[PATCH 0/4] powerpc/pseries: expose firmware security variables via filesystem

[PATCH 0/4] powerpc/pseries: expose firmware security variables via filesystem

[Nayna Jain]

PowerVM provides an isolated Platform KeyStore (PKS)[1] storage allocation
for each logical partition (LPAR) with individually managed access controls
to store sensitive information securely. The Linux kernel can access this
storage by interfacing with the hypervisor using a new set of hypervisor
calls.
 
The PowerVM guest secure boot feature intends to use PKS for the purpose of
storing public keys. Secure boot requires public keys in order to verify
GRUB and the boot kernel. To allow authenticated manipulation of keys, PKS
supports variables to store key authorities namely, PK and KEK. Other
variables are used to store code signing keys, db and grubdb. It also
supports deny lists to disallow booting GRUB or kernels even if they are
signed with valid keys. This is done via deny list databases stored in dbx
and sbat variables. These variables are stored in PKS and are managed and
controlled by firmware.

The purpose of this patchset is to add the userspace interface to manage
these variables.

Currently, OpenPOWER exposes variables via sysfs, while EFI platforms have
used sysfs and then moved to their own efivarfs filesystem. The recent
coco feature uses securityfs to expose secrets to TEEs. All of these
environments are different both syntactically and semantically.

securityfs is meant for Linux security subsystems to expose policies, logs,
and other information and it does not interact with firmware for managing
these variables. However, there are various firmware security features that
expose their variables for user management via pseudo filesystems as
discussed above. There is currently no single place to expose these
variables. Different platforms use sysfs, platform-specific filesystems
such as efivars, or securityfs as they have found appropriate. This has
resulted in interfaces scattered around the tree. The multiple interfac
 problem can be addressed by providing a single pseudo filesystem for all
platforms to expose their variables for firmware security features. Doing
so simplifies the interface for users of these platforms.

This patchset introduces a new firmware security pseudo filesystem,
fwsecurityfs. Any platform can expose the variables that are required by
firmware security features via this interface. It provides a common place
for exposing variables managed by firmware while still allowing platforms
to implement their own underlying semantics.

This design consists of two parts:

1. Firmware security filesystem (fwsecurityfs) that provides platforms
   with APIs to create their own underlying directory and file structure.
   It should be mounted on a new well-known mountpoint,
   /sys/firmware/security.
2. Platform-specific layer for these variables that implements underlying
   semantics. Platforms can expose their variables as files allowing
   read/write/add/delete operations by defining their own inode and file
   functions.

This patchset adds:
1. An update to the PLPKS driver to support the signed update H_CALL for
   authenticated variables used in guest secure boot.
2. A firmware security filesystem named fwsecurityfs.
3. An interface to expose secure variables stored in the LPAR's PKS via
   fwsecurityfs.
 
Note: This patchset is not intended to modify existing interfaces already
used by OpenPOWER or EFI but rather to ensure that new similar interfaces
have a common base going forward.

The first patch related to PLPKS driver is dependent on bugfixes posted
as part of patchset[4].

Changelog:

First non-RFC version after RFC versions[2,3].
Feedback from non-RFC version are included to update fwsecurityfs.
 * PLPKS driver patch had been upstreamed separately. In this set, Patch 1
 updates existing driver to include signed update support.
 * Fix fwsecurityfs to also pin the file system, refactor and cleanup. The
 consideration of namespacing has been done and is concluded that currently
 no firmware object or entity is handled by namespacing. The purpose of
 fwsecurityfs is to expose firmware space which is similar to exposing
 space in TPM. And TPM is also not currently namespaced. If containers have
 to make use of some such space in the future, it would have to be some
 software space. With that, this currently only considers the host using the
 firmware space.
 * Fix secvars support for powerpc. It supports policy handling within the
 kernel, supports UCS2 naming and cleanups.
 * Read-only PLPKS configuration is exposed.
 * secvars directory is now moved within a new parent directory plpks.
 * Patch is now no more an RFC version.

[1] https://community.ibm.com/community/user/power/blogs/chris-engel1/2020/11/20/powervm-introduces-the-platform-keystore
[2] RFC v2: https://lore.kernel.org/linuxppc-dev/20220622215648.96723-1-nayna@linux.ibm.com/ 
[3] RFC v1: https://lore.kernel.org/linuxppc-dev/20220122005637.28199-1-nayna@linux.ibm.com/
[4] https://lore.kernel.org/linuxppc-dev/20221106205839.600442-1-nayna@linux.ibm.com/T/#t

Nayna Jain (4):
  powerpc/pseries: Add new functions to PLPKS driver
  fs: define a firmware security filesystem named fwsecurityfs
  powerpc/pseries: initialize fwsecurityfs with plpks arch-specific
    structure
  powerpc/pseries: expose authenticated variables stored in LPAR PKS

 arch/powerpc/include/asm/hvcall.h             |   3 +-
 arch/powerpc/platforms/pseries/Kconfig        |  20 +
 arch/powerpc/platforms/pseries/Makefile       |   2 +
 .../platforms/pseries/fwsecurityfs_arch.c     | 124 ++++++
 arch/powerpc/platforms/pseries/plpks.c        | 112 +++++-
 arch/powerpc/platforms/pseries/plpks.h        |  38 ++
 arch/powerpc/platforms/pseries/secvars.c      | 365 ++++++++++++++++++
 fs/Kconfig                                    |   1 +
 fs/Makefile                                   |   1 +
 fs/fwsecurityfs/Kconfig                       |  14 +
 fs/fwsecurityfs/Makefile                      |  10 +
 fs/fwsecurityfs/super.c                       | 263 +++++++++++++
 include/linux/fwsecurityfs.h                  |  33 ++
 include/uapi/linux/magic.h                    |   1 +
 14 files changed, 981 insertions(+), 6 deletions(-)
 create mode 100644 arch/powerpc/platforms/pseries/fwsecurityfs_arch.c
 create mode 100644 arch/powerpc/platforms/pseries/secvars.c
 create mode 100644 fs/fwsecurityfs/Kconfig
 create mode 100644 fs/fwsecurityfs/Makefile
 create mode 100644 fs/fwsecurityfs/super.c
 create mode 100644 include/linux/fwsecurityfs.h

-- 
2.31.1

[PATCH 1/4] powerpc/pseries: Add new functions to PLPKS driver

[Nayna Jain]

PowerVM stores authenticated variables in the PowerVM LPAR Platform
KeyStore(PLPKS).

Add signed update H_CALL to PLPKS driver to support authenticated
variables. Additionally, expose config values outside the PLPKS
driver.

Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
---
 arch/powerpc/include/asm/hvcall.h      |   3 +-
 arch/powerpc/platforms/pseries/plpks.c | 112 +++++++++++++++++++++++--
 arch/powerpc/platforms/pseries/plpks.h |  35 ++++++++
 3 files changed, 144 insertions(+), 6 deletions(-)

diff --git a/arch/powerpc/include/asm/hvcall.h b/arch/powerpc/include/asm/hvcall.h
index 95fd7f9485d5..33b26c0cb69b 100644
--- a/arch/powerpc/include/asm/hvcall.h
+++ b/arch/powerpc/include/asm/hvcall.h
@@ -336,7 +336,8 @@
 #define H_SCM_FLUSH		0x44C
 #define H_GET_ENERGY_SCALE_INFO	0x450
 #define H_WATCHDOG		0x45C
-#define MAX_HCALL_OPCODE	H_WATCHDOG
+#define H_PKS_SIGNED_UPDATE	0x454
+#define MAX_HCALL_OPCODE	H_PKS_SIGNED_UPDATE
 
 /* Scope args for H_SCM_UNBIND_ALL */
 #define H_UNBIND_SCOPE_ALL (0x1)
diff --git a/arch/powerpc/platforms/pseries/plpks.c b/arch/powerpc/platforms/pseries/plpks.c
index 4edd1585e245..d0fa7b55a900 100644
--- a/arch/powerpc/platforms/pseries/plpks.c
+++ b/arch/powerpc/platforms/pseries/plpks.c
@@ -40,6 +40,10 @@ static u16 ospasswordlength;
 // Retrieved with H_PKS_GET_CONFIG
 static u16 maxpwsize;
 static u16 maxobjsize;
+static s16 maxobjlabelsize;
+static u32 totalsize;
+static u32 usedspace;
+static u8 version;
 
 struct plpks_auth {
 	u8 version;
@@ -87,6 +91,12 @@ static int pseries_status_to_err(int rc)
 		err = -ENOENT;
 		break;
 	case H_BUSY:
+	case H_LONG_BUSY_ORDER_1_MSEC:
+	case H_LONG_BUSY_ORDER_10_MSEC:
+	case H_LONG_BUSY_ORDER_100_MSEC:
+	case H_LONG_BUSY_ORDER_1_SEC:
+	case H_LONG_BUSY_ORDER_10_SEC:
+	case H_LONG_BUSY_ORDER_100_SEC:
 		err = -EBUSY;
 		break;
 	case H_AUTHORITY:
@@ -187,14 +197,17 @@ static struct label *construct_label(char *component, u8 varos, u8 *name,
 				     u16 namelen)
 {
 	struct label *label;
-	size_t slen;
+	size_t slen = 0;
 
 	if (!name || namelen > MAX_NAME_SIZE)
 		return ERR_PTR(-EINVAL);
 
-	slen = strlen(component);
-	if (component && slen > sizeof(label->attr.prefix))
-		return ERR_PTR(-EINVAL);
+	/* Support NULL component for signed updates */
+	if (component) {
+		slen = strlen(component);
+		if (slen > sizeof(label->attr.prefix))
+			return ERR_PTR(-EINVAL);
+	}
 
 	label = kzalloc(sizeof(*label), GFP_KERNEL);
 	if (!label)
@@ -240,10 +253,51 @@ static int _plpks_get_config(void)
 
 	maxpwsize = be16_to_cpu(config.maxpwsize);
 	maxobjsize = be16_to_cpu(config.maxobjsize);
+	maxobjlabelsize = be16_to_cpu(config.maxobjlabelsize) -
+			  MAX_LABEL_ATTR_SIZE;
+	maxobjlabelsize = maxobjlabelsize < 0 ? 0 : maxobjlabelsize;
+	totalsize = be32_to_cpu(config.totalsize);
+	usedspace = be32_to_cpu(config.usedspace);
 
 	return 0;
 }
 
+u8 plpks_get_version(void)
+{
+	return version;
+}
+
+u16 plpks_get_maxobjectsize(void)
+{
+	return maxobjsize;
+}
+
+u16 plpks_get_maxobjectlabelsize(void)
+{
+	return maxobjlabelsize;
+}
+
+u32 plpks_get_totalsize(void)
+{
+	return totalsize;
+}
+
+u32 plpks_get_usedspace(void)
+{
+	return usedspace;
+}
+
+bool plpks_is_available(void)
+{
+	int rc;
+
+	rc = _plpks_get_config();
+	if (rc)
+		return false;
+
+	return true;
+}
+
 static int plpks_confirm_object_flushed(struct label *label,
 					struct plpks_auth *auth)
 {
@@ -277,6 +331,54 @@ static int plpks_confirm_object_flushed(struct label *label,
 	return rc;
 }
 
+int plpks_signed_update_var(struct plpks_var var, u64 flags)
+{
+	unsigned long retbuf[PLPAR_HCALL9_BUFSIZE] = {0};
+	int rc;
+	struct label *label;
+	struct plpks_auth *auth;
+	u64 continuetoken = 0;
+
+	if (!var.data || var.datalen <= 0 || var.namelen > MAX_NAME_SIZE)
+		return -EINVAL;
+
+	if (!(var.policy & SIGNEDUPDATE))
+		return -EINVAL;
+
+	auth = construct_auth(PKS_OS_OWNER);
+	if (IS_ERR(auth))
+		return PTR_ERR(auth);
+
+	label = construct_label(var.component, var.os, var.name, var.namelen);
+	if (IS_ERR(label)) {
+		rc = PTR_ERR(label);
+		goto out;
+	}
+
+	do {
+		rc = plpar_hcall9(H_PKS_SIGNED_UPDATE, retbuf,
+				  virt_to_phys(auth), virt_to_phys(label),
+				  label->size, var.policy, flags,
+				  virt_to_phys(var.data), var.datalen,
+				  continuetoken);
+
+		continuetoken = retbuf[0];
+		rc = pseries_status_to_err(rc);
+	} while (rc == -EBUSY);
+
+	if (!rc) {
+		rc = plpks_confirm_object_flushed(label, auth);
+		rc = pseries_status_to_err(rc);
+	}
+
+	kfree(label);
+out:
+	kfree(auth);
+
+	return rc;
+}
+EXPORT_SYMBOL(plpks_signed_update_var);
+
 int plpks_write_var(struct plpks_var var)
 {
 	unsigned long retbuf[PLPAR_HCALL_BUFSIZE] = { 0 };
@@ -323,7 +425,7 @@ int plpks_remove_var(char *component, u8 varos, struct plpks_var_name vname)
 	struct label *label;
 	int rc;
 
-	if (!component || vname.namelen > MAX_NAME_SIZE)
+	if (vname.namelen > MAX_NAME_SIZE)
 		return -EINVAL;
 
 	auth = construct_auth(PKS_OS_OWNER);
diff --git a/arch/powerpc/platforms/pseries/plpks.h b/arch/powerpc/platforms/pseries/plpks.h
index 275ccd86bfb5..fb483658549f 100644
--- a/arch/powerpc/platforms/pseries/plpks.h
+++ b/arch/powerpc/platforms/pseries/plpks.h
@@ -40,6 +40,11 @@ struct plpks_var_name_list {
 	struct plpks_var_name varlist[];
 };
 
+/**
+ * Updates the authenticated variable. It expects NULL as the component.
+ */
+int plpks_signed_update_var(struct plpks_var var, u64 flags);
+
 /**
  * Writes the specified var and its data to PKS.
  * Any caller of PKS driver should present a valid component type for
@@ -68,4 +73,34 @@ int plpks_read_fw_var(struct plpks_var *var);
  */
 int plpks_read_bootloader_var(struct plpks_var *var);
 
+/**
+ * Returns if PKS is available on this LPAR.
+ */
+bool plpks_is_available(void);
+
+/**
+ * Returns version of the Platform KeyStore.
+ */
+u8 plpks_get_version(void);
+
+/**
+ * Returns maximum object size supported by Platform KeyStore.
+ */
+u16 plpks_get_maxobjectsize(void);
+
+/**
+ * Returns maximum object label size supported by Platform KeyStore.
+ */
+u16 plpks_get_maxobjectlabelsize(void);
+
+/**
+ * Returns total size of the configured Platform KeyStore.
+ */
+u32 plpks_get_totalsize(void);
+
+/**
+ * Returns used space from the total size of the Platform KeyStore.
+ */
+u32 plpks_get_usedspace(void);
+
 #endif
-- 
2.31.1

[PATCH 2/4] fs: define a firmware security filesystem named fwsecurityfs

[Nayna Jain]

securityfs is meant for Linux security subsystems to expose policies/logs
or any other information. However, there are various firmware security
features which expose their variables for user management via the kernel.
There is currently no single place to expose these variables. Different
platforms use sysfs/platform specific filesystem(efivarfs)/securityfs
interface as they find it appropriate. Thus, there is a gap in kernel
interfaces to expose variables for security features.

Define a firmware security filesystem (fwsecurityfs) to be used by
security features enabled by the firmware. These variables are platform
specific. This filesystem provides platforms a way to implement their
 own underlying semantics by defining own inode and file operations.

Similar to securityfs, the firmware security filesystem is recommended
to be exposed on a well known mount point /sys/firmware/security.
Platforms can define their own directory or file structure under this path.

Example:

# mount -t fwsecurityfs fwsecurityfs /sys/firmware/security

# cd /sys/firmware/security/

Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
---
 fs/Kconfig                   |   1 +
 fs/Makefile                  |   1 +
 fs/fwsecurityfs/Kconfig      |  14 ++
 fs/fwsecurityfs/Makefile     |  10 ++
 fs/fwsecurityfs/super.c      | 263 +++++++++++++++++++++++++++++++++++
 include/linux/fwsecurityfs.h |  29 ++++
 include/uapi/linux/magic.h   |   1 +
 7 files changed, 319 insertions(+)
 create mode 100644 fs/fwsecurityfs/Kconfig
 create mode 100644 fs/fwsecurityfs/Makefile
 create mode 100644 fs/fwsecurityfs/super.c
 create mode 100644 include/linux/fwsecurityfs.h

diff --git a/fs/Kconfig b/fs/Kconfig
index 2685a4d0d353..2a24f1c779dd 100644
--- a/fs/Kconfig
+++ b/fs/Kconfig
@@ -275,6 +275,7 @@ config ARCH_HAS_GIGANTIC_PAGE
 
 source "fs/configfs/Kconfig"
 source "fs/efivarfs/Kconfig"
+source "fs/fwsecurityfs/Kconfig"
 
 endmenu
 
diff --git a/fs/Makefile b/fs/Makefile
index 4dea17840761..b945019a9bbe 100644
--- a/fs/Makefile
+++ b/fs/Makefile
@@ -134,6 +134,7 @@ obj-$(CONFIG_F2FS_FS)		+= f2fs/
 obj-$(CONFIG_CEPH_FS)		+= ceph/
 obj-$(CONFIG_PSTORE)		+= pstore/
 obj-$(CONFIG_EFIVAR_FS)		+= efivarfs/
+obj-$(CONFIG_FWSECURITYFS)		+= fwsecurityfs/
 obj-$(CONFIG_EROFS_FS)		+= erofs/
 obj-$(CONFIG_VBOXSF_FS)		+= vboxsf/
 obj-$(CONFIG_ZONEFS_FS)		+= zonefs/
diff --git a/fs/fwsecurityfs/Kconfig b/fs/fwsecurityfs/Kconfig
new file mode 100644
index 000000000000..1dc2ee831eda
--- /dev/null
+++ b/fs/fwsecurityfs/Kconfig
@@ -0,0 +1,14 @@
+# SPDX-License-Identifier: GPL-2.0-only
+#
+# Copyright (C) 2022 IBM Corporation
+# Author: Nayna Jain <nayna@linux.ibm.com>
+#
+
+config FWSECURITYFS
+	bool "Enable the fwsecurityfs filesystem"
+	help
+	  This will build fwsecurityfs filesystem which should be mounted
+	  on /sys/firmware/security. This filesystem can be used by
+	  platform to expose firmware-managed variables.
+
+	  If you are unsure how to answer this question, answer N.
diff --git a/fs/fwsecurityfs/Makefile b/fs/fwsecurityfs/Makefile
new file mode 100644
index 000000000000..5c7b76228ebb
--- /dev/null
+++ b/fs/fwsecurityfs/Makefile
@@ -0,0 +1,10 @@
+# SPDX-License-Identifier: GPL-2.0-only
+#
+# Copyright (C) 2022 IBM Corporation
+# Author: Nayna Jain <nayna@linux.ibm.com>
+#
+# Makefile for the firmware security filesystem
+
+obj-$(CONFIG_FWSECURITYFS)		+= fwsecurityfs.o
+
+fwsecurityfs-objs			:= super.o
diff --git a/fs/fwsecurityfs/super.c b/fs/fwsecurityfs/super.c
new file mode 100644
index 000000000000..99ca4da4ab63
--- /dev/null
+++ b/fs/fwsecurityfs/super.c
@@ -0,0 +1,263 @@
+// SPDX-License-Identifier: GPL-2.0-only
+/*
+ * Copyright (C) 2022 IBM Corporation
+ * Author: Nayna Jain <nayna@linux.ibm.com>
+ */
+
+#include <linux/fs.h>
+#include <linux/fs_context.h>
+#include <linux/pagemap.h>
+#include <linux/init.h>
+#include <linux/namei.h>
+#include <linux/magic.h>
+#include <linux/fwsecurityfs.h>
+
+static struct super_block *fwsecsb;
+static struct vfsmount *mount;
+static int mount_count;
+static bool fwsecurityfs_initialized;
+
+static void fwsecurityfs_free_inode(struct inode *inode)
+{
+	free_inode_nonrcu(inode);
+}
+
+static const struct super_operations fwsecurityfs_super_operations = {
+	.statfs = simple_statfs,
+	.free_inode = fwsecurityfs_free_inode,
+};
+
+static int fwsecurityfs_fill_super(struct super_block *sb,
+				   struct fs_context *fc)
+{
+	static const struct tree_descr files[] = {{""}};
+	int rc;
+
+	rc = simple_fill_super(sb, FWSECURITYFS_MAGIC, files);
+	if (rc)
+		return rc;
+
+	sb->s_op = &fwsecurityfs_super_operations;
+
+	fwsecsb = sb;
+
+	rc = arch_fwsecurityfs_init();
+
+	if (!rc)
+		fwsecurityfs_initialized = true;
+
+	return rc;
+}
+
+static int fwsecurityfs_get_tree(struct fs_context *fc)
+{
+	return get_tree_single(fc, fwsecurityfs_fill_super);
+}
+
+static const struct fs_context_operations fwsecurityfs_context_ops = {
+	.get_tree	= fwsecurityfs_get_tree,
+};
+
+static int fwsecurityfs_init_fs_context(struct fs_context *fc)
+{
+	fc->ops = &fwsecurityfs_context_ops;
+
+	return 0;
+}
+
+static void fwsecurityfs_kill_sb(struct super_block *sb)
+{
+	kill_litter_super(sb);
+
+	fwsecurityfs_initialized = false;
+}
+
+static struct file_system_type fs_type = {
+	.owner =	THIS_MODULE,
+	.name =		"fwsecurityfs",
+	.init_fs_context = fwsecurityfs_init_fs_context,
+	.kill_sb =	fwsecurityfs_kill_sb,
+};
+
+static struct dentry *fwsecurityfs_create_dentry(const char *name, umode_t mode,
+						 u16 filesize,
+						 struct dentry *parent,
+						 struct dentry *dentry, void *data,
+						 const struct file_operations *fops,
+						 const struct inode_operations *iops)
+{
+	struct inode *inode;
+	int rc;
+	struct inode *dir;
+	struct dentry *ldentry = dentry;
+
+	/* Calling simple_pin_fs() while initial mount in progress results in recursive
+	 * call to mount.
+	 */
+	if (fwsecurityfs_initialized) {
+		rc = simple_pin_fs(&fs_type, &mount, &mount_count);
+		if (rc)
+			return ERR_PTR(rc);
+	}
+
+	dir = d_inode(parent);
+
+	/* For userspace created files, lock is already taken. */
+	if (!dentry)
+		inode_lock(dir);
+
+	if (!dentry) {
+		ldentry = lookup_one_len(name, parent, strlen(name));
+		if (IS_ERR(ldentry))
+			goto out;
+
+		if (d_really_is_positive(ldentry)) {
+			rc = -EEXIST;
+			goto out1;
+		}
+	}
+
+	inode = new_inode(dir->i_sb);
+	if (!inode) {
+		rc = -ENOMEM;
+		goto out1;
+	}
+
+	inode->i_ino = get_next_ino();
+	inode->i_mode = mode;
+	inode->i_atime = current_time(inode);
+	inode->i_mtime = current_time(inode);
+	inode->i_ctime = current_time(inode);
+	inode->i_private = data;
+
+	if (S_ISDIR(mode)) {
+		inode->i_op = iops ? iops : &simple_dir_inode_operations;
+		inode->i_fop = &simple_dir_operations;
+		inc_nlink(inode);
+		inc_nlink(dir);
+	} else {
+		inode->i_fop = fops ? fops : &simple_dir_operations;
+	}
+
+	if (S_ISREG(mode)) {
+		inode_lock(inode);
+		i_size_write(inode, filesize);
+		inode_unlock(inode);
+	}
+	d_instantiate(ldentry, inode);
+
+	/* dget() here is required for userspace created files. */
+	if (dentry)
+		dget(ldentry);
+
+	if (!dentry)
+		inode_unlock(dir);
+
+	return ldentry;
+
+out1:
+	ldentry = ERR_PTR(rc);
+
+out:
+	if (fwsecurityfs_initialized)
+		simple_release_fs(&mount, &mount_count);
+
+	if (!dentry)
+		inode_unlock(dir);
+
+	return ldentry;
+}
+
+struct dentry *fwsecurityfs_create_file(const char *name, umode_t mode,
+					u16 filesize, struct dentry *parent,
+					struct dentry *dentry, void *data,
+					const struct file_operations *fops)
+{
+	if (!parent)
+		return ERR_PTR(-EINVAL);
+
+	return fwsecurityfs_create_dentry(name, mode, filesize, parent,
+					  dentry, data, fops, NULL);
+}
+EXPORT_SYMBOL_GPL(fwsecurityfs_create_file);
+
+struct dentry *fwsecurityfs_create_dir(const char *name, umode_t mode,
+				       struct dentry *parent,
+				       const struct inode_operations *iops)
+{
+	if (!parent) {
+		if (!fwsecsb)
+			return ERR_PTR(-EIO);
+		parent = fwsecsb->s_root;
+	}
+
+	return fwsecurityfs_create_dentry(name, mode, 0, parent, NULL, NULL,
+					  NULL, iops);
+}
+EXPORT_SYMBOL_GPL(fwsecurityfs_create_dir);
+
+static int fwsecurityfs_remove_dentry(struct dentry *dentry)
+{
+	struct inode *dir;
+
+	if (!dentry || IS_ERR(dentry))
+		return -EINVAL;
+
+	dir = d_inode(dentry->d_parent);
+	inode_lock(dir);
+	if (simple_positive(dentry)) {
+		dget(dentry);
+		if (d_is_dir(dentry))
+			simple_rmdir(dir, dentry);
+		else
+			simple_unlink(dir, dentry);
+		d_delete(dentry);
+		dput(dentry);
+	}
+	inode_unlock(dir);
+
+	/* Once fwsecurityfs_initialized is set to true, calling this for
+	 * removing files created during initial mount might result in
+	 * imbalance of simple_pin_fs() and simple_release_fs() calls.
+	 */
+	if (fwsecurityfs_initialized)
+		simple_release_fs(&mount, &mount_count);
+
+	return 0;
+}
+
+int fwsecurityfs_remove_dir(struct dentry *dentry)
+{
+	if (!d_is_dir(dentry))
+		return -EPERM;
+
+	return fwsecurityfs_remove_dentry(dentry);
+}
+EXPORT_SYMBOL_GPL(fwsecurityfs_remove_dir);
+
+int fwsecurityfs_remove_file(struct dentry *dentry)
+{
+	return fwsecurityfs_remove_dentry(dentry);
+};
+EXPORT_SYMBOL_GPL(fwsecurityfs_remove_file);
+
+static int __init fwsecurityfs_init(void)
+{
+	int rc;
+
+	rc = sysfs_create_mount_point(firmware_kobj, "security");
+	if (rc)
+		return rc;
+
+	rc = register_filesystem(&fs_type);
+	if (rc) {
+		sysfs_remove_mount_point(firmware_kobj, "security");
+		return rc;
+	}
+
+	return 0;
+}
+core_initcall(fwsecurityfs_init);
+MODULE_DESCRIPTION("Firmware Security Filesystem");
+MODULE_AUTHOR("Nayna Jain");
+MODULE_LICENSE("GPL");
diff --git a/include/linux/fwsecurityfs.h b/include/linux/fwsecurityfs.h
new file mode 100644
index 000000000000..ed8f328f3133
--- /dev/null
+++ b/include/linux/fwsecurityfs.h
@@ -0,0 +1,29 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+/*
+ * Copyright (C) 2022 IBM Corporation
+ * Author: Nayna Jain <nayna@linux.ibm.com>
+ */
+
+#ifndef _FWSECURITYFS_H_
+#define _FWSECURITYFS_H_
+
+#include <linux/ctype.h>
+#include <linux/fs.h>
+
+struct dentry *fwsecurityfs_create_file(const char *name, umode_t mode,
+					u16 filesize, struct dentry *parent,
+					struct dentry *dentry, void *data,
+					const struct file_operations *fops);
+
+int fwsecurityfs_remove_file(struct dentry *dentry);
+struct dentry *fwsecurityfs_create_dir(const char *name, umode_t mode,
+				       struct dentry *parent,
+				       const struct inode_operations *iops);
+int fwsecurityfs_remove_dir(struct dentry *dentry);
+
+static int arch_fwsecurityfs_init(void)
+{
+	return 0;
+}
+
+#endif /* _FWSECURITYFS_H_ */
diff --git a/include/uapi/linux/magic.h b/include/uapi/linux/magic.h
index 6325d1d0e90f..553a5fdfabce 100644
--- a/include/uapi/linux/magic.h
+++ b/include/uapi/linux/magic.h
@@ -53,6 +53,7 @@
 #define QNX4_SUPER_MAGIC	0x002f		/* qnx4 fs detection */
 #define QNX6_SUPER_MAGIC	0x68191122	/* qnx6 fs detection */
 #define AFS_FS_MAGIC		0x6B414653
+#define FWSECURITYFS_MAGIC         0x5345434e      /* "SECM" */
 
 
 #define REISERFS_SUPER_MAGIC	0x52654973	/* used by gcc */
-- 
2.31.1

[PATCH 3/4] powerpc/pseries: initialize fwsecurityfs with plpks arch-specific structure

[Nayna Jain]

PowerVM PLPKS variables are exposed via fwsecurityfs.

Initialize fwsecurityfs arch-specific structure with plpks configuration.

Eg:

[root@ltcfleet35-lp1 config]# pwd
/sys/firmware/security/plpks/config
[root@ltcfleet35-lp1 config]# ls -ltrh
total 0
-r--r--r-- 1 root root 1 Sep 28 15:01 version
-r--r--r-- 1 root root 4 Sep 28 15:01 used_space
-r--r--r-- 1 root root 4 Sep 28 15:01 total_size
-r--r--r-- 1 root root 2 Sep 28 15:01 max_object_size
-r--r--r-- 1 root root 2 Sep 28 15:01 max_object_label_size

Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
---
 arch/powerpc/platforms/pseries/Kconfig        |  10 ++
 arch/powerpc/platforms/pseries/Makefile       |   1 +
 .../platforms/pseries/fwsecurityfs_arch.c     | 116 ++++++++++++++++++
 include/linux/fwsecurityfs.h                  |   4 +
 4 files changed, 131 insertions(+)
 create mode 100644 arch/powerpc/platforms/pseries/fwsecurityfs_arch.c

diff --git a/arch/powerpc/platforms/pseries/Kconfig b/arch/powerpc/platforms/pseries/Kconfig
index a3b4d99567cb..5fb45e601982 100644
--- a/arch/powerpc/platforms/pseries/Kconfig
+++ b/arch/powerpc/platforms/pseries/Kconfig
@@ -162,6 +162,16 @@ config PSERIES_PLPKS
 
 	  If unsure, select N.
 
+config PSERIES_FWSECURITYFS_ARCH
+	select FWSECURITYFS
+	bool "Support fwsecurityfs for pseries"
+	help
+	  Enable fwsecurityfs arch specific code. This would initialize
+	  the firmware security filesystem with initial platform specific
+	  structure.
+
+	  If you are unsure how to use it, say N.
+
 config PAPR_SCM
 	depends on PPC_PSERIES && MEMORY_HOTPLUG && LIBNVDIMM
 	tristate "Support for the PAPR Storage Class Memory interface"
diff --git a/arch/powerpc/platforms/pseries/Makefile b/arch/powerpc/platforms/pseries/Makefile
index 92310202bdd7..2903cff26258 100644
--- a/arch/powerpc/platforms/pseries/Makefile
+++ b/arch/powerpc/platforms/pseries/Makefile
@@ -28,6 +28,7 @@ obj-$(CONFIG_PPC_SPLPAR)	+= vphn.o
 obj-$(CONFIG_PPC_SVM)		+= svm.o
 obj-$(CONFIG_FA_DUMP)		+= rtas-fadump.o
 obj-$(CONFIG_PSERIES_PLPKS) += plpks.o
+obj-$(CONFIG_PSERIES_FWSECURITYFS_ARCH) += fwsecurityfs_arch.o
 
 obj-$(CONFIG_SUSPEND)		+= suspend.o
 obj-$(CONFIG_PPC_VAS)		+= vas.o vas-sysfs.o
diff --git a/arch/powerpc/platforms/pseries/fwsecurityfs_arch.c b/arch/powerpc/platforms/pseries/fwsecurityfs_arch.c
new file mode 100644
index 000000000000..b43bd3cf7889
--- /dev/null
+++ b/arch/powerpc/platforms/pseries/fwsecurityfs_arch.c
@@ -0,0 +1,116 @@
+// SPDX-License-Identifier: GPL-2.0-only
+/*
+ * Initialize fwsecurityfs with POWER LPAR Platform KeyStore (PLPKS)
+ * Copyright (C) 2022 IBM Corporation
+ * Author: Nayna Jain <nayna@linux.ibm.com>
+ *
+ */
+
+#include <linux/fwsecurityfs.h>
+#include "plpks.h"
+
+static struct dentry *plpks_dir;
+
+static ssize_t plpks_config_file_read(struct file *file, char __user *userbuf,
+				      size_t count, loff_t *ppos)
+{
+	u8 out[4];
+	u32 outlen;
+	size_t size;
+	char *name;
+	u32 data;
+
+	name = file_dentry(file)->d_iname;
+
+	if (strcmp(name, "max_object_size") == 0) {
+		outlen = sizeof(u16);
+		data = plpks_get_maxobjectsize();
+	} else if (strcmp(name, "max_object_label_size") == 0) {
+		outlen = sizeof(u16);
+		data = plpks_get_maxobjectlabelsize();
+	} else if (strcmp(name, "total_size") == 0) {
+		outlen = sizeof(u32);
+		data = plpks_get_totalsize();
+	} else if (strcmp(name, "used_space") == 0) {
+		outlen = sizeof(u32);
+		data = plpks_get_usedspace();
+	} else if (strcmp(name, "version") == 0) {
+		outlen = sizeof(u8);
+		data = plpks_get_version();
+	} else {
+		return -EINVAL;
+	}
+
+	memcpy(out, &data, outlen);
+
+	size = simple_read_from_buffer(userbuf, count, ppos, out, outlen);
+
+	return size;
+}
+
+static const struct file_operations plpks_config_file_operations = {
+	.open   = simple_open,
+	.read   = plpks_config_file_read,
+	.llseek = no_llseek,
+};
+
+static int create_plpks_dir(void)
+{
+	struct dentry *config_dir;
+	struct dentry *fdentry;
+
+	if (!IS_ENABLED(CONFIG_PSERIES_PLPKS) || !plpks_is_available()) {
+		pr_warn("Platform KeyStore is not available on this LPAR\n");
+		return 0;
+	}
+
+	plpks_dir = fwsecurityfs_create_dir("plpks", S_IFDIR | 0755, NULL,
+					    NULL);
+	if (IS_ERR(plpks_dir)) {
+		pr_err("Unable to create PLPKS dir: %ld\n", PTR_ERR(plpks_dir));
+		return PTR_ERR(plpks_dir);
+	}
+
+	config_dir = fwsecurityfs_create_dir("config", S_IFDIR | 0755, plpks_dir, NULL);
+	if (IS_ERR(config_dir)) {
+		pr_err("Unable to create config dir: %ld\n", PTR_ERR(config_dir));
+		return PTR_ERR(config_dir);
+	}
+
+	fdentry = fwsecurityfs_create_file("max_object_size", S_IFREG | 0444,
+					   sizeof(u16), config_dir, NULL, NULL,
+					   &plpks_config_file_operations);
+	if (IS_ERR(fdentry))
+		pr_err("Could not create max object size %ld\n", PTR_ERR(fdentry));
+
+	fdentry = fwsecurityfs_create_file("max_object_label_size", S_IFREG | 0444,
+					   sizeof(u16), config_dir, NULL, NULL,
+					   &plpks_config_file_operations);
+	if (IS_ERR(fdentry))
+		pr_err("Could not create max object label size %ld\n", PTR_ERR(fdentry));
+
+	fdentry = fwsecurityfs_create_file("total_size", S_IFREG | 0444,
+					   sizeof(u32), config_dir, NULL, NULL,
+					   &plpks_config_file_operations);
+	if (IS_ERR(fdentry))
+		pr_err("Could not create total size %ld\n", PTR_ERR(fdentry));
+
+	fdentry = fwsecurityfs_create_file("used_space", S_IFREG | 0444,
+					   sizeof(u32), config_dir, NULL, NULL,
+					   &plpks_config_file_operations);
+	if (IS_ERR(fdentry))
+		pr_err("Could not create used space %ld\n", PTR_ERR(fdentry));
+
+	fdentry = fwsecurityfs_create_file("version", S_IFREG | 0444,
+					   sizeof(u8), config_dir, NULL, NULL,
+					   &plpks_config_file_operations);
+	if (IS_ERR(fdentry))
+		pr_err("Could not create version %ld\n", PTR_ERR(fdentry));
+
+	return 0;
+}
+
+int arch_fwsecurityfs_init(void)
+{
+	return create_plpks_dir();
+}
diff --git a/include/linux/fwsecurityfs.h b/include/linux/fwsecurityfs.h
index ed8f328f3133..38fcb3cb374e 100644
--- a/include/linux/fwsecurityfs.h
+++ b/include/linux/fwsecurityfs.h
@@ -21,9 +21,13 @@ struct dentry *fwsecurityfs_create_dir(const char *name, umode_t mode,
 				       const struct inode_operations *iops);
 int fwsecurityfs_remove_dir(struct dentry *dentry);
 
+#ifdef CONFIG_PSERIES_FWSECURITYFS_ARCH
+int arch_fwsecurityfs_init(void);
+#else
 static int arch_fwsecurityfs_init(void)
 {
 	return 0;
 }
+#endif
 
 #endif /* _FWSECURITYFS_H_ */
-- 
2.31.1

[PATCH 4/4] powerpc/pseries: expose authenticated variables stored in LPAR PKS

[Nayna Jain]

PowerVM Guest Secure boot feature need to expose firmware managed
secure variables for user management. These variables store keys for
grub/kernel verification and also corresponding denied list.

Expose these variables to the userpace via fwsecurityfs.

Example:

$ pwd
/sys/firmware/security/plpks/secvars

$ ls -ltrh
total 0
-rw-r--r-- 1 root root 831 Sep 12 18:34 PK
-rw-r--r-- 1 root root 831 Sep 12 18:34 KEK
-rw-r--r-- 1 root root 831 Sep 12 18:34 db

$ hexdump -C db
00000000  00 00 00 08 a1 59 c0 a5  e4 94 a7 4a 87 b5 ab 15  |.....Y.....J....|
00000010  5c 2b f0 72 3f 03 00 00  00 00 00 00 23 03 00 00  |\+.r?.......#...|
00000020  ca 18 1d 1c 01 7d eb 11  9a 71 08 94 ef 31 fb e4  |.....}...q...1..|
00000030  30 82 03 0f 30 82 01 f7  a0 03 02 01 02 02 14 22  |0...0.........."|
00000040  ab 18 2f d5 aa dd c5 ba  98 27 60 26 f1 63 89 54  |../......'`&.c.T|
00000050  4c 52 d9 30 0d 06 09 2a  86 48 86 f7 0d 01 01 0b  |LR.0...*.H......|
00000060  05 00 30 17 31 15 30 13  06 03 55 04 03 0c 0c 72  |..0.1.0...U....r|
...

Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
---
 arch/powerpc/platforms/pseries/Kconfig        |  10 +
 arch/powerpc/platforms/pseries/Makefile       |   1 +
 .../platforms/pseries/fwsecurityfs_arch.c     |   8 +
 arch/powerpc/platforms/pseries/plpks.h        |   3 +
 arch/powerpc/platforms/pseries/secvars.c      | 365 ++++++++++++++++++
 5 files changed, 387 insertions(+)
 create mode 100644 arch/powerpc/platforms/pseries/secvars.c

diff --git a/arch/powerpc/platforms/pseries/Kconfig b/arch/powerpc/platforms/pseries/Kconfig
index 5fb45e601982..41c17f60dfe9 100644
--- a/arch/powerpc/platforms/pseries/Kconfig
+++ b/arch/powerpc/platforms/pseries/Kconfig
@@ -172,6 +172,16 @@ config PSERIES_FWSECURITYFS_ARCH
 
 	  If you are unsure how to use it, say N.
 
+config PSERIES_PLPKS_SECVARS
+       depends on PSERIES_PLPKS
+       select PSERIES_FWSECURITYFS_ARCH
+       tristate "Support for secvars"
+       help
+         This interface exposes authenticated variables stored in the LPAR
+         Platform KeyStore using fwsecurityfs interface.
+
+         If you are unsure how to use it, say N.
+
 config PAPR_SCM
 	depends on PPC_PSERIES && MEMORY_HOTPLUG && LIBNVDIMM
 	tristate "Support for the PAPR Storage Class Memory interface"
diff --git a/arch/powerpc/platforms/pseries/Makefile b/arch/powerpc/platforms/pseries/Makefile
index 2903cff26258..6833f6b02798 100644
--- a/arch/powerpc/platforms/pseries/Makefile
+++ b/arch/powerpc/platforms/pseries/Makefile
@@ -29,6 +29,7 @@ obj-$(CONFIG_PPC_SVM)		+= svm.o
 obj-$(CONFIG_FA_DUMP)		+= rtas-fadump.o
 obj-$(CONFIG_PSERIES_PLPKS) += plpks.o
 obj-$(CONFIG_PSERIES_FWSECURITYFS_ARCH) += fwsecurityfs_arch.o
+obj-$(CONFIG_PSERIES_PLPKS_SECVARS) += secvars.o
 
 obj-$(CONFIG_SUSPEND)		+= suspend.o
 obj-$(CONFIG_PPC_VAS)		+= vas.o vas-sysfs.o
diff --git a/arch/powerpc/platforms/pseries/fwsecurityfs_arch.c b/arch/powerpc/platforms/pseries/fwsecurityfs_arch.c
index b43bd3cf7889..1cc651ad6434 100644
--- a/arch/powerpc/platforms/pseries/fwsecurityfs_arch.c
+++ b/arch/powerpc/platforms/pseries/fwsecurityfs_arch.c
@@ -58,6 +58,7 @@ static int create_plpks_dir(void)
 {
 	struct dentry *config_dir;
 	struct dentry *fdentry;
+	int rc;
 
 	if (!IS_ENABLED(CONFIG_PSERIES_PLPKS) || !plpks_is_available()) {
 		pr_warn("Platform KeyStore is not available on this LPAR\n");
@@ -107,6 +108,13 @@ static int create_plpks_dir(void)
 	if (IS_ERR(fdentry))
 		pr_err("Could not create version %ld\n", PTR_ERR(fdentry));
 
+	if (IS_ENABLED(CONFIG_PSERIES_PLPKS_SECVARS)) {
+		rc = plpks_secvars_init(plpks_dir);
+		if (rc)
+			pr_err("Secure Variables initialization failed with error %d\n", rc);
+		return rc;
+	}
+
 	return 0;
 }
 
diff --git a/arch/powerpc/platforms/pseries/plpks.h b/arch/powerpc/platforms/pseries/plpks.h
index fb483658549f..2d572fe4b522 100644
--- a/arch/powerpc/platforms/pseries/plpks.h
+++ b/arch/powerpc/platforms/pseries/plpks.h
@@ -11,6 +11,7 @@
 
 #include <linux/types.h>
 #include <linux/list.h>
+#include <linux/dcache.h>
 
 #define OSSECBOOTAUDIT 0x40000000
 #define OSSECBOOTENFORCE 0x20000000
@@ -103,4 +104,6 @@ u32 plpks_get_totalsize(void);
  */
 u32 plpks_get_usedspace(void);
 
+int plpks_secvars_init(struct dentry *parent);
+
 #endif
diff --git a/arch/powerpc/platforms/pseries/secvars.c b/arch/powerpc/platforms/pseries/secvars.c
new file mode 100644
index 000000000000..3d5a251d0571
--- /dev/null
+++ b/arch/powerpc/platforms/pseries/secvars.c
@@ -0,0 +1,365 @@
+// SPDX-License-Identifier: GPL-2.0-only
+/*
+ * Expose secure(authenticated) variables for user key management.
+ * Copyright (C) 2022 IBM Corporation
+ * Author: Nayna Jain <nayna@linux.ibm.com>
+ *
+ */
+
+#include <linux/fwsecurityfs.h>
+#include "plpks.h"
+
+static struct dentry *secvar_dir;
+
+static const char * const names[] = {
+	"PK",
+	"KEK",
+	"db",
+	"dbx",
+	"grubdb",
+	"sbat",
+	"moduledb",
+	"trustedcadb",
+	NULL
+};
+
+static u16 get_ucs2name(const char *name, uint8_t **ucs2_name)
+{
+	int i = 0;
+	int j = 0;
+	int namelen = 0;
+
+	namelen = strlen(name) * 2;
+
+	*ucs2_name = kzalloc(namelen, GFP_KERNEL);
+	if (!*ucs2_name)
+		return 0;
+
+	while (name[i]) {
+		(*ucs2_name)[j++] = name[i];
+		(*ucs2_name)[j++] = '\0';
+		pr_debug("ucs2name is %c\n", (*ucs2_name)[j - 2]);
+		i++;
+	}
+
+	return namelen;
+}
+
+static int validate_name(const char *name)
+{
+	int i = 0;
+
+	while (names[i]) {
+		if ((strcmp(name, names[i]) == 0))
+			return 0;
+		i++;
+	}
+	pr_err("Invalid name, allowed ones are (PK,KEK,db,dbx,grubdb,sbat,moduledb,trustedcadb)\n");
+
+	return -EINVAL;
+}
+
+static u32 get_policy(const char *name)
+{
+	if ((strcmp(name, "db") == 0) ||
+	    (strcmp(name, "dbx") == 0) ||
+	    (strcmp(name, "grubdb") == 0) ||
+	    (strcmp(name, "sbat") == 0))
+		return (WORLDREADABLE | SIGNEDUPDATE);
+	else
+		return SIGNEDUPDATE;
+}
+
+static ssize_t plpks_secvar_file_write(struct file *file,
+				       const char __user *userbuf,
+				       size_t count, loff_t *ppos)
+{
+	struct plpks_var var;
+	void *data;
+	u16 ucs2_namelen;
+	u8 *ucs2_name = NULL;
+	u64 flags;
+	ssize_t rc;
+	bool exist = true;
+	u16 datasize = count;
+	struct inode *inode = file->f_mapping->host;
+
+	if (count <= sizeof(flags))
+		return -EINVAL;
+
+	ucs2_namelen = get_ucs2name(file_dentry(file)->d_iname, &ucs2_name);
+	if (ucs2_namelen == 0)
+		return -ENOMEM;
+
+	rc = copy_from_user(&flags, userbuf, sizeof(flags));
+	if (rc)
+		return -EFAULT;
+
+	datasize = count - sizeof(flags);
+
+	data = memdup_user(userbuf + sizeof(flags), datasize);
+	if (IS_ERR(data))
+		return PTR_ERR(data);
+
+	var.component = NULL;
+	var.name = ucs2_name;
+	var.namelen = ucs2_namelen;
+	var.os = PLPKS_VAR_LINUX;
+	var.datalen = 0;
+	var.data = NULL;
+
+	/* If PKS variable doesn't exist, it implies first time creation */
+	rc = plpks_read_os_var(&var);
+	if (rc) {
+		if (rc == -ENOENT) {
+			exist = false;
+		} else {
+			pr_err("Reading variable %s failed with error %ld\n",
+			       file_dentry(file)->d_iname, rc);
+			goto out;
+		}
+	}
+
+	var.datalen = datasize;
+	var.data = data;
+	var.policy = get_policy(file_dentry(file)->d_iname);
+	rc = plpks_signed_update_var(var, flags);
+	if (rc) {
+		pr_err("Update of the variable %s failed with error %ld\n",
+		       file_dentry(file)->d_iname, rc);
+		if (!exist)
+			fwsecurityfs_remove_file(file_dentry(file));
+		goto out;
+	}
+
+	/* Read variable again to get updated size of the object */
+	var.datalen = 0;
+	var.data = NULL;
+	rc = plpks_read_os_var(&var);
+	if (rc)
+		pr_err("Error updating file size\n");
+
+	inode_lock(inode);
+	i_size_write(inode, var.datalen);
+	inode->i_mtime = current_time(inode);
+	inode_unlock(inode);
+
+	rc = count;
+out:
+	kfree(data);
+	kfree(ucs2_name);
+
+	return rc;
+}
+
+static ssize_t __secvar_os_file_read(char *name, char **out, u32 *outlen)
+{
+	struct plpks_var var;
+	int rc;
+	u8 *ucs2_name = NULL;
+	u16 ucs2_namelen;
+
+	ucs2_namelen = get_ucs2name(name, &ucs2_name);
+	if (ucs2_namelen == 0)
+		return -ENOMEM;
+
+	var.component = NULL;
+	var.name = ucs2_name;
+	var.namelen = ucs2_namelen;
+	var.os = PLPKS_VAR_LINUX;
+	var.datalen = 0;
+	var.data = NULL;
+	rc = plpks_read_os_var(&var);
+	if (rc) {
+		pr_err("Error %d reading object %s from firmware\n", rc, name);
+		kfree(ucs2_name);
+		return rc;
+	}
+
+	*outlen = sizeof(var.policy) + var.datalen;
+	*out = kzalloc(*outlen, GFP_KERNEL);
+	if (!*out) {
+		rc = -ENOMEM;
+		goto err;
+	}
+
+	memcpy(*out, &var.policy, sizeof(var.policy));
+
+	memcpy(*out + sizeof(var.policy), var.data, var.datalen);
+
+err:
+	kfree(ucs2_name);
+	kfree(var.data);
+	return rc;
+}
+
+static ssize_t __secvar_fw_file_read(char *name, char **out, u32 *outlen)
+{
+	struct plpks_var var;
+	int rc;
+
+	var.component = NULL;
+	var.name = name;
+	var.namelen = strlen(name);
+	var.datalen = 0;
+	var.data = NULL;
+	rc = plpks_read_fw_var(&var);
+	if (rc) {
+		if (rc == -ENOENT) {
+			var.datalen = 1;
+			var.data = kzalloc(var.datalen, GFP_KERNEL);
+			rc = 0;
+		} else {
+			pr_err("Error %d reading object %s from firmware\n",
+			       rc, name);
+			return rc;
+		}
+	}
+
+	*outlen = var.datalen;
+	*out = kzalloc(*outlen, GFP_KERNEL);
+	if (!*out) {
+		kfree(var.data);
+		return -ENOMEM;
+	}
+
+	memcpy(*out, var.data, var.datalen);
+
+	kfree(var.data);
+	return 0;
+}
+
+static ssize_t plpks_secvar_file_read(struct file *file, char __user *userbuf,
+				      size_t count, loff_t *ppos)
+{
+	int rc;
+	char *out = NULL;
+	u32 outlen;
+	char *fname = file_dentry(file)->d_iname;
+
+	if (strcmp(fname, "SB_VERSION") == 0)
+		rc = __secvar_fw_file_read(fname, &out, &outlen);
+	else
+		rc = __secvar_os_file_read(fname, &out, &outlen);
+	if (!rc)
+		rc = simple_read_from_buffer(userbuf, count, ppos,
+					     out, outlen);
+
+	kfree(out);
+
+	return rc;
+}
+
+static const struct file_operations plpks_secvar_file_operations = {
+	.open   = simple_open,
+	.read   = plpks_secvar_file_read,
+	.write  = plpks_secvar_file_write,
+	.llseek = no_llseek,
+};
+
+static int plpks_secvar_create(struct user_namespace *mnt_userns,
+			       struct inode *dir, struct dentry *dentry,
+			       umode_t mode, bool excl)
+{
+	const char *varname;
+	struct dentry *ldentry;
+	int rc;
+
+	varname = dentry->d_name.name;
+
+	rc = validate_name(varname);
+	if (rc)
+		goto out;
+
+	ldentry = fwsecurityfs_create_file(varname, S_IFREG | 0644, 0,
+					   secvar_dir, dentry, NULL,
+					   &plpks_secvar_file_operations);
+	if (IS_ERR(ldentry)) {
+		rc = PTR_ERR(ldentry);
+		pr_err("Creation of variable %s failed with error %d\n",
+		       varname, rc);
+	}
+
+out:
+	return rc;
+}
+
+static const struct inode_operations plpks_secvar_dir_inode_operations = {
+	.lookup = simple_lookup,
+	.create = plpks_secvar_create,
+};
+
+static int plpks_fill_secvars(void)
+{
+	struct plpks_var var;
+	int rc = 0;
+	int i = 0;
+	u8 *ucs2_name = NULL;
+	u16 ucs2_namelen;
+	struct dentry *dentry;
+
+	dentry = fwsecurityfs_create_file("SB_VERSION", S_IFREG | 0444, 1,
+					  secvar_dir, NULL, NULL,
+					  &plpks_secvar_file_operations);
+	if (IS_ERR(dentry)) {
+		rc = PTR_ERR(dentry);
+		pr_err("Creation of variable SB_VERSION failed with error %d\n", rc);
+		return rc;
+	}
+
+	while (names[i]) {
+		ucs2_namelen = get_ucs2name(names[i], &ucs2_name);
+		if (ucs2_namelen == 0) {
+			i++;
+			continue;
+		}
+
+		i++;
+		var.component = NULL;
+		var.name = ucs2_name;
+		var.namelen = ucs2_namelen;
+		var.os = PLPKS_VAR_LINUX;
+		var.datalen = 0;
+		var.data = NULL;
+		rc = plpks_read_os_var(&var);
+		kfree(ucs2_name);
+		if (rc) {
+			rc = 0;
+			continue;
+		}
+
+		dentry = fwsecurityfs_create_file(names[i - 1], S_IFREG | 0644,
+						  var.datalen, secvar_dir,
+						  NULL, NULL,
+						  &plpks_secvar_file_operations);
+
+		kfree(var.data);
+		if (IS_ERR(dentry)) {
+			rc = PTR_ERR(dentry);
+			pr_err("Creation of variable %s failed with error %d\n",
+			       names[i - 1], rc);
+			break;
+		}
+	}
+
+	return rc;
+};
+
+int plpks_secvars_init(struct dentry *parent)
+{
+	int rc;
+
+	secvar_dir = fwsecurityfs_create_dir("secvars", S_IFDIR | 0755, parent,
+					     &plpks_secvar_dir_inode_operations);
+	if (IS_ERR(secvar_dir)) {
+		rc = PTR_ERR(secvar_dir);
+		pr_err("Unable to create secvars dir: %d\n", rc);
+		return rc;
+	}
+
+	rc = plpks_fill_secvars();
+	if (rc)
+		pr_err("Filling secvars failed %d\n", rc);
+
+	return rc;
+};
-- 
2.31.1

Re: [PATCH 2/4] fs: define a firmware security filesystem named fwsecurityfs

[Greg Kroah-Hartman]

On Sun, Nov 06, 2022 at 04:07:42PM -0500, Nayna Jain wrote:
> securityfs is meant for Linux security subsystems to expose policies/logs
> or any other information. However, there are various firmware security
> features which expose their variables for user management via the kernel.
> There is currently no single place to expose these variables. Different
> platforms use sysfs/platform specific filesystem(efivarfs)/securityfs
> interface as they find it appropriate. Thus, there is a gap in kernel
> interfaces to expose variables for security features.
> 
> Define a firmware security filesystem (fwsecurityfs) to be used by
> security features enabled by the firmware. These variables are platform
> specific. This filesystem provides platforms a way to implement their
>  own underlying semantics by defining own inode and file operations.
> 
> Similar to securityfs, the firmware security filesystem is recommended
> to be exposed on a well known mount point /sys/firmware/security.
> Platforms can define their own directory or file structure under this path.
> 
> Example:
> 
> # mount -t fwsecurityfs fwsecurityfs /sys/firmware/security

Why not juset use securityfs in /sys/security/firmware/ instead?  Then
you don't have to create a new filesystem and convince userspace to
mount it in a specific location?

thanks,

greg k-h

Re: [PATCH 2/4] fs: define a firmware security filesystem named fwsecurityfs

[Nayna]

On 11/9/22 08:46, Greg Kroah-Hartman wrote:
> On Sun, Nov 06, 2022 at 04:07:42PM -0500, Nayna Jain wrote:
>> securityfs is meant for Linux security subsystems to expose policies/logs
>> or any other information. However, there are various firmware security
>> features which expose their variables for user management via the kernel.
>> There is currently no single place to expose these variables. Different
>> platforms use sysfs/platform specific filesystem(efivarfs)/securityfs
>> interface as they find it appropriate. Thus, there is a gap in kernel
>> interfaces to expose variables for security features.
>>
>> Define a firmware security filesystem (fwsecurityfs) to be used by
>> security features enabled by the firmware. These variables are platform
>> specific. This filesystem provides platforms a way to implement their
>>   own underlying semantics by defining own inode and file operations.
>>
>> Similar to securityfs, the firmware security filesystem is recommended
>> to be exposed on a well known mount point /sys/firmware/security.
>> Platforms can define their own directory or file structure under this path.
>>
>> Example:
>>
>> # mount -t fwsecurityfs fwsecurityfs /sys/firmware/security
> Why not juset use securityfs in /sys/security/firmware/ instead?  Then
> you don't have to create a new filesystem and convince userspace to
> mount it in a specific location?

 From man 5 sysfs page:

/sys/firmware: This subdirectory contains interfaces for viewing and 
manipulating firmware-specific objects and attributes.

/sys/kernel: This subdirectory contains various files and subdirectories 
that provide information about the running kernel.

The security variables which are being exposed via fwsecurityfs are 
managed by firmware, stored in firmware managed space and also often 
consumed by firmware for enabling various security features.

 From git commit b67dbf9d4c1987c370fd18fdc4cf9d8aaea604c2, the purpose 
of securityfs(/sys/kernel/security) is to provide a common place for all 
kernel LSMs. The idea of
fwsecurityfs(/sys/firmware/security) is to similarly provide a common 
place for all firmware security objects.

/sys/firmware already exists. The patch now defines a new /security 
directory in it for firmware security features. Using 
/sys/kernel/security would mean scattering firmware objects in multiple 
places and confusing the purpose of /sys/kernel and /sys/firmware.

Even though fwsecurityfs code is based on securityfs, since the two 
filesystems expose different types of objects and have different 
requirements, there are distinctions:

1. fwsecurityfs lets users create files in userspace, securityfs only 
allows kernel subsystems to create files.

2. firmware and kernel objects may have different requirements. For 
example, consideration of namespacing. As per my understanding, 
namespacing is applied to kernel resources and not firmware resources. 
That's why it makes sense to add support for namespacing in securityfs, 
but we concluded that fwsecurityfs currently doesn't need it. Another 
but similar example of it is: TPM space, which is exposed from hardware. 
For containers, the TPM would be made as virtual/software TPM. Similarly 
for firmware space for containers, it would have to be something 
virtualized/software version of it.

3. firmware objects are persistent and read at boot time by interaction 
with firmware, unlike kernel objects which are not persistent.

For a more detailed explanation refer to the LSS-NA 2022 "PowerVM 
Platform Keystore - Securing Linux Credentials Locally" talk and 
slides[1]. The link to previously posted RFC version is [2].

[1] 
https://static.sched.com/hosted_files/lssna2022/25/NaynaJain_PowerVM_PlatformKeyStore_SecuringLinuxCredentialsLocally.pdf
[2] https://lore.kernel.org/linuxppc-dev/YrQqPhi4+jHZ1WJc@kroah.com/

Thanks & Regards,

      - Nayna

>
> thanks,
>
> greg k-h

Re: [PATCH 2/4] fs: define a firmware security filesystem named fwsecurityfs

[Greg Kroah-Hartman]

On Wed, Nov 09, 2022 at 03:10:37PM -0500, Nayna wrote:
> 
> On 11/9/22 08:46, Greg Kroah-Hartman wrote:
> > On Sun, Nov 06, 2022 at 04:07:42PM -0500, Nayna Jain wrote:
> > > securityfs is meant for Linux security subsystems to expose policies/logs
> > > or any other information. However, there are various firmware security
> > > features which expose their variables for user management via the kernel.
> > > There is currently no single place to expose these variables. Different
> > > platforms use sysfs/platform specific filesystem(efivarfs)/securityfs
> > > interface as they find it appropriate. Thus, there is a gap in kernel
> > > interfaces to expose variables for security features.
> > > 
> > > Define a firmware security filesystem (fwsecurityfs) to be used by
> > > security features enabled by the firmware. These variables are platform
> > > specific. This filesystem provides platforms a way to implement their
> > >   own underlying semantics by defining own inode and file operations.
> > > 
> > > Similar to securityfs, the firmware security filesystem is recommended
> > > to be exposed on a well known mount point /sys/firmware/security.
> > > Platforms can define their own directory or file structure under this path.
> > > 
> > > Example:
> > > 
> > > # mount -t fwsecurityfs fwsecurityfs /sys/firmware/security
> > Why not juset use securityfs in /sys/security/firmware/ instead?  Then
> > you don't have to create a new filesystem and convince userspace to
> > mount it in a specific location?
> 
> From man 5 sysfs page:
> 
> /sys/firmware: This subdirectory contains interfaces for viewing and
> manipulating firmware-specific objects and attributes.
> 
> /sys/kernel: This subdirectory contains various files and subdirectories
> that provide information about the running kernel.
> 
> The security variables which are being exposed via fwsecurityfs are managed
> by firmware, stored in firmware managed space and also often consumed by
> firmware for enabling various security features.

Ok, then just use the normal sysfs interface for /sys/firmware, why do
you need a whole new filesystem type?

> From git commit b67dbf9d4c1987c370fd18fdc4cf9d8aaea604c2, the purpose of
> securityfs(/sys/kernel/security) is to provide a common place for all kernel
> LSMs. The idea of
> fwsecurityfs(/sys/firmware/security) is to similarly provide a common place
> for all firmware security objects.
> 
> /sys/firmware already exists. The patch now defines a new /security
> directory in it for firmware security features. Using /sys/kernel/security
> would mean scattering firmware objects in multiple places and confusing the
> purpose of /sys/kernel and /sys/firmware.

sysfs is confusing already, no problem with making it more confusing :)

Just document where you add things and all should be fine.

> Even though fwsecurityfs code is based on securityfs, since the two
> filesystems expose different types of objects and have different
> requirements, there are distinctions:
> 
> 1. fwsecurityfs lets users create files in userspace, securityfs only allows
> kernel subsystems to create files.

Wait, why would a user ever create a file in this filesystem?  If you
need that, why not use configfs?  That's what that is for, right?

> 2. firmware and kernel objects may have different requirements. For example,
> consideration of namespacing. As per my understanding, namespacing is
> applied to kernel resources and not firmware resources. That's why it makes
> sense to add support for namespacing in securityfs, but we concluded that
> fwsecurityfs currently doesn't need it. Another but similar example of it
> is: TPM space, which is exposed from hardware. For containers, the TPM would
> be made as virtual/software TPM. Similarly for firmware space for
> containers, it would have to be something virtualized/software version of
> it.

I do not understand, sorry.  What does namespaces have to do with this?
sysfs can already handle namespaces just fine, why not use that?

> 3. firmware objects are persistent and read at boot time by interaction with
> firmware, unlike kernel objects which are not persistent.

That doesn't matter, sysfs exports what the hardware provides, and that
might persist over boot.

So I don't see why a new filesystem is needed.

You didn't explain why sysfs, or securitfs (except for the location in
the tree) does not work at all for your needs.  The location really
doesn't matter all that much as you are creating a brand new location
anyway so we can just declare "this is where this stuff goes" and be ok.

And again, how are you going to get all Linux distros to now mount your
new filesystem?

thanks,

greg k-h

Re: [PATCH 2/4] fs: define a firmware security filesystem named fwsecurityfs

[Nayna]

On 11/10/22 04:58, Greg Kroah-Hartman wrote:
> On Wed, Nov 09, 2022 at 03:10:37PM -0500, Nayna wrote:
>> On 11/9/22 08:46, Greg Kroah-Hartman wrote:
>>> On Sun, Nov 06, 2022 at 04:07:42PM -0500, Nayna Jain wrote:
>>>> securityfs is meant for Linux security subsystems to expose policies/logs
>>>> or any other information. However, there are various firmware security
>>>> features which expose their variables for user management via the kernel.
>>>> There is currently no single place to expose these variables. Different
>>>> platforms use sysfs/platform specific filesystem(efivarfs)/securityfs
>>>> interface as they find it appropriate. Thus, there is a gap in kernel
>>>> interfaces to expose variables for security features.
>>>>
>>>> Define a firmware security filesystem (fwsecurityfs) to be used by
>>>> security features enabled by the firmware. These variables are platform
>>>> specific. This filesystem provides platforms a way to implement their
>>>>    own underlying semantics by defining own inode and file operations.
>>>>
>>>> Similar to securityfs, the firmware security filesystem is recommended
>>>> to be exposed on a well known mount point /sys/firmware/security.
>>>> Platforms can define their own directory or file structure under this path.
>>>>
>>>> Example:
>>>>
>>>> # mount -t fwsecurityfs fwsecurityfs /sys/firmware/security
>>> Why not juset use securityfs in /sys/security/firmware/ instead?  Then
>>> you don't have to create a new filesystem and convince userspace to
>>> mount it in a specific location?
>>  From man 5 sysfs page:
>>
>> /sys/firmware: This subdirectory contains interfaces for viewing and
>> manipulating firmware-specific objects and attributes.
>>
>> /sys/kernel: This subdirectory contains various files and subdirectories
>> that provide information about the running kernel.
>>
>> The security variables which are being exposed via fwsecurityfs are managed
>> by firmware, stored in firmware managed space and also often consumed by
>> firmware for enabling various security features.
> Ok, then just use the normal sysfs interface for /sys/firmware, why do
> you need a whole new filesystem type?
>
>>  From git commit b67dbf9d4c1987c370fd18fdc4cf9d8aaea604c2, the purpose of
>> securityfs(/sys/kernel/security) is to provide a common place for all kernel
>> LSMs. The idea of
>> fwsecurityfs(/sys/firmware/security) is to similarly provide a common place
>> for all firmware security objects.
>>
>> /sys/firmware already exists. The patch now defines a new /security
>> directory in it for firmware security features. Using /sys/kernel/security
>> would mean scattering firmware objects in multiple places and confusing the
>> purpose of /sys/kernel and /sys/firmware.
> sysfs is confusing already, no problem with making it more confusing :)
>
> Just document where you add things and all should be fine.
>
>> Even though fwsecurityfs code is based on securityfs, since the two
>> filesystems expose different types of objects and have different
>> requirements, there are distinctions:
>>
>> 1. fwsecurityfs lets users create files in userspace, securityfs only allows
>> kernel subsystems to create files.
> Wait, why would a user ever create a file in this filesystem?  If you
> need that, why not use configfs?  That's what that is for, right?

The purpose of fwsecurityfs is not to expose configuration items but 
rather security objects used for firmware security features. I think 
these are more comparable to EFI variables, which are exposed via an 
EFI-specific filesystem, efivarfs, rather than configfs.

>
>> 2. firmware and kernel objects may have different requirements. For example,
>> consideration of namespacing. As per my understanding, namespacing is
>> applied to kernel resources and not firmware resources. That's why it makes
>> sense to add support for namespacing in securityfs, but we concluded that
>> fwsecurityfs currently doesn't need it. Another but similar example of it
>> is: TPM space, which is exposed from hardware. For containers, the TPM would
>> be made as virtual/software TPM. Similarly for firmware space for
>> containers, it would have to be something virtualized/software version of
>> it.
> I do not understand, sorry.  What does namespaces have to do with this?
> sysfs can already handle namespaces just fine, why not use that?

Firmware objects are not namespaced. I mentioned it here as an example 
of the difference between firmware and kernel objects. It is also in 
response to the feedback from James Bottomley in RFC v2 
[https://lore.kernel.org/linuxppc-dev/41ca51e8db9907d9060cc38adb59a66dcae4c59b.camel@HansenPartnership.com/].

>
>> 3. firmware objects are persistent and read at boot time by interaction with
>> firmware, unlike kernel objects which are not persistent.
> That doesn't matter, sysfs exports what the hardware provides, and that
> might persist over boot.
>
> So I don't see why a new filesystem is needed.
>
> You didn't explain why sysfs, or securitfs (except for the location in
> the tree) does not work at all for your needs.  The location really
> doesn't matter all that much as you are creating a brand new location
> anyway so we can just declare "this is where this stuff goes" and be ok.

For rest of the questions, here is the summarized response.

Based on mailing list previous discussions [1][2][3] and considering 
various firmware security use cases, our fwsecurityfs proposal seemed to 
be a reasonable and acceptable approach based on the feedback [4].

[1] https://lore.kernel.org/linuxppc-dev/YeuyUVVdFADCuDr4@kroah.com/#t
[2] https://lore.kernel.org/linuxppc-dev/Yfk6gucNmJuR%2Fegi@kroah.com/
[3] 
https://lore.kernel.org/all/Yfo%2F5gYgb9Sv24YB@kroah.com/t/#m40250fdb3fddaafe502ab06e329e63381b00582d
[4] https://lore.kernel.org/linuxppc-dev/YrQqPhi4+jHZ1WJc@kroah.com/

RFC v1 was using sysfs. After considering feedback[1][2][3], the 
following are design considerations for unification via fwsecurityfs:

1. Unify the location: Defining a security directory under /sys/firmware 
facilitates exposing objects related to firmware security features in a 
single place. Different platforms can create their respective directory 
structures within /sys/firmware/security.

2. Unify the code:  To support unification, having the fwsecurityfs 
filesystem API allows different platforms to define the inode and file 
operations they need. fwsecurityfs provides a common API that can be 
used by each platform-specific implementation to support its particular 
requirements and interaction with firmware. Initializing 
platform-specific functions is the purpose of the 
fwsecurityfs_arch_init() function that is called on mount. Patch 3/4 
implements fwsecurityfs_arch_init() for powerpc.

Similar to the common place securityfs provides for LSMs to interact 
with kernel security objects, fwsecurityfs would provide a common place 
for all firmware security objects, which interact with the firmware 
rather than the kernel. Although at the API level, the two filesystem 
look similar, the requirements for firmware and kernel objects are 
different. Therefore, reusing securityfs wasn't a good fit for the 
firmware use case and we are proposing a similar but different 
filesystem -  fwsecurityfs - focused for firmware security.

>
> And again, how are you going to get all Linux distros to now mount your
> new filesystem?

It would be analogous to the way securityfs is mounted.

Thanks & Regards,

     - Nayna

>
> thanks,
>
> greg k-h

Re: [PATCH 2/4] fs: define a firmware security filesystem named fwsecurityfs

[Greg Kroah-Hartman]

On Mon, Nov 14, 2022 at 06:03:43PM -0500, Nayna wrote:
> 
> On 11/10/22 04:58, Greg Kroah-Hartman wrote:
> > On Wed, Nov 09, 2022 at 03:10:37PM -0500, Nayna wrote:
> > > On 11/9/22 08:46, Greg Kroah-Hartman wrote:
> > > > On Sun, Nov 06, 2022 at 04:07:42PM -0500, Nayna Jain wrote:
> > > > > securityfs is meant for Linux security subsystems to expose policies/logs
> > > > > or any other information. However, there are various firmware security
> > > > > features which expose their variables for user management via the kernel.
> > > > > There is currently no single place to expose these variables. Different
> > > > > platforms use sysfs/platform specific filesystem(efivarfs)/securityfs
> > > > > interface as they find it appropriate. Thus, there is a gap in kernel
> > > > > interfaces to expose variables for security features.
> > > > > 
> > > > > Define a firmware security filesystem (fwsecurityfs) to be used by
> > > > > security features enabled by the firmware. These variables are platform
> > > > > specific. This filesystem provides platforms a way to implement their
> > > > >    own underlying semantics by defining own inode and file operations.
> > > > > 
> > > > > Similar to securityfs, the firmware security filesystem is recommended
> > > > > to be exposed on a well known mount point /sys/firmware/security.
> > > > > Platforms can define their own directory or file structure under this path.
> > > > > 
> > > > > Example:
> > > > > 
> > > > > # mount -t fwsecurityfs fwsecurityfs /sys/firmware/security
> > > > Why not juset use securityfs in /sys/security/firmware/ instead?  Then
> > > > you don't have to create a new filesystem and convince userspace to
> > > > mount it in a specific location?
> > >  From man 5 sysfs page:
> > > 
> > > /sys/firmware: This subdirectory contains interfaces for viewing and
> > > manipulating firmware-specific objects and attributes.
> > > 
> > > /sys/kernel: This subdirectory contains various files and subdirectories
> > > that provide information about the running kernel.
> > > 
> > > The security variables which are being exposed via fwsecurityfs are managed
> > > by firmware, stored in firmware managed space and also often consumed by
> > > firmware for enabling various security features.
> > Ok, then just use the normal sysfs interface for /sys/firmware, why do
> > you need a whole new filesystem type?
> > 
> > >  From git commit b67dbf9d4c1987c370fd18fdc4cf9d8aaea604c2, the purpose of
> > > securityfs(/sys/kernel/security) is to provide a common place for all kernel
> > > LSMs. The idea of
> > > fwsecurityfs(/sys/firmware/security) is to similarly provide a common place
> > > for all firmware security objects.
> > > 
> > > /sys/firmware already exists. The patch now defines a new /security
> > > directory in it for firmware security features. Using /sys/kernel/security
> > > would mean scattering firmware objects in multiple places and confusing the
> > > purpose of /sys/kernel and /sys/firmware.
> > sysfs is confusing already, no problem with making it more confusing :)
> > 
> > Just document where you add things and all should be fine.
> > 
> > > Even though fwsecurityfs code is based on securityfs, since the two
> > > filesystems expose different types of objects and have different
> > > requirements, there are distinctions:
> > > 
> > > 1. fwsecurityfs lets users create files in userspace, securityfs only allows
> > > kernel subsystems to create files.
> > Wait, why would a user ever create a file in this filesystem?  If you
> > need that, why not use configfs?  That's what that is for, right?
> 
> The purpose of fwsecurityfs is not to expose configuration items but rather
> security objects used for firmware security features. I think these are more
> comparable to EFI variables, which are exposed via an EFI-specific
> filesystem, efivarfs, rather than configfs.
> 
> > 
> > > 2. firmware and kernel objects may have different requirements. For example,
> > > consideration of namespacing. As per my understanding, namespacing is
> > > applied to kernel resources and not firmware resources. That's why it makes
> > > sense to add support for namespacing in securityfs, but we concluded that
> > > fwsecurityfs currently doesn't need it. Another but similar example of it
> > > is: TPM space, which is exposed from hardware. For containers, the TPM would
> > > be made as virtual/software TPM. Similarly for firmware space for
> > > containers, it would have to be something virtualized/software version of
> > > it.
> > I do not understand, sorry.  What does namespaces have to do with this?
> > sysfs can already handle namespaces just fine, why not use that?
> 
> Firmware objects are not namespaced. I mentioned it here as an example of
> the difference between firmware and kernel objects. It is also in response
> to the feedback from James Bottomley in RFC v2 [https://lore.kernel.org/linuxppc-dev/41ca51e8db9907d9060cc38adb59a66dcae4c59b.camel@HansenPartnership.com/].

I do not understand, sorry.  Do you want to use a namespace for these or
not?  The code does not seem to be using namespaces.  You can use sysfs
with, or without, a namespace so I don't understand the issue here.

With your code, there is no namespace.

> > > 3. firmware objects are persistent and read at boot time by interaction with
> > > firmware, unlike kernel objects which are not persistent.
> > That doesn't matter, sysfs exports what the hardware provides, and that
> > might persist over boot.
> > 
> > So I don't see why a new filesystem is needed.
> > 
> > You didn't explain why sysfs, or securitfs (except for the location in
> > the tree) does not work at all for your needs.  The location really
> > doesn't matter all that much as you are creating a brand new location
> > anyway so we can just declare "this is where this stuff goes" and be ok.
> 
> For rest of the questions, here is the summarized response.
> 
> Based on mailing list previous discussions [1][2][3] and considering various
> firmware security use cases, our fwsecurityfs proposal seemed to be a
> reasonable and acceptable approach based on the feedback [4].
> 
> [1] https://lore.kernel.org/linuxppc-dev/YeuyUVVdFADCuDr4@kroah.com/#t
> [2] https://lore.kernel.org/linuxppc-dev/Yfk6gucNmJuR%2Fegi@kroah.com/
> [3] https://lore.kernel.org/all/Yfo%2F5gYgb9Sv24YB@kroah.com/t/#m40250fdb3fddaafe502ab06e329e63381b00582d
> [4] https://lore.kernel.org/linuxppc-dev/YrQqPhi4+jHZ1WJc@kroah.com/
> 
> RFC v1 was using sysfs. After considering feedback[1][2][3], the following
> are design considerations for unification via fwsecurityfs:
> 
> 1. Unify the location: Defining a security directory under /sys/firmware
> facilitates exposing objects related to firmware security features in a
> single place. Different platforms can create their respective directory
> structures within /sys/firmware/security.

So just pick one place in sysfs for this to always go into.

Your patch series does not document anything here, there are no
Documentation/ABI/ entries that define the files being created, so that
it's really hard to be able to review the code to determine if it is
doing what you are wanting it to do.

You can't document apis with just a changelog text alone, sorry.

> 2. Unify the code:  To support unification, having the fwsecurityfs
> filesystem API allows different platforms to define the inode and file
> operations they need. fwsecurityfs provides a common API that can be used by
> each platform-specific implementation to support its particular requirements
> and interaction with firmware. Initializing platform-specific functions is
> the purpose of the fwsecurityfs_arch_init() function that is called on
> mount. Patch 3/4 implements fwsecurityfs_arch_init() for powerpc.

But you only are doing this for one platform, that's not any
unification.  APIs don't really work unless they can handle 3 users, as
then you really understand if they work or not.

Right now you wrote this code and it only has one user, that's a
platform-specific-filesystem-only so far.

> Similar to the common place securityfs provides for LSMs to interact with
> kernel security objects, fwsecurityfs would provide a common place for all
> firmware security objects, which interact with the firmware rather than the
> kernel. Although at the API level, the two filesystem look similar, the
> requirements for firmware and kernel objects are different. Therefore,
> reusing securityfs wasn't a good fit for the firmware use case and we are
> proposing a similar but different filesystem -  fwsecurityfs - focused for
> firmware security.

What other platforms will use this?  Who is going to move their code
over to it?

> > And again, how are you going to get all Linux distros to now mount your
> > new filesystem?
> 
> It would be analogous to the way securityfs is mounted.

That did not answer the question.  The question is how are you going to
get the distros to mount your new filesystem specifically?  How will
they know that they need to modify their init scripts to do this?  Who
is going to do that?  For what distro?  On what timeline?

Oh, and it looks like this series doesn't pass the kernel testing bot at
all, so I'll not review the code until that's all fixed up at the very
least.

thanks,

greg k-h

Re: [PATCH 2/4] fs: define a firmware security filesystem named fwsecurityfs

[Nayna]

On 11/17/22 16:27, Greg Kroah-Hartman wrote:
> On Mon, Nov 14, 2022 at 06:03:43PM -0500, Nayna wrote:
>> On 11/10/22 04:58, Greg Kroah-Hartman wrote:
>>> On Wed, Nov 09, 2022 at 03:10:37PM -0500, Nayna wrote:
>>>> On 11/9/22 08:46, Greg Kroah-Hartman wrote:
>>>>> On Sun, Nov 06, 2022 at 04:07:42PM -0500, Nayna Jain wrote:
>>>>>> securityfs is meant for Linux security subsystems to expose policies/logs
>>>>>> or any other information. However, there are various firmware security
>>>>>> features which expose their variables for user management via the kernel.
>>>>>> There is currently no single place to expose these variables. Different
>>>>>> platforms use sysfs/platform specific filesystem(efivarfs)/securityfs
>>>>>> interface as they find it appropriate. Thus, there is a gap in kernel
>>>>>> interfaces to expose variables for security features.
>>>>>>
>>>>>> Define a firmware security filesystem (fwsecurityfs) to be used by
>>>>>> security features enabled by the firmware. These variables are platform
>>>>>> specific. This filesystem provides platforms a way to implement their
>>>>>>     own underlying semantics by defining own inode and file operations.
>>>>>>
>>>>>> Similar to securityfs, the firmware security filesystem is recommended
>>>>>> to be exposed on a well known mount point /sys/firmware/security.
>>>>>> Platforms can define their own directory or file structure under this path.
>>>>>>
>>>>>> Example:
>>>>>>
>>>>>> # mount -t fwsecurityfs fwsecurityfs /sys/firmware/security
>>>>> Why not juset use securityfs in /sys/security/firmware/ instead?  Then
>>>>> you don't have to create a new filesystem and convince userspace to
>>>>> mount it in a specific location?
>>>>   From man 5 sysfs page:
>>>>
>>>> /sys/firmware: This subdirectory contains interfaces for viewing and
>>>> manipulating firmware-specific objects and attributes.
>>>>
>>>> /sys/kernel: This subdirectory contains various files and subdirectories
>>>> that provide information about the running kernel.
>>>>
>>>> The security variables which are being exposed via fwsecurityfs are managed
>>>> by firmware, stored in firmware managed space and also often consumed by
>>>> firmware for enabling various security features.
>>> Ok, then just use the normal sysfs interface for /sys/firmware, why do
>>> you need a whole new filesystem type?
>>>
>>>>   From git commit b67dbf9d4c1987c370fd18fdc4cf9d8aaea604c2, the purpose of
>>>> securityfs(/sys/kernel/security) is to provide a common place for all kernel
>>>> LSMs. The idea of
>>>> fwsecurityfs(/sys/firmware/security) is to similarly provide a common place
>>>> for all firmware security objects.
>>>>
>>>> /sys/firmware already exists. The patch now defines a new /security
>>>> directory in it for firmware security features. Using /sys/kernel/security
>>>> would mean scattering firmware objects in multiple places and confusing the
>>>> purpose of /sys/kernel and /sys/firmware.
>>> sysfs is confusing already, no problem with making it more confusing :)
>>>
>>> Just document where you add things and all should be fine.
>>>
>>>> Even though fwsecurityfs code is based on securityfs, since the two
>>>> filesystems expose different types of objects and have different
>>>> requirements, there are distinctions:
>>>>
>>>> 1. fwsecurityfs lets users create files in userspace, securityfs only allows
>>>> kernel subsystems to create files.
>>> Wait, why would a user ever create a file in this filesystem?  If you
>>> need that, why not use configfs?  That's what that is for, right?
>> The purpose of fwsecurityfs is not to expose configuration items but rather
>> security objects used for firmware security features. I think these are more
>> comparable to EFI variables, which are exposed via an EFI-specific
>> filesystem, efivarfs, rather than configfs.
>>
>>>> 2. firmware and kernel objects may have different requirements. For example,
>>>> consideration of namespacing. As per my understanding, namespacing is
>>>> applied to kernel resources and not firmware resources. That's why it makes
>>>> sense to add support for namespacing in securityfs, but we concluded that
>>>> fwsecurityfs currently doesn't need it. Another but similar example of it
>>>> is: TPM space, which is exposed from hardware. For containers, the TPM would
>>>> be made as virtual/software TPM. Similarly for firmware space for
>>>> containers, it would have to be something virtualized/software version of
>>>> it.
>>> I do not understand, sorry.  What does namespaces have to do with this?
>>> sysfs can already handle namespaces just fine, why not use that?
>> Firmware objects are not namespaced. I mentioned it here as an example of
>> the difference between firmware and kernel objects. It is also in response
>> to the feedback from James Bottomley in RFC v2 [https://lore.kernel.org/linuxppc-dev/41ca51e8db9907d9060cc38adb59a66dcae4c59b.camel@HansenPartnership.com/].
> I do not understand, sorry.  Do you want to use a namespace for these or
> not?  The code does not seem to be using namespaces.  You can use sysfs
> with, or without, a namespace so I don't understand the issue here.
>
> With your code, there is no namespace.

You are correct. There's no namespace for these.


>
>>>> 3. firmware objects are persistent and read at boot time by interaction with
>>>> firmware, unlike kernel objects which are not persistent.
>>> That doesn't matter, sysfs exports what the hardware provides, and that
>>> might persist over boot.
>>>
>>> So I don't see why a new filesystem is needed.
>>>
>>> You didn't explain why sysfs, or securitfs (except for the location in
>>> the tree) does not work at all for your needs.  The location really
>>> doesn't matter all that much as you are creating a brand new location
>>> anyway so we can just declare "this is where this stuff goes" and be ok.
>> For rest of the questions, here is the summarized response.
>>
>> Based on mailing list previous discussions [1][2][3] and considering various
>> firmware security use cases, our fwsecurityfs proposal seemed to be a
>> reasonable and acceptable approach based on the feedback [4].
>>
>> [1] https://lore.kernel.org/linuxppc-dev/YeuyUVVdFADCuDr4@kroah.com/#t
>> [2] https://lore.kernel.org/linuxppc-dev/Yfk6gucNmJuR%2Fegi@kroah.com/
>> [3] https://lore.kernel.org/all/Yfo%2F5gYgb9Sv24YB@kroah.com/t/#m40250fdb3fddaafe502ab06e329e63381b00582d
>> [4] https://lore.kernel.org/linuxppc-dev/YrQqPhi4+jHZ1WJc@kroah.com/
>>
>> RFC v1 was using sysfs. After considering feedback[1][2][3], the following
>> are design considerations for unification via fwsecurityfs:
>>
>> 1. Unify the location: Defining a security directory under /sys/firmware
>> facilitates exposing objects related to firmware security features in a
>> single place. Different platforms can create their respective directory
>> structures within /sys/firmware/security.
> So just pick one place in sysfs for this to always go into.

I agree that the objects should go directly under a 
/sys/firmware/security mountpoint.


> Your patch series does not document anything here, there are no
> Documentation/ABI/ entries that define the files being created, so that
> it's really hard to be able to review the code to determine if it is
> doing what you are wanting it to do.
>
> You can't document apis with just a changelog text alone, sorry.


Agreed, I'll include documentation in the next version.


>
>> 2. Unify the code:  To support unification, having the fwsecurityfs
>> filesystem API allows different platforms to define the inode and file
>> operations they need. fwsecurityfs provides a common API that can be used by
>> each platform-specific implementation to support its particular requirements
>> and interaction with firmware. Initializing platform-specific functions is
>> the purpose of the fwsecurityfs_arch_init() function that is called on
>> mount. Patch 3/4 implements fwsecurityfs_arch_init() for powerpc.
> But you only are doing this for one platform, that's not any
> unification.  APIs don't really work unless they can handle 3 users, as
> then you really understand if they work or not.
>
> Right now you wrote this code and it only has one user, that's a
> platform-specific-filesystem-only so far.


Yes I agree, having more exploiters would certainly help to confirm and 
improve the interface.

If you prefer, we could start with an arch specific filesystem. It could 
be made generic in the future if required.


>
>> Similar to the common place securityfs provides for LSMs to interact with
>> kernel security objects, fwsecurityfs would provide a common place for all
>> firmware security objects, which interact with the firmware rather than the
>> kernel. Although at the API level, the two filesystem look similar, the
>> requirements for firmware and kernel objects are different. Therefore,
>> reusing securityfs wasn't a good fit for the firmware use case and we are
>> proposing a similar but different filesystem -  fwsecurityfs - focused for
>> firmware security.
> What other platforms will use this?  Who is going to move their code
> over to it?


I had received constructive feedback on my RFC v2 but thus far, no other 
platforms have indicated they have a need for it.


>>> And again, how are you going to get all Linux distros to now mount your
>>> new filesystem?
>> It would be analogous to the way securityfs is mounted.
> That did not answer the question.  The question is how are you going to
> get the distros to mount your new filesystem specifically?  How will
> they know that they need to modify their init scripts to do this?  Who
> is going to do that?  For what distro?  On what timeline?


I'll add a documentation patch for fwsecurityfs.  And I'll propose a 
systemd patch to extend mount_table[] in src/shared/mount-setup.c to 
include fwsecurityfs.

For RHEL 9.3 and SLES 15 SP6, we have feature requests opened to request 
adoption of the PKS userspace interface. We will communicate the mount 
point and init script changes via those feature requests.

Other distros can adapt the upstream implementation to fit their 
requirements, such as mounting via simple init scripts without systemd 
for more constrained systems, using the systemd as an example.

Please let me know if you have other concerns with respect to mounting 
the filesystem.


> Oh, and it looks like this series doesn't pass the kernel testing bot at
> all, so I'll not review the code until that's all fixed up at the very
> least.


I knew it failed, but I wanted to get your feedback on the approach 
before posting a new version. I'll fix it.

Thank you for your review and feedback. I hope I have addressed your 
concerns.

Thanks & Regards,

       - Nayna

> thanks,
>
> greg k-h

Re: [PATCH 2/4] fs: define a firmware security filesystem named fwsecurityfs

[Ritesh Harjani (IBM)]

Hello Nayna, 

On 22/11/09 03:10PM, Nayna wrote:
> 
> On 11/9/22 08:46, Greg Kroah-Hartman wrote:
> > On Sun, Nov 06, 2022 at 04:07:42PM -0500, Nayna Jain wrote:
> > > securityfs is meant for Linux security subsystems to expose policies/logs
> > > or any other information. However, there are various firmware security
> > > features which expose their variables for user management via the kernel.
> > > There is currently no single place to expose these variables. Different
> > > platforms use sysfs/platform specific filesystem(efivarfs)/securityfs
> > > interface as they find it appropriate. Thus, there is a gap in kernel
> > > interfaces to expose variables for security features.
> > > 
> > > Define a firmware security filesystem (fwsecurityfs) to be used by
> > > security features enabled by the firmware. These variables are platform
> > > specific. This filesystem provides platforms a way to implement their
> > >   own underlying semantics by defining own inode and file operations.
> > > 
> > > Similar to securityfs, the firmware security filesystem is recommended
> > > to be exposed on a well known mount point /sys/firmware/security.
> > > Platforms can define their own directory or file structure under this path.
> > > 
> > > Example:
> > > 
> > > # mount -t fwsecurityfs fwsecurityfs /sys/firmware/security
> > Why not juset use securityfs in /sys/security/firmware/ instead?  Then
> > you don't have to create a new filesystem and convince userspace to
> > mount it in a specific location?

I am also curious to know on why not use securityfs, given the similarity
between the two. :)
More specifics on that below...

> 
> From man 5 sysfs page:
> 
> /sys/firmware: This subdirectory contains interfaces for viewing and
> manipulating firmware-specific objects and attributes.
> 
> /sys/kernel: This subdirectory contains various files and subdirectories
> that provide information about the running kernel.
> 
> The security variables which are being exposed via fwsecurityfs are managed
> by firmware, stored in firmware managed space and also often consumed by
> firmware for enabling various security features.

That's ok. As I see it users of securityfs can define their own fileops
(like how you are doing in fwsecurityfs).
See securityfs_create_file() & securityfs_create_symlink(), can accept the fops
& iops. Except maybe securityfs_create_dir(), that could be since there might
not be a usecase for it. But do you also need it in your case is the question to
ask.

> 
> From git commit b67dbf9d4c1987c370fd18fdc4cf9d8aaea604c2, the purpose of
> securityfs(/sys/kernel/security) is to provide a common place for all kernel
> LSMs. The idea of

Which was then seperated out by commit,
da31894ed7b654e2 ("securityfs: do not depend on CONFIG_SECURITY").

securityfs now has a seperate CONFIG_SECURITYFS config option. In fact I was even
thinking of why shouldn't we move security/inode.c into fs/securityfs/inode.c .
fs/* is a common place for all filesystems. Users of securityfs can call it's 
exported kernel APIs to create files/dirs/symlinks.

If we move security/inode.c to fs/security/inode.c, then...
...below call within securityfs_init() should be moved into some lsm sepecific 
file.

#ifdef CONFIG_SECURITY
static struct dentry *lsm_dentry;
static ssize_t lsm_read(struct file *filp, char __user *buf, size_t count,
			loff_t *ppos)
{
	return simple_read_from_buffer(buf, count, ppos, lsm_names,
		strlen(lsm_names));
}

static const struct file_operations lsm_ops = {
	.read = lsm_read,
	.llseek = generic_file_llseek,
};
#endif

securityfs_init()

#ifdef CONFIG_SECURITY
	lsm_dentry = securityfs_create_file("lsm", 0444, NULL, NULL,
						&lsm_ops);
#endif

So why not move it? Maybe others, can comment more on whether it's a good idea 
to move security/inode.c into fs/security/inode.c? 
This should then help others identify securityfs filesystem in fs/security/ 
for everyone to notice and utilize for their use?

> fwsecurityfs(/sys/firmware/security) is to similarly provide a common place
> for all firmware security objects.
> 
> /sys/firmware already exists. The patch now defines a new /security
> directory in it for firmware security features. Using /sys/kernel/security
> would mean scattering firmware objects in multiple places and confusing the
> purpose of /sys/kernel and /sys/firmware.

We can also think of it this way that, all security related exports should 
happen via /sys/kernel/security/. Then /sys/kernel/security/firmware/ becomes 
the security related firmware exports.

If you see find /sys -iname firmware, I am sure you will find other firmware
specifics directories related to other specific subsystems
(e.g. 
root@qemu:/home/qemu# find /sys -iname firmware
/sys/devices/ndbus0/nmem0/firmware
/sys/devices/ndbus0/firmware
/sys/firmware
)

But it could be, I am not an expert here, although I was thinking a good 
Documentation might solve this problem.

> 
> Even though fwsecurityfs code is based on securityfs, since the two
> filesystems expose different types of objects and have different
> requirements, there are distinctions:
> 
> 1. fwsecurityfs lets users create files in userspace, securityfs only allows
> kernel subsystems to create files.

Sorry could you please elaborate how? both securityfs & fwsecurityfs
calls simple_fill_super() which uses the same inode (i_op) and inode file 
operations (i_fop) from fs/libfs.c for their root inode. So how it is enabling
user (as in userspace) to create a file in this filesystem?

So am I missing anything?

> 
> 2. firmware and kernel objects may have different requirements. For example,
> consideration of namespacing. As per my understanding, namespacing is
> applied to kernel resources and not firmware resources. That's why it makes
> sense to add support for namespacing in securityfs, but we concluded that
> fwsecurityfs currently doesn't need it. Another but similar example of it

It "currently" doesn't need it. But can it in future? Then why not go with
securityfs which has an additional namespacing feature available?
That's actually also the point of utilizing an existing FS which can get 
features like this in future. As long as it doesn't affect the functionality 
of your use case, we simply need not reject securityfs, no?

> is: TPM space, which is exposed from hardware. For containers, the TPM would
> be made as virtual/software TPM. Similarly for firmware space for
> containers, it would have to be something virtualized/software version of
> it.
> 
> 3. firmware objects are persistent and read at boot time by interaction with
> firmware, unlike kernel objects which are not persistent.

I think this got addressed in a seperate thread.

-ritesh

Re: [PATCH 2/4] fs: define a firmware security filesystem named fwsecurityfs

[Greg Kroah-Hartman]

On Sat, Nov 19, 2022 at 01:20:09AM -0500, Nayna wrote:
> 
> On 11/17/22 16:27, Greg Kroah-Hartman wrote:
> > On Mon, Nov 14, 2022 at 06:03:43PM -0500, Nayna wrote:
> > > On 11/10/22 04:58, Greg Kroah-Hartman wrote:
> > > > On Wed, Nov 09, 2022 at 03:10:37PM -0500, Nayna wrote:
> > > > > On 11/9/22 08:46, Greg Kroah-Hartman wrote:
> > > > > > On Sun, Nov 06, 2022 at 04:07:42PM -0500, Nayna Jain wrote:
> > > > > > > securityfs is meant for Linux security subsystems to expose policies/logs
> > > > > > > or any other information. However, there are various firmware security
> > > > > > > features which expose their variables for user management via the kernel.
> > > > > > > There is currently no single place to expose these variables. Different
> > > > > > > platforms use sysfs/platform specific filesystem(efivarfs)/securityfs
> > > > > > > interface as they find it appropriate. Thus, there is a gap in kernel
> > > > > > > interfaces to expose variables for security features.
> > > > > > > 
> > > > > > > Define a firmware security filesystem (fwsecurityfs) to be used by
> > > > > > > security features enabled by the firmware. These variables are platform
> > > > > > > specific. This filesystem provides platforms a way to implement their
> > > > > > >     own underlying semantics by defining own inode and file operations.
> > > > > > > 
> > > > > > > Similar to securityfs, the firmware security filesystem is recommended
> > > > > > > to be exposed on a well known mount point /sys/firmware/security.
> > > > > > > Platforms can define their own directory or file structure under this path.
> > > > > > > 
> > > > > > > Example:
> > > > > > > 
> > > > > > > # mount -t fwsecurityfs fwsecurityfs /sys/firmware/security
> > > > > > Why not juset use securityfs in /sys/security/firmware/ instead?  Then
> > > > > > you don't have to create a new filesystem and convince userspace to
> > > > > > mount it in a specific location?
> > > > >   From man 5 sysfs page:
> > > > > 
> > > > > /sys/firmware: This subdirectory contains interfaces for viewing and
> > > > > manipulating firmware-specific objects and attributes.
> > > > > 
> > > > > /sys/kernel: This subdirectory contains various files and subdirectories
> > > > > that provide information about the running kernel.
> > > > > 
> > > > > The security variables which are being exposed via fwsecurityfs are managed
> > > > > by firmware, stored in firmware managed space and also often consumed by
> > > > > firmware for enabling various security features.
> > > > Ok, then just use the normal sysfs interface for /sys/firmware, why do
> > > > you need a whole new filesystem type?
> > > > 
> > > > >   From git commit b67dbf9d4c1987c370fd18fdc4cf9d8aaea604c2, the purpose of
> > > > > securityfs(/sys/kernel/security) is to provide a common place for all kernel
> > > > > LSMs. The idea of
> > > > > fwsecurityfs(/sys/firmware/security) is to similarly provide a common place
> > > > > for all firmware security objects.
> > > > > 
> > > > > /sys/firmware already exists. The patch now defines a new /security
> > > > > directory in it for firmware security features. Using /sys/kernel/security
> > > > > would mean scattering firmware objects in multiple places and confusing the
> > > > > purpose of /sys/kernel and /sys/firmware.
> > > > sysfs is confusing already, no problem with making it more confusing :)
> > > > 
> > > > Just document where you add things and all should be fine.
> > > > 
> > > > > Even though fwsecurityfs code is based on securityfs, since the two
> > > > > filesystems expose different types of objects and have different
> > > > > requirements, there are distinctions:
> > > > > 
> > > > > 1. fwsecurityfs lets users create files in userspace, securityfs only allows
> > > > > kernel subsystems to create files.
> > > > Wait, why would a user ever create a file in this filesystem?  If you
> > > > need that, why not use configfs?  That's what that is for, right?
> > > The purpose of fwsecurityfs is not to expose configuration items but rather
> > > security objects used for firmware security features. I think these are more
> > > comparable to EFI variables, which are exposed via an EFI-specific
> > > filesystem, efivarfs, rather than configfs.
> > > 
> > > > > 2. firmware and kernel objects may have different requirements. For example,
> > > > > consideration of namespacing. As per my understanding, namespacing is
> > > > > applied to kernel resources and not firmware resources. That's why it makes
> > > > > sense to add support for namespacing in securityfs, but we concluded that
> > > > > fwsecurityfs currently doesn't need it. Another but similar example of it
> > > > > is: TPM space, which is exposed from hardware. For containers, the TPM would
> > > > > be made as virtual/software TPM. Similarly for firmware space for
> > > > > containers, it would have to be something virtualized/software version of
> > > > > it.
> > > > I do not understand, sorry.  What does namespaces have to do with this?
> > > > sysfs can already handle namespaces just fine, why not use that?
> > > Firmware objects are not namespaced. I mentioned it here as an example of
> > > the difference between firmware and kernel objects. It is also in response
> > > to the feedback from James Bottomley in RFC v2 [https://lore.kernel.org/linuxppc-dev/41ca51e8db9907d9060cc38adb59a66dcae4c59b.camel@HansenPartnership.com/].
> > I do not understand, sorry.  Do you want to use a namespace for these or
> > not?  The code does not seem to be using namespaces.  You can use sysfs
> > with, or without, a namespace so I don't understand the issue here.
> > 
> > With your code, there is no namespace.
> 
> You are correct. There's no namespace for these.

So again, I do not understand.  Do you want to use filesystem
namespaces, or do you not?

How again can you not use sysfs or securityfs due to namespaces?  What
is missing?

confused,

greg k-h

Re: [PATCH 2/4] fs: define a firmware security filesystem named fwsecurityfs

[James Bottomley]

On Sun, 2022-11-20 at 17:13 +0100, Greg Kroah-Hartman wrote:
> On Sat, Nov 19, 2022 at 01:20:09AM -0500, Nayna wrote:
> > 
> > On 11/17/22 16:27, Greg Kroah-Hartman wrote:
> > > On Mon, Nov 14, 2022 at 06:03:43PM -0500, Nayna wrote:
> > > > On 11/10/22 04:58, Greg Kroah-Hartman wrote:
[...]
> > > > > I do not understand, sorry.  What does namespaces have to do
> > > > > with this?
> > > > > sysfs can already handle namespaces just fine, why not use
> > > > > that?
> > > > Firmware objects are not namespaced. I mentioned it here as an
> > > > example of the difference between firmware and kernel objects.
> > > > It is also in response to the feedback from James Bottomley in
> > > > RFC v2 [
> > > > https://lore.kernel.org/linuxppc-dev/41ca51e8db9907d9060cc38ad
> > > > b59a66dcae4c59b.camel@HansenPartnership.com/].
> > > I do not understand, sorry.  Do you want to use a namespace for
> > > these or not?  The code does not seem to be using namespaces. 
> > > You can use sysfs with, or without, a namespace so I don't
> > > understand the issue here.
> > > 
> > > With your code, there is no namespace.
> > 
> > You are correct. There's no namespace for these.
> 
> So again, I do not understand.  Do you want to use filesystem
> namespaces, or do you not?

Since this seems to go back to my email quoted again, let me repeat:
the question isn't if this patch is namespaced; I think you've agreed
several times it isn't.  The question is if the exposed properties
would ever need to be namespaced.  This is a subtle and complex
question which isn't at all explored by the above interchange.

> How again can you not use sysfs or securityfs due to namespaces? 
> What is missing?

I already explained in the email that sysfs contains APIs like
simple_pin_... which are completely inimical to namespacing.  Currently
securityfs contains them as well, so in that regard they're both no
better than each other.  The point I was making is that securityfs is
getting namespaced by the IMA namespace rework (which is pretty complex
due to having to replace the simple_pin_... APIs), so when (perhaps if)
the IMA namespace is accepted, securityfs will make a good home for
quantities that need namespacing.  That's not to say you can't
namespace things in sysfs, you can, in the same way that you can get a
round peg into a square hole if you bang hard enough.

So perhaps we could get back to the original question of whether these
quantities would ever be namespaced ... or, conversely, whether they
would never need namespacing.

James

Re: [PATCH 2/4] fs: define a firmware security filesystem named fwsecurityfs

[Greg Kroah-Hartman]

On Sun, Nov 20, 2022 at 10:14:26PM -0500, James Bottomley wrote:
> On Sun, 2022-11-20 at 17:13 +0100, Greg Kroah-Hartman wrote:
> > On Sat, Nov 19, 2022 at 01:20:09AM -0500, Nayna wrote:
> > > 
> > > On 11/17/22 16:27, Greg Kroah-Hartman wrote:
> > > > On Mon, Nov 14, 2022 at 06:03:43PM -0500, Nayna wrote:
> > > > > On 11/10/22 04:58, Greg Kroah-Hartman wrote:
> [...]
> > > > > > I do not understand, sorry.  What does namespaces have to do
> > > > > > with this?
> > > > > > sysfs can already handle namespaces just fine, why not use
> > > > > > that?
> > > > > Firmware objects are not namespaced. I mentioned it here as an
> > > > > example of the difference between firmware and kernel objects.
> > > > > It is also in response to the feedback from James Bottomley in
> > > > > RFC v2 [
> > > > > https://lore.kernel.org/linuxppc-dev/41ca51e8db9907d9060cc38ad
> > > > > b59a66dcae4c59b.camel@HansenPartnership.com/].
> > > > I do not understand, sorry.  Do you want to use a namespace for
> > > > these or not?  The code does not seem to be using namespaces. 
> > > > You can use sysfs with, or without, a namespace so I don't
> > > > understand the issue here.
> > > > 
> > > > With your code, there is no namespace.
> > > 
> > > You are correct. There's no namespace for these.
> > 
> > So again, I do not understand.  Do you want to use filesystem
> > namespaces, or do you not?
> 
> Since this seems to go back to my email quoted again, let me repeat:
> the question isn't if this patch is namespaced; I think you've agreed
> several times it isn't.  The question is if the exposed properties
> would ever need to be namespaced.  This is a subtle and complex
> question which isn't at all explored by the above interchange.
> 
> > How again can you not use sysfs or securityfs due to namespaces? 
> > What is missing?
> 
> I already explained in the email that sysfs contains APIs like
> simple_pin_... which are completely inimical to namespacing.

Then how does the networking code handle the namespace stuff in sysfs?
That seems to work today, or am I missing something?

If the namespace support needs to be fixed up in sysfs (or in
securityfs), then great, let's do that, and not write a whole new
filesystem just because that's not done.

Also this patch series also doesn't handle namespaces, so again, I am
totally confused as to why this is even being discussed...

thanks,

greg k-h

Re: [PATCH 2/4] fs: define a firmware security filesystem named fwsecurityfs

[James Bottomley]

On Mon, 2022-11-21 at 12:05 +0100, Greg Kroah-Hartman wrote:
> On Sun, Nov 20, 2022 at 10:14:26PM -0500, James Bottomley wrote:
> > On Sun, 2022-11-20 at 17:13 +0100, Greg Kroah-Hartman wrote:
> > > On Sat, Nov 19, 2022 at 01:20:09AM -0500, Nayna wrote:
> > > > 
> > > > On 11/17/22 16:27, Greg Kroah-Hartman wrote:
> > > > > On Mon, Nov 14, 2022 at 06:03:43PM -0500, Nayna wrote:
> > > > > > On 11/10/22 04:58, Greg Kroah-Hartman wrote:
> > [...]
> > > > > > > I do not understand, sorry.  What does namespaces have to
> > > > > > > do
> > > > > > > with this?
> > > > > > > sysfs can already handle namespaces just fine, why not
> > > > > > > use
> > > > > > > that?
> > > > > > Firmware objects are not namespaced. I mentioned it here as
> > > > > > an
> > > > > > example of the difference between firmware and kernel
> > > > > > objects.
> > > > > > It is also in response to the feedback from James Bottomley
> > > > > > in
> > > > > > RFC v2 [
> > > > > > https://lore.kernel.org/linuxppc-dev/41ca51e8db9907d9060cc38ad
> > > > > > b59a66dcae4c59b.camel@HansenPartnership.com/].
> > > > > I do not understand, sorry.  Do you want to use a namespace
> > > > > for
> > > > > these or not?  The code does not seem to be using
> > > > > namespaces. 
> > > > > You can use sysfs with, or without, a namespace so I don't
> > > > > understand the issue here.
> > > > > 
> > > > > With your code, there is no namespace.
> > > > 
> > > > You are correct. There's no namespace for these.
> > > 
> > > So again, I do not understand.  Do you want to use filesystem
> > > namespaces, or do you not?
> > 
> > Since this seems to go back to my email quoted again, let me
> > repeat: the question isn't if this patch is namespaced; I think
> > you've agreed several times it isn't.  The question is if the
> > exposed properties would ever need to be namespaced.  This is a
> > subtle and complex question which isn't at all explored by the
> > above interchange.
> > 
> > > How again can you not use sysfs or securityfs due to namespaces? 
> > > What is missing?
> > 
> > I already explained in the email that sysfs contains APIs like
> > simple_pin_... which are completely inimical to namespacing.
> 
> Then how does the networking code handle the namespace stuff in
> sysfs?
> That seems to work today, or am I missing something?

have you actually tried?

jejb@lingrow:~> sudo unshare --net bash
lingrow:/home/jejb # ls /sys/class/net/
lo  tun0  tun10  wlan0
lingrow:/home/jejb # ip link show
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN mode DEFAULT group
default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00

So, as you see, I've entered a network namespace and ip link shows me
the only interface I can see in that namespace (a down loopback) but
sysfs shows me every interface on the system outside the namespace.

This is pretty much the story of containers and sysfs: if you mount it
inside the container, it leaks information about the host
configuration.  Since I created a container with full root, I could
actually fiddle with the host network parameters on interfaces I
shouldn't be able to see within the container using sysfs ... which is
one reason we try to persuade people to use a user namespace instead of
full root.
 
> If the namespace support needs to be fixed up in sysfs (or in
> securityfs), then great, let's do that, and not write a whole new
> filesystem just because that's not done.

As I said: a fix is proposed for securityfs.  I think everyone in
containers concluded long ago that sysfs is too big an Augean Stable.

> Also this patch series also doesn't handle namespaces, so again, I am
> totally confused as to why this is even being discussed...

Well, it's not my patch.  I came into this saying *if* there was ever a
reason to namespace these parameters then please don't use interfaces
inimical to namespacing.  My personal view is that this should all just
go in securityfs because that defers answering the question of whether
it would eventually be namespaced.

James

Re: [PATCH 2/4] fs: define a firmware security filesystem named fwsecurityfs

[Greg Kroah-Hartman]

On Mon, Nov 21, 2022 at 09:03:18AM -0500, James Bottomley wrote:
> On Mon, 2022-11-21 at 12:05 +0100, Greg Kroah-Hartman wrote:
> > On Sun, Nov 20, 2022 at 10:14:26PM -0500, James Bottomley wrote:
> > > On Sun, 2022-11-20 at 17:13 +0100, Greg Kroah-Hartman wrote:
> > > > On Sat, Nov 19, 2022 at 01:20:09AM -0500, Nayna wrote:
> > > > > 
> > > > > On 11/17/22 16:27, Greg Kroah-Hartman wrote:
> > > > > > On Mon, Nov 14, 2022 at 06:03:43PM -0500, Nayna wrote:
> > > > > > > On 11/10/22 04:58, Greg Kroah-Hartman wrote:
> > > [...]
> > > > > > > > I do not understand, sorry.  What does namespaces have to
> > > > > > > > do
> > > > > > > > with this?
> > > > > > > > sysfs can already handle namespaces just fine, why not
> > > > > > > > use
> > > > > > > > that?
> > > > > > > Firmware objects are not namespaced. I mentioned it here as
> > > > > > > an
> > > > > > > example of the difference between firmware and kernel
> > > > > > > objects.
> > > > > > > It is also in response to the feedback from James Bottomley
> > > > > > > in
> > > > > > > RFC v2 [
> > > > > > > https://lore.kernel.org/linuxppc-dev/41ca51e8db9907d9060cc38ad
> > > > > > > b59a66dcae4c59b.camel@HansenPartnership.com/].
> > > > > > I do not understand, sorry.  Do you want to use a namespace
> > > > > > for
> > > > > > these or not?  The code does not seem to be using
> > > > > > namespaces. 
> > > > > > You can use sysfs with, or without, a namespace so I don't
> > > > > > understand the issue here.
> > > > > > 
> > > > > > With your code, there is no namespace.
> > > > > 
> > > > > You are correct. There's no namespace for these.
> > > > 
> > > > So again, I do not understand.  Do you want to use filesystem
> > > > namespaces, or do you not?
> > > 
> > > Since this seems to go back to my email quoted again, let me
> > > repeat: the question isn't if this patch is namespaced; I think
> > > you've agreed several times it isn't.  The question is if the
> > > exposed properties would ever need to be namespaced.  This is a
> > > subtle and complex question which isn't at all explored by the
> > > above interchange.
> > > 
> > > > How again can you not use sysfs or securityfs due to namespaces? 
> > > > What is missing?
> > > 
> > > I already explained in the email that sysfs contains APIs like
> > > simple_pin_... which are completely inimical to namespacing.
> > 
> > Then how does the networking code handle the namespace stuff in
> > sysfs?
> > That seems to work today, or am I missing something?
> 
> have you actually tried?
> 
> jejb@lingrow:~> sudo unshare --net bash
> lingrow:/home/jejb # ls /sys/class/net/
> lo  tun0  tun10  wlan0
> lingrow:/home/jejb # ip link show
> 1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN mode DEFAULT group
> default qlen 1000
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> 
> So, as you see, I've entered a network namespace and ip link shows me
> the only interface I can see in that namespace (a down loopback) but
> sysfs shows me every interface on the system outside the namespace.

Then all of the code in include/kobject_ns.h is not being used?  We have
a whole kobject namespace set up for networking, I just assumed they
were using it.  If not, I'm all for ripping it out.

thanks,

greg k-h

RE: [PATCH 2/4] fs: define a firmware security filesystem named fwsecurityfs

[David Laight]

From: James Bottomley
> Sent: 21 November 2022 14:03
...
> > Then how does the networking code handle the namespace stuff in
> > sysfs?
> > That seems to work today, or am I missing something?
> 
> have you actually tried?
> 
> jejb@lingrow:~> sudo unshare --net bash
> lingrow:/home/jejb # ls /sys/class/net/
> lo  tun0  tun10  wlan0
> lingrow:/home/jejb # ip link show
> 1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN mode DEFAULT group
> default qlen 1000
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> 
> So, as you see, I've entered a network namespace and ip link shows me
> the only interface I can see in that namespace (a down loopback) but
> sysfs shows me every interface on the system outside the namespace.

You have to remount /sys to get the restricted copy.
eg by running 'ip netns exec namespace command'.

	David

-
Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK
Registration No: 1397386 (Wales)

Re: [PATCH 2/4] fs: define a firmware security filesystem named fwsecurityfs

[James Bottomley]

On Mon, 2022-11-21 at 16:05 +0100, Greg Kroah-Hartman wrote:
> On Mon, Nov 21, 2022 at 09:03:18AM -0500, James Bottomley wrote:
> > On Mon, 2022-11-21 at 12:05 +0100, Greg Kroah-Hartman wrote:
> > > On Sun, Nov 20, 2022 at 10:14:26PM -0500, James Bottomley wrote:
[...]
> > > > I already explained in the email that sysfs contains APIs like
> > > > simple_pin_... which are completely inimical to namespacing.
> > > 
> > > Then how does the networking code handle the namespace stuff in
> > > sysfs? That seems to work today, or am I missing something?
> > 
> > have you actually tried?
> > 
> > jejb@lingrow:~> sudo unshare --net bash
> > lingrow:/home/jejb # ls /sys/class/net/
> > lo  tun0  tun10  wlan0
> > lingrow:/home/jejb # ip link show
> > 1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN mode DEFAULT
> > group
> > default qlen 1000
> >     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> > 
> > So, as you see, I've entered a network namespace and ip link shows
> > me the only interface I can see in that namespace (a down loopback)
> > but sysfs shows me every interface on the system outside the
> > namespace.
> 
> Then all of the code in include/kobject_ns.h is not being used?  We
> have a whole kobject namespace set up for networking, I just assumed
> they were using it.  If not, I'm all for ripping it out.

Hm, looking at the implementation, it seems to trigger off the
superblock (meaning you have to remount inside a mount namespace) and
it only works to control visibility in label based namespaces, so this
does actually work

jejb@lingrow:~/git/linux> sudo unshare  --net --mount bash 
lingrow:/home/jejb # mount -t sysfs none /sys
lingrow:/home/jejb # ls /sys/class/net/
lo

The label based approach means that any given file can be shown in one
and only one namespace, which works for net, but not much else
(although it probably could be adapted).

James

Re: [PATCH 2/4] fs: define a firmware security filesystem named fwsecurityfs

[Greg Kroah-Hartman]

On Mon, Nov 21, 2022 at 12:33:55PM -0500, James Bottomley wrote:
> On Mon, 2022-11-21 at 16:05 +0100, Greg Kroah-Hartman wrote:
> > On Mon, Nov 21, 2022 at 09:03:18AM -0500, James Bottomley wrote:
> > > On Mon, 2022-11-21 at 12:05 +0100, Greg Kroah-Hartman wrote:
> > > > On Sun, Nov 20, 2022 at 10:14:26PM -0500, James Bottomley wrote:
> [...]
> > > > > I already explained in the email that sysfs contains APIs like
> > > > > simple_pin_... which are completely inimical to namespacing.
> > > > 
> > > > Then how does the networking code handle the namespace stuff in
> > > > sysfs? That seems to work today, or am I missing something?
> > > 
> > > have you actually tried?
> > > 
> > > jejb@lingrow:~> sudo unshare --net bash
> > > lingrow:/home/jejb # ls /sys/class/net/
> > > lo  tun0  tun10  wlan0
> > > lingrow:/home/jejb # ip link show
> > > 1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN mode DEFAULT
> > > group
> > > default qlen 1000
> > >     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> > > 
> > > So, as you see, I've entered a network namespace and ip link shows
> > > me the only interface I can see in that namespace (a down loopback)
> > > but sysfs shows me every interface on the system outside the
> > > namespace.
> > 
> > Then all of the code in include/kobject_ns.h is not being used?  We
> > have a whole kobject namespace set up for networking, I just assumed
> > they were using it.  If not, I'm all for ripping it out.
> 
> Hm, looking at the implementation, it seems to trigger off the
> superblock (meaning you have to remount inside a mount namespace) and
> it only works to control visibility in label based namespaces, so this
> does actually work
> 
> jejb@lingrow:~/git/linux> sudo unshare  --net --mount bash 
> lingrow:/home/jejb # mount -t sysfs none /sys
> lingrow:/home/jejb # ls /sys/class/net/
> lo
> 
> The label based approach means that any given file can be shown in one
> and only one namespace, which works for net, but not much else
> (although it probably could be adapted).

Great, thanks for verifying it works properly.

No other subsystem other than networking has cared about adding support
for namespaces to their sysfs representations.  But the base logic is
all there if they want to do so.

thanks,

greg k-h

Re: [PATCH 2/4] fs: define a firmware security filesystem named fwsecurityfs

[Nayna]

On 11/20/22 22:14, James Bottomley wrote:
> On Sun, 2022-11-20 at 17:13 +0100, Greg Kroah-Hartman wrote:
>> On Sat, Nov 19, 2022 at 01:20:09AM -0500, Nayna wrote:
>>> On 11/17/22 16:27, Greg Kroah-Hartman wrote:
>>>> On Mon, Nov 14, 2022 at 06:03:43PM -0500, Nayna wrote:
>>>>> On 11/10/22 04:58, Greg Kroah-Hartman wrote:
> [...]
>>>
[...]
>>> You are correct. There's no namespace for these.
>> So again, I do not understand.  Do you want to use filesystem
>> namespaces, or do you not?
> Since this seems to go back to my email quoted again, let me repeat:
> the question isn't if this patch is namespaced; I think you've agreed
> several times it isn't.  The question is if the exposed properties
> would ever need to be namespaced.  This is a subtle and complex
> question which isn't at all explored by the above interchange.
>
>> How again can you not use sysfs or securityfs due to namespaces?
>> What is missing?
> I already explained in the email that sysfs contains APIs like
> simple_pin_... which are completely inimical to namespacing.  Currently
> securityfs contains them as well, so in that regard they're both no
> better than each other.  The point I was making is that securityfs is
> getting namespaced by the IMA namespace rework (which is pretty complex
> due to having to replace the simple_pin_... APIs), so when (perhaps if)
> the IMA namespace is accepted, securityfs will make a good home for
> quantities that need namespacing.  That's not to say you can't
> namespace things in sysfs, you can, in the same way that you can get a
> round peg into a square hole if you bang hard enough.
>
> So perhaps we could get back to the original question of whether these
> quantities would ever be namespaced ... or, conversely, whether they
> would never need namespacing.

To clarify, I brought up in the discussion about namespacing 
considerations because I was asked about them. However, I determined 
there were none because firmware object interactions are invariant 
across namespaces.  I don't see this changing in the future given that 
the firmware objects have no notion of namespacing.

Thanks & Regards,

     - Nayna

Re: [PATCH 2/4] fs: define a firmware security filesystem named fwsecurityfs

[Nayna]

On 11/19/22 06:48, Ritesh Harjani (IBM) wrote:
> Hello Nayna,

Hi Ritesh,

>
> On 22/11/09 03:10PM, Nayna wrote:
>> On 11/9/22 08:46, Greg Kroah-Hartman wrote:
>>> On Sun, Nov 06, 2022 at 04:07:42PM -0500, Nayna Jain wrote:
>>>> securityfs is meant for Linux security subsystems to expose policies/logs
>>>> or any other information. However, there are various firmware security
>>>> features which expose their variables for user management via the kernel.
>>>> There is currently no single place to expose these variables. Different
>>>> platforms use sysfs/platform specific filesystem(efivarfs)/securityfs
>>>> interface as they find it appropriate. Thus, there is a gap in kernel
>>>> interfaces to expose variables for security features.
>>>>
>>>> Define a firmware security filesystem (fwsecurityfs) to be used by
>>>> security features enabled by the firmware. These variables are platform
>>>> specific. This filesystem provides platforms a way to implement their
>>>>    own underlying semantics by defining own inode and file operations.
>>>>
>>>> Similar to securityfs, the firmware security filesystem is recommended
>>>> to be exposed on a well known mount point /sys/firmware/security.
>>>> Platforms can define their own directory or file structure under this path.
>>>>
>>>> Example:
>>>>
>>>> # mount -t fwsecurityfs fwsecurityfs /sys/firmware/security
>>> Why not juset use securityfs in /sys/security/firmware/ instead?  Then
>>> you don't have to create a new filesystem and convince userspace to
>>> mount it in a specific location?
> I am also curious to know on why not use securityfs, given the similarity
> between the two. :)
> More specifics on that below...
>
>>  From man 5 sysfs page:
>>
>> /sys/firmware: This subdirectory contains interfaces for viewing and
>> manipulating firmware-specific objects and attributes.
>>
>> /sys/kernel: This subdirectory contains various files and subdirectories
>> that provide information about the running kernel.
>>
>> The security variables which are being exposed via fwsecurityfs are managed
>> by firmware, stored in firmware managed space and also often consumed by
>> firmware for enabling various security features.
> That's ok. As I see it users of securityfs can define their own fileops
> (like how you are doing in fwsecurityfs).
> See securityfs_create_file() & securityfs_create_symlink(), can accept the fops
> & iops. Except maybe securityfs_create_dir(), that could be since there might
> not be a usecase for it. But do you also need it in your case is the question to
> ask.

Please refer to the function plpks_secvars_init() in Patch 4/4.

>
>>  From git commit b67dbf9d4c1987c370fd18fdc4cf9d8aaea604c2, the purpose of
>> securityfs(/sys/kernel/security) is to provide a common place for all kernel
>> LSMs. The idea of
> Which was then seperated out by commit,
> da31894ed7b654e2 ("securityfs: do not depend on CONFIG_SECURITY").
>
> securityfs now has a seperate CONFIG_SECURITYFS config option. In fact I was even
> thinking of why shouldn't we move security/inode.c into fs/securityfs/inode.c .
> fs/* is a common place for all filesystems. Users of securityfs can call it's
> exported kernel APIs to create files/dirs/symlinks.
>
> If we move security/inode.c to fs/security/inode.c, then...
> ...below call within securityfs_init() should be moved into some lsm sepecific
> file.
>
> #ifdef CONFIG_SECURITY
> static struct dentry *lsm_dentry;
> static ssize_t lsm_read(struct file *filp, char __user *buf, size_t count,
> 			loff_t *ppos)
> {
> 	return simple_read_from_buffer(buf, count, ppos, lsm_names,
> 		strlen(lsm_names));
> }
>
> static const struct file_operations lsm_ops = {
> 	.read = lsm_read,
> 	.llseek = generic_file_llseek,
> };
> #endif
>
> securityfs_init()
>
> #ifdef CONFIG_SECURITY
> 	lsm_dentry = securityfs_create_file("lsm", 0444, NULL, NULL,
> 						&lsm_ops);
> #endif
>
> So why not move it? Maybe others, can comment more on whether it's a good idea
> to move security/inode.c into fs/security/inode.c?
> This should then help others identify securityfs filesystem in fs/security/
> for everyone to notice and utilize for their use?
>> fwsecurityfs(/sys/firmware/security) is to similarly provide a common place
>> for all firmware security objects.
>>
>> /sys/firmware already exists. The patch now defines a new /security
>> directory in it for firmware security features. Using /sys/kernel/security
>> would mean scattering firmware objects in multiple places and confusing the
>> purpose of /sys/kernel and /sys/firmware.
> We can also think of it this way that, all security related exports should
> happen via /sys/kernel/security/. Then /sys/kernel/security/firmware/ becomes
> the security related firmware exports.
>
> If you see find /sys -iname firmware, I am sure you will find other firmware
> specifics directories related to other specific subsystems
> (e.g.
> root@qemu:/home/qemu# find /sys -iname firmware
> /sys/devices/ndbus0/nmem0/firmware
> /sys/devices/ndbus0/firmware
> /sys/firmware
> )
>
> But it could be, I am not an expert here, although I was thinking a good
> Documentation might solve this problem.

Documentation on 
sysfs(https://man7.org/linux/man-pages/man5/sysfs.5.html) already 
differentiates /sys/firmware and /sys/kernel as I responded earlier.  
The objects we are exposing are firmware objects and not kernel objects.

>
>> Even though fwsecurityfs code is based on securityfs, since the two
>> filesystems expose different types of objects and have different
>> requirements, there are distinctions:
>>
>> 1. fwsecurityfs lets users create files in userspace, securityfs only allows
>> kernel subsystems to create files.
> Sorry could you please elaborate how? both securityfs & fwsecurityfs
> calls simple_fill_super() which uses the same inode (i_op) and inode file
> operations (i_fop) from fs/libfs.c for their root inode. So how it is enabling
> user (as in userspace) to create a file in this filesystem?
>
> So am I missing anything?

The ability to let user(as in userspace) to create a file in a 
filesystem comes by allowing to define inode operations.

Please look at the implementation differences for functions 
xxx_create_dir() and xxx_create_dentry() of securityfs vs fwsecurityfs.  
Also refer to Patch 4/4 for use of fwsecurityfs_create_dir() where inode 
operations are defined.

>
>> 2. firmware and kernel objects may have different requirements. For example,
>> consideration of namespacing. As per my understanding, namespacing is
>> applied to kernel resources and not firmware resources. That's why it makes
>> sense to add support for namespacing in securityfs, but we concluded that
>> fwsecurityfs currently doesn't need it. Another but similar example of it
> It "currently" doesn't need it. But can it in future? Then why not go with
> securityfs which has an additional namespacing feature available?
> That's actually also the point of utilizing an existing FS which can get
> features like this in future. As long as it doesn't affect the functionality
> of your use case, we simply need not reject securityfs, no?

Thanks for your review and feedback. To summarize:

 From the perspective of our use case, we need to expose firmware 
security objects to userspace for management. Not all of the objects 
pre-exist and we would like to allow root to create them from userspace.

 From a unification perspective, I have considered a common location at 
/sys/firmware/security for managing any platform's security objects. And 
I've proposed a generic filesystem, which could be used by any platform 
to represent firmware security objects via /sys/firmware/security.

Here are some alternatives to generic filesystem in discussion:

1. Start with a platform-specific filesystem. If more platforms would 
like to use the approach, it can be made generic. We would still have a 
common location of /sys/firmware/security and new code would live in 
arch. This is my preference and would be the best fit for our use case.

2. Use securityfs.  This would mean modifying it to satisfy other use 
cases, including supporting userspace file creation. I don't know if the 
securityfs maintainer would find that acceptable. I would also still 
want some way to expose variables at /sys/firmware/security.

3. Use a sysfs-based approach. This would be a platform-specific 
implementation. However, sysfs has a similar issue to securityfs for 
file creation. When I tried it in RFC v1[1], I had to implement a 
workaround to achieve that.

[1] 
https://lore.kernel.org/linuxppc-dev/20220122005637.28199-3-nayna@linux.ibm.com/

Thanks & Regards,

      - Nayna

Re: [PATCH 2/4] fs: define a firmware security filesystem named fwsecurityfs

[Nayna]

On 11/22/22 18:21, Nayna wrote:
>
> From the perspective of our use case, we need to expose firmware 
> security objects to userspace for management. Not all of the objects 
> pre-exist and we would like to allow root to create them from userspace.
>
> From a unification perspective, I have considered a common location at 
> /sys/firmware/security for managing any platform's security objects. 
> And I've proposed a generic filesystem, which could be used by any 
> platform to represent firmware security objects via 
> /sys/firmware/security.
>
> Here are some alternatives to generic filesystem in discussion:
>
> 1. Start with a platform-specific filesystem. If more platforms would 
> like to use the approach, it can be made generic. We would still have 
> a common location of /sys/firmware/security and new code would live in 
> arch. This is my preference and would be the best fit for our use case.
>
> 2. Use securityfs.  This would mean modifying it to satisfy other use 
> cases, including supporting userspace file creation. I don't know if 
> the securityfs maintainer would find that acceptable. I would also 
> still want some way to expose variables at /sys/firmware/security.
>
> 3. Use a sysfs-based approach. This would be a platform-specific 
> implementation. However, sysfs has a similar issue to securityfs for 
> file creation. When I tried it in RFC v1[1], I had to implement a 
> workaround to achieve that.
>
> [1] 
> https://lore.kernel.org/linuxppc-dev/20220122005637.28199-3-nayna@linux.ibm.com/
>
Hi Greg,

Based on the discussions so far, is Option 1, described above, an 
acceptable next step?

Thanks & Regards,

       - Nayna

Re: [PATCH 2/4] fs: define a firmware security filesystem named fwsecurityfs

[Greg Kroah-Hartman]

On Wed, Nov 23, 2022 at 10:05:49AM -0500, Nayna wrote:
> 
> On 11/22/22 18:21, Nayna wrote:
> > 
> > From the perspective of our use case, we need to expose firmware
> > security objects to userspace for management. Not all of the objects
> > pre-exist and we would like to allow root to create them from userspace.
> > 
> > From a unification perspective, I have considered a common location at
> > /sys/firmware/security for managing any platform's security objects. And
> > I've proposed a generic filesystem, which could be used by any platform
> > to represent firmware security objects via /sys/firmware/security.
> > 
> > Here are some alternatives to generic filesystem in discussion:
> > 
> > 1. Start with a platform-specific filesystem. If more platforms would
> > like to use the approach, it can be made generic. We would still have a
> > common location of /sys/firmware/security and new code would live in
> > arch. This is my preference and would be the best fit for our use case.
> > 
> > 2. Use securityfs.  This would mean modifying it to satisfy other use
> > cases, including supporting userspace file creation. I don't know if the
> > securityfs maintainer would find that acceptable. I would also still
> > want some way to expose variables at /sys/firmware/security.
> > 
> > 3. Use a sysfs-based approach. This would be a platform-specific
> > implementation. However, sysfs has a similar issue to securityfs for
> > file creation. When I tried it in RFC v1[1], I had to implement a
> > workaround to achieve that.
> > 
> > [1] https://lore.kernel.org/linuxppc-dev/20220122005637.28199-3-nayna@linux.ibm.com/
> > 
> Hi Greg,
> 
> Based on the discussions so far, is Option 1, described above, an acceptable
> next step?

No, as I said almost a year ago, I do not want to see platform-only
filesystems going and implementing stuff that should be shared by all
platforms.

thanks,

greg k-h

Re: [PATCH 2/4] fs: define a firmware security filesystem named fwsecurityfs

[Nayna]

On 11/23/22 10:57, Greg Kroah-Hartman wrote:
> On Wed, Nov 23, 2022 at 10:05:49AM -0500, Nayna wrote:
>> On 11/22/22 18:21, Nayna wrote:
>>>  From the perspective of our use case, we need to expose firmware
>>> security objects to userspace for management. Not all of the objects
>>> pre-exist and we would like to allow root to create them from userspace.
>>>
>>>  From a unification perspective, I have considered a common location at
>>> /sys/firmware/security for managing any platform's security objects. And
>>> I've proposed a generic filesystem, which could be used by any platform
>>> to represent firmware security objects via /sys/firmware/security.
>>>
>>> Here are some alternatives to generic filesystem in discussion:
>>>
>>> 1. Start with a platform-specific filesystem. If more platforms would
>>> like to use the approach, it can be made generic. We would still have a
>>> common location of /sys/firmware/security and new code would live in
>>> arch. This is my preference and would be the best fit for our use case.
>>>
>>> 2. Use securityfs.  This would mean modifying it to satisfy other use
>>> cases, including supporting userspace file creation. I don't know if the
>>> securityfs maintainer would find that acceptable. I would also still
>>> want some way to expose variables at /sys/firmware/security.
>>>
>>> 3. Use a sysfs-based approach. This would be a platform-specific
>>> implementation. However, sysfs has a similar issue to securityfs for
>>> file creation. When I tried it in RFC v1[1], I had to implement a
>>> workaround to achieve that.
>>>
>>> [1] https://lore.kernel.org/linuxppc-dev/20220122005637.28199-3-nayna@linux.ibm.com/
>>>
>> Hi Greg,
>>
>> Based on the discussions so far, is Option 1, described above, an acceptable
>> next step?
> No, as I said almost a year ago, I do not want to see platform-only
> filesystems going and implementing stuff that should be shared by all
> platforms.

Given there are no other exploiters for fwsecurityfs and there should be 
no platform-specific fs, would modifying sysfs now to let userspace 
create files cleanly be the way forward? Or, if we should strongly 
consider securityfs, which would result in updating securityfs to allow 
userspace creation of files and then expose variables via a more 
platform-specific directory /sys/kernel/security/pks? We want to pick 
the best available option and would find some hints on direction helpful 
before we develop the next patch.

Thanks & Regards,

       - Nayna

Re: [PATCH 2/4] fs: define a firmware security filesystem named fwsecurityfs

[Andrew Donnellan]

On Wed, 2022-11-23 at 13:57 -0500, Nayna wrote:
> 
> Given there are no other exploiters for fwsecurityfs and there should
> be 
> no platform-specific fs, would modifying sysfs now to let userspace 
> create files cleanly be the way forward? Or, if we should strongly 
> consider securityfs, which would result in updating securityfs to
> allow 
> userspace creation of files and then expose variables via a more 
> platform-specific directory /sys/kernel/security/pks? We want to pick
> the best available option and would find some hints on direction
> helpful 
> before we develop the next patch.

Ping - it would be helpful for us to know your thoughts on this.


Andrew

-- 
Andrew Donnellan    OzLabs, ADL Canberra
ajd@linux.ibm.com   IBM Australia Limited

Re: [PATCH 2/4] fs: define a firmware security filesystem named fwsecurityfs

[Greg Kroah-Hartman]

On Mon, Dec 12, 2022 at 11:58:56AM +1100, Andrew Donnellan wrote:
> On Wed, 2022-11-23 at 13:57 -0500, Nayna wrote:
> > 
> > Given there are no other exploiters for fwsecurityfs and there should
> > be 
> > no platform-specific fs, would modifying sysfs now to let userspace 
> > create files cleanly be the way forward? Or, if we should strongly 
> > consider securityfs, which would result in updating securityfs to
> > allow 
> > userspace creation of files and then expose variables via a more 
> > platform-specific directory /sys/kernel/security/pks? We want to pick
> > the best available option and would find some hints on direction
> > helpful 
> > before we develop the next patch.
> 
> Ping - it would be helpful for us to know your thoughts on this.

sysfs is not for userspace creation of files, you all know this :)

greg k-h