Message-ID: <1591400895.4615.45.camel@linux.ibm.com>
Date: Fri, 05 Jun 2020 19:48:15 -0400
From: Mimi Zohar <zohar@...ux.ibm.com>
To: Scott Branden <scott.branden@...adcom.com>,
Luis Chamberlain <mcgrof@...nel.org>,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
David Brown <david.brown@...aro.org>,
Alexander Viro <viro@...iv.linux.org.uk>,
Shuah Khan <shuah@...nel.org>, bjorn.andersson@...aro.org,
Shuah Khan <skhan@...uxfoundation.org>,
Arnd Bergmann <arnd@...db.de>
Cc: "Rafael J . Wysocki" <rafael@...nel.org>,
linux-kernel@...r.kernel.org, linux-arm-msm@...r.kernel.org,
linux-fsdevel@...r.kernel.org,
BCM Kernel Feedback <bcm-kernel-feedback-list@...adcom.com>,
Olof Johansson <olof@...om.net>,
Andrew Morton <akpm@...ux-foundation.org>,
Dan Carpenter <dan.carpenter@...cle.com>,
Colin Ian King <colin.king@...onical.com>,
Kees Cook <keescook@...omium.org>,
Takashi Iwai <tiwai@...e.de>, linux-kselftest@...r.kernel.org,
Andy Gross <agross@...nel.org>,
linux-integrity@...r.kernel.org,
linux-security-module@...r.kernel.org
Subject: Re: [PATCH v6 8/8] ima: add FIRMWARE_PARTIAL_READ support

On Fri, 2020-06-05 at 16:31 -0700, Scott Branden wrote:
> Hi Mimi,
>
> On 2020-06-05 4:19 p.m., Mimi Zohar wrote:
> > Hi Scott,
> >
> > On Fri, 2020-06-05 at 15:59 -0700, Scott Branden wrote:
> >> @@ -648,6 +667,9 @@ int ima_post_read_file(struct file *file, void *buf, loff_t size,
> >> enum ima_hooks func;
> >> u32 secid;
> >>
> >> + if (!file && read_id == READING_FIRMWARE_PARTIAL_READ)
> >> + return 0;
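Review bot: the early return added to ima_post_read_file() is conditioned on `!file && read_id == READING_FIRMWARE_PARTIAL_READ`, so a partial read that arrives with a non-NULL file does not take this return and continues into the rest of the function. If partial reads are never meant to be handled in the post-read hook, test `read_id` alone, and add a one-line comment above the check saying why this case returns 0 here.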
> > The file should be measured on the pre security hook, not here on the
> > post security hook. Here, whether "file" is defined or not, is
> > irrelevant. The test should just check "read_id".
> OK, will remove the !file from here.

Thanks!
> >
> > Have you tested measuring the firmware by booting a system with
> > "ima_policy=tcb" specified on the boot command line and compared the
> > measurement entry in the IMA measurement list with the file hash (eg.
> > sha1sum, sha256sum)?
> Yes, I enabled IMA in my kernel and added ima_policy=tsb to the boot
> command line,
>
> Here are the entries from
> /sys/kernel/security/ima/ascii_runtime_measurements of the files I am
> accessing.
> Please let me know if I am doing anything incorrectly.
>
> 10 4612bce355b2dbc45ecd95e17001636be8832c7f ima-ng
> sha1:fddd9a28c2b15acf3b0fc9ec0cf187cb2153d7f2
> /lib/firmware/vk-boot1-bcm958401m2.ecdsa.bin
> 10 4c0eb0fc30eb7ac3a30a27f05c1d2a8d28d6a9ec ima-ng
> sha1:b16d343dd63352d10309690c71b110762a9444c3
> /lib/firmware/vk-boot2-bcm958401m2_a72.ecdsn
>
> The sha1 sum matches:
> root@...ericx86-64:/sys/kernel/security/ima# sha1sum
> /lib/firmware/vk-boot1-bcm958401m2.ecdsa.bin
> fddd9a28c2b15acf3b0fc9ec0cf187cb2153d7f2
> /lib/firmware/vk-boot1-bcm958401m2.ecdsa.bin
>
> root@...ericx86-64:/sys/kernel/security/ima# sha1sum
> /lib/firmware/vk-boot2-bcm958401m2_a72.ecdsa.bin
> b16d343dd63352d10309690c71b110762a9444c3
> /lib/firmware/vk-boot2-bcm958401m2_a72.ecdsa.bin

Looks good!

(FYI, a larger hash algorithm can be specified in the Kconfig or
"ima_hash=" on the boot command line.)

Mimi
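The comparison done by hand in this thread (an ima-ng entry from ascii_runtime_measurements against sha1sum of the file) can be scripted; the following is an added example, not part of the original message or of the kernel tree. All function names are hypothetical, the sample entries are constructed, and the hash algorithm is taken from the `algo:` prefix of each entry so that entries produced with a larger "ima_hash=" setting are handled as well.

```python
import hashlib
import os
import tempfile

def parse_ima_ng(line):
    """Split one ima-ng line into (pcr, template_hash, algo, digest, path)."""
    parts = line.rstrip("\n").split(None, 4)  # the path is the rest of the line
    if len(parts) != 5 or parts[2] != "ima-ng" or ":" not in parts[3]:
        return None
    algo, digest = parts[3].split(":", 1)
    return parts[0], parts[1], algo, digest.lower(), parts[4]

def file_digest(path, algo):
    """Hash the file as it is on disk now, with the algorithm named in the entry."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def check_measurements(lines, prefix="/lib/firmware/"):
    """Return {path: match | mismatch | missing | unsupported}; a later entry wins."""
    results = {}
    for line in lines:
        entry = parse_ima_ng(line)
        if entry is None or not entry[4].startswith(prefix):
            continue
        _, _, algo, digest, path = entry
        if not os.path.isfile(path):
            results[path] = "missing"
            continue
        try:
            ok = file_digest(path, algo) == digest
        except ValueError:  # algorithm name unknown to hashlib
            results[path] = "unsupported"
            continue
        results[path] = "match" if ok else "mismatch"
    return results

def demo():
    """Constructed sample: a matching entry, a stale entry and a missing file."""
    d = tempfile.mkdtemp()
    good, stale, gone = (os.path.join(d, n) for n in ("fw good.bin", "fw-stale.bin", "fw-gone.bin"))
    for p in (good, stale):
        with open(p, "wb") as f:
            f.write(b"constructed firmware image")
    digest = hashlib.sha256(b"constructed firmware image").hexdigest()
    tmpl = "0" * 40  # placeholder template hash, not verified by this example
    lines = [f"10 {tmpl} ima-ng sha256:{digest} {good}",
             f"10 {tmpl} ima-ng sha256:{'0' * 64} {stale}",
             f"10 {tmpl} ima-ng sha1:{'0' * 40} {gone}"]
    return check_measurements(lines, d), good, stale, gone
```

A "mismatch" only says the file on disk differs from what was measured at read time; a file replaced after the measurement produces the same result.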