Re: [PATCH 3/6] firmware: differentiate between signed regulatory.db and other firmware

2018-05-15 Thread Mimi Zohar
On Tue, 2018-05-15 at 08:32 -0400, Josh Boyer wrote: > One aspect that was always a concern to some is whether the firmware files > were modified directly to have the signature attached to them. That may > run afoul of the "no modification" license that most blobs are shipped > under. Does IMA

Re: [PATCH 3/6] firmware: differentiate between signed regulatory.db and other firmware

2018-05-15 Thread Josh Boyer
On Mon, May 14, 2018 at 11:27 PM Luis R. Rodriguez wrote: > On Mon, May 14, 2018 at 10:02:31PM -0400, Mimi Zohar wrote: > > On Mon, 2018-05-14 at 19:28 +, Luis R. Rodriguez wrote: > > > > - CONFIG_IMA_APPRAISE is not fine enough grained. > > > > > > > > The

Re: [PATCH 3/6] firmware: differentiate between signed regulatory.db and other firmware

2018-05-14 Thread Luis R. Rodriguez
On Mon, May 14, 2018 at 10:02:31PM -0400, Mimi Zohar wrote: > On Mon, 2018-05-14 at 19:28 +, Luis R. Rodriguez wrote: > > > - CONFIG_IMA_APPRAISE is not fine enough grained. > > > > > > The CONFIG_IMA_APPRAISE_FIRMWARE will be a Kconfig option.  Similar > > > Kconfig options will require

Re: [PATCH 3/6] firmware: differentiate between signed regulatory.db and other firmware

2018-05-14 Thread Mimi Zohar
On Mon, 2018-05-14 at 19:28 +, Luis R. Rodriguez wrote: [...] > > At runtime, in the case > > that regdb is enabled and a custom policy requires IMA-appraisal > > firmware signature verification, then both signature verification > > methods will verify the signatures.  If either fails, then

Re: [PATCH 3/6] firmware: differentiate between signed regulatory.db and other firmware

2018-05-14 Thread Luis R. Rodriguez
On Mon, May 14, 2018 at 08:58:12AM -0400, Mimi Zohar wrote: > On Fri, 2018-05-11 at 21:52 +, Luis R. Rodriguez wrote: > > diff --git a/drivers/base/firmware_loader/main.c > > b/drivers/base/firmware_loader/main.c > > index eb34089e4299..d7cdf04a8681 100644 > > ---

Re: [PATCH 3/6] firmware: differentiate between signed regulatory.db and other firmware

2018-05-14 Thread Mimi Zohar
On Fri, 2018-05-11 at 21:52 +, Luis R. Rodriguez wrote: > On Fri, May 11, 2018 at 01:00:26AM -0400, Mimi Zohar wrote: > > On Thu, 2018-05-10 at 23:26 +, Luis R. Rodriguez wrote: > > > On Wed, May 09, 2018 at 10:00:58PM -0400, Mimi Zohar wrote: > > > > On Wed, 2018-05-09 at 23:48 +,

Re: [PATCH 3/6] firmware: differentiate between signed regulatory.db and other firmware

2018-05-11 Thread Luis R. Rodriguez
On Fri, May 11, 2018 at 01:00:26AM -0400, Mimi Zohar wrote: > On Thu, 2018-05-10 at 23:26 +, Luis R. Rodriguez wrote: > > On Wed, May 09, 2018 at 10:00:58PM -0400, Mimi Zohar wrote: > > > On Wed, 2018-05-09 at 23:48 +, Luis R. Rodriguez wrote: > > > > On Wed, May 09, 2018 at 06:06:57PM

Re: [PATCH 3/6] firmware: differentiate between signed regulatory.db and other firmware

2018-05-10 Thread Mimi Zohar
On Thu, 2018-05-10 at 23:26 +, Luis R. Rodriguez wrote: > On Wed, May 09, 2018 at 10:00:58PM -0400, Mimi Zohar wrote: > > On Wed, 2018-05-09 at 23:48 +, Luis R. Rodriguez wrote: > > > On Wed, May 09, 2018 at 06:06:57PM -0400, Mimi Zohar wrote: > > > > > > > > Yes, writing regdb as a

Re: [PATCH 3/6] firmware: differentiate between signed regulatory.db and other firmware

2018-05-10 Thread Luis R. Rodriguez
On Wed, May 09, 2018 at 10:00:58PM -0400, Mimi Zohar wrote: > On Wed, 2018-05-09 at 23:48 +, Luis R. Rodriguez wrote: > > On Wed, May 09, 2018 at 06:06:57PM -0400, Mimi Zohar wrote: > > > > > > Yes, writing regdb as a micro/mini LSM sounds reasonable.  The LSM > > > > > would differentiate

Re: [PATCH 3/6] firmware: differentiate between signed regulatory.db and other firmware

2018-05-09 Thread Mimi Zohar
On Wed, 2018-05-09 at 23:48 +, Luis R. Rodriguez wrote: > On Wed, May 09, 2018 at 06:06:57PM -0400, Mimi Zohar wrote: > > On Wed, 2018-05-09 at 21:22 +, Luis R. Rodriguez wrote: > > > > > > OK, its still not clear to what it will do. If it does not touch the > > > firmware > > > loader

Re: [PATCH 3/6] firmware: differentiate between signed regulatory.db and other firmware

2018-05-09 Thread Luis R. Rodriguez
On Wed, May 09, 2018 at 06:06:57PM -0400, Mimi Zohar wrote: > On Wed, 2018-05-09 at 21:22 +, Luis R. Rodriguez wrote: > > > > OK, its still not clear to what it will do. If it does not touch the > > firmware > > loader code, and it just sets and configures IMA to do file signature > >

Re: [PATCH 3/6] firmware: differentiate between signed regulatory.db and other firmware

2018-05-09 Thread Mimi Zohar
On Wed, 2018-05-09 at 21:22 +, Luis R. Rodriguez wrote: > On Wed, May 09, 2018 at 03:57:18PM -0400, Mimi Zohar wrote: > > On Wed, 2018-05-09 at 19:15 +, Luis R. Rodriguez wrote: > > > > > > > > If both are enabled, do we require both signatures or is one enough. > > > > > > > > > > Good

Re: [PATCH 3/6] firmware: differentiate between signed regulatory.db and other firmware

2018-05-09 Thread Luis R. Rodriguez
On Wed, May 09, 2018 at 03:57:18PM -0400, Mimi Zohar wrote: > On Wed, 2018-05-09 at 19:15 +, Luis R. Rodriguez wrote: > > > > > > If both are enabled, do we require both signatures or is one enough. > > > > > > > > Good question. Considering it as a stacked LSM (although not implemented > >

Re: [PATCH 3/6] firmware: differentiate between signed regulatory.db and other firmware

2018-05-09 Thread Mimi Zohar
On Wed, 2018-05-09 at 19:15 +, Luis R. Rodriguez wrote: > > > > If both are enabled, do we require both signatures or is one enough. > > > > > > Good question. Considering it as a stacked LSM (although not implemented > > > as one), I'd say its up to who enabled the Kconfig entries. If IMA

Re: [PATCH 3/6] firmware: differentiate between signed regulatory.db and other firmware

2018-05-09 Thread Luis R. Rodriguez
On Wed, May 09, 2018 at 07:30:28AM -0400, Mimi Zohar wrote: > On Tue, 2018-05-08 at 17:34 +, Luis R. Rodriguez wrote: > > On Thu, May 03, 2018 at 08:24:26PM -0400, Mimi Zohar wrote: > > > On Fri, 2018-05-04 at 00:07 +, Luis R. Rodriguez wrote: > > > > On Tue, May 01, 2018 at 09:48:20AM

Re: [PATCH 3/6] firmware: differentiate between signed regulatory.db and other firmware

2018-05-09 Thread Mimi Zohar
On Tue, 2018-05-08 at 17:34 +, Luis R. Rodriguez wrote: > On Thu, May 03, 2018 at 08:24:26PM -0400, Mimi Zohar wrote: > > On Fri, 2018-05-04 at 00:07 +, Luis R. Rodriguez wrote: > > > On Tue, May 01, 2018 at 09:48:20AM -0400, Mimi Zohar wrote: > > > > Allow LSMs and IMA to differentiate

Re: [PATCH 3/6] firmware: differentiate between signed regulatory.db and other firmware

2018-05-08 Thread Luis R. Rodriguez
On Thu, May 03, 2018 at 08:24:26PM -0400, Mimi Zohar wrote: > On Fri, 2018-05-04 at 00:07 +, Luis R. Rodriguez wrote: > > On Tue, May 01, 2018 at 09:48:20AM -0400, Mimi Zohar wrote: > > > Allow LSMs and IMA to differentiate between signed regulatory.db and > > > other firmware. > > > > > >

Re: [PATCH 3/6] firmware: differentiate between signed regulatory.db and other firmware

2018-05-03 Thread Mimi Zohar
On Fri, 2018-05-04 at 00:07 +, Luis R. Rodriguez wrote: > On Tue, May 01, 2018 at 09:48:20AM -0400, Mimi Zohar wrote: > > Allow LSMs and IMA to differentiate between signed regulatory.db and > > other firmware. > > > > Signed-off-by: Mimi Zohar > > Cc: Luis R.

Re: [PATCH 3/6] firmware: differentiate between signed regulatory.db and other firmware

2018-05-03 Thread Luis R. Rodriguez
On Tue, May 01, 2018 at 09:48:20AM -0400, Mimi Zohar wrote: > Allow LSMs and IMA to differentiate between signed regulatory.db and > other firmware. > > Signed-off-by: Mimi Zohar > Cc: Luis R. Rodriguez > Cc: David Howells > Cc:

[PATCH 3/6] firmware: differentiate between signed regulatory.db and other firmware

2018-05-01 Thread Mimi Zohar
Allow LSMs and IMA to differentiate between signed regulatory.db and other firmware. Signed-off-by: Mimi Zohar Cc: Luis R. Rodriguez Cc: David Howells Cc: Kees Cook Cc: Seth Forshee