Re: [PATCH v1 5/7] ima: measure and appraise firmware (improvement)

Sat, 19 Dec 2015 20:46:14 -0800 

On Thu, 2015-12-17 at 22:06 +0100, Luis R. Rodriguez wrote:
> On Tue, Dec 08, 2015 at 01:01:22PM -0500, Mimi Zohar wrote:
> > diff --git a/drivers/base/firmware_class.c b/drivers/base/firmware_class.c
> > index 8524450..dcd902f 100644
> > --- a/drivers/base/firmware_class.c
> > +++ b/drivers/base/firmware_class.c
> > @@ -29,6 +29,7 @@
> >  #include <linux/syscore_ops.h>
> >  #include <linux/reboot.h>
> >  #include <linux/security.h>
> > +#include <linux/ima.h>
> >  
> >  #include <generated/utsrelease.h>
> >  
> > @@ -305,11 +306,17 @@ static int fw_read_file_contents(struct file *file, 
> > struct firmware_buf *fw_buf)
> >     buf = vmalloc(size);
> >     if (!buf)
> >             return -ENOMEM;
> > -   rc = kernel_read(file, 0, buf, size);
> > -   if (rc != size) {
> > -           if (rc > 0)
> > -                   rc = -EIO;
> > +
> > +   rc = ima_read_and_process_file(file, FIRMWARE_CHECK, buf, size);
> > +   if (rc == -EIO)
> >             goto fail;
> > +   else if (rc != -EOPNOTSUPP) {
> > +           rc = kernel_read(file, 0, buf, size);
> > +           if (rc != size) {
> > +                   if (rc > 0)
> > +                           rc = -EIO;
> > +                   goto fail;
> > +           }
> >     }
> >     rc = security_kernel_fw_from_file(file, buf, size);
> >     if (rc)
> 
> This is one way, the other way is to generalize the kernel-read from path
> routine. I have some changes which help generalize this routine a bit so
> help on review there would be appreciated. 

Sure.  Where are the patches?

> I'm personally indifferent
> as to needing or not *now* a generic kernel read routine that is shared
> for this purpose *but* since this patch set *also* seems to be adding
> yet-another file reading I'm more inclined to wish for that to be addressed
> now instead.
> 
> Please let me know if this logic is fair.

Commit e3c4abb - "integrity: define a new function
integrity_read_file()" defined a method of reading a file from the
kernel.  It's used to load an x509 key onto the IMA keyring for systems
without an initramfs.   Dmitry's patch, included in this patch set,
calls this function to load the IMA policy as well.  So this patch set
isn't defining a new function for reading a file from the kernel.  It's
using an existing one.

FYI, sound/sound_firmware.c: do_mod_firmware_load() also reads a file.

Mimi

--
To unsubscribe from this list: send the line "unsubscribe 
linux-security-module" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Reply via email to