Re: [PATCH] firmware: export x86_64 platform flash bios region via sysfs

From: Hans-Gert Dahmen
Date: Fri Jun 25 2021 - 09:54:43 EST

Next message: Ricardo Ribalda: "Re: [PATCH v10 21/21] media: uvcvideo: Return -EACCES to inactive controls"
Previous message: kernel test robot: "[rcu:dev.2021.06.22a] BUILD SUCCESS 14bf352718c90d9097b36bdab8a5d7c1ffcdd802"
In reply to: gregkh@xxxxxxxxxxxxxxxxxxx: "Re: [PATCH] firmware: export x86_64 platform flash bios region via sysfs"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi,

this is the first time I am working on the Linux kernel, so please excuse that I overlooked some things.

On 22.06.21 22:02, Greg KH wrote:

On Tue, Jun 22, 2021 at 04:23:34PM +0200, Hans-Gert Dahmen wrote:

Make the 16MiB long memory-mapped BIOS region of the platform SPI flash
on X86_64 system available via /sys/kernel/firmware/flash_mmap/bios_region
for pen-testing, security analysis and malware detection on kernels
which restrict module loading and/or access to /dev/mem.

It will be used by the open source Converged Security Suite.
https://github.com/9elements/converged-security-suite

Signed-off-by: Hans-Gert Dahmen <hans-gert.dahmen@xxxxxxx>
---
drivers/firmware/Kconfig | 9 ++++
drivers/firmware/Makefile | 1 +
drivers/firmware/x86_64_flash_mmap.c | 65 ++++++++++++++++++++++++++++
3 files changed, 75 insertions(+)
create mode 100644 drivers/firmware/x86_64_flash_mmap.c

diff --git a/drivers/firmware/Kconfig b/drivers/firmware/Kconfig
index db0ea2d2d75a..bd77ca2b4fa6 100644
--- a/drivers/firmware/Kconfig
+++ b/drivers/firmware/Kconfig
@@ -296,6 +296,15 @@ config TURRIS_MOX_RWTM
other manufacturing data and also utilize the Entropy Bit Generator
for hardware random number generation.
+config X86_64_FLASH_MMAP
+ tristate "Export platform flash memory-mapped BIOS region"
+ depends on X86_64
+ help
+ Export the memory-mapped BIOS region of the platform SPI flash as
+ a read-only sysfs binary attribute on X86_64 systems. The first 16MiB
+ will be accessible via /sys/kernel/firmware/flash_mmap/bios_region
+ for security and malware analysis for example.

Module name information here?

Can this be auto-loaded based on hardware-specific values somewhere?
Otherwise it just looks like if this module loads, it will "always
work"?

And why would you want to map the bios into userspace?

What bios, UEFI?

And you need a Documentation/ABI/ update for new sysfs files.

The core use-case is security analysis and detecting BIOS/UEFI malware. It is going to be used by the open-source Converged Security Suite developed by Facebook, Google and 9elements security. The CSS dissects UEFI binaries and checks it for common vulnerabilities.

The current state is that there are some drivers to access the SPI flash bit they are in a questionable state and often don't work. Using this memory mapped region works most of the time without requiring a real hardware driver and significantly lowers the barrier to asses UEFI security of systems deployed in the wild.

In another mail I have shown that this can safely be done on Intel systems so I will make this module load on Intel systems for now and also fix the documentation.

+
source "drivers/firmware/broadcom/Kconfig"
source "drivers/firmware/google/Kconfig"
source "drivers/firmware/efi/Kconfig"
diff --git a/drivers/firmware/Makefile b/drivers/firmware/Makefile
index 5e013b6a3692..eb7483c5a2ac 100644
--- a/drivers/firmware/Makefile
+++ b/drivers/firmware/Makefile
@@ -21,6 +21,7 @@ obj-$(CONFIG_QCOM_SCM) += qcom_scm.o qcom_scm-smc.o qcom_scm-legacy.o
obj-$(CONFIG_TI_SCI_PROTOCOL) += ti_sci.o
obj-$(CONFIG_TRUSTED_FOUNDATIONS) += trusted_foundations.o
obj-$(CONFIG_TURRIS_MOX_RWTM) += turris-mox-rwtm.o
+obj-$(CONFIG_X86_64_FLASH_MMAP) += x86_64_flash_mmap.o
obj-y += arm_scmi/
obj-y += broadcom/
diff --git a/drivers/firmware/x86_64_flash_mmap.c b/drivers/firmware/x86_64_flash_mmap.c
new file mode 100644
index 000000000000..f9d871a8b516
--- /dev/null
+++ b/drivers/firmware/x86_64_flash_mmap.c
@@ -0,0 +1,65 @@
+// SPDX-License-Identifier: GPL-2.0
+/*
+ * Export the memory-mapped BIOS region of the platform SPI flash as
+ * a read-only sysfs binary attribute on X86_64 systems.
+ *
+ * Copyright © 2021 immune GmbH
+ */
+
+#include <linux/version.h>
+#include <linux/init.h>
+#include <linux/module.h>
+#include <linux/io.h>
+#include <linux/sysfs.h>
+#include <linux/kobject.h>
+
+#define FLASH_REGION_START 0xFF000000ULL
+#define FLASH_REGION_SIZE 0x1000000ULL

Where do these values come from?

I have listed the relevant Intel datasheets in another mail in this thread.

+#define FLASH_REGION_MASK (FLASH_REGION_SIZE - 1)
+
+struct kobject *kobj_ref;

Only 1? Not per-hardware-device?

Yes, there is only one BIOS/UEFI that is configured to actively boot the system. This method is not suitable to access shadow flash chips or other wild things that mainboard manufacturers did in the past.

+
+static ssize_t bios_region_read(struct file *file, struct kobject *kobj,
+ struct bin_attribute *bin_attr, char *buffer,
+ loff_t offset, size_t count)
+{
+ resource_size_t pa = FLASH_REGION_START + (offset & FLASH_REGION_MASK);
+ void __iomem *va = ioremap(pa, PAGE_SIZE);

Why PAGE_SIZE?

Please correct me if I'm wrong: the documentation is sparse and from what I could see in the sources it appears that binary attributes pass a page sized buffer around. I was assuming that the offset parameter would be page aligned.

+
+ memcpy_fromio(buffer, va, PAGE_SIZE);
+ iounmap(va);
+
+ return min(count, PAGE_SIZE);
+}
+
+BIN_ATTR_RO(bios_region, FLASH_REGION_SIZE);
+
+static int __init flash_mmap_init(void)
+{
+ int ret = 0;
+
+ kobj_ref = kobject_create_and_add("flash_mmap", firmware_kobj);
+ ret = sysfs_create_bin_file(kobj_ref, &bin_attr_bios_region);

You just raced with userspace and lost :(

I have taken inspiration from other modules. The documentation doesn't say a lot. Could somebody point me to a proper example somewhere in the source?

Please make a sysfs attribute part of a default "group" for a kobject.
But as you are using a "raw" kobject here, that feels really wrong to
me. Isn't this some sort of platform device really? Why not go that
way, why tie this to the firmware subsystem?

What this module provides read access to is the firmware. I am new to Linux kernel development and found it quite hard to decide where to put this. Suggestions are welcome.

+ if (ret) {
+ pr_err("sysfs_create_bin_file failed\n");
+ goto error;
+ }
+
+ return ret;

So this just "always works"? That feels VERY dangerous.

Will change that.

As this is a x86 thing, you should also cc: the x86 maintainers.

Will do.

thanks,

greg k-h

Hans-Gert Dahmen

Next message: Ricardo Ribalda: "Re: [PATCH v10 21/21] media: uvcvideo: Return -EACCES to inactive controls"
Previous message: kernel test robot: "[rcu:dev.2021.06.22a] BUILD SUCCESS 14bf352718c90d9097b36bdab8a5d7c1ffcdd802"
In reply to: gregkh@xxxxxxxxxxxxxxxxxxx: "Re: [PATCH] firmware: export x86_64 platform flash bios region via sysfs"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]