Message-ID: <1595848589.4841.78.camel@kernel.org>
Subject: Re: [PATCH v3 00/19] Introduce partial kernel_read_file() support
From: Mimi Zohar
To: Kees Cook, Greg Kroah-Hartman
Cc: Scott Branden, Luis Chamberlain, Jessica Yu, SeongJae Park, KP Singh, linux-efi@vger.kernel.org, linux-security-module@vger.kernel.org, linux-integrity@vger.kernel.org, selinux@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-kernel@vger.kernel.org
Date: Mon, 27 Jul 2020 07:16:29 -0400
In-Reply-To: <20200724213640.389191-1-keescook@chromium.org>
References: <20200724213640.389191-1-keescook@chromium.org>

On Fri, 2020-07-24 at 14:36 -0700, Kees Cook wrote:
> v3:
> - add reviews/acks
> - add "IMA: Add support for file reads without contents" patch
> - trim CC list, in case that's why vger ignored v2
> v2: [missing from lkml archives! (CC list too long?) repeating changes here]
> - fix issues in firmware test suite
> - add firmware partial read patches
> - various bug fixes/cleanups
> v1: https://lore.kernel.org/lkml/20200717174309.1164575-1-keescook@chromium.org/
>
> Hi,
>
> Here's my tree for adding partial read support in kernel_read_file(),
> which fixes a number of issues along the way. It's got Scott's firmware
> and IMA patches ported and everything tests cleanly for me (even with
> CONFIG_IMA_APPRAISE=y).

Thanks, Kees.  Other than my comments on the new
security_kernel_post_load_data() hook, the patch set is really nice.

In addition to compiling with CONFIG_IMA_APPRAISE enabled, have you
booted the kernel with the ima_policy=tcb?  The tcb policy will add
measurements to the IMA measurement list and extend the TPM with the
file or buffer data digest.  Are you seeing the firmware measurements,
in particular the partial read measurement?

thanks,

Mimi
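As an added example, not part of this thread or of the patch set, here is the kind of check Mimi's question calls for: read the IMA measurement list produced under ima_policy=tcb, pick out the firmware entries, and replay PCR 10 so the result can be compared with the TPM's actual PCR value. The list lines below are constructed, and the /lib/firmware/ path prefix is an assumption about where the firmware entries appear.

```python
import hashlib
from dataclasses import dataclass

# Constructed sample of the IMA measurement list
# (/sys/kernel/security/ima/ascii_runtime_measurements, ima-ng template).
# Digests are made-up hex, not real measurements. The all-zero template
# hash on the third line is how IMA records a measurement violation.
SAMPLE_LIST = "\n".join([
    "10 " + "1a" * 20 + " ima-ng sha256:" + "2b" * 32 + " boot_aggregate",
    "10 " + "3c" * 20 + " ima-ng sha256:" + "4d" * 32 + " /lib/firmware/example-fw.bin",
    "10 " + "00" * 20 + " ima-ng sha256:" + "00" * 32 + " /lib/firmware/open-writers.bin",
    "10 " + "5e" * 20 + " ima-ng sha256:" + "6f" * 32 + " /usr/bin/example",
])

@dataclass
class Entry:
    pcr: int
    template_hash: str   # sha1 over the template data, hex
    template: str
    file_digest: str     # "algo:hex" of the file or buffer data
    path: str

def parse_measurements(text: str) -> list[Entry]:
    """Parse ascii_runtime_measurements lines: PCR, template hash, template name, digest, path."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pcr, th, tmpl, dig, path = line.split(" ", 4)
        entries.append(Entry(int(pcr), th, tmpl, dig, path))
    return entries

def firmware_entries(entries, prefix="/lib/firmware/"):
    """Entries whose path falls under the (assumed) firmware directory."""
    return [e for e in entries if e.path.startswith(prefix)]

def replay_pcr(entries, pcr=10) -> str:
    """Recompute the expected SHA1-bank PCR by extending in list order.
    For a violation (zero template hash) the kernel extends the TPM with
    0xff..ff instead, which deliberately invalidates the PCR."""
    value = bytes(20)
    for e in entries:
        if e.pcr != pcr:
            continue
        th = bytes.fromhex(e.template_hash)
        if th == bytes(20):
            th = b"\xff" * 20
        value = hashlib.sha1(value + th).digest()
    return value.hex()

if __name__ == "__main__":
    ents = parse_measurements(SAMPLE_LIST)
    for e in firmware_entries(ents):
        print(e.path, e.file_digest)
    print("expected PCR-10:", replay_pcr(ents))
```

On a real system, replace SAMPLE_LIST with the contents of the securityfs file and compare the replayed value against the SHA1 bank of PCR 10 as read from the TPM.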