Date: Wed, 9 Nov 2022 14:46:56 +0100
From: Greg Kroah-Hartman
To: Nayna Jain
Cc: linuxppc-dev@lists.ozlabs.org, linux-fsdevel@vger.kernel.org, linux-efi@vger.kernel.org, linux-security-module, linux-kernel@vger.kernel.org, Michael Ellerman, npiggin@gmail.com, christophe.leroy@csgroup.eu, Dov Murik, George Wilson, Matthew Garrett, Dave Hansen, Benjamin Herrenschmidt, Paul Mackerras, Russell Currey, Andrew Donnellan, Stefan Berger
Subject: Re: [PATCH 2/4] fs: define a firmware security filesystem named fwsecurityfs
References: <20221106210744.603240-1-nayna@linux.ibm.com> <20221106210744.603240-3-nayna@linux.ibm.com>
In-Reply-To: <20221106210744.603240-3-nayna@linux.ibm.com>

On Sun, Nov 06, 2022 at 04:07:42PM -0500, Nayna Jain wrote:
> securityfs is meant for Linux security subsystems to expose policies/logs
> or any other information. However, there are various firmware security
> features which expose their variables for user management via the kernel.
> There is currently no single place to expose these variables. Different
> platforms use sysfs/platform specific filesystem(efivarfs)/securityfs
> interface as they find it appropriate. Thus, there is a gap in kernel
> interfaces to expose variables for security features.
>
> Define a firmware security filesystem (fwsecurityfs) to be used by
> security features enabled by the firmware. These variables are platform
> specific. This filesystem provides platforms a way to implement their
> own underlying semantics by defining own inode and file operations.
>
> Similar to securityfs, the firmware security filesystem is recommended
> to be exposed on a well known mount point /sys/firmware/security.
> Platforms can define their own directory or file structure under this path.
>
> Example:
>
> # mount -t fwsecurityfs fwsecurityfs /sys/firmware/security

Why not just use securityfs in /sys/security/firmware/ instead? Then you
don't have to create a new filesystem and convince userspace to mount it
in a specific location?

thanks,

greg k-h