On Tue, May 01, 2018 at 09:48:19AM -0400, Mimi Zohar wrote:
> With an IMA policy requiring signed firmware, this patch prevents
> the sysfs fallback method of loading firmware.
>
> Signed-off-by: Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx>
> Cc: Luis R. Rodriguez <mcgrof@xxxxxxxx>
> Cc: David Howells <dhowells@xxxxxxxxxx>
> Cc: Matthew Garrett <mjg59@xxxxxxxxxx>
> ---
> security/integrity/ima/ima_main.c | 10 ++++++++++
> 1 file changed, 10 insertions(+)
>
> diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
> index 754ece08e1c6..8759280dccf6 100644
> --- a/security/integrity/ima/ima_main.c
> +++ b/security/integrity/ima/ima_main.c
> @@ -453,7 +453,17 @@ int ima_read_file(struct file *file, enum kernel_read_file_id read_id)
> }
> return 0;
> }
> +
> + if (read_id == READING_FIRMWARE_FALLBACK) {
> + if ((ima_appraise & IMA_APPRAISE_FIRMWARE) &&
> + (ima_appraise & IMA_APPRAISE_ENFORCE)) {
> + pr_err("Prevent firmware sysfs fallback loading.\n");
> + return -EACCES;
> + }
> + return 0;
> + }
> return 0;
> +
> }
>
Due to the lack of ability to appraise these calls, it has me wondering if having
these drivers be wrapped into a their own kconfig may make sense, ie, they use
a mechanism which IMA cannot possibly work with. Then at least some kernel
builds can exist in which we know we can count on this run time to never
happen. Thoughts?
See for instance use of CONFIG_PREVENT_FIRMWARE_BUILD.
Luis
