Re: [PATCH v5 1/7] fs: introduce kernel_pread_file* support
From: Mimi Zohar
Date: Wed May 13 2020 - 19:00:49 EST
On Wed, 2020-05-13 at 15:48 -0700, Scott Branden wrote:
>
> On 2020-05-13 3:12 p.m., Mimi Zohar wrote:
> > On Wed, 2020-05-13 at 21:28 +0000, Luis Chamberlain wrote:
> >> On Wed, May 13, 2020 at 05:20:14PM -0400, Mimi Zohar wrote:
> >>> On Wed, 2020-05-13 at 12:41 -0700, Scott Branden wrote:
> >>>> On 2020-05-13 12:39 p.m., Mimi Zohar wrote:
> >>>>> On Wed, 2020-05-13 at 12:18 -0700, Scott Branden wrote:
> >>>>>> On 2020-05-13 12:03 p.m., Mimi Zohar wrote:
> >>>>>>> On Wed, 2020-05-13 at 11:53 -0700, Scott Branden wrote:
> >>>>>> Even if the kernel successfully verified the firmware file signature it
> >>>>>> would just be wasting its time. The kernel in these use cases is not always
> >>>>>> trusted. The device needs to authenticate the firmware image itself.
> >>>>> There are also environments where the kernel is trusted and limits the
> >>>>> firmware being provided to the device to one which they signed.
> >>>>>
> >>>>>>> The device firmware is being downloaded piecemeal from somewhere and
> >>>>>>> won't be measured?
> >>>>>> It doesn't need to be measured for current driver needs.
> >>>>> Sure the device doesn't need the kernel measuring the firmware, but
> >>>>> hardened environments do measure firmware.
> >>>>>
> >>>>>> If someone has such need the infrastructure could be added to the kernel
> >>>>>> at a later date. Existing functionality is not broken in any way by
> >>>>>> this patch series.
> >>>>> Wow! ÂYou're saying that your patch set takes precedence over the
> >>>>> existing expectations and can break them.
> >>>> Huh? I said existing functionality is NOT broken by this patch series.
> >>> Assuming a system is configured to measure and appraise firmware
> >>> (rules below), with this change the firmware file will not be properly
> >>> measured and will fail signature verification.
> So no existing functionality has been broken.
> >>>
> >>> Sample IMA policy rules:
> >>> measure func=FIRMWARE_CHECK
> >>> appraise func=FIRMWARE_CHECK appraise_type=imasig
> >> Would a pre and post lsm hook for pread do it?
> > IMA currently measures and verifies the firmware file signature on the
> > post hook. ÂThe file is read once into a buffer. ÂWith this change,
> > IMA would need to be on the pre hook, to read the entire file,
> > calculating the file hash and verifying the file signature. ÂBasically
> > the firmware would be read once for IMA and again for the device.
> The entire file may not fit into available memory to measure and
> verify. Hence the reason for a partial read.
Previously, IMA pre-read the file in page size chunks in order to
calculate the file hash. ÂTo avoid reading the file twice, the file is
now read into a buffer.
>
> Is there some way we could add a flag when calling the
> request_firmware_into_buf to indicate it is ok that the data requested
> does not need to be measured?
The decision as to what needs to be measured is a policy decision left
up to the system owner, which they express by loading an IMA policy.
Mimi