29 Feb, 2016
1 commit
-
When we now use the new kernel_read_file_from_path() we
are reporting a failure when we iterate over all the paths
possible for firmware. Before using kernel_read_file_from_path()
we only reported a failure once we confirmed a file existed
with filp_open() but failed with fw_read_file_contents().

With kernel_read_file_from_path() both are done for us and
we obviously are now reporting too much information given that
some optional paths will always fail and clutter the logs.

fw_get_filesystem_firmware() already has a check for failure
and uses an internal flag, FW_OPT_NO_WARN, but this does not
let us capture other unexpected errors. This enables that
as changed by Neil via commit:

"firmware: Be a bit more verbose about direct firmware loading failure"

Reported-by: Heiner Kallweit
Cc: Neil Horman
Cc: Heiner Kallweit
Cc: Mimi Zohar
Cc: Kees Cook
Signed-off-by: Luis R. Rodriguez
Acked-by: Kees Cook
Acked-by: Ming Lei
Signed-off-by: James Morris
26 Feb, 2016
2 commits
-
drivers/char/tpm/tpm_tis.c:838: warning: ‘tpm_tis_resume’ defined but not used

Reported-by: James Morris
Fixes: 00194826e6be ("tpm_tis: Clean up the force=1 module parameter")
Signed-off-by: Jarkko Sakkinen
cc: stable@vger.kernel.org
22 Feb, 2016
1 commit
21 Feb, 2016
12 commits
-
Require the IMA policy to be signed when additional rules can be added.
v1:
- initialize the policy flag
- include IMA_APPRAISE_POLICY in the policy flag

Signed-off-by: Mimi Zohar
Acked-by: Petko Manolov
Acked-by: Dmitry Kasatkin
-
Add support for measuring and appraising the IMA policy itself.
Changelog v4:
- use braces on both if/else branches, even if single line on one of the
branches - Dmitry
- Use the id mapping - Dmitry

Signed-off-by: Mimi Zohar
Acked-by: Petko Manolov
Acked-by: Dmitry Kasatkin
-
We currently cannot do appraisal or signature vetting of IMA policies
since we currently can only load IMA policies by writing the contents
of the policy directly in, as follows:

    cat policy-file > /ima/policy

If we provide the kernel the path to the IMA policy so it can load
the policy itself it'd be able to later appraise or vet the file
signature if it has one. This patch adds support to load the IMA
policy with a given path as follows:

    echo /etc/ima/ima_policy > /sys/kernel/security/ima/policy

Changelog v4+:
- moved kernel_read_file_from_path() error messages to callers
v3:
- moved kernel_read_file_from_path() to a separate patch
v2:
- after re-ordering the patches, replace calling integrity_kernel_read()
to read the file with kernel_read_file_from_path() (Mimi)
- Patch description re-written by Luis R. Rodriguez

Signed-off-by: Dmitry Kasatkin
Signed-off-by: Mimi Zohar
-
Add IMA policy support for measuring/appraising the kexec image and
initramfs. Two new IMA policy identifiers KEXEC_KERNEL_CHECK and
KEXEC_INITRAMFS_CHECK are defined.

Example policy rules:
    measure func=KEXEC_KERNEL_CHECK
    appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig
    measure func=KEXEC_INITRAMFS_CHECK
    appraise func=KEXEC_INITRAMFS_CHECK appraise_type=imasig

Moving the enumeration to the vfs layer simplified the patches, allowing
the IMA changes, for the most part, to be separated from the other
changes. Unfortunately, passing either a kernel_read_file_id or a
ima_hooks enumeration within IMA is messy.

Option 1: duplicate kernel_read_file enumeration in ima_hooks

    enum kernel_read_file_id {
        ...
        READING_KEXEC_IMAGE,
        READING_KEXEC_INITRAMFS,
        READING_MAX_ID

    enum ima_hooks {
        ...
        KEXEC_KERNEL_CHECK
        KEXEC_INITRAMFS_CHECK

Option 2: define ima_hooks as extension of kernel_read_file

    eg: enum ima_hooks {
        FILE_CHECK = READING_MAX_ID,
        MMAP_CHECK,

In order to pass both kernel_read_file_id and ima_hooks values, we
would need to specify a struct containing a union.

    struct caller_id {
        union {
            enum ima_hooks func_id;
            enum kernel_read_file_id read_id;
        };
    };

Option 3: incorporate the ima_hooks enumeration into kernel_read_file_id,
perhaps changing the enumeration name.

For now, duplicate the new READING_KEXEC_IMAGE/INITRAMFS in the ima_hooks.

Changelog v4:
- replaced switch statement with a kernel_read_file_id to an ima_hooks
id mapping array - Dmitry
- renamed ima_hook tokens KEXEC_CHECK and INITRAMFS_CHECK to
KEXEC_KERNEL_CHECK and KEXEC_INITRAMFS_CHECK respectively - Dave Young

Signed-off-by: Mimi Zohar
Acked-by: Petko Manolov
Acked-by: Dmitry Kasatkin
Cc: Dave Young
-
Replace copy_file_from_fd() with kernel_read_file_from_fd().
Two new identifiers named READING_KEXEC_IMAGE and READING_KEXEC_INITRAMFS
are defined for measuring, appraising or auditing the kexec image and
initramfs.

Changelog v3:
- return -EBADF, not -ENOEXEC
- identifier change
- split patch, moving copy_file_from_fd() to a separate patch
- split patch, moving IMA changes to a separate patch
v0:
- use kstat file size type loff_t, not size_t
- Calculate the file hash from the in memory buffer - Dave Young

Signed-off-by: Mimi Zohar
Acked-by: Kees Cook
Acked-by: Luis R. Rodriguez
Cc: Eric Biederman
Acked-by: Dave Young
-
Each time a file is read by the kernel, the file should be re-measured and
the file signature re-appraised, based on policy. As there is no need to
preserve the status information, this patch replaces the firmware and
module specific cache status with a generic one named read_file.

This change simplifies adding support for other files read by the kernel.

Signed-off-by: Mimi Zohar
Acked-by: Petko Manolov
Acked-by: Dmitry Kasatkin
-
Replace copy_module_from_fd() with kernel_read_file_from_fd().
Although none of the upstreamed LSMs define a kernel_module_from_file
hook, IMA is called, based on policy, to prevent unsigned kernel modules
from being loaded by the original kernel module syscall and to
measure/appraise signed kernel modules.

The security function security_kernel_module_from_file() was called prior
to reading a kernel module. Preventing unsigned kernel modules from being
loaded by the original kernel module syscall remains on the pre-read
kernel_read_file() security hook. Instead of reading the kernel module
twice, once for measuring/appraising and again for loading the kernel
module, the signature validation is moved to the kernel_post_read_file()
security hook.

This patch removes the security_kernel_module_from_file() hook and security
call.

Signed-off-by: Mimi Zohar
Acked-by: Kees Cook
Acked-by: Luis R. Rodriguez
Cc: Rusty Russell
-
This patch defines kernel_read_file_from_fd(), a wrapper for the VFS
common kernel_read_file().

Changelog:
- Separated from the kernel modules patch
Acked-by: Kees Cook
Acked-by: Luis R. Rodriguez
Cc: Al Viro
Signed-off-by: Mimi Zohar
-
The kernel_read_file security hook is called prior to reading the file
into memory.

Changelog v4+:
- export security_kernel_read_file()

Signed-off-by: Mimi Zohar
Acked-by: Kees Cook
Acked-by: Luis R. Rodriguez
Acked-by: Casey Schaufler
-
Replace the fw_read_file_contents with kernel_file_read_from_path().
Although none of the upstreamed LSMs define a kernel_fw_from_file hook,
IMA is called by the security function to prevent unsigned firmware from
being loaded and to measure/appraise signed firmware, based on policy.

Instead of reading the firmware twice, once for measuring/appraising the
firmware and again for reading the firmware contents into memory, the
kernel_post_read_file() security hook calculates the file hash based on
the in memory file buffer. The firmware is read once.

This patch removes the LSM kernel_fw_from_file() hook and security call.

Changelog v4+:
- revert dropped buf->size assignment - reported by Sergey Senozhatsky
v3:
- remove kernel_fw_from_file hook
- use kernel_file_read_from_path() - requested by Luis
v2:
- reordered and squashed firmware patches
- fix MAX firmware size (Kees Cook)

Signed-off-by: Mimi Zohar
Acked-by: Kees Cook
Acked-by: Luis R. Rodriguez
-
This patch defines kernel_read_file_from_path(), a wrapper for the VFS
common kernel_read_file().

Changelog:
- revert error msg regression - reported by Sergey Senozhatsky
- Separated from the IMA patch

Signed-off-by: Mimi Zohar
Acked-by: Kees Cook
Acked-by: Luis R. Rodriguez
Cc: Al Viro
-
This patch defines a new IMA hook ima_post_read_file() for measuring
and appraising files read by the kernel. The caller loads the file into
memory before calling this function, which calculates the hash followed by
the normal IMA policy based processing.

Changelog v5:
- fail ima_post_read_file() if either file or buf is NULL
v3:
- rename ima_hash_and_process_file() to ima_post_read_file()
v1:
- split patch

Signed-off-by: Mimi Zohar
Acked-by: Dmitry Kasatkin
20 Feb, 2016
5 commits
-
Wrong call order.
Reported-by: Jason Gunthorpe
Fixes: 74d6b3ceaa17
Signed-off-by: Jarkko Sakkinen
cc: stable@vger.kernel.org
-
In all cases use dev_name() for the mapped resources. This is both
for sake of consistency and also with some platforms resource name
given by ACPI object seems to return garbage.

Signed-off-by: Jarkko Sakkinen
Fixes: 1bd047be37d9 ("tpm_crb: Use devm_ioremap_resource")
-
The commit 0cc698af36ff ("vTPM: support little endian guests") copied
the event, but without the event data, did an endian conversion on the
size and tried to output the event data from the copied version, which
has only one byte of the data, resulting in garbage event data.

[jarkko.sakkinen@linux.intel.com: fixed minor coding style issues and
renamed the local variable tempPtr as temp_ptr now that there is an
excuse to do this.]

Signed-off-by: Harald Hoyer
Fixes: 0cc698af36ff ("vTPM: support little endian guests")
Reviewed-by: Jarkko Sakkinen
cc: stable@vger.kernel.org
-
Call put_device() and return error code if devm_add_action() fails.
Signed-off-by: Jarkko Sakkinen
Reported-by: Jason Gunthorpe
Fixes: 8e0ee3c9faed ("tpm: fix the cleanup of struct tpm_chip")
-
It's better to set the continueSession attribute for the unseal
operation so that the session object is not removed as a side-effect
when the operation is successful. Since a user process created the
session, it should also decide when the session is destroyed.

Signed-off-by: Jarkko Sakkinen
Fixes: 5beb0c435b ("keys, trusted: seal with a TPM2 authorization policy")
19 Feb, 2016
10 commits
-
Setting up ahash has some overhead. Only use ahash to calculate the
hash of a buffer, if the buffer is larger than ima_ahash_minsize.

Signed-off-by: Mimi Zohar
Acked-by: Dmitry Kasatkin
-
This patch provides convenient buffer hash calculation function.
Changelog v3:
- fix while hash calculation - Dmitry
v1:
- rewrite to support loff_t sized buffers - Mimi
(based on Fengguang Wu's testing)

Signed-off-by: Dmitry Kasatkin
Signed-off-by: Mimi Zohar
-
To differentiate between the kernel_read_file() callers, this patch
defines a new enumeration named kernel_read_file_id and includes the
caller identifier as an argument.

Subsequent patches define READING_KEXEC_IMAGE, READING_KEXEC_INITRAMFS,
READING_FIRMWARE, READING_MODULE, and READING_POLICY.

Changelog v3:
- Replace the IMA specific enumeration with a generic one.

Signed-off-by: Mimi Zohar
Acked-by: Kees Cook
Acked-by: Luis R. Rodriguez
Cc: Al Viro
-
For a while it was looked down upon to directly read files from Linux.
These days there exists a few mechanisms in the kernel that do just
this though to load a file into a local buffer. There are minor but
important differences in the checks each performs. This patch set is the first
attempt at resolving some of these differences.

This patch introduces a common function for reading files from the kernel
with the corresponding security post-read hook and function.

Changelog v4+:
- export security_kernel_post_read_file() - Fengguang Wu
v3:
- additional bounds checking - Luis
v2:
- To simplify patch review, re-ordered patches

Signed-off-by: Mimi Zohar
Reviewed-by: Luis R. Rodriguez
Acked-by: Kees Cook
Cc: Al Viro
-
This makes the error and success paths more readable while trying to
load firmware from the filesystem.

Signed-off-by: Kees Cook
Cc: Josh Boyer
Cc: David Howells
Acked-by: Luis R. Rodriguez
Signed-off-by: Mimi Zohar
-
This will be re-used later through a new extensible interface.
Reviewed-by: Josh Boyer
Signed-off-by: Luis R. Rodriguez
Signed-off-by: Mimi Zohar
Acked-by: Kees Cook
-
Simplify a few of the *generic* shared dev_warn() and dev_dbg()
print messages for three reasons:

0) Historically firmware_class code was added to help
get device driver firmware binaries but these days
request_firmware*() helpers are being repurposed for
general *system data* needed by the kernel.

1) This will also help generalize shared code as much as possible
later in the future in consideration for a new extensible firmware
API which will enable separating usermode helper code out as much
as possible.

2) Kees Cook pointed out that the prints already have the device
associated as dev_*() helpers are used, that should help identify
the user and case in which the helpers are used. That should provide
enough context and simplifies the messages further.

v4: generalize debug/warn messages even further as suggested by
Kees Cook.

Cc: Rusty Russell
Cc: Andrew Morton
Cc: Greg Kroah-Hartman
Cc: David Howells
Cc: Kees Cook
Cc: Casey Schaufler
Cc: Ming Lei
Cc: Takashi Iwai
Cc: Vojtěch Pavlík
Cc: Kyle McMartin
Cc: Matthew Garrett
Cc: linux-kernel@vger.kernel.org
Signed-off-by: Luis R. Rodriguez
Signed-off-by: Mimi Zohar
Acked-by: Kees Cook
Signed-off-by: Greg Kroah-Hartman
-
Clean up the function arguments by using the "ima_hooks" enumerator as needed.
Signed-off-by: Mimi Zohar
Acked-by: Petko Manolov
Acked-by: Dmitry Kasatkin
-
Define and call a function to display the "ima_hooks" rules.
Signed-off-by: Mimi Zohar
Acked-by: Petko Manolov
Acked-by: Dmitry Kasatkin
-
Instead of passing pointers to pointers to ima_collect_measurement() to
read and return the 'security.ima' xattr value, this patch moves the
functionality to the calling process_measurement() to directly read
the xattr and pass only the hash algo to the ima_collect_measurement().

Signed-off-by: Dmitry Kasatkin
Signed-off-by: Mimi Zohar
17 Feb, 2016
1 commit
-
Before this commit, removing the access property of
a file, aka, the extended attribute security.SMACK64
was not effective until the cache had been cleaned.

This patch fixes that problem.

Signed-off-by: José Bollo
Acked-by: Casey Schaufler
12 Feb, 2016
1 commit
-
Prior to the 4.2 kernel there was no harm in providing
a security module hook that does nothing, as the default
hook would get called if the module did not supply one.
With the list based infrastructure an empty hook adds
overhead. This patch removes the three Smack hooks that
don't actually do anything.

Signed-off-by: Casey Schaufler
10 Feb, 2016
7 commits
-
If the initialization fails before tpm_chip_register(), put_device()
will not be called, which causes the release callback not to be called.
This patch fixes the issue by adding put_device() to the devres list of
the parent device.

Fixes: 313d21eeab ("tpm: device class for tpm")
Signed-off-by: Jarkko Sakkinen
cc: stable@vger.kernel.org
Reviewed-by: Jason Gunthorpe
-
Fixed the rollback and gave more self-documenting names for the
functions.

Fixes: d972b0523f ("tpm: fix call order in tpm-chip.c")
Signed-off-by: Jarkko Sakkinen
cc: stable@vger.kernel.org
Reviewed-by: Jason Gunthorpe
-
To support the force mode in tpm_tis we need to use resource locking
in tpm_crb as well, via devm_ioremap_resource.

The light restructuring better aligns crb and tis and makes it easier
to see that the new changes make sense.

The control area and its associated buffers do not always fall in the
range of the iomem resource given by the ACPI object. This patch fixes
the issue by mapping the buffers if this is the case.

[jarkko.sakkinen@linux.intel.com: squashed update described in the
last paragraph.]

Signed-off-by: Jason Gunthorpe
Tested-by: Jarkko Sakkinen
Reviewed-by: Jarkko Sakkinen
Acked-by: Peter Huewe
Signed-off-by: Jarkko Sakkinen
-
ioread32 and readl are defined to read from PCI style memory, ie little
endian and return the result in host order. On platforms where a
swap is required ioread32/readl do the swap internally (eg see ppc).

Signed-off-by: Jason Gunthorpe
Tested-by: Jarkko Sakkinen
Reviewed-by: Jarkko Sakkinen
Acked-by: Peter Huewe
-
The TPM core has long assumed that every device has a driver attached,
however the force path was attaching the TPM core outside of a driver
context. This isn't generally reliable as the user could detach the
driver using sysfs or something, but commit b8b2c7d845d5 ("base/platform:
assert that dev_pm_domain callbacks are called unconditionally")
forced the issue by leaving the driver pointer NULL if there is
no probe.

Rework the TPM setup to create a platform device with resources and
then allow the driver core to naturally bind and probe it through the
normal mechanisms. All this structure is needed anyhow to enable TPM
for OF environments.

Finally, since the entire flow is changing convert the init/exit to use
the modern ifdef-less coding style when possible.

Reported-by: "Wilck, Martin"
Signed-off-by: Jason Gunthorpe
Tested-by: Wilck, Martin
Tested-by: Jarkko Sakkinen
Reviewed-by: Jarkko Sakkinen
Acked-by: Peter Huewe
-
This does a request_resource under the covers which means tis holds a
lock on the memory range it is using so other drivers cannot grab it.
When doing probing it is important to ensure that other drivers are
not using the same range before tis starts touching it.

To do this flow the actual struct resource from the device right
through to devm_ioremap_resource. This ensures all the proper resource
meta-data is carried down.

Signed-off-by: Jason Gunthorpe
Tested-by: Wilck, Martin
Tested-by: Jarkko Sakkinen
Reviewed-by: Jarkko Sakkinen
Acked-by: Peter Huewe
-
If the ACPI tables do not declare a memory resource for the TPM2
then do not just fall back to the x86 default base address.

Also be stricter when checking the ancillary TPM2 ACPI data and error
out if any of this data is wrong rather than blindly assuming TPM1.

Fixes: 399235dc6e95 ("tpm, tpm_tis: fix tpm_tis ACPI detection issue with TPM 2.0")
Signed-off-by: Jason Gunthorpe
Tested-by: Wilck, Martin
Tested-by: Jarkko Sakkinen
Reviewed-by: Jarkko Sakkinen
Acked-by: Peter Huewe