On Wed, Jul 29, 2020 at 02:10:18PM -0400, Mimi Zohar wrote:
> Actually, the partial firmware read should be calling security_kernel_read_file().

Yup, it does[1], and when "whole_file" is true, it will call security_kernel_post_read_file() with the buffer contents at the end.

> The sysfs firmware fallback is calling security_kernel_load_data().

Correct[2]; it has no file associated with it (same as the EFI platform source).

> Which firmware is calling security_kernel_post_load_data()?

sysfs and platform both call it[2], matched with their security_kernel_load_data() calls.

-Kees

[1] v4 patch 14: "fs/kernel_file_read: Add "offset" arg for partial reads" https://lore.kernel.org/lkml/20200729175845.1745471-1-keescook@chromium.org/...
[2] v4 patch 10: "firmware_loader: Use security_post_load_data()" https://lore.kernel.org/lkml/20200729175845.1745471-1-keescook@chromium.org/...