to parameter
> 'p' here
> 56 | static inline unsigned long *end_of_stack(struct task_struct *p)
> | ^
Proposed fix:
https://lore.kernel.org/lkml/20250726210641.work.114-k...@kernel.org/
Thanks for the reports! :)
-Kees
--
Kees Cook
de/linux/sched/task_stack.h:56:63: note: passing argument to parameter
> 'p' here
> 56 | static inline unsigned long *end_of_stack(struct task_struct *p)
> | ^
>
> when building ARCH=loongarch allmodconfig, which does not support
> CONFIG_THREAD_INFO_IN_TASK it seems.
Oh, eek. Yeah, I'll need to make an explicit dependency I guess? ("How
did this ever work?")
Thanks again!
--
Kees Cook
e/kernel/kcov.c?h=v6.14#n179
[1]
Acked-by: Marco Elver
Signed-off-by: Kees Cook
---
Cc: Marco Elver
Cc: Andrey Konovalov
Cc: Andrey Ryabinin
Cc: Thomas Gleixner
Cc: Ingo Molnar
Cc: Borislav Petkov
Cc: Dave Hansen
Cc:
Cc: "H. Peter Anvin"
Cc: Ard Biesheuvel
Cc: "Kirill A.
tripped over
this before with GCC and the solution has usually been to just use
__always_inline and move on.
For x86 this means forcing several functions to be inline with
__always_inline.
Signed-off-by: Kees Cook
---
Cc: Thomas Gleixner
Cc: Ingo Molnar
Cc: Borislav Petkov
Cc: Dave Hansen
Cc:
as usually been to just use
__always_inline and move on.
For arm64 this requires forcing one ACPI function to be inlined with
__always_inline.
Signed-off-by: Kees Cook
---
Cc: Will Deacon
Cc: Ard Biesheuvel
Cc: Catalin Marinas
Cc: Jonathan Cameron
Cc: Gavin Shan
Cc: "Russell King (Oracle
Wire up CONFIG_KSTACK_ERASE to Clang 21's new stack depth tracking
callback[1] option.
Link: https://clang.llvm.org/docs/SanitizerCoverage.html#tracing-stack-depth [1]
Signed-off-by: Kees Cook
---
Cc: Arnd Bergmann
Cc: Masahiro Yamada
Cc: Nathan Chancellor
Cc: Nicolas Schier
Cc: Marco
://lore.kernel.org/lkml/20250507180852.work.231-k...@kernel.org/
Hi,
These are the remaining changes needed to support Clang stack depth
tracking for kstack_erase (nee stackleak).
Thanks!
-Kees
Kees Cook (4):
arm64: Handle KCOV __init vs inline mismatches
x86: Handle KCOV __init vs inline
On Mon, May 19, 2025 at 09:22:30AM +0800, Baoquan He wrote:
> On 05/16/25 at 04:20pm, Kees Cook wrote:
> > On Fri, May 16, 2025 at 11:35:12AM +0800, Baoquan He wrote:
> > > On 05/11/25 at 10:19am, Coiby Xu wrote:
> > > > On Fri, May 09, 2025 at 06:35:18PM -0700, And
t it can be back
> ported to stable kernel?
I went back through the thread and the referenced threads and I can't
find any details on the UBSAN splat. Can that please get reproduced in a
commit log? That would help understand if it's a false positive or not.
Also, referencing the commit would be good. I assume this is discussing
commit 15fcedd43a08 ("kexec: Annotate struct crash_mem with __counted_by")?
> In the case exposed during reviewing this patch, the code UBSAN warned
> is not risky.
Given that this makes things work correctly with newer compilers, I
would say it should be backported to whatever -stable kernels have the
"counted_by" annotation. (Hence the request to add a "Fixes" line so
that it will happen automatically.)
-Kees
--
Kees Cook
org/kees/c/b0db1ed17645
Take care,
--
Kees Cook
/git.kernel.org/kees/c/0de47f28ec84
[5/6] s390/crash: Use note name macros
https://git.kernel.org/kees/c/d4a760fb77fd
[6/6] crash: Remove KEXEC_CORE_NOTE_NAME
https://git.kernel.org/kees/c/7e620b56d958
Take care,
--
Kees Cook
n of NN_type, NT_type doesn't feel robust if we have a
programmatic mapping: only the "type" is needed to determine both, so
why supply both?
-Kees
[1] https://refspecs.linuxfoundation.org/elf/elf.pdf
[2] https://lore.kernel.org/lkml/z3vubtiqvnrvv...@e133380.arm.com/
--
Kees Cook
On Sun, May 12, 2024 at 09:32:40PM +0200, Joel Granados wrote:
> On Sat, May 11, 2024 at 11:51:18AM +0200, Thomas Weißschuh wrote:
> > Hi Kees,
> >
> > On 2024-05-08 10:11:35+, Kees Cook wrote:
> > > On Wed, Apr 24, 2024 at 08:12:34PM -0700, Jakub Kicinski wrot
patches 1-10 go via their respective subsystems, and once all
of those are in Linus's tree, send patch 11 as a stand-alone PR.
(From patch 11, it looks like the seccomp read/write function changes
could be split out? I'll do that now...)
-Kees
--
Kees Cook
> Link:
> https://www.kernel.org/doc/html/latest/process/deprecated.html#strncpy-on-nul-terminated-strings
> [1]
> Link: https://github.com/KSPP/linux/issues/90
> Cc: linux-harden...@vger.kernel.org
> Signed-off-by: Justin Stitt
Looks good; thanks!
Reviewed-by: Kees Cook
--
Kees Cook
__u32 n_type; /* NT_VMCOREDD */
> - __u8 name[8]; /* LINUX\0\0\0 */
> - __u8 dump_name[VMCOREDD_MAX_NAME_BYTES]; /* Device dump's name */
> + __u8 name[8] __nonstring; /* LINUX\0\0\0 */
> + __u8 dump_name[VMCOREDD_MAX_NAME_BYTES] __nonstring; /* Device dump's
> name */
> };
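Review bot: on `name[8]` the new annotation and the existing comment disagree: the comment documents the contents as `LINUX\0\0\0`, which is NUL-terminated inside the 8 bytes, while `__nonstring` marks the array as one that may lack a terminator. If only `dump_name` can fill its whole buffer, annotate only that member; otherwise update the `name` comment to say when the terminator can be absent.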
Unfortunately since this is UAPI, we can't sanely use __nonstring here.
:(
--
Kees Cook
e of the kernel and run time
> memory bloat by ~64 bytes per sentinel (further information Link :
> https://lore.kernel.org/all/zo5yx5jfoggi%2f...@bombadil.infradead.org/)
>
> Remove sentinel element from seccomp_sysctl_table.
>
> Signed-off-by: Joel Granados
Acked-by: Kees Cook
--
Kees Cook
On Fri, 22 Sep 2023 10:52:24 -0700, Kees Cook wrote:
> Prepare for the coming implementation by GCC and Clang of the __counted_by
> attribute. Flexible array members annotated with __counted_by can have
> their accesses bounds-checked at run-time checking via CONFIG_UBSAN_BOUNDS
>
On Sat, Sep 23, 2023 at 08:46:47AM +0800, Baoquan He wrote:
> On 09/22/23 at 10:52am, Kees Cook wrote:
> > Prepare for the coming implementation by GCC and Clang of the __counted_by
> > attribute. Flexible array members annotated with __counted_by can have
> > their accesses
functions).
As found with Coccinelle[1], add __counted_by for struct crash_mem.
[1]
https://github.com/kees/kernel-tools/blob/trunk/coccinelle/examples/counted_by.cocci
Cc: Eric Biederman
Cc: kexec@lists.infradead.org
Signed-off-by: Kees Cook
---
include/linux/crash_core.h | 2 +-
1 file changed
On September 11, 2023 6:55:32 PM PDT, Dave Airlie wrote:
>On Tue, 12 Sept 2023 at 11:27, Kees Cook wrote:
>>
>> On September 8, 2023 12:59:39 PM PDT, Philipp Stanner
>> wrote:
>> >Hi!
>> >
>> >David Airlie suggested that we could implem
> drivers/gpu/drm/drm_lease.c | 4 +--
> drivers/gpu/drm/vmwgfx/vmwgfx_surface.c | 4 +--
> include/linux/string.h | 40 +
> kernel/kexec.c | 2 +-
> kernel/watch_queue.c
ould be more appropriate to set the correct alignment so that tools
> do not have to rely on guesswork. FreeBSD coredumps set p_align to 4 as
> well.
>
> [...]
Applied to for-next/execve, thanks!
[1/1] coredump, vmcore: Set p_align to 4 for PT_NOTE
https://git.kernel.org/kees/
64-bit processes to avoid the other special case?
(And do we need to make some changes to make sure we are actually
aligned?)
-Kees
--
Kees Cook
___
kexec mailing list
kexec@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/kexec
longer folded under KEXEC_SIG in menuconfig,
which makes it harder to find. I would prefer seeing KEXEC_SIG (and
KEXEC_SIG_FORCE) moved out of the per-arch Kconfig files into a common
location, and then arch Kconfig can add something like:
select ARCH_SUPPORTS_KEXEC
> config K
b folder to use new header.
> Though for time being include new header back to kernel.h to avoid twisted
> indirected includes for existing users.
>
> Signed-off-by: Andy Shevchenko
I like it! Do you have a multi-arch CI to do allmodconfig builds to
double-check this?
Acked-by: Kees
On Wed, Jul 29, 2020 at 12:48:06AM +, Luis Chamberlain wrote:
> On Wed, Jul 22, 2020 at 12:30:03PM -0700, Kees Cook wrote:
> > On non-EFI systems, it wasn't possible to test the platform firmware
> > loader because it will have never set "checked_fw" during __ini
rash dump.
The scope of LKDTM has shifted a bit, and I'm fine with tests that
don't cause crashes as long as they're part of testing system-wide
defenses, etc. It's easier to collect similar tests together (even if
they don't break the system).
--
Kees Cook
kay).
What does this return on your test system:
echo $(cat /sys/kernel/security/lsm)
(I wonder if I have IMA configured differently...)
Mimi, have you had a chance to test these changes?
--
Kees Cook
On Thu, Jul 23, 2020 at 10:41:07PM -0700, Scott Branden wrote:
>
>
> On 2020-07-23 12:15 p.m., Kees Cook wrote:
> > On Wed, Jul 22, 2020 at 03:29:26PM -0700, Scott Branden wrote:
> > > These changes don't pass the kernel-selftest for partial reads I added
> &
On Fri, Jul 24, 2020 at 11:23:37AM -0700, Kees Cook wrote:
> On Thu, Jul 23, 2020 at 10:41:07PM -0700, Scott Branden wrote:
> >
> >
> > On 2020-07-23 12:15 p.m., Kees Cook wrote:
> > > On Wed, Jul 22, 2020 at 03:29:26PM -0700, Scott Branden wrote:
> > >
reproduce this now too...
--
Kees Cook
. calling
process_measurement() with a valid "file" and NULL "buf" is handled
correctly -- I misunderstood these changes). I will send a corrected
patch.
-Kees
[1]
https://lore.kernel.org/lkml/20200706232309.12010-10-scott.bran...@broadcom.com/
--
Kees Cook
From: Scott Branden
Add request_partial_firmware_into_buf() to allow for portions of a
firmware file to be read into a buffer. This is needed when large firmware
must be loaded in portions from a file on memory constrained systems.
Signed-off-by: Scott Branden
Co-developed-by: Kees Cook
ata loads
(e.g. init_module(2) and firmware userspace helper), which will happen
in subsequent patches.
Additionally prepare IMA to start processing these cases.
Signed-off-by: Kees Cook
---
drivers/base/firmware_loader/fallback.c | 2 +-
.../base/firmware_loader/fallback_platform.c
These routines are used in places outside of exec(2), so in preparation
for refactoring them, move them into a separate source file,
fs/kernel_read_file.c.
Acked-by: Scott Branden
Signed-off-by: Kees Cook
---
fs/Makefile | 3 +-
fs/exec.c | 132
firm
ware_request_platform()")
Cc: sta...@vger.kernel.org
Acked-by: Scott Branden
Signed-off-by: Kees Cook
---
To aid in backporting, this change is made before moving
kernel_read_file() to separate header/source files.
---
drivers/base/firmware_loader/fallback_platform.c | 5 -
1 file
Scott Branden
Reviewed-by: Christoph Hellwig
Acked-by: Greg Kroah-Hartman
Link:
https://lore.kernel.org/r/20200706232309.12010-2-scott.bran...@broadcom.com
Signed-off-by: Kees Cook
---
drivers/base/firmware_loader/main.c | 1 +
fs/exec.c | 1 +
include/linux
into a pre-allocated buffer")
Fixes: fd90bc559bfb ("ima: based on policy verify firmware signatures
(pre-allocated buffer)")
Fixes: 4f0496d8ffa3 ("ima: based on policy warn about loading firmware
(pre-allocated buffer)")
Cc: sta...@vger.kernel.org
Acked-by: Scott Branden
Signed-off-b
eject such cases). Adjust all
existing LSMs to retain existing behavior.
Signed-off-by: Kees Cook
---
fs/kernel_read_file.c | 2 +-
include/linux/ima.h | 6 --
include/linux/lsm_hook_defs.h | 2 +-
include/linux/lsm_hooks.h | 3 +++
include/linux/
e, the LSM hooks can report whether a full file has been
read or not so that the contents can be reasoned about.
Signed-off-by: Kees Cook
---
drivers/base/firmware_loader/main.c | 2 +-
fs/kernel_read_file.c | 78 -
include/linux/kernel_read_file.h
In preparation for adding partial read support, add an optional output
argument to kernel_read_file*() that reports the file size so callers
can reason more easily about their reading progress.
Signed-off-by: Kees Cook
---
drivers/base/firmware_loader/main.c | 1 +
fs/kernel_read_file.c
Instead of passing opt_flags around so much, store it in the private
structure so it can be examined by internals without needing to add more
arguments to functions.
Co-developed-by: Scott Branden
Signed-off-by: Scott Branden
Signed-off-by: Kees Cook
---
drivers/base/firmware_loader
,
0, NULL);
Signed-off-by: Kees Cook
---
drivers/base/firmware_loader/fallback.c | 8
.../base/firmware_loader/fallback_platform.c | 7 ++-
security/integrity/ima/ima_main.c | 20 +--
3 files changed, 20 insertions(+), 15 deletions
o
longer be negative (and was never called with a negative value). Adjust
callers to use it as a "maximum size" when *buf is NULL.
Signed-off-by: Kees Cook
---
fs/kernel_read_file.c| 34 +++-
include/linux/kernel_read_file.h | 8
securit
offset into file to request
Also update firmware selftests to use the new partial read test API.
Signed-off-by: Scott Branden
Co-developed-by: Kees Cook
Signed-off-by: Kees Cook
---
This merges Scott's two test patches into one and I refactored the
selftests to not be batched, test the no
Now that there is an API for checking loaded contents for modules
loaded without a file, call into the LSM hooks.
Signed-off-by: Kees Cook
---
kernel/module.c | 14 ++
1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/kernel/module.c b/kernel/module.c
index d56cb34d9a2f
The firmware tests would always time out for me. Add a correct timeout,
including details on how the value was reached. Additionally allow the
test harness to skip comments in settings files and report how long a
given timeout was.
Signed-off-by: Kees Cook
---
tools/testing/selftests/firmware
along the way. It's now got Scott's
firmware patches ported and everything tests clean for me.
I think the intention is for this to go via Greg's tree since Scott's
driver code will depend on it?
Thanks, and let me know what you think,
-Kees
Kees Cook (15):
test_firmware:
orcement of the symbol visibility.
Fixes: 548193cba2a7 ("test_firmware: add support for firmware_request_platform")
Cc: sta...@vger.kernel.org
Signed-off-by: Kees Cook
---
drivers/firmware/efi/embedded-firmware.c | 21 -
drivers/firmware/efi/embedded-firmware.h | 19 +++
ng.
Fixes: e4c2c0ff00ec ("firmware: Add new platform fallback mechanism and
firmware_request_platform()")
Cc: sta...@vger.kernel.org
Acked-by: Scott Branden
Signed-off-by: Kees Cook
---
To aid in backporting, this change is made before moving
kernel_read_file() to separate head
In preparation for refactoring kernel_read_file*(), remove the redundant
"size" argument which is not needed: it can be included in the return
code, with callers adjusted. (VFS reads already cannot be larger than
INT_MAX.)
Signed-off-by: Kees Cook
---
drivers/base/firmware_loader/m
On Tue, Jul 21, 2020 at 02:43:07PM -0700, Scott Branden wrote:
> On 2020-07-17 10:43 a.m., Kees Cook wrote:
> > In preparation for refactoring kernel_read_file*(), remove the redundant
> > "size" argument which is not needed: it can be included in the return
> > co
k fine after this series, but
I wanted to really exercise the corners that the firmware suite pokes
at).
--
Kees Cook
On Fri, Jul 17, 2020 at 12:04:18PM -0700, Scott Branden wrote:
> On 2020-07-17 10:43 a.m., Kees Cook wrote:
> > In preparation for refactoring kernel_read_file*(), remove the redundant
> > "size" argument which is not needed: it can be included in the return
>
> I d
ng.
Fixes: e4c2c0ff00ec ("firmware: Add new platform fallback mechanism and
firmware_request_platform()")
Cc: sta...@vger.kernel.org
Signed-off-by: Kees Cook
---
To aid in backporting, this change is made before moving
kernel_read_file() to separate header/source files.
---
dr
These routines are used in places outside of exec(2), so in preparation
for refactoring them, move them into a separate source file,
fs/kernel_read_file.c.
Signed-off-by: Kees Cook
---
fs/Makefile | 3 +-
fs/exec.c | 132
fs
Now that there is an API for checking loaded contents for modules
loaded without a file, call into the LSM hooks.
Cc: Jessica Yu
Signed-off-by: Kees Cook
---
kernel/module.c | 14 ++
1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/kernel/module.c b/kernel/module.c
into a pre-allocated buffer")
Fixes: fd90bc559bfb ("ima: based on policy verify firmware signatures
(pre-allocated buffer)")
Fixes: 4f0496d8ffa3 ("ima: based on policy warn about loading firmware
(pre-allocated buffer)")
Cc: sta...@vger.kernel.org
Signed-off-by: Kees Cook
firm
ware_request_platform()")
Cc: sta...@vger.kernel.org
Signed-off-by: Kees Cook
---
To aid in backporting, this change is made before moving
kernel_read_file() to separate header/source files.
---
drivers/base/firmware_loader/fallback_platform.c | 5 -
1 file changed, 4 insertions(+),
backported
without the header file relocation.
I'll keep poking at the firmware tests...
-Kees
[1] https://lore.kernel.org/lkml/202007161415.10D015477@keescook/
Kees Cook (12):
firmware_loader: EFI firmware loader must handle pre-allocated buffer
fs/kernel_read_file: Remove FIRMWARE_
elle and, audited and fixed
> manually.
>
> Addresses-KSPP-ID: https://github.com/KSPP/linux/issues/83
> Signed-off-by: Gustavo A. R. Silva
Reviewed-by: Kees Cook
--
Kees Cook
lled 4 ms)
> <5>[ 70.921642] CPU7: shutdown
> <6>[ 70.922650] psci: CPU7 killed (polled 0 ms)
>
> Signed-off-by: Pavel Tatashin
Reviewed-by: Kees Cook
--
Kees Cook
)
    file = open...
    disallow_writes(file);
    while (processed < size-of-file) {
        buf = read(file, size...)
        security_file_read_partial(buf)
    }
    ret = security_file_read_finished(file);
    if (ret < 0) {
all
eads the file into a buffer once, calls the
> generic post security hook, before providing the buffer to the caller.
> (Note using firmware pre-allocated memory might be an issue.)
>
> Partial reading firmware will result in needing to pre-read the entire
> file, most likely on the secur
> as a mean for assuring a security policy (in paranoid mode)
> case where no single taint is allowed for the running system.
>
> Suggested-by: Qian Cai
> Signed-off-by: Rafael Aquini
Reviewed-by: Kees Cook
--
Kees Cook
s where the check for a "reserved" memory
area should live.
For example, this is how both mem_avoid_memmap() and the setup_data
memory areas are handled.
Is there a reason mem_avoid_overlap() can't be used here?
--
Kees Cook
On Thu, Feb 27, 2020 at 10:42:53AM +0800, Baoquan He wrote:
> On 02/06/20 at 09:51am, Kristen Carlson Accardi wrote:
> > On Thu, 2020-02-06 at 04:32 -0800, Kees Cook wrote:
>
> > > In the past, making kallsyms entirely unreadable seemed to break
> > > weird
>
the previous patch
> and to return -EPERM if the kernel is locked down for consistency with
> other lockdowns. Modified by Matthew Garrett to remove the IMA
> integration, which will be replaced by integrating with the IMA
> architecture policy patches.]
>
> Signed-off-by: Jiri Bo
xec reboot.
>
> Signed-off-by: Dave Young
Reviewed-by: Kees Cook
-Kees
> Signed-off-by: David Howells
> Signed-off-by: Matthew Garrett
> cc: kexec@lists.infradead.org
> ---
> arch/x86/kernel/kexec-bzimage64.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --
this situation.
>
> This does not affect kexec_file_load() syscall which can check for a
> signature on the image to be booted.
>
> Signed-off-by: David Howells
Reviewed-by: Kees Cook
-Kees
> Signed-off-by: Matthew Garrett
> Acked-by: Dave Young
> cc: kexec@lis
On Tue, Nov 27, 2018 at 3:29 PM, Baoquan He wrote:
> On 11/27/18 at 02:16pm, Kees Cook wrote:
>> Why is KERNELOFFSET= not sufficient?
>>
>> See commit b6085a865762 ("x86, kaslr: export offset in VMCOREINFO ELF notes")
>>
>> +
nfo(void)
>> VMCOREINFO_SYMBOL(init_top_pgt);
>> vmcoreinfo_append_str("NUMBER(pgtable_l5_enabled)=%d\n",
>> pgtable_l5_enabled());
>> +#ifdef CONFIG_RANDOMIZE_BASE
>> + VMCOREINFO_NUMBER(page_offset_base);
>> +#endif
>>
>> #ifdef CONFIG_NUMA
&
ned-off-by: Mimi Zohar
> Cc: Luis R. Rodriguez
> Cc: Stephen Boyd
> Cc: Bjorn Andersson
> Cc: Ard Biesheuvel
I can't decide if it's worth adding the link (maybe using the
lkml.kernel.org url[1]) directly in the code or not.
Either way:
Reviewed-by: Kees Cook
-K
ok and makes the corresponding changes
> in SELinux, LoadPin, and IMA.
>
> Signed-off-by: Mimi Zohar
> Cc: Jeff Vander Stoep
> Cc: Casey Schaufler
> Cc: Kees Cook
> Acked-by: Jessica Yu
> Acked-by: Paul Moore
Acked-by: Kees Cook
Thanks!
which verifies kernel modules,
> firmware, kexec image, and/or the IMA policy signatures. This build time
> policy is automatically enabled at runtime and persists after loading a
> custom policy.
>
> Signed-off-by: Mimi Zohar
Reviewed-by: Kees Cook
-Kees
On Fri, Jul 13, 2018 at 11:06 AM, Mimi Zohar wrote:
> With an IMA policy requiring signed firmware, this patch prevents
> the sysfs fallback method of loading firmware.
>
> Signed-off-by: Mimi Zohar
> Cc: Luis R. Rodriguez
> Cc: Matthew Garrett
Reviewed-by: Kees Cook
-K
On Fri, Jul 13, 2018 at 11:05 AM, Mimi Zohar wrote:
> Add an LSM hook prior to allowing firmware sysfs fallback loading.
>
> Signed-off-by: Mimi Zohar
> Acked-by: Luis R. Rodriguez
Reviewed-by: Kees Cook
-Kees
--
Kees Cook
Pi
On Fri, Jul 13, 2018 at 11:05 AM, Mimi Zohar wrote:
> The original kexec_load syscall can not verify file signatures, nor can
> the kexec image be measured. Based on policy, deny the kexec_load
> syscall.
>
> Signed-off-by: Mimi Zohar
> Cc: Eric Biederman
> Cc: Kees Coo
the original kexec_load syscall.
>
> Signed-off-by: Mimi Zohar
> Cc: Eric Biederman
> Cc: Kees Cook
> Acked-by: Serge Hallyn
Acked-by: Kees Cook
-Kees
--
Kees Cook
Pixel Security
ed-off-by: Mimi Zohar
> Cc: Eric Biederman
> Cc: Luis R. Rodriguez
> Cc: Kees Cook
> Cc: Casey Schaufler
> Acked-by: Serge Hallyn
Acked-by: Kees Cook
-Kees
--
Kees Cook
Pixel Security
or virt_to_page() may be able to.
I don't see a PAGEFLAG for DMA, but I do see ZONE_DMA for
page_zone()... So maybe something like
    struct page *page;
    page = virt_to_page(address);
    if (!page)
        fail closed...
    if (page_zone(page) == ZONE_DMA)
        handle dma case...
    else
        non-dma
But I've CCed Laura and Rik, who I always lean on when I have these
kinds of page questions...
-Kees
--
Kees Cook
Pixel Security
On Tue, Jun 5, 2018 at 2:35 PM, Mimi Zohar wrote:
> On Tue, 2018-06-05 at 12:45 -0700, Kees Cook wrote:
>
>> And if you must have a separate enum, please change this to fail
>> closed instead of open (and mark the fall-through):
>>
>> int rc = -EPERM;
>>
>
gt; LSM_HOOK_INIT(kernel_read_file, selinux_kernel_read_file),
> LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid),
> LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid),
> --
> 2.7.5
>
--
Kees Cook
Pixel Security
On Tue, Jun 5, 2018 at 6:25 AM, Serge E. Hallyn wrote:
> Quoting Kees Cook (keesc...@chromium.org):
>> On Mon, Jun 4, 2018 at 9:09 PM, Serge E. Hallyn wrote:
>> > Personally I agree with Eric and prefer a new hook. I don't feel strongly
>> > enough about it to k
t a file descriptor"?
-Kees
--
Kees Cook
Pixel Security
hook callsites), 5, 6
& 7 (IMA coverage and policy). 1 and 8 seem needless to me. If the
objection is that isn't use on non-file objects, sure, rename it. But
I don't see a _logical_ difference between the proposed and existing
callsites. enum kernel_read_file_id covers the "type" already
-Kees
--
Kees Cook
Pixel Security
, which did not like the memcmp() of a "0 byte"
array. This drops the __weak and uses an extern instead, since both
users define kexec_purgatory.
Cc: Daniel Micay
Signed-off-by: Kees Cook
---
v2: use extern instead of __weak void *; ebiederm
---
kernel/kexec_file.c | 7 -
On Tue, May 9, 2017 at 5:15 PM, Eric W. Biederman wrote:
> Kees Cook writes:
>> kernel/kexec_file.c:33:13: warning: array ‘kexec_purgatory’ assumed to
>> have one element
>> char __weak kexec_purgatory[];
>> ^~~
>
> Nor does "void
On Tue, May 9, 2017 at 4:13 PM, Daniel Micay wrote:
> On Tue, 2017-05-09 at 16:06 -0700, Kees Cook wrote:
>> Defining kexec_purgatory as a zero-length char array upsets compile
>> time size checking. Since this is entirely runtime sized, switch
>> this to void *. This
niel Micay
Signed-off-by: Kees Cook
---
kernel/kexec_file.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
index b118735fea9d..bc86f85f1329 100644
--- a/kernel/kexec_file.c
+++ b/kernel/kexec_file.c
@@ -30,7 +30,7 @@
* Declare these symbo
+ phdr->p_paddr = (elf_addr_t)-1;
>> phdr->p_filesz = phdr->p_memsz = m->size;
>> phdr->p_align = PAGE_SIZE;
>> }
>>
Well, CONFIG_PROC_KCORE is a generalized root KASLR exposure (though
there are lots of such exposures). Why is the actual p
1 - 100 of 140 matches