Date: Mon, 2 May 2022 15:44:56 -0700
From: Matthias Kaehlcke
To: Kees Cook
Cc: Alasdair Kergon, Mike Snitzer, James Morris, "Serge E. Hallyn", linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, dm-devel@redhat.com, linux-raid@vger.kernel.org, Douglas Anderson, Song Liu
Subject: Re: [PATCH v2 2/3] LoadPin: Enable loading from trusted dm-verity devices
References: <20220426213110.3572568-1-mka@chromium.org> <20220426143059.v2.2.I01c67af41d2f6525c6d023101671d7339a9bc8b5@changeid> <202204302316.AF04961@keescook>
In-Reply-To: <202204302316.AF04961@keescook>
X-Mailing-List: linux-kernel@vger.kernel.org

On Sat, Apr 30, 2022 at 11:21:54PM -0700, Kees Cook wrote:
> On Tue, Apr 26, 2022 at 02:31:09PM -0700, Matthias Kaehlcke wrote:
> > I'm still doubting what would be the best way to configure
> > the list of trusted digests. The approach in v2 of writing
> > a path through sysctl is flexible, but it also feels a bit
> > odd. I did some experiments with passing a file descriptor
> > through sysctl, but it's also odd and has its own issues.
> > Passing the list through a kernel parameter seems hacky.
> > A Kconfig string would work, but can have issues when
> > the same config is used for different platforms, where
> > some may have trusted digests and others not.
>
> I prefer the idea of passing an fd, since that can just use LoadPin
> itself to verify the origin of the fd.
>
> I also agree, though, that it's weird as a sysctl. Possible thoughts:
>
> - make it a new ioctl on /dev/mapper/control (seems reasonable given
>   that it's specifically about dm devices).
> - have LoadPin grow a securityfs node, maybe something like
>   /sys/kernel/security/loadpin/dm-verify and do the ioctl there (seems
>   reasonable given that it's specifically about LoadPin, but is perhaps
>   more overhead to build the securityfs).

Thanks for your feedback!

Agreed that an ioctl is preferable over a sysctl interface.

I wasn't aware of securityfs and prefer it over a /dev/mapper/control
ioctl. Ultimately the list of digests is meaningful to LoadPin, not
(directly) to the device mapper / verity. I'm not sure how well this
feature of integrating LoadPin with verity will be by the verity
maintainers in the first place, it's probably best to limit the LoadPin
specific stuff in verity to a minimum.

I experimented a bit with the securityfs option, building it doesn't
seem too much of an overhead. If loadpin.c ends up too cluttered with
the verity and securityfs stuff I could try to outsource some of it to
(a) dedicated file(s).