Commit 800161bd authored Jun 29, 2017 by Mika Westerberg Committed by Greg Kroah-Hartman Jul 17, 2017

thunderbolt: Correct access permissions for active NVM contents



Firmware upgrade tools that decide which NVM image should be uploaded to
the Thunderbolt controller need to access active parts of the NVM even
if they are not run as root. The information in active NVM is not
considered security critical so we can use the default permissions set
by the NVMem framework.

Writing the NVM image is still left as root only operation.

While there mark the active NVM as read-only in the filesystem.

Reported-by: Yehezkel Bernat <yehezkel.bernat@intel.com>
Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Signed-off-by: Andreas Noever <andreas.noever@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

parent 6463a457

drivers/thunderbolt/switch.c

+2 −1

Original line number	Diff line number	Diff line
		@@ -281,9 +281,11 @@ static struct nvmem_device register_nvmem(struct tb_switch sw, int id,
		if (active) {
		config.name = "nvm_active";
		config.reg_read = tb_switch_nvm_read;
		config.read_only = true;
		} else {
		config.name = "nvm_non_active";
		config.reg_write = tb_switch_nvm_write;
		config.root_only = true;
		}

		config.id = id;
		@@ -292,7 +294,6 @@ static struct nvmem_device register_nvmem(struct tb_switch sw, int id,
		config.size = size;
		config.dev = &sw->dev;
		config.owner = THIS_MODULE;
		config.root_only = true;
		config.priv = sw;

		return nvmem_register(&config);