[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <1526568530-9144-10-git-send-email-zohar@linux.vnet.ibm.com>
Date: Thu, 17 May 2018 10:48:50 -0400
From: Mimi Zohar <zohar@...ux.vnet.ibm.com>
To: linux-integrity@...r.kernel.org
Cc: Mimi Zohar <zohar@...ux.vnet.ibm.com>,
linux-security-module@...r.kernel.org,
linux-kernel@...r.kernel.org, David Howells <dhowells@...hat.com>,
"Luis R . Rodriguez" <mcgrof@...nel.org>,
Eric Biederman <ebiederm@...ssion.com>,
kexec@...ts.infradead.org, Andres Rodriguez <andresx7@...il.com>,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
Ard Biesheuvel <ard.biesheuvel@...aro.org>,
"Luis R . Rodriguez" <mcgrof@...e.com>,
Kees Cook <keescook@...omium.org>,
"Serge E . Hallyn" <serge@...lyn.com>,
Stephen Boyd <stephen.boyd@...aro.org>
Subject: [PATCH v2 9/9] ima: based on policy prevent loading firmware (pre-allocated buffer)
Question: can the device access the pre-allocated buffer at any time?
By allowing devices to request firmware be loaded directly into a
pre-allocated buffer, will this allow the device access to the firmware
before the kernel has verified the firmware signature?
Is it dependent on the type of buffer allocated (eg. DMA)? For example,
qcom_mdt_load() -> qcom_scm_pas_init_image() -> dma_alloc_coherent().
With an IMA policy requiring signed firmware, this patch would prevent
loading firmware into a pre-allocated buffer.
Signed-off-by: Mimi Zohar <zohar@...ux.vnet.ibm.com>
Cc: Luis R. Rodriguez <mcgrof@...e.com>
Cc: David Howells <dhowells@...hat.com>
Cc: Kees Cook <keescook@...omium.org>
Cc: Serge E. Hallyn <serge@...lyn.com>
Cc: Stephen Boyd <stephen.boyd@...aro.org>
---
security/integrity/ima/ima_main.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index 29d1a929af5c..6224468845e6 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -452,6 +452,15 @@ int ima_read_file(struct file *file, enum kernel_read_file_id read_id)
return 0;
}
+ if (read_id == READING_FIRMWARE_PREALLOC_BUFFER) {
+ if ((ima_appraise & IMA_APPRAISE_FIRMWARE) &&
+ (ima_appraise & IMA_APPRAISE_ENFORCE)) {
+ pr_err("Prevent device from accessing firmware prior to verifying the firmware signature.\n");
+ return -EACCES;
+ }
+ return 0;
+ }
+
if (read_id == READING_FIRMWARE_FALLBACK_SYSFS) {
if ((ima_appraise & IMA_APPRAISE_FIRMWARE) &&
(ima_appraise & IMA_APPRAISE_ENFORCE)) {
--
2.7.5
Powered by blists - more mailing lists