On Wed, Jun 06, 2018 at 08:20:17AM +0200, Ard Biesheuvel wrote:
> On 6 June 2018 at 00:37, Kees Cook wrote:
> > On Fri, Jun 1, 2018 at 12:25 PM, Luis R. Rodriguez
> > wrote:
> >> On Fri, Jun 01, 2018 at 09:15:45PM +0200, Luis R. Rodriguez wrote:
> >>> On T
On Fri, Jun 01, 2018 at 06:39:55PM -0400, Mimi Zohar wrote:
> On Fri, 2018-06-01 at 20:21 +0200, Luis R. Rodriguez wrote:
> > On Tue, May 29, 2018 at 02:01:57PM -0400, Mimi Zohar wrote:
> > > Luis, is the security_kernel_post_read_file LSM hook in
> > > firmware_loading
On Fri, Jun 01, 2018 at 09:15:45PM +0200, Luis R. Rodriguez wrote:
> On Tue, May 29, 2018 at 02:01:59PM -0400, Mimi Zohar wrote:
> > Some systems are memory constrained but they need to load very large
> > firmwares. The firmware subsystem allows drivers to request this
> >
irmware already calls the security_kernel_read_file LSM hook.
> With an IMA policy requiring signed firmware, this patch prevents
> loading firmware into a pre-allocated buffer.
>
> Signed-off-by: Mimi Zohar
> Cc: Luis R. Rodriguez
> Cc: David Howells
> Cc
>
> Signed-off-by: Mimi Zohar
> Cc: Luis R. Rodriguez
> Cc: David Howells
> Cc: Matthew Garrett
> ---
> security/integrity/ima/ima_main.c | 10 +-
> 1 file changed, 9 insertions(+), 1 deletion(-)
>
> diff --git a/security/integrity/ima/ima_main.c
>
On Tue, May 29, 2018 at 02:01:56PM -0400, Mimi Zohar wrote:
> Add an LSM hook prior to allowing firmware sysfs fallback loading.
Acked-by: Luis R. Rodriguez
> Signed-off-by: Mimi Zohar
> Cc: Luis R. Rodriguez
> Cc: David Howells
> Cc: Kees Cook
>
> Changelog
ING_KEXEC_IMAGE, READING_KEXEC_INITRAMFS,
> READING_FIRMWARE, READING_MODULE, and READING_POLICY.
>
> Changelog v3:
> - Replace the IMA specific enumeration with a generic one.
>
> Signed-off-by: Mimi Zohar <zo...@linux.vnet.ibm.com>
Acked-by: Luis R
> security hook.
>
> This patch removes the security_kernel_module_from_file() hook and security
> call.
>
> Signed-off-by: Mimi Zohar <zo...@linux.vnet.ibm.com>
Acked-by: Luis R. Rodriguez <mcg...@kernel.org>
Luis
___
kexec mailing list
kexec@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/kexec
red and squashed firmware patches
> - fix MAX firmware size (Kees Cook)
>
> Signed-off-by: Mimi Zohar <zo...@linux.vnet.ibm.com>
Acked-by: Luis R. Rodriguez <mcg...@kernel.org>
Luis
On Wed, Feb 03, 2016 at 02:06:20PM -0500, Mimi Zohar wrote:
> This patch defines kernel_read_file_from_path(), a wrapper for the VFS
> common kernel_read_file().
>
> Changelog:
> - Separated from the IMA patch
>
> Signed-off-by: Mimi Zohar <zo...@linux.vnet.ibm.com>
copy_file_from_fd(). The
> same call now measures and appraises both the kexec image and initramfs.
>
> Signed-off-by: Mimi Zohar <zo...@linux.vnet.ibm.com>
Acked-by: Luis R. Rodriguez <mcg...@kernel.org>
Luis
On Wed, Feb 03, 2016 at 02:06:23PM -0500, Mimi Zohar wrote:
> This patch defines kernel_read_file_from_fd(), a wrapper for the VFS
> common kernel_read_file().
>
> Changelog:
> - Separated from the kernel modules patch
>
> Signed-off-by: Mimi Zohar <zo...@linux.vnet.ib
On Wed, Feb 03, 2016 at 02:06:22PM -0500, Mimi Zohar wrote:
> The kernel_read_file security hook is called prior to reading the file
> into memory.
>
> Signed-off-by: Mimi Zohar <zo...@linux.vnet.ibm.com>
Acked-by: Luis R. Rodriguez <mcg..
> > this will make the success case easier to follow.
> >
> > Reviewed-by: Josh Boyer <jwbo...@fedoraproject.org>
> > Signed-off-by: David Howells <dhowe...@redhat.com>
> > Signed-off-by: Luis R. Rodriguez <mcg...@kernel.org>
> > Signed-off-by
On Mon, Jan 25, 2016 at 06:48:12PM -0500, Mimi Zohar wrote:
> On Mon, 2016-01-25 at 21:34 +0100, Luis R. Rodriguez wrote:
> > On Mon, Jan 25, 2016 at 10:04:18AM -0500, Mimi Zohar wrote:
> > > On Mon, 2016-01-25 at 14:37 +0800, Dave Young wrote:
> > > > Hi, Mimi
>
On Mon, Jan 25, 2016 at 10:04:18AM -0500, Mimi Zohar wrote:
> On Mon, 2016-01-25 at 14:37 +0800, Dave Young wrote:
> > Hi, Mimi
> >
> > Besides code issues, I have several things to understand:
> >
> > What is the effect to kexec behavior with this patchset?
> > - without IMA enabled
On Mon, Jan 18, 2016 at 10:11:24AM -0500, Mimi Zohar wrote:
> From: Dmitry Kasatkin
>
> echo /etc/ima/ima_policy > /sys/kernel/security/ima/policy
> fs/exec.c | 21
> diff --git a/fs/exec.c b/fs/exec.c
> index 3524e5f..5731b40
On Thu, Jan 21, 2016 at 4:05 AM, Mimi Zohar <zo...@linux.vnet.ibm.com> wrote:
> On Wed, 2016-01-20 at 15:56 -0800, Luis R. Rodriguez wrote:
>> On Wed, Jan 20, 2016 at 3:39 PM, Luis R. Rodriguez <mcg...@suse.com> wrote:
>
>> >> @@ -350,13 +321,18 @@ static i
On Thu, Jan 21, 2016 at 5:12 AM, Mimi Zohar <zo...@linux.vnet.ibm.com> wrote:
> On Thu, 2016-01-21 at 01:03 +0100, Luis R. Rodriguez wrote:
>> On Mon, Jan 18, 2016 at 10:11:23AM -0500, Mimi Zohar wrote:
>> > This patch replaces the module copy_module_from_fd() call
On Mon, Jan 18, 2016 at 10:11:15AM -0500, Mimi Zohar wrote:
> For a while it was looked down upon to directly read files from Linux.
> These days there exists a few mechanisms in the kernel that do just this
> though to load a file into a local buffer. There are minor but important
> checks
On Mon, Jan 18, 2016 at 10:11:21AM -0500, Mimi Zohar wrote:
> diff --git a/fs/exec.c b/fs/exec.c
> index 211b81c..a5ae51e 100644
> --- a/fs/exec.c
> +++ b/fs/exec.c
> @@ -884,6 +884,21 @@ out:
> }
> EXPORT_SYMBOL_GPL(kernel_read_file);
>
> +int kernel_read_file_from_fd(int fd, void **buf,
On Mon, Jan 18, 2016 at 10:11:22AM -0500, Mimi Zohar wrote:
> Replace fw_read_file_contents() for reading a file with the common VFS
> kernel_read_file() function. A benefit of calling kernel_read_file()
> to read the firmware is the firmware is read only once, instead of once
> for
On Wed, Jan 20, 2016 at 3:39 PM, Luis R. Rodriguez <mcg...@suse.com> wrote:
> On Mon, Jan 18, 2016 at 10:11:22AM -0500, Mimi Zohar wrote:
>> Replace fw_read_file_contents() for reading a file with the common VFS
>> kernel_read_file() function. A benefit of calling kernel_r
On Mon, Jan 18, 2016 at 10:11:23AM -0500, Mimi Zohar wrote:
> This patch replaces the module copy_module_from_fd() call with the VFS
> common kernel_read_file_from_fd() function. Instead of reading the
> kernel module twice, once for measuring/appraising and then loading
> the kernel module, the
On Mon, Jan 18, 2016 at 10:11:24AM -0500, Mimi Zohar wrote:
> --- a/fs/exec.c
> +++ b/fs/exec.c
> @@ -903,6 +903,27 @@ out:
> return ret;
> }
>
> +int kernel_read_file_from_path(char *path, void **buf, loff_t *size,
> +loff_t max_size, int policy_id)
> +{
> +
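Review bot: the `path` parameter in `+int kernel_read_file_from_path(char *path, void **buf, loff_t *size,` should be `const char *path`; a wrapper that reads a file by name has no reason to modify the path string, and a non-const parameter forces callers holding string literals or const buffers to cast.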
ile_contents() has historically done this,
so if this generic read is going to skip that I'd like to
see why. We're unifying so I rather be more pedantic.
Provided this is addressed feel free to peg:
Reviewed-by: Luis R. Rodriguez <mcg...@suse.com>
Luis
Hey folks, I see recent discussions about desire for a new recent
release of kexec, one of such reasons is kexec support on EFI systems.
SUSE is also interested in this, and it'd be great if we can all synch
up on supporting the same recent release.
Thanks!
Luis