On Wed, Jul 29, 2020 at 02:10:18PM -0400, Mimi Zohar wrote:
> Actually, the partial firmware read should be calling
> security_kernel_read_file().
Yup, it does[1], and when "whole_file" is true, it will call
security_kernel_post_read_file() with the buffer contents at the end.
> The sysfs firmware fallback is calling security_kernel_load_data().
Correct[2]; it has no file associated with it (same as the EFI platform
source).
> Which firmware is calling security_kernel_post_load_data()?
sysfs and platform both call it[2], matched with their
security_kernel_load_data() calls.
-Kees
[1] v4 patch 14: "fs/kernel_file_read: Add "offset" arg for partial reads"
https://lore.kernel.org/lkml/20200729175845.1745471-1-keescook@xxxxxxxxxxxx/T/#iZ2e.:..:20200729175845.1745471-15-keescook::40chromium.org:0fs:kernel_read_file.c
[2] v4 patch 10: "firmware_loader: Use security_post_load_data()"
https://lore.kernel.org/lkml/20200729175845.1745471-1-keescook@xxxxxxxxxxxx/T/#iZ2e.:..:20200729175845.1745471-11-keescook::40chromium.org:0drivers:base:firmware_loader:fallback.c
--
Kees Cook
