Received: by 2002:a05:6358:9144:b0:117:f937:c515 with SMTP id r4csp10493654rwr; Fri, 12 May 2023 08:50:56 -0700 (PDT) X-Google-Smtp-Source: ACHHUZ5CMTu+q0VGKRewjy4QX45lKYq4eUx8SSCusfM+a7lDOojltvx8qqloGVLHF2IYVlobdLNd X-Received: by 2002:a05:6a00:989:b0:62d:d045:392 with SMTP id u9-20020a056a00098900b0062dd0450392mr37735836pfg.32.1683906655876; Fri, 12 May 2023 08:50:55 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1683906655; cv=none; d=google.com; s=arc-20160816; b=XN8GHXzOKYRxxnc/60vOQ0pFQI30Dhi8GjHXFoYoDtomKitgMu0DdAb+PX1KeA4tQ4 XkEPQKAqJhvceHsjLXtQQrl+F8aa2u3qY9D9cGMHPwbZbbhm1VkTunc97ApCiZKljSWW UaPcpXONigi//FxSo7RKmtdXNNk3eJrpQIhIIYj2j197eaO+ytbXHo32PWTfj7Omw1Z9 jQL1uONdQRxs2FLKMLEj3b4cmZKbvRIyQ+25BrRYk+49MC82wv3EH56x1H4Xzpbaa/sg 9cvcJdO2/v1rA9DZFLHK3W+5PLHPR9jVFKemupQcIxjeHIQVUtGT77xeMmX0fHvUuRKD Jg9w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:cc:to:subject :message-id:date:from:in-reply-to:references:mime-version :dkim-signature; bh=rGClo5yQnuXbxJbb6N7eNBaPdwNH7dImKOaMeUWqjNk=; b=mAcsIB8ap5XO8dGU2ogCgCs7dLNZs0jb4cAt8vVWSqLz1NQXHw99LLNpE1IGonipbH ZkEXy5pHCjRLq84pq+cxlK7A15T4W6Lvq7DoiUE2AT75DGsnLmO+Eq5a7sgzLsrTz3pd 61ChwGMluUmr2ahLVR2C4x3WPBu2Spj8swIDfuF7AHIfJV/9NJLTxnVao3dnKkUBccS+ sc1xtjVZqvgrg5Zp901VbrJyo2JuUK/zkZBirYMjpxxVt2i9WVq111jpb1pQk89v6bTo BmBXXqtBw/rEkfjEnq0nJvp6UyOWVKpChXyAqOVUe8kEZ0NK2fyWRew1W2K2aU48Z7BE 2iWA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20221208 header.b=FdCnX2vK; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id y75-20020a62644e000000b00648628d3103si6658328pfb.377.2023.05.12.08.50.43; Fri, 12 May 2023 08:50:55 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20221208 header.b=FdCnX2vK; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S241442AbjELPfW (ORCPT + 99 others); Fri, 12 May 2023 11:35:22 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:54016 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S241233AbjELPfV (ORCPT ); Fri, 12 May 2023 11:35:21 -0400 Received: from mail-lj1-x229.google.com (mail-lj1-x229.google.com [IPv6:2a00:1450:4864:20::229]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id BD88B12A; Fri, 12 May 2023 08:35:19 -0700 (PDT) Received: by mail-lj1-x229.google.com with SMTP id 38308e7fff4ca-2ac82b07eb3so102783491fa.1; Fri, 12 May 2023 08:35:19 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1683905718; x=1686497718; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=rGClo5yQnuXbxJbb6N7eNBaPdwNH7dImKOaMeUWqjNk=; b=FdCnX2vKGhnL1s04fulB01XMFpqR3eKKjHsID5Hvotkqlozy/VxKNNVY+Nir6yzU9t 4e7InJEIWAiXhBxP7sstdfehHk0GYKVH64GcNzVZpCvhdF69XJrjL9kKSPoWDcHpo0Cn kzAdC8b2xlooG5odHjWx+N16ywxXqLR4xi59wjp0yOX0GMLaBNinVHwcfyOyKwRYEo8E XeE7Wk3G0dudfJS/WadR4EKwnR0/GiaQJBQJ5L0PrkXfDeNNlaKx6vqgDJTBm7TDTG+1 f/j2ZZw77LkUBfuI2mj5G3K0MGwlgeyA45ESClOWs86cPViPNbX6tbDB6glaYK+LXwEU Ochg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1683905718; x=1686497718; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=rGClo5yQnuXbxJbb6N7eNBaPdwNH7dImKOaMeUWqjNk=; b=hPxgoYQhRHxxJYx9cDsQDpjXj6FiQh2AD9wvaJUGB4m874inCJxkwqqQRCdnmjg7rX KTD7PYho24QTczMfL3bEiVFQQn0lrJhkCQuSit0j3U7KLR6BYE4XD6o6HorS/QA8FkgY LUPjK9okbZkefM+WxArNTd/e9u4jfO9LVUFFKrD7GoHO+95IvP+sJGiLrXRSWVU2HFX0 H+LFpPqAcahZCtMSmBSVv40vHsbePmWX4W/XFG2ubEQBoGmBg1eW+uxrysxJu7xaYc/2 79lMYEeDHawJeH40Sb94kdeo75Al+w+3ZXpsAgR4sBXT/MYaF4rCql2iA7Ok4OLwphIV nrgg== X-Gm-Message-State: AC+VfDxEN0W7e5yz/PRxm4Rv/eiWoVZI1CE5033jFqM/0QgJpDUxizIc MIRdswKDSfqtRo08SWvmeq0I26MMM1Eles1WzRY= X-Received: by 2002:a05:6512:963:b0:4f2:4bc2:fc35 with SMTP id v3-20020a056512096300b004f24bc2fc35mr3993596lft.53.1683905717720; Fri, 12 May 2023 08:35:17 -0700 (PDT) MIME-Version: 1.0 References: <20230505220043.39036-1-jorge.lopez2@hp.com> <20230505220043.39036-12-jorge.lopez2@hp.com> <79db2a99-5cd7-19c0-212d-9e28869a6a18@linux.intel.com> In-Reply-To: From: Jorge Lopez Date: Fri, 12 May 2023 10:34:48 -0500 Message-ID: Subject: Re: [PATCH v12 11/13] HP BIOSCFG driver - surestart-attributes To: =?UTF-8?Q?Ilpo_J=C3=A4rvinen?= Cc: hdegoede@redhat.com, platform-driver-x86@vger.kernel.org, LKML , thomas@t-8ch.de Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM, RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, May 12, 2023 at 9:12=E2=80=AFAM Ilpo J=C3=A4rvinen wrote: > > On Fri, 12 May 2023, Jorge Lopez wrote: > > > On Thu, May 11, 2023 at 4:32=E2=80=AFAM Ilpo J=C3=A4rvinen > > wrote: > > > > > > On Wed, 10 May 2023, Jorge Lopez wrote: > > > > > > > On Tue, May 9, 2023 at 8:57=E2=80=AFAM Ilpo J=C3=A4rvinen > > > > wrote: > > > > > > > > > > On Fri, 5 May 2023, Jorge Lopez wrote: > > > > > > > > > > > HP BIOS Configuration driver purpose is to provide a driver sup= porting > > > > > > the latest sysfs class firmware attributes framework allowing t= he user > > > > > > to change BIOS settings and security solutions on HP Inc.=E2=80= =99s commercial > > > > > > notebooks. > > > > > > > > > > > > Many features of HP Commercial notebooks can be managed using W= indows > > > > > > Management Instrumentation (WMI). WMI is an implementation of W= eb-Based > > > > > > Enterprise Management (WBEM) that provides a standards-based in= terface > > > > > > for changing and monitoring system settings. HP BIOSCFG driver = provides > > > > > > a native Linux solution and the exposed features facilitates th= e > > > > > > migration to Linux environments. > > > > > > > > > > > > The Linux security features to be provided in hp-bioscfg driver= enables > > > > > > managing the BIOS settings and security solutions via sysfs, a = virtual > > > > > > filesystem that can be used by user-mode applications. The new > > > > > > documentation cover HP-specific firmware sysfs attributes such = Secure > > > > > > Platform Management and Sure Start. Each section provides secur= ity > > > > > > feature description and identifies sysfs directories and files = exposed > > > > > > by the driver. > > > > > > > > > > > > Many HP Commercial notebooks include a feature called Secure Pl= atform > > > > > > Management (SPM), which replaces older password-based BIOS sett= ings > > > > > > management with public key cryptography. PC secure product mana= gement > > > > > > begins when a target system is provisioned with cryptographic k= eys > > > > > > that are used to ensure the integrity of communications between= system > > > > > > management utilities and the BIOS. > > > > > > > > > > > > HP Commercial notebooks have several BIOS settings that control= its > > > > > > behaviour and capabilities, many of which are related to securi= ty. > > > > > > To prevent unauthorized changes to these settings, the system c= an > > > > > > be configured to use a cryptographic signature-based authorizat= ion > > > > > > string that the BIOS will use to verify authorization to modify= the > > > > > > setting. > > > > > > > > > > > > Linux Security components are under development and not publish= ed yet. > > > > > > The only linux component is the driver (hp bioscfg) at this tim= e. > > > > > > Other published security components are under Windows. > > > > > > > > > > > > Signed-off-by: Jorge Lopez > > > > > > > > > > > > --- > > > > > > Based on the latest platform-drivers-x86.git/for-next > > > > > > --- > > > > > > > + */ > > > > > > + if (count * LOG_ENTRY_SIZE > PAGE_SIZE) > > > > > > + return -EIO; > > > > > > + > > > > > > + /* > > > > > > + * We are guaranteed the buffer is 4KB so today all the e= vent > > > > > > + * logs will fit > > > > > > + */ > > > > > > + for (i =3D 0; i < count; i++) { > > > > > > + audit_log_buffer[0] =3D (i + 1); > > > > > > + > > > > > > + /* > > > > > > + * read audit log entry at a time. 'buf' input va= lue > > > > > > + * provides the audit log entry to be read. On > > > > > > + * input, Byte 0 =3D Audit Log entry number from > > > > > > + * beginning (1..254) > > > > > > + * Entry number 1 is the newest entry whereas the > > > > > > + * highest entry number (number of entries) is th= e > > > > > > + * oldest entry. > > > > > > + */ > > > > > > + ret =3D hp_wmi_perform_query(HPWMI_SURESTART_GET_= LOG, > > > > > > + HPWMI_SURESTART, > > > > > > + audit_log_buffer, 1, 1= 28); > > > > > > + > > > > > > + if (ret >=3D 0 && (LOG_ENTRY_SIZE * i) < PAGE_SIZ= E) { > > > > > > > > > > Can the second condition ever fail? > > > > > > > > > Only in the event BIOS data is corrupted. > > > > > > i runs from 0 to count - 1 and you prevented count * LOG_ENTRY_SIZE > > > > PAGE_SIZE above. So what does the BIOS data have to do with that? > > > > BIOS guarantees the number of audit logs * LOG_ENTRY_SIZE will be less > > than 4K (PAGE_SIZE) > > Because Linux kernel trusts no one, we are checking that BIOS does not > > report more events than it should. > > I know you're checking that. > > What I'm trying to say that even after that check, your own code does not > trust that when i < count holds (as per the for loop termination > condition), i * LOG_ENTRY_SIZE < count * LOG_ENTRY_SIZE. > > So what I'm trying to say is that this check: > && (LOG_ENTRY_SIZE * i) < PAGE_SIZE > ...is always true (and therefore unnecessary). > I partially agree. If BIOS returns a count size of 300 for the current audit log entry size of 16 bytes, then this condition is false. (299 * 16 bytes (LOG_ENTRY_SIZE) ) is greater than 4K. I am just trying to prevent conditions when BIOS could return invalid audit_log_entry_count values. If you still feel the code is unnecessary then I will proceed to remove the check. > > WMI expects the input buffer to include the current audit log number > > (audit_log_buffer[0] =3D (i + 1);) which is i+1. > > I don't see how this is relevant to what I was asking. > Just adding information how the messages were retrieved. Please ignore. > > > > > > + memcpy(buf, audit_log_buffer, LOG_ENTRY_S= IZE); > > > > > > + buf +=3D LOG_ENTRY_SIZE; > > > > > > + } else { > > > > > > + /* > > > > > > + * Encountered a failure while reading > > > > > > + * individual logs. Only a partial list o= f > > > > > > + * audit log will be returned. > > > > > > + */ > > > > > > + count =3D i + 1; > > > > > > + break; > > > > > > + } > > > > > > > > > > Reverse order, do error handling with break first. > > > > Done! > > > > > > > > > > Why not return i * LOG_ENTRY_SIZE directly (or at the end), no ne= ed to > > > > > tweak count? > > > > > > > > Done! > > > > > > > > > > > + } > > > > > > + > > > > > > + return count * LOG_ENTRY_SIZE; > > > > > > +} > > -- > i.