[PATCH 3/6] firmware: differentiate between signed regulatory.db and other firmware

[PATCH 0/6] firmware: kernel signature verification · Mimi Zohar <hidden> · 2018-05-01
[PATCH 1/6] firmware: permit LSMs and IMA to fail firmware sysfs fallback loading · Mimi Zohar <hidden> · 2018-05-01
Re: [PATCH 1/6] firmware: permit LSMs and IMA to fail firmware sysfs fallback loading · "Luis R. Rodriguez" <mcgrof@kernel.org> · 2018-05-04
Re: [PATCH 1/6] firmware: permit LSMs and IMA to fail firmware sysfs fallback loading · Mimi Zohar <hidden> · 2018-05-04
[PATCH 3/6] firmware: differentiate between signed regulatory.db and other firmware · Mimi Zohar <hidden> · 2018-05-01
Re: [PATCH 3/6] firmware: differentiate between signed regulatory.db and other firmware · "Luis R. Rodriguez" <mcgrof@kernel.org> · 2018-05-04
Re: [PATCH 3/6] firmware: differentiate between signed regulatory.db and other firmware · Mimi Zohar <hidden> · 2018-05-04
Re: [PATCH 3/6] firmware: differentiate between signed regulatory.db and other firmware · "Luis R. Rodriguez" <mcgrof@kernel.org> · 2018-05-08
Re: [PATCH 3/6] firmware: differentiate between signed regulatory.db and other firmware · Mimi Zohar <hidden> · 2018-05-09
Re: [PATCH 3/6] firmware: differentiate between signed regulatory.db and other firmware · "Luis R. Rodriguez" <mcgrof@kernel.org> · 2018-05-09
Re: [PATCH 3/6] firmware: differentiate between signed regulatory.db and other firmware · Mimi Zohar <hidden> · 2018-05-09
Re: [PATCH 3/6] firmware: differentiate between signed regulatory.db and other firmware · "Luis R. Rodriguez" <mcgrof@kernel.org> · 2018-05-09
Re: [PATCH 3/6] firmware: differentiate between signed regulatory.db and other firmware · Mimi Zohar <hidden> · 2018-05-09
Re: [PATCH 3/6] firmware: differentiate between signed regulatory.db and other firmware · "Luis R. Rodriguez" <mcgrof@kernel.org> · 2018-05-09
Re: [PATCH 3/6] firmware: differentiate between signed regulatory.db and other firmware · Mimi Zohar <hidden> · 2018-05-10
Re: [PATCH 3/6] firmware: differentiate between signed regulatory.db and other firmware · "Luis R. Rodriguez" <mcgrof@kernel.org> · 2018-05-10
Re: [PATCH 3/6] firmware: differentiate between signed regulatory.db and other firmware · Mimi Zohar <hidden> · 2018-05-11
Re: [PATCH 3/6] firmware: differentiate between signed regulatory.db and other firmware · "Luis R. Rodriguez" <mcgrof@kernel.org> · 2018-05-11
Re: [PATCH 3/6] firmware: differentiate between signed regulatory.db and other firmware · Mimi Zohar <hidden> · 2018-05-14
Re: [PATCH 3/6] firmware: differentiate between signed regulatory.db and other firmware · "Luis R. Rodriguez" <mcgrof@kernel.org> · 2018-05-14
Re: [PATCH 3/6] firmware: differentiate between signed regulatory.db and other firmware · Mimi Zohar <hidden> · 2018-05-15
Re: [PATCH 3/6] firmware: differentiate between signed regulatory.db and other firmware · "Luis R. Rodriguez" <mcgrof@kernel.org> · 2018-05-15
Re: [PATCH 3/6] firmware: differentiate between signed regulatory.db and other firmware · Josh Boyer <jwboyer@kernel.org> · 2018-05-15
Re: [PATCH 3/6] firmware: differentiate between signed regulatory.db and other firmware · Mimi Zohar <hidden> · 2018-05-15
[PATCH 5/6] ima: verify kernel firmware signatures when using a preallocated buffer · Mimi Zohar <hidden> · 2018-05-01
[RFC PATCH 6/6] ima: prevent loading firmware into a pre-allocated buffer · Mimi Zohar <hidden> · 2018-05-01
Re: [RFC PATCH 6/6] ima: prevent loading firmware into a pre-allocated buffer · "Luis R. Rodriguez" <mcgrof@kernel.org> · 2018-05-04
[PATCH 4/6] ima: coordinate with signed regulatory.db · Mimi Zohar <hidden> · 2018-05-01
[PATCH 2/6] ima: prevent sysfs fallback firmware loading · Mimi Zohar <hidden> · 2018-05-01
Re: [PATCH 2/6] ima: prevent sysfs fallback firmware loading · "Luis R. Rodriguez" <mcgrof@kernel.org> · 2018-05-04

From: Mimi Zohar <hidden>
Date: 2018-05-04 00:24:26
Also in: linux-integrity, lkml

On Fri, 2018-05-04 at 00:07 +0000, Luis R. Rodriguez wrote:

On Tue, May 01, 2018 at 09:48:20AM -0400, Mimi Zohar wrote:

quoted

Allow LSMs and IMA to differentiate between signed regulatory.db and
other firmware.

Signed-off-by: Mimi Zohar <redacted>
Cc: Luis R. Rodriguez <redacted>
Cc: David Howells <dhowells@redhat.com>
Cc: Kees Cook <redacted>
Cc: Seth Forshee <redacted>
Cc: Johannes Berg <redacted>
---
 drivers/base/firmware_loader/main.c | 5 +++++
 include/linux/fs.h                  | 1 +
 2 files changed, 6 insertions(+)

diff --git a/drivers/base/firmware_loader/main.c b/drivers/base/firmware_loader/main.c
index eb34089e4299..d7cdf04a8681 100644
--- a/drivers/base/firmware_loader/main.c
+++ b/drivers/base/firmware_loader/main.c

@@ -318,6 +318,11 @@ fw_get_filesystem_firmware(struct device *device, struct fw_priv *fw_priv)
 			break;
 		}
 
+#ifdef CONFIG_CFG80211_REQUIRE_SIGNED_REGDB
+		if ((strcmp(fw_priv->fw_name, "regulatory.db") == 0) ||
+		    (strcmp(fw_priv->fw_name, "regulatory.db.p7s") == 0))
+			id = READING_FIRMWARE_REGULATORY_DB;
+#endif

Whoa, no way.

There are two methods for the kernel to verify firmware signatures.
?If both are enabled, do we require both signatures or is one enough.
Assigning a different id for regdb signed firmware allows LSMs and IMA
to handle regdb files differently.

quoted

 		fw_priv->size = 0;
 		rc = kernel_read_file_from_path(path, &fw_priv->data, &size,
 						msize, id);

diff --git a/include/linux/fs.h b/include/linux/fs.h
index dc16a73c3d38..d1153c2884b9 100644
--- a/include/linux/fs.h
+++ b/include/linux/fs.h

@@ -2811,6 +2811,7 @@ extern int do_pipe_flags(int *, int);
 	id(FIRMWARE, firmware)		\
 	id(FIRMWARE_PREALLOC_BUFFER, firmware)	\
 	id(FIRMWARE_FALLBACK, firmware)	\
+	id(FIRMWARE_REGULATORY_DB, firmware)	\

Why could IMA not appriase these files? They are part of the standard path.

The subsequent patch attempts to verify the IMA-appraisal signature,
but on failure it falls back to allowing regdb signatures. ?For
systems that only want to load firmware based on IMA-appraisal, then
regdb wouldn't be enabled.

Mimi

quoted

 	id(MODULE, kernel-module)		\
 	id(KEXEC_IMAGE, kexec-image)		\
 	id(KEXEC_INITRAMFS, kexec-initramfs)	\
-- 
2.7.5

--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help