From: Matthias Kaehlcke <mka@chromium.org>
To: Kees Cook <keescook@chromium.org>
Cc: Alasdair Kergon <agk@redhat.com>,
Mike Snitzer <snitzer@kernel.org>,
James Morris <jmorris@namei.org>,
"Serge E . Hallyn" <serge@hallyn.com>,
linux-kernel@vger.kernel.org,
linux-security-module@vger.kernel.org, dm-devel@redhat.com,
linux-raid@vger.kernel.org,
Douglas Anderson <dianders@chromium.org>,
Song Liu <song@kernel.org>
Subject: Re: [PATCH v2 2/3] LoadPin: Enable loading from trusted dm-verity devices
Date: Mon, 2 May 2022 15:44:56 -0700 [thread overview]
Message-ID: <YnBe6K72iKSDSqk9@google.com> (raw)
In-Reply-To: <202204302316.AF04961@keescook>
On Sat, Apr 30, 2022 at 11:21:54PM -0700, Kees Cook wrote:
> On Tue, Apr 26, 2022 at 02:31:09PM -0700, Matthias Kaehlcke wrote:
> > I'm still doubting what would be the best way to configure
> > the list of trusted digests. The approach in v2 of writing
> > a path through sysctl is flexible, but it also feels a bit
> > odd. I did some experiments with passing a file descriptor
> > through sysctl, but it's also odd and has its own issues.
> > Passing the list through a kernel parameter seems hacky.
> > A Kconfig string would work, but can be have issues when
> > the same config is used for different platforms, where
> > some may have trusted digests and others not.
>
> I prefer the idea of passing an fd, since that can just use LoadPin
> itself to verify the origin of the fd.
>
> I also agree, though, that it's weird as a sysctl. Possible thoughts:
>
> - make it a new ioctl on /dev/mapper/control (seems reasonable given
> that it's specifically about dm devices).
> - have LoadPin grow a securityfs node, maybe something like
> /sys/kernel/security/loadpin/dm-verify and do the ioctl there (seems
> reasonable given that it's specifically about LoadPin, but is perhaps
> more overhead to built the securityfs).
Thanks for your feedback!
Agreed that an ioctl is preferable over a sysctl interface. I wasn't aware
of securityfs and prefer it over a /dev/mapper/control ioctl. Ultimately
the list of digests is meaningful to LoadPin, not (directly) to the device
mapper / verity. I'm not sure how well this feature of integrating LoadPin
with verity will be by the verity maintainers in the first place, it's
probably best to limit the LoadPin specific stuff in verity to a minimum.
I experimented a bit with the securityfs option, building it doesn't seem
too much of an overhead. If loadpin.c ends up too cluttered with the
verity and securityfs stuff I could try to outsource some of it to (a)
dedicated file(s).
WARNING: multiple messages have this Message-ID (diff)
From: Matthias Kaehlcke <mka@chromium.org>
To: Kees Cook <keescook@chromium.org>
Cc: Douglas Anderson <dianders@chromium.org>,
dm-devel@redhat.com, Mike Snitzer <snitzer@kernel.org>,
linux-kernel@vger.kernel.org, James Morris <jmorris@namei.org>,
linux-raid@vger.kernel.org, Song Liu <song@kernel.org>,
linux-security-module@vger.kernel.org,
Alasdair Kergon <agk@redhat.com>,
"Serge E . Hallyn" <serge@hallyn.com>
Subject: Re: [dm-devel] [PATCH v2 2/3] LoadPin: Enable loading from trusted dm-verity devices
Date: Mon, 2 May 2022 15:44:56 -0700 [thread overview]
Message-ID: <YnBe6K72iKSDSqk9@google.com> (raw)
In-Reply-To: <202204302316.AF04961@keescook>
On Sat, Apr 30, 2022 at 11:21:54PM -0700, Kees Cook wrote:
> On Tue, Apr 26, 2022 at 02:31:09PM -0700, Matthias Kaehlcke wrote:
> > I'm still doubting what would be the best way to configure
> > the list of trusted digests. The approach in v2 of writing
> > a path through sysctl is flexible, but it also feels a bit
> > odd. I did some experiments with passing a file descriptor
> > through sysctl, but it's also odd and has its own issues.
> > Passing the list through a kernel parameter seems hacky.
> > A Kconfig string would work, but can be have issues when
> > the same config is used for different platforms, where
> > some may have trusted digests and others not.
>
> I prefer the idea of passing an fd, since that can just use LoadPin
> itself to verify the origin of the fd.
>
> I also agree, though, that it's weird as a sysctl. Possible thoughts:
>
> - make it a new ioctl on /dev/mapper/control (seems reasonable given
> that it's specifically about dm devices).
> - have LoadPin grow a securityfs node, maybe something like
> /sys/kernel/security/loadpin/dm-verify and do the ioctl there (seems
> reasonable given that it's specifically about LoadPin, but is perhaps
> more overhead to built the securityfs).
Thanks for your feedback!
Agreed that an ioctl is preferable over a sysctl interface. I wasn't aware
of securityfs and prefer it over a /dev/mapper/control ioctl. Ultimately
the list of digests is meaningful to LoadPin, not (directly) to the device
mapper / verity. I'm not sure how well this feature of integrating LoadPin
with verity will be by the verity maintainers in the first place, it's
probably best to limit the LoadPin specific stuff in verity to a minimum.
I experimented a bit with the securityfs option, building it doesn't seem
too much of an overhead. If loadpin.c ends up too cluttered with the
verity and securityfs stuff I could try to outsource some of it to (a)
dedicated file(s).
--
dm-devel mailing list
dm-devel@redhat.com
https://listman.redhat.com/mailman/listinfo/dm-devel
next prev parent reply other threads:[~2022-05-02 22:45 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-04-26 21:31 [PATCH v2 0/3] LoadPin: Enable loading from trusted dm-verity devices Matthias Kaehlcke
2022-04-26 21:31 ` [dm-devel] " Matthias Kaehlcke
2022-04-26 21:31 ` [PATCH v2 1/3] dm: Add verity helpers for LoadPin Matthias Kaehlcke
2022-04-26 21:31 ` [dm-devel] " Matthias Kaehlcke
2022-04-26 21:31 ` [PATCH v2 2/3] LoadPin: Enable loading from trusted dm-verity devices Matthias Kaehlcke
2022-04-26 21:31 ` [dm-devel] " Matthias Kaehlcke
2022-04-27 16:06 ` kernel test robot
2022-04-27 16:06 ` kernel test robot
2022-04-28 1:59 ` kernel test robot
2022-04-28 1:59 ` [dm-devel] " kernel test robot
2022-05-01 6:21 ` Kees Cook
2022-05-01 6:21 ` [dm-devel] " Kees Cook
2022-05-02 22:44 ` Matthias Kaehlcke [this message]
2022-05-02 22:44 ` Matthias Kaehlcke
2022-04-26 21:31 ` [PATCH v2 3/3] dm: verity-loadpin: Use CONFIG_SECURITY_LOADPIN_VERITY for conditional compilation Matthias Kaehlcke
2022-04-26 21:31 ` [dm-devel] " Matthias Kaehlcke
2022-04-28 5:32 ` [PATCH v2 0/3] LoadPin: Enable loading from trusted dm-verity devices Paul Menzel
2022-04-28 5:32 ` [dm-devel] " Paul Menzel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YnBe6K72iKSDSqk9@google.com \
--to=mka@chromium.org \
--cc=agk@redhat.com \
--cc=dianders@chromium.org \
--cc=dm-devel@redhat.com \
--cc=jmorris@namei.org \
--cc=keescook@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-raid@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=serge@hallyn.com \
--cc=snitzer@kernel.org \
--cc=song@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.