thunderbolt: Correct access permissions for active NVM contents
authorMika Westerberg <mika.westerberg@linux.intel.com>
Thu, 29 Jun 2017 11:19:50 +0000 (14:19 +0300)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 17 Jul 2017 13:55:08 +0000 (15:55 +0200)
Firmware upgrade tools that decide which NVM image should be uploaded to
the Thunderbolt controller need to access active parts of the NVM even
if they are not run as root. The information in active NVM is not
considered security critical so we can use the default permissions set
by the NVMem framework.

Writing the NVM image is still left as root only operation.

While there mark the active NVM as read-only in the filesystem.

Reported-by: Yehezkel Bernat <yehezkel.bernat@intel.com>
Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Signed-off-by: Andreas Noever <andreas.noever@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
drivers/thunderbolt/switch.c

index ab3e8f410444498c49d0c43c86c93d12fc016cbf..40219a7063099674f1e7144cfb32d5753138f7ce 100644 (file)
@@ -281,9 +281,11 @@ static struct nvmem_device *register_nvmem(struct tb_switch *sw, int id,
        if (active) {
                config.name = "nvm_active";
                config.reg_read = tb_switch_nvm_read;
+               config.read_only = true;
        } else {
                config.name = "nvm_non_active";
                config.reg_write = tb_switch_nvm_write;
+               config.root_only = true;
        }
 
        config.id = id;
@@ -292,7 +294,6 @@ static struct nvmem_device *register_nvmem(struct tb_switch *sw, int id,
        config.size = size;
        config.dev = &sw->dev;
        config.owner = THIS_MODULE;
-       config.root_only = true;
        config.priv = sw;
 
        return nvmem_register(&config);