On Tue, 2018-04-24 at 17:09 +0200, Hans de Goede wrote: > Hi, > > On 23-04-18 23:11, Luis R. Rodriguez wrote: > > Hans, please see use of READING_FIRMWARE_PREALLOC_BUFFER, we'll need a new ID > > and security for this type of request so IMA can reject it if the policy is > > configured for it. > > Hmm, interesting, actually it seems like the whole existence > of READING_FIRMWARE_PREALLOC_BUFFER is a mistake, the IMA > framework really does not care if we are loading the firmware > into memory allocated by the firmware-loader code, or into > memory allocated by the device-driver requesting the firmware. > > As such the current IMA code (from v4.17-rc2) actually does > not handle READING_FIRMWARE_PREALLOC_BUFFER at all, Right, it doesn't yet address READING_FIRMWARE_PREALLOC_BUFFER, but should. Depending on whether the device requesting the firmware has access to the DMA memory, before the signature verification, will determine how IMA-appraisal addresses READING_FIRMWARE_PREALLOC_BUFFER. Mimi > here > are bits of code from: security/integrity/ima/ima_main.c: > > static int read_idmap[READING_MAX_ID] = { > [READING_FIRMWARE] = FIRMWARE_CHECK, > [READING_MODULE] = MODULE_CHECK, > [READING_KEXEC_IMAGE] = KEXEC_KERNEL_CHECK, > [READING_KEXEC_INITRAMFS] = KEXEC_INITRAMFS_CHECK, > [READING_POLICY] = POLICY_CHECK > }; > > int ima_post_read_file(struct file *file, void *buf, loff_t size, > ... > if (!file && read_id == READING_FIRMWARE) { > if ((ima_appraise & IMA_APPRAISE_FIRMWARE) && > (ima_appraise & IMA_APPRAISE_ENFORCE)) > return -EACCES; /* INTEGRITY_UNKNOWN */ > return 0; > } > > Which show that the IMA code is not handling > READING_FIRMWARE_PREALLOC_BUFFER as it should (I believe it > should handle it the same as READING_FIRMWARE). > > Now we could fix that, but the only user of > READING_FIRMWARE_PREALLOC_BUFFER is the code which originally > introduced it: > > https://patchwork.kernel.org/patch/9162011/ > > So I believe it might be better to instead replace it > with just READING_FIRMWARE and find another way to tell > kernel_read_file() that there is a pre-allocated buffer, > perhaps the easiest way there is that *buf must be > NULL when the caller wants kernel_read_file() to > vmalloc the mem. This would of course require auditing > all callers that the buf which the pass in is initialized > to NULL. > > Either way adding a third READING_FIRMWARE_FOO to the > kernel_read_file_id enum seems like a bad idea, from > the IMA pov firmware is firmware. > > What this whole exercise has shown me though is that > I need to call security_kernel_post_read_file() when > loading EFI embedded firmware. I will add a call to > security_kernel_post_read_file() for v4 of the patch-set. > > > Please Cc Kees in future patches. > > Will do. > > Regards, > > Hans > -- To unsubscribe from this list: send the line "unsubscribe linux-efi" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html