Re: [PATCH 0/1] crypto: ccp: use file mode for sev ioctl permissions

[Nathaniel McCallum <npmccallum@redhat.com>]

On Fri, Mar 6, 2020 at 12:20 PM Connor Kuehl <ckuehl@redhat.com> wrote:
>
> Some background:
>
> My team is working on a project that interacts very closely with
> SEV so we have a layer of code that wraps around the SEV ioctl calls.
> We have an automated test suite that ends up testing these ioctls
> on our test machine.
>
> We are in the process of adding this test machine as a dedicated test
> runner in our continuous integration process. Any time someone opens a
> pull request against our project, this test runner automatically checks
> that code out and executes the tests.
>
> Right now, the SEV ioctls that affect the state of the platform require
> CAP_SYS_ADMIN to run. This is not a capability we can give to an
> automated test runner, because it means that anyone who would like to
> contribute to the project would be able to run any code they want (for
> good or evil) as CAP_SYS_ADMIN on our machine.
>
> This patch replaces the check for CAP_SYS_ADMIN with a check that can
> still be easily controlled by an administrator with the file permissions
> ACL. This way access to the device can still be controlled, but without
> also assigning such broad system privileges at the same time.
>
> Connor Kuehl (1):
>   crypto: ccp: use file mode for sev ioctl permissions
>
>  drivers/crypto/ccp/sev-dev.c | 33 +++++++++++++++++----------------
>  1 file changed, 17 insertions(+), 16 deletions(-)
>
> --
> 2.24.1
>

One additional note is that this permission structure is more flexible
for general SEV usage anyway, and isn't special-case for our usage.
Currently, the SEV admin commands are mostly limited to public key
certificate management. I would imagine that it would be desirable to
have a sev-admin account which can automate the certificate management
without having CAP_SYS_ADMIN for the rest of the system. So we believe
this patch has broader applicability than just our corner case.