Received: by 2002:a25:4158:0:0:0:0:0 with SMTP id o85csp4257642yba; Sun, 12 May 2019 08:32:29 -0700 (PDT) X-Google-Smtp-Source: APXvYqzEaJ+acck13KnwlHjo/QCYHT4de3iV0vVCzL6YA2DjgCoUOVhsHr6eQHWFZEH5bk5dRjdi X-Received: by 2002:a63:3dcf:: with SMTP id k198mr26537221pga.60.1557675149240; Sun, 12 May 2019 08:32:29 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1557675149; cv=none; d=google.com; s=arc-20160816; b=Sovf3liPX7kGu09d9Tq2Ua5RpO99fqewfqrLO4LdCiCnalOmSHSsEKm30YQjcrlSZm RIvDYYhizERxFcI+cmk1lQE8pderXcdqWRAP32+wxfeS8Gx1jbxAecsM8wccrrXzcEY+ LvB5q6Ap3skiYd3HyuNMBi/3AEWOVTTpHvs7V/m2ANgd12Y55+vf2UDRc4IsVNtbxdl6 pRc1yx/fh9GgQ7CYzIrLYXBR45/geVQEi6WNjEjz2FXqd7HABzKSgIu/7afO9e0fzjMi slt3Pg0XEaUoLSa/MsyrJj71V6ozop+f0T1xOZRmrG6/YfnC1DbWMtzNiV9ccA7Bvdlf 3wJA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:message-id:subject:cc:to:from:date; bh=4EBCI+5SFwwBhuKihXsiEv6Y4ZeOyH8t2XhKFOKNf40=; b=PW2MwkdBXVK6wlPMjI4FYlsw99mP2SoZ35KjyBjASlNeEtIcOV78Et1QQPMft6BHe0 Yyo2EcYloOS7NQ3G5wLXShkXxllLAx8O+ebs1FUZTpdgp8/kVeBEZl7XNp/7JvLUCRA3 Di3hbzkLaHZsEOMdA6XQfLEsnFC1NjE3fsIL13YaIZ21T+u1/wnU8DtxdRbTI7XXnN5k GzW05y6LIeBRMizTG4zgWja3iq1tdxqiP8LdFr5XRTTxhujwD2hI/VDLmSXbKZ8C77TW deLcX+dzCsRSERsVtBn+rz8CZTpTVnhCjzCsquWUmFiCuSd3BiKgo61IHd7VGte1GsIx mx3Q== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id q81si14038223pfa.207.2019.05.12.08.32.12; Sun, 12 May 2019 08:32:29 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726769AbfELPbZ (ORCPT + 99 others); Sun, 12 May 2019 11:31:25 -0400 Received: from isilmar-4.linta.de ([136.243.71.142]:52230 "EHLO isilmar-4.linta.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726355AbfELPbY (ORCPT ); Sun, 12 May 2019 11:31:24 -0400 Received: from light.dominikbrodowski.net (isilmar.linta [10.0.0.1]) by isilmar-4.linta.de (Postfix) with ESMTPS id 73CE5200611; Sun, 12 May 2019 15:31:22 +0000 (UTC) Received: by light.dominikbrodowski.net (Postfix, from userid 1000) id 3642120920; Sun, 12 May 2019 17:31:05 +0200 (CEST) Date: Sun, 12 May 2019 17:31:05 +0200 From: Dominik Brodowski To: hpa@zytor.com, Mimi Zohar Cc: Roberto Sassu , viro@zeniv.linux.org.uk, linux-security-module@vger.kernel.org, linux-integrity@vger.kernel.org, initramfs@vger.kernel.org, linux-api@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, zohar@linux.vnet.ibm.com, silviu.vlasceanu@huawei.com, dmitry.kasatkin@huawei.com, takondra@cisco.com, kamensky@cisco.com, arnd@arndb.de, rob@landley.net, james.w.mcmechan@gmail.com Subject: Re: [PATCH v2 0/3] initramfs: add support for xattrs in the initial ram disk Message-ID: <20190512153105.GA25254@light.dominikbrodowski.net> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <1557665567.10635.222.camel@linux.ibm.com> <4E92753A-04BD-4018-A3A4-5E3E4242D8B9@zytor.com> User-Agent: Mutt/1.11.4 (2019-03-13) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sun, May 12, 2019 at 03:18:16AM -0700, hpa@zytor.com wrote: > > Couldn't this parsing of the .xattr-list file and the setting of the xattrs > > be done equivalently by the initramfs' /init? Why is kernel involvement > > actually required here? > > There are a lot of things that could/should be done that way... Indeed... so why not try to avoid adding more such "things", and keeping them in userspace (or in a fork_usermode_blob)? On Sun, May 12, 2019 at 08:52:47AM -0400, Mimi Zohar wrote: > It's too late. The /init itself should be signed and verified. Could you elaborate a bit more about the threat model, and why deferring this to the initramfs is too late? Thanks, Dominik