| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 13 May 2020 18:12:04 -0400
From: Mimi Zohar <zohar@...nel.org>
To: Luis Chamberlain <mcgrof@...nel.org>
Cc: Scott Branden <scott.branden@...adcom.com>,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
David Brown <david.brown@...aro.org>,
Alexander Viro <viro@...iv.linux.org.uk>,
Shuah Khan <shuah@...nel.org>, bjorn.andersson@...aro.org,
Shuah Khan <skhan@...uxfoundation.org>,
Arnd Bergmann <arnd@...db.de>,
"Rafael J . Wysocki" <rafael@...nel.org>,
linux-kernel@...r.kernel.org, linux-arm-msm@...r.kernel.org,
linux-fsdevel@...r.kernel.org,
BCM Kernel Feedback <bcm-kernel-feedback-list@...adcom.com>,
Olof Johansson <olof@...om.net>,
Andrew Morton <akpm@...ux-foundation.org>,
Dan Carpenter <dan.carpenter@...cle.com>,
Colin Ian King <colin.king@...onical.com>,
Kees Cook <keescook@...omium.org>,
Takashi Iwai <tiwai@...e.de>, linux-kselftest@...r.kernel.org,
Andy Gross <agross@...nel.org>,
linux-security-module <linux-security-module@...r.kernel.org>,
linux-integrity <linux-integrity@...r.kernel.org>
Subject: Re: [PATCH v5 1/7] fs: introduce kernel_pread_file* support
On Wed, 2020-05-13 at 21:28 +0000, Luis Chamberlain wrote:
> On Wed, May 13, 2020 at 05:20:14PM -0400, Mimi Zohar wrote:
> > On Wed, 2020-05-13 at 12:41 -0700, Scott Branden wrote:
> > >
> > > On 2020-05-13 12:39 p.m., Mimi Zohar wrote:
> > > > On Wed, 2020-05-13 at 12:18 -0700, Scott Branden wrote:
> > > >> On 2020-05-13 12:03 p.m., Mimi Zohar wrote:
> > > >>> On Wed, 2020-05-13 at 11:53 -0700, Scott Branden wrote:
> > > >> Even if the kernel successfully verified the firmware file signature it
> > > >> would just be wasting its time. The kernel in these use cases is not always
> > > >> trusted. The device needs to authenticate the firmware image itself.
> > > > There are also environments where the kernel is trusted and limits the
> > > > firmware being provided to the device to one which they signed.
> > > >
> > > >>> The device firmware is being downloaded piecemeal from somewhere and
> > > >>> won't be measured?
> > > >> It doesn't need to be measured for current driver needs.
> > > > Sure the device doesn't need the kernel measuring the firmware, but
> > > > hardened environments do measure firmware.
> > > >
> > > >> If someone has such need the infrastructure could be added to the kernel
> > > >> at a later date. Existing functionality is not broken in any way by
> > > >> this patch series.
> > > > Wow! You're saying that your patch set takes precedence over the
> > > > existing expectations and can break them.
> > > Huh? I said existing functionality is NOT broken by this patch series.
> >
> > Assuming a system is configured to measure and appraise firmware
> > (rules below), with this change the firmware file will not be properly
> > measured and will fail signature verification.
> >
> > Sample IMA policy rules:
> > measure func=FIRMWARE_CHECK
> > appraise func=FIRMWARE_CHECK appraise_type=imasig
>
> Would a pre and post lsm hook for pread do it?
IMA currently measures and verifies the firmware file signature on the
post hook. The file is read once into a buffer. With this change,
IMA would need to be on the pre hook, to read the entire file,
calculating the file hash and verifying the file signature. Basically
the firmware would be read once for IMA and again for the device.
Mimi
Powered by blists - more mailing lists