020 11:15:26 -0700 (PDT) Received: from [10.136.13.65] ([192.19.228.250]) by smtp.gmail.com with ESMTPSA id w24sm286555pfn.11.2020.06.05.11.15.22 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Fri, 05 Jun 2020 11:15:25 -0700 (PDT) Subject: Re: [PATCH 0/3] fs: reduce export usage of kerne_read*() calls To: Mimi Zohar , Kees Cook Cc: Christoph Hellwig , Luis Chamberlain , viro@zeniv.linux.org.uk, gregkh@linuxfoundation.org, rafael@kernel.org, ebiederm@xmission.com, jeyu@kernel.org, jmorris@namei.org, paul@paul-moore.com, stephen.smalley.work@gmail.com, eparis@parisplace.org, nayna@linux.ibm.com, dan.carpenter@oracle.com, skhan@linuxfoundation.org, geert@linux-m68k.org, tglx@linutronix.de, bauerman@linux.ibm.com, dhowells@redhat.com, linux-integrity@vger.kernel.org, linux-fsdevel@vger.kernel.org, kexec@lists.infradead.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org, linux-kernel@vger.kernel.org References: <20200513152108.25669-1-mcgrof@kernel.org> <20200513181736.GA24342@infradead.org> <20200515212933.GD11244@42.do-not-panic.com> <20200518062255.GB15641@infradead.org> <1589805462.5111.107.camel@linux.ibm.com> <7525ca03-def7-dfe2-80a9-25270cb0ae05@broadcom.com> <202005221551.5CA1372@keescook> <1590288736.5111.431.camel@linux.ibm.com> From: Scott Branden Message-ID: <1c68c0c7-1b0a-dfec-0e50-1b65eedc3dc7@broadcom.com> Date: Fri, 5 Jun 2020 11:15:21 -0700 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.8.0 MIME-Version: 1.0 In-Reply-To: <1590288736.5111.431.camel@linux.ibm.com> Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 8bit Content-Language: en-US Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi Mimi, On 2020-05-23 7:52 p.m., Mimi Zohar wrote: > On Fri, 2020-05-22 at 16:25 -0700, Scott Branden wrote: >> Hi Kees, >> >> On 2020-05-22 4:04 p.m., Kees Cook wrote: >>> On Fri, May 22, 2020 at 03:24:32PM -0700, Scott Branden wrote: >>>> On 2020-05-18 5:37 a.m., Mimi Zohar wrote: >>>>> On Sun, 2020-05-17 at 23:22 -0700, Christoph Hellwig wrote: >>>>>> On Fri, May 15, 2020 at 09:29:33PM +0000, Luis Chamberlain wrote: >>>>>>> On Wed, May 13, 2020 at 11:17:36AM -0700, Christoph Hellwig wrote: >>>>>>>> Can you also move kernel_read_* out of fs.h? That header gets pulled >>>>>>>> in just about everywhere and doesn't really need function not related >>>>>>>> to the general fs interface. >>>>>>> Sure, where should I dump these? >>>>>> Maybe a new linux/kernel_read_file.h? Bonus points for a small top >>>>>> of the file comment explaining the point of the interface, which I >>>>>> still don't get :) >>>>> Instead of rolling your own method of having the kernel read a file, >>>>> which requires call specific security hooks, this interface provides a >>>>> single generic set of pre and post security hooks.  The >>>>> kernel_read_file_id enumeration permits the security hook to >>>>> differentiate between callers. >>>>> >>>>> To comply with secure and trusted boot concepts, a file cannot be >>>>> accessible to the caller until after it has been measured and/or the >>>>> integrity (hash/signature) appraised. >>>>> >>>>> In some cases, the file was previously read twice, first to measure >>>>> and/or appraise the file and then read again into a buffer for >>>>> use.  This interface reads the file into a buffer once, calls the >>>>> generic post security hook, before providing the buffer to the caller. >>>>>  (Note using firmware pre-allocated memory might be an issue.) >>>>> >>>>> Partial reading firmware will result in needing to pre-read the entire >>>>> file, most likely on the security pre hook. >>>> The entire file may be very large and not fit into a buffer. >>>> Hence one of the reasons for a partial read of the file. >>>> For security purposes, you need to change your code to limit the amount >>>> of data it reads into a buffer at one time to not consume or run out of much >>>> memory. >>> Hm? That's not how whole-file hashing works. :) >>> These hooks need to finish their hashing and policy checking before they >>> can allow the rest of the code to move forward. (That's why it's a >>> security hook.) If kernel memory utilization is the primary concern, >>> then sure, things could be rearranged to do partial read and update the >>> hash incrementally, but the entire file still needs to be locked, >>> entirely hashed by hook, then read by the caller, then unlocked and >>> released. > Exactly. > >>> So, if you want to have partial file reads work, you'll need to >>> rearchitect the way this works to avoid regressing the security coverage >>> of these operations. >> I am not familiar with how the security handling code works at all. >> Is the same security check run on files opened from user space? >> A file could be huge. >> >> If it assumes there is there is enough memory available to read the >> entire file into kernel space then the improvement below can be left as >> a memory optimization to be done in an independent (or future) patch series. > There are two security hooks - security_kernel_read_file(), > security_kernel_post_read_file - in kernel_read_file().  The first > hook is called before the file is read into a buffer, while the second > hook is called afterwards. > > For partial reads, measuring the firmware and verifying the firmware's > signature will need to be done on the security_kernel_read_file() > hook. > >>> So, probably, the code will look something like: >>> >>> >>> file = kernel_open_file_for_reading(...) >>> file = open... >>> disallow_writes(file); >>> while (processed < size-of-file) { >>> buf = read(file, size...) >>> security_file_read_partial(buf) >>> } >>> ret = security_file_read_finished(file); >>> if (ret < 0) { >>> allow_writes(file); >>> return PTR_ERR(ret); >>> } >>> return file; >>> >>> while (processed < size-of-file) { >>> buf = read(file, size...) >>> firmware_send_partial(buf); >>> } >>> >>> kernel_close_file_for_reading(file) >>> allow_writes(file); > Right, the ima_file_mmap(), ima_bprm_check(), and ima_file_check() > hooks call process_measurement() to do this.  ima_post_read_file() > passes a buffer to process_measurement() instead. > > Scott, the change should be straight forward.  The additional patch > needs to: > - define a new kernel_read_file_id enumeration, like > FIRMWARE_PARTIAL_READ. > - Currently ima_read_file() has a comment about pre-allocated firmware > buffers.  Update ima_read_file() to call process_measurement() for the > new enumeration FIRMWARE_PARTIAL_READ and update ima_post_read_file() > to return immediately. Should this be what is in ima_read_file? {     enum ima_hooks func;     u32 secid;     if (read_id != READING_FIRMWARE_PARTIAL_READ)         return 0;     if (!file) { /* should never happen */         if (ima_appraise & IMA_APPRAISE_ENFORCE)             return -EACCES;         return 0;     }     security_task_getsecid(current, &secid);     return process_measurement(file, current_cred(), secid, NULL,                    0, MAY_READ, FILE_CHECK); } > > The built-in IMA measurement policy contains a rule to measure > firmware.  The policy can be specified on the boot command line by > specifying "ima_policy=tcb".  After reading the firmware, the firmware > measurement should be in /ima/ascii_runtime_measurements. > > thanks, > > Mimi