Re: [RFC PATCH v4 7/8] ima: based on policy prevent loading firmware (pre-allocated buffer)

2018-06-06 Thread Luis R. Rodriguez
On Wed, Jun 06, 2018 at 08:20:17AM +0200, Ard Biesheuvel wrote: > On 6 June 2018 at 00:37, Kees Cook wrote: > > On Fri, Jun 1, 2018 at 12:25 PM, Luis R. Rodriguez > > wrote: > >> On Fri, Jun 01, 2018 at 09:15:45PM +0200, Luis R. Rodriguez wrote: > >>> On T

Re: [PATCH v4 5/8] ima: based on policy require signed firmware (sysfs fallback)

2018-06-01 Thread Luis R. Rodriguez
On Fri, Jun 01, 2018 at 06:39:55PM -0400, Mimi Zohar wrote: > On Fri, 2018-06-01 at 20:21 +0200, Luis R. Rodriguez wrote: > > On Tue, May 29, 2018 at 02:01:57PM -0400, Mimi Zohar wrote: > > > Luis, is the security_kernel_post_read_file LSM hook in > > > firmware_loading

Re: [RFC PATCH v4 7/8] ima: based on policy prevent loading firmware (pre-allocated buffer)

2018-06-01 Thread Luis R. Rodriguez
On Fri, Jun 01, 2018 at 09:15:45PM +0200, Luis R. Rodriguez wrote: > On Tue, May 29, 2018 at 02:01:59PM -0400, Mimi Zohar wrote: > > Some systems are memory constrained but they need to load very large > firmwares. The firmware subsystem allows drivers to request this > >

Re: [RFC PATCH v4 7/8] ima: based on policy prevent loading firmware (pre-allocated buffer)

2018-06-01 Thread Luis R. Rodriguez
irmware already calls the security_kernel_read_file LSM hook. > With an IMA policy requiring signed firmware, this patch prevents > loading firmware into a pre-allocated buffer. > > Signed-off-by: Mimi Zohar > Cc: Luis R. Rodriguez > Cc: David Howells > Cc

Re: [PATCH v4 5/8] ima: based on policy require signed firmware (sysfs fallback)

2018-06-01 Thread Luis R. Rodriguez
> > Signed-off-by: Mimi Zohar > Cc: Luis R. Rodriguez > Cc: David Howells > Cc: Matthew Garrett > --- > security/integrity/ima/ima_main.c | 10 +- > 1 file changed, 9 insertions(+), 1 deletion(-) > > diff --git a/security/integrity/ima/ima_main.c >

Re: [PATCH v4 4/8] firmware: add call to LSM hook before firmware sysfs fallback

2018-06-01 Thread Luis R. Rodriguez
On Tue, May 29, 2018 at 02:01:56PM -0400, Mimi Zohar wrote: > Add an LSM hook prior to allowing firmware sysfs fallback loading. Acked-by: Luis R. Rodriguez > Signed-off-by: Mimi Zohar > Cc: Luis R. Rodriguez > Cc: David Howells > Cc: Kees Cook > > Changelog

Re: [PATCH v3 08/22] vfs: define kernel_read_file_id enumeration

2016-02-04 Thread Luis R. Rodriguez
ING_KEXEC_IMAGE, READING_KEXEC_INITRAMFS, > READING_FIRMWARE, READING_MODULE, and READING_POLICY. > > Changelog v3: > - Replace the IMA specific enumeration with a generic one. > > Signed-off-by: Mimi Zohar <zo...@linux.vnet.ibm.com> Acked-by: Luis R

Re: [PATCH v3 16/22] module: replace copy_module_from_fd with kernel version

2016-02-04 Thread Luis R. Rodriguez
> security hook. > > This patch removes the security_kernel_module_from_file() hook and security > call. > > Signed-off-by: Mimi Zohar <zo...@linux.vnet.ibm.com> Acked-by: Luis R. Rodriguez <mcg...@kernel.org> Luis ___ kexec mailing list kexec@lists.infradead.org http://lists.infradead.org/mailman/listinfo/kexec

Re: [PATCH v3 13/22] firmware: replace call to fw_read_file_contents() with kernel version

2016-02-04 Thread Luis R. Rodriguez
red and squashed firmware patches > - fix MAX firmware size (Kees Cook) > > Signed-off-by: Mimi Zohar <zo...@linux.vnet.ibm.com> Acked-by: Luis R. Rodriguez <mcg...@kernel.org> Luis

Re: [PATCH v3 12/22] vfs: define kernel_read_file_from_path

2016-02-04 Thread Luis R. Rodriguez
On Wed, Feb 03, 2016 at 02:06:20PM -0500, Mimi Zohar wrote: > This patch defines kernel_read_file_from_path(), a wrapper for the VFS > common kernel_read_file(). > > Changelog: > - Separated from the IMA patch > > Signed-off-by: Mimi Zohar <zo...@linux.vnet.ibm.com>

Re: [PATCH v3 18/22] kexec: replace call to copy_file_from_fd() with kernel version

2016-02-04 Thread Luis R. Rodriguez
copy_file_from_fd(). The > same call now measures and appraises both the kexec image and initramfs. > > Signed-off-by: Mimi Zohar <zo...@linux.vnet.ibm.com> Acked-by: Luis R. Rodriguez <mcg...@kernel.org> Luis

Re: [PATCH v3 15/22] vfs: define kernel_copy_file_from_fd()

2016-02-04 Thread Luis R. Rodriguez
On Wed, Feb 03, 2016 at 02:06:23PM -0500, Mimi Zohar wrote: > This patch defines kernel_read_file_from_fd(), a wrapper for the VFS > common kernel_read_file(). > > Changelog: > - Separated from the kernel modules patch > > Signed-off-by: Mimi Zohar <zo...@linux.vnet.ib

Re: [PATCH v3 14/22] security: define kernel_read_file hook

2016-02-04 Thread Luis R. Rodriguez
On Wed, Feb 03, 2016 at 02:06:22PM -0500, Mimi Zohar wrote: > The kernel_read_file security hook is called prior to reading the file > into memory. > > Signed-off-by: Mimi Zohar <zo...@linux.vnet.ibm.com> Acked-by: Luis R. Rodriguez <mcg..

Re: [PATCH v3 06/22] firmware: fold successful fw read early

2016-02-04 Thread Luis R. Rodriguez
> > this will make the success case easier to follow. > > > > Reviewed-by: Josh Boyer <jwbo...@fedoraproject.org> > > Signed-off-by: David Howells <dhowe...@redhat.com> > > Signed-off-by: Luis R. Rodriguez <mcg...@kernel.org> > > Signed-off-by

Re: [RFC PATCH v2 06/11] kexec: replace call to copy_file_from_fd() with kernel version

2016-01-26 Thread Luis R. Rodriguez
On Mon, Jan 25, 2016 at 06:48:12PM -0500, Mimi Zohar wrote: > On Mon, 2016-01-25 at 21:34 +0100, Luis R. Rodriguez wrote: > > On Mon, Jan 25, 2016 at 10:04:18AM -0500, Mimi Zohar wrote: > > > On Mon, 2016-01-25 at 14:37 +0800, Dave Young wrote: > > > > Hi, Mimi &g

Re: [RFC PATCH v2 06/11] kexec: replace call to copy_file_from_fd() with kernel version

2016-01-25 Thread Luis R. Rodriguez
On Mon, Jan 25, 2016 at 10:04:18AM -0500, Mimi Zohar wrote: > On Mon, 2016-01-25 at 14:37 +0800, Dave Young wrote: > > Hi, Mimi > > > > Besides code issues, I have several things to understand: > > > > What is the effect to kexec behavior with this patchset? > > - without IMA enabled

Re: [RFC PATCH v2 09/11] ima: load policy using path

2016-01-22 Thread Luis R. Rodriguez
On Mon, Jan 18, 2016 at 10:11:24AM -0500, Mimi Zohar wrote: > From: Dmitry Kasatkin > > echo /etc/ima/ima_policy > /sys/kernel/security/ima/policy > fs/exec.c | 21 > diff --git a/fs/exec.c b/fs/exec.c > index 3524e5f..5731b40

Re: [RFC PATCH v2 07/11] firmware: replace call to fw_read_file_contents() with kernel version

2016-01-21 Thread Luis R. Rodriguez
On Thu, Jan 21, 2016 at 4:05 AM, Mimi Zohar <zo...@linux.vnet.ibm.com> wrote: > On Wed, 2016-01-20 at 15:56 -0800, Luis R. Rodriguez wrote: >> On Wed, Jan 20, 2016 at 3:39 PM, Luis R. Rodriguez <mcg...@suse.com> wrote: > >> >> @@ -350,13 +321,18 @@ static i

Re: [RFC PATCH v2 08/11] module: replace copy_module_from_fd with kernel version

2016-01-21 Thread Luis R. Rodriguez
On Thu, Jan 21, 2016 at 5:12 AM, Mimi Zohar <zo...@linux.vnet.ibm.com> wrote: > On Thu, 2016-01-21 at 01:03 +0100, Luis R. Rodriguez wrote: >> On Mon, Jan 18, 2016 at 10:11:23AM -0500, Mimi Zohar wrote: >> > This patch replaces the module copy_module_from_fd() call

Re: [RFC PATCH v2 00/11] vfss: support for a common kernel file loader

2016-01-21 Thread Luis R. Rodriguez
On Mon, Jan 18, 2016 at 10:11:15AM -0500, Mimi Zohar wrote: > For a while it was looked down upon to directly read files from Linux. > These days there exists a few mechanisms in the kernel that do just this > though to load a file into a local buffer. There are minor but important > checks

Re: [RFC PATCH v2 06/11] kexec: replace call to copy_file_from_fd() with kernel version

2016-01-20 Thread Luis R. Rodriguez
On Mon, Jan 18, 2016 at 10:11:21AM -0500, Mimi Zohar wrote: > diff --git a/fs/exec.c b/fs/exec.c > index 211b81c..a5ae51e 100644 > --- a/fs/exec.c > +++ b/fs/exec.c > @@ -884,6 +884,21 @@ out: > } > EXPORT_SYMBOL_GPL(kernel_read_file); > > +int kernel_read_file_from_fd(int fd, void **buf,

Re: [RFC PATCH v2 07/11] firmware: replace call to fw_read_file_contents() with kernel version

2016-01-20 Thread Luis R. Rodriguez
On Mon, Jan 18, 2016 at 10:11:22AM -0500, Mimi Zohar wrote: > Replace fw_read_file_contents() for reading a file with the common VFS > kernel_read_file() function. A benefit of calling kernel_read_file() > to read the firmware is the firmware is read only once, instead of once > for

Re: [RFC PATCH v2 07/11] firmware: replace call to fw_read_file_contents() with kernel version

2016-01-20 Thread Luis R. Rodriguez
On Wed, Jan 20, 2016 at 3:39 PM, Luis R. Rodriguez <mcg...@suse.com> wrote: > On Mon, Jan 18, 2016 at 10:11:22AM -0500, Mimi Zohar wrote: >> Replace fw_read_file_contents() for reading a file with the common VFS >> kernel_read_file() function. A benefit of calling kernel_r

Re: [RFC PATCH v2 08/11] module: replace copy_module_from_fd with kernel version

2016-01-20 Thread Luis R. Rodriguez
On Mon, Jan 18, 2016 at 10:11:23AM -0500, Mimi Zohar wrote: > This patch replaces the module copy_module_from_fd() call with the VFS > common kernel_read_file_from_fd() function. Instead of reading the > kernel module twice, once for measuring/appraising and then loading > the kernel module, the
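As an added example (not code from this series, from Luis, or from the kernel), a userspace C model of the pattern the firmware and module patches above describe: the old flow read a file once to measure/appraise it and again to load it, so the bytes that were appraised and the bytes that ran were never the same read; the common kernel_read_file() reads once, bounds the read by max_size, and hands the single buffer to the LSM hooks. Everything below is constructed: the sim_file race, the FNV-1a stand-in for IMA's hash, the allow-list appraisal and the two hook functions are simplified models, not the kernel's security_kernel_read_file()/security_kernel_post_read_file() implementations, and GOOD_FW/EVIL_FW are made-up images.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

/* Reader identities, mirroring the enumeration this series introduces. */
enum kernel_read_file_id { READING_UNKNOWN, READING_FIRMWARE, READING_MODULE,
			   READING_KEXEC_IMAGE, READING_KEXEC_INITRAMFS, READING_POLICY };
/* Simulated file (constructed): if swap_to is set, the contents change right
 * after the first read completes, modelling a writer racing the loader. */
struct sim_file {
	const unsigned char *data, *swap_to;
	size_t len, swap_len;
};

static int sim_read(struct sim_file *f, unsigned char *buf, size_t max, size_t *out_len)
{
	if (f->len > max)
		return -EFBIG;	/* the common loader bounds the read by max_size */
	memcpy(buf, f->data, f->len);
	*out_len = f->len;
	if (f->swap_to) {	/* the race: contents change after this read */
		f->data = f->swap_to; f->len = f->swap_len; f->swap_to = NULL;
	}
	return 0;
}

/* FNV-1a stands in for IMA's measurement hash; IMA itself uses a real one. */
static uint64_t digest(const unsigned char *p, size_t n)
{
	uint64_t h = 0xcbf29ce484222325ULL;
	while (n--) { h ^= *p++; h *= 0x100000001b3ULL; }
	return h;
}

/* Constructed images: the one on the allow-list and an attacker's. */
static const unsigned char GOOD_FW[] = "vendor-fw-v1";
static const unsigned char EVIL_FW[] = "attacker-fw";
#define GOOD_FW_LEN (sizeof(GOOD_FW) - 1)
#define EVIL_FW_LEN (sizeof(EVIL_FW) - 1)
/* Pre-read hook: may this reader read at all? */
static int hook_kernel_read_file(enum kernel_read_file_id id)
{
	return id == READING_UNKNOWN ? -EPERM : 0;
}
/* Post-read hook: appraise the bytes that are actually in the buffer. */
static int hook_kernel_post_read_file(const unsigned char *buf, size_t len,
				      enum kernel_read_file_id id)
{
	if (id != READING_FIRMWARE)
		return 0;	/* this model's policy only appraises firmware */
	return digest(buf, len) == digest(GOOD_FW, GOOD_FW_LEN) ? 0 : -EACCES;
}

/* Old pattern: read once to appraise, then read again to load. */
int load_read_twice(struct sim_file *f, enum kernel_read_file_id id,
		    unsigned char *out, size_t max, size_t *out_len)
{
	unsigned char tmp[64];
	size_t tmp_len; int ret;
	if (max > sizeof(tmp)) max = sizeof(tmp);
	if ((ret = hook_kernel_read_file(id)) ||
	    (ret = sim_read(f, tmp, max, &tmp_len)) ||
	    (ret = hook_kernel_post_read_file(tmp, tmp_len, id)))
		return ret;
	/* Second read: nothing ties these bytes to the appraised ones. */
	return sim_read(f, out, max, out_len);
}

/* New pattern: one read; appraisal runs on the very buffer that gets used. */
int load_read_once(struct sim_file *f, enum kernel_read_file_id id,
		   unsigned char *out, size_t max, size_t *out_len)
{
	int ret;
	if ((ret = hook_kernel_read_file(id)) ||
	    (ret = sim_read(f, out, max, out_len)))
		return ret;
	if ((ret = hook_kernel_post_read_file(out, *out_len, id))) {
		memset(out, 0, *out_len);	/* never hand back rejected bytes */
		*out_len = 0;
	}
	return ret;
}

/* Scratch output; race_demo() runs either loader against a file that flips to
 * EVIL_FW after the first read and reports what got loaded: 1 for GOOD_FW,
 * 2 for EVIL_FW, or the loader's negative errno. */
static unsigned char scratch[64];
static size_t scratch_len;
int race_demo(int read_once)
{
	struct sim_file f = { GOOD_FW, EVIL_FW, GOOD_FW_LEN, EVIL_FW_LEN };
	int ret = (read_once ? load_read_once : load_read_twice)
		  (&f, READING_FIRMWARE, scratch, sizeof(scratch), &scratch_len);
	if (ret)
		return ret;
	if (scratch_len == GOOD_FW_LEN && !memcmp(scratch, GOOD_FW, scratch_len))
		return 1;
	return scratch_len == EVIL_FW_LEN && !memcmp(scratch, EVIL_FW, scratch_len) ? 2 : 0;
}
```

Against the racing file, race_demo(0) returns 2: the two-read loader appraised GOOD_FW and then loaded EVIL_FW, which is the window the series closes. race_demo(1) returns 1: with a single read the appraised buffer is the loaded buffer, so the swap only matters for whoever reads next. The same load_read_once() also applies the smaller checks a shared loader makes uniform, rejecting an oversize file with -EFBIG before any bytes are copied and letting the pre-read hook refuse a reader (-EPERM) before the read happens.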

Re: [RFC PATCH v2 09/11] ima: load policy using path

2016-01-20 Thread Luis R. Rodriguez
On Mon, Jan 18, 2016 at 10:11:24AM -0500, Mimi Zohar wrote: > --- a/fs/exec.c > +++ b/fs/exec.c > @@ -903,6 +903,27 @@ out: > return ret; > } > > +int kernel_read_file_from_path(char *path, void **buf, loff_t *size, > +loff_t max_size, int policy_id) > +{ > +
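Review bot: kernel_read_file_from_path() takes a non-const `char *path` in the quoted hunk although the function only needs to read the string; declare it `const char *path` so callers such as the IMA policy loader can pass const buffers and string literals without a cast, and so the prototype itself documents that the path is not modified.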

Re: [RFC PATCH v2 02/11] vfs: define a generic function to read a file from the kernel

2016-01-19 Thread Luis R. Rodriguez
ile_contents() has historically done this, so if this generic read is going to skip that I'd like to see why. We're unifying so I rather be more pedantic. Provided this is addressed feel free to peg: Reviewed-by: Luis R. Rodriguez <mcg...@suse.com> Luis

Next kexec release

2014-02-03 Thread Luis R. Rodriguez
Hey folks, I see recent discussions about the desire for a new recent release of kexec; one such reason is kexec support on EFI systems. SUSE is also interested in this, and it'd be great if we can all sync up on supporting the same recent release. Thanks! Luis