Date: Thu, 27 Aug 2020 22:15:36 +0200
From: Antony Antony
To: Antony Antony
CC: David Miller
Subject: Re: [PATCH ipsec-next v3] xfrm: add /proc/sys/core/net/xfrm_redact_secret
Message-ID: <20200827201536.GB11789@moon.secunet.de>
References: <20200728154342.GA31835@moon.secunet.de> <20200820183549.GA823@moon.secunet.de> <20200820.154222.114300229292925699.davem@davemloft.net> <20200824060038.GA24035@moon.secunet.de>
In-Reply-To: <20200824060038.GA24035@moon.secunet.de>
Organization: secunet
User-Agent: Mutt/1.10.1 (2018-07-13)
X-Mailing-List: netdev@vger.kernel.org

Hi David,

On Mon, Aug 24, 2020 at 08:00:38 +0200, Antony Antony wrote:
> On Thu, Aug 20, 2020 at 15:42:22 -0700, David Miller wrote:
> > From: Antony Antony
> > Date: Thu, 20 Aug 2020 20:35:49 +0200
> >
> > > Redacting secret is a FIPS 140-2 requirement.
> >
> > Why not control this via the kernel lockdown mode rather than making
> > an ad-hoc API for this?
>
> Let me try to use kernel lockdown mode. Thanks for the idea.
>
> From a quick googling I guess it would be part of "lockdown=confidentiality".
> I wonder if kernel lockdown would allow disabling just this one feature independent of other lockdowns.

I looked at the kernel lockdown mode code and documentation. I am thinking xfrm_redact is probably not a kernel lockdown mode feature. There is no kernel lockdown setting per net namespace. During initial discussions of xfrm_redact we thought per namespace would be useful in some use cases.

If there is a way to set lockdown per net namespace it would be better than /proc/sys/core/net/xfrm_redact_secret.