Re: [PATCH v5 1/7] fs: introduce kernel_pread_file* support

From: Scott Branden
Date: Wed May 13 2020 - 18:48:19 EST




On 2020-05-13 3:12 p.m., Mimi Zohar wrote:
On Wed, 2020-05-13 at 21:28 +0000, Luis Chamberlain wrote:
On Wed, May 13, 2020 at 05:20:14PM -0400, Mimi Zohar wrote:
On Wed, 2020-05-13 at 12:41 -0700, Scott Branden wrote:
On 2020-05-13 12:39 p.m., Mimi Zohar wrote:
On Wed, 2020-05-13 at 12:18 -0700, Scott Branden wrote:
On 2020-05-13 12:03 p.m., Mimi Zohar wrote:
On Wed, 2020-05-13 at 11:53 -0700, Scott Branden wrote:
Even if the kernel successfully verified the firmware file signature it
would just be wasting its time. The kernel in these use cases is not always
trusted. The device needs to authenticate the firmware image itself.
There are also environments where the kernel is trusted and limits the
firmware being provided to the device to one which they signed.

The device firmware is being downloaded piecemeal from somewhere and
won't be measured?
It doesn't need to be measured for current driver needs.
Sure the device doesn't need the kernel measuring the firmware, but
hardened environments do measure firmware.

If someone has such need the infrastructure could be added to the kernel
at a later date. Existing functionality is not broken in any way by
this patch series.
Wow! ÂYou're saying that your patch set takes precedence over the
existing expectations and can break them.
Huh? I said existing functionality is NOT broken by this patch series.
Assuming a system is configured to measure and appraise firmware
(rules below), with this change the firmware file will not be properly
measured and will fail signature verification.
So no existing functionality has been broken.

Sample IMA policy rules:
measure func=FIRMWARE_CHECK
appraise func=FIRMWARE_CHECK appraise_type=imasig
Would a pre and post lsm hook for pread do it?
IMA currently measures and verifies the firmware file signature on the
post hook. ÂThe file is read once into a buffer. ÂWith this change,
IMA would need to be on the pre hook, to read the entire file,
calculating the file hash and verifying the file signature. ÂBasically
the firmware would be read once for IMA and again for the device.
The entire file may not fit into available memory to measure and verify. Hence the reason for a partial read.

Is there some way we could add a flag when calling the request_firmware_into_buf to indicate it is ok that the data requested does not need to be measured?
Mimi