From: Kees Cook <keescook@chromium.org>
To: Matthias Kaehlcke <mka@chromium.org>
Cc: Alasdair Kergon <agk@redhat.com>,
Mike Snitzer <snitzer@kernel.org>,
James Morris <jmorris@namei.org>,
"Serge E . Hallyn" <serge@hallyn.com>,
linux-kernel@vger.kernel.org,
linux-security-module@vger.kernel.org, dm-devel@redhat.com,
linux-raid@vger.kernel.org,
Douglas Anderson <dianders@chromium.org>,
Song Liu <song@kernel.org>
Subject: Re: [PATCH v2 2/3] LoadPin: Enable loading from trusted dm-verity devices
Date: Sat, 30 Apr 2022 23:21:54 -0700 [thread overview]
Message-ID: <202204302316.AF04961@keescook> (raw)
In-Reply-To: <20220426143059.v2.2.I01c67af41d2f6525c6d023101671d7339a9bc8b5@changeid>
On Tue, Apr 26, 2022 at 02:31:09PM -0700, Matthias Kaehlcke wrote:
> I'm still doubting what would be the best way to configure
> the list of trusted digests. The approach in v2 of writing
> a path through sysctl is flexible, but it also feels a bit
> odd. I did some experiments with passing a file descriptor
> through sysctl, but it's also odd and has its own issues.
> Passing the list through a kernel parameter seems hacky.
> A Kconfig string would work, but can be have issues when
> the same config is used for different platforms, where
> some may have trusted digests and others not.
I prefer the idea of passing an fd, since that can just use LoadPin
itself to verify the origin of the fd.
I also agree, though, that it's weird as a sysctl. Possible thoughts:
- make it a new ioctl on /dev/mapper/control (seems reasonable given
that it's specifically about dm devices).
- have LoadPin grow a securityfs node, maybe something like
/sys/kernel/security/loadpin/dm-verify and do the ioctl there (seems
reasonable given that it's specifically about LoadPin, but is perhaps
more overhead to built the securityfs).
--
Kees Cook
WARNING: multiple messages have this Message-ID (diff)
From: Kees Cook <keescook@chromium.org>
To: Matthias Kaehlcke <mka@chromium.org>
Cc: Douglas Anderson <dianders@chromium.org>,
dm-devel@redhat.com, Mike Snitzer <snitzer@kernel.org>,
linux-kernel@vger.kernel.org, James Morris <jmorris@namei.org>,
linux-raid@vger.kernel.org, Song Liu <song@kernel.org>,
linux-security-module@vger.kernel.org,
Alasdair Kergon <agk@redhat.com>,
"Serge E . Hallyn" <serge@hallyn.com>
Subject: Re: [dm-devel] [PATCH v2 2/3] LoadPin: Enable loading from trusted dm-verity devices
Date: Sat, 30 Apr 2022 23:21:54 -0700 [thread overview]
Message-ID: <202204302316.AF04961@keescook> (raw)
In-Reply-To: <20220426143059.v2.2.I01c67af41d2f6525c6d023101671d7339a9bc8b5@changeid>
On Tue, Apr 26, 2022 at 02:31:09PM -0700, Matthias Kaehlcke wrote:
> I'm still doubting what would be the best way to configure
> the list of trusted digests. The approach in v2 of writing
> a path through sysctl is flexible, but it also feels a bit
> odd. I did some experiments with passing a file descriptor
> through sysctl, but it's also odd and has its own issues.
> Passing the list through a kernel parameter seems hacky.
> A Kconfig string would work, but can be have issues when
> the same config is used for different platforms, where
> some may have trusted digests and others not.
I prefer the idea of passing an fd, since that can just use LoadPin
itself to verify the origin of the fd.
I also agree, though, that it's weird as a sysctl. Possible thoughts:
- make it a new ioctl on /dev/mapper/control (seems reasonable given
that it's specifically about dm devices).
- have LoadPin grow a securityfs node, maybe something like
/sys/kernel/security/loadpin/dm-verify and do the ioctl there (seems
reasonable given that it's specifically about LoadPin, but is perhaps
more overhead to built the securityfs).
--
Kees Cook
--
dm-devel mailing list
dm-devel@redhat.com
https://listman.redhat.com/mailman/listinfo/dm-devel
next prev parent reply other threads:[~2022-05-01 6:22 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-04-26 21:31 [PATCH v2 0/3] LoadPin: Enable loading from trusted dm-verity devices Matthias Kaehlcke
2022-04-26 21:31 ` [dm-devel] " Matthias Kaehlcke
2022-04-26 21:31 ` [PATCH v2 1/3] dm: Add verity helpers for LoadPin Matthias Kaehlcke
2022-04-26 21:31 ` [dm-devel] " Matthias Kaehlcke
2022-04-26 21:31 ` [PATCH v2 2/3] LoadPin: Enable loading from trusted dm-verity devices Matthias Kaehlcke
2022-04-26 21:31 ` [dm-devel] " Matthias Kaehlcke
2022-04-27 16:06 ` kernel test robot
2022-04-27 16:06 ` kernel test robot
2022-04-28 1:59 ` kernel test robot
2022-04-28 1:59 ` [dm-devel] " kernel test robot
2022-05-01 6:21 ` Kees Cook [this message]
2022-05-01 6:21 ` Kees Cook
2022-05-02 22:44 ` Matthias Kaehlcke
2022-05-02 22:44 ` [dm-devel] " Matthias Kaehlcke
2022-04-26 21:31 ` [PATCH v2 3/3] dm: verity-loadpin: Use CONFIG_SECURITY_LOADPIN_VERITY for conditional compilation Matthias Kaehlcke
2022-04-26 21:31 ` [dm-devel] " Matthias Kaehlcke
2022-04-28 5:32 ` [PATCH v2 0/3] LoadPin: Enable loading from trusted dm-verity devices Paul Menzel
2022-04-28 5:32 ` [dm-devel] " Paul Menzel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202204302316.AF04961@keescook \
--to=keescook@chromium.org \
--cc=agk@redhat.com \
--cc=dianders@chromium.org \
--cc=dm-devel@redhat.com \
--cc=jmorris@namei.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-raid@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mka@chromium.org \
--cc=serge@hallyn.com \
--cc=snitzer@kernel.org \
--cc=song@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.