Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id EAC4FC64EC3 for ; Tue, 31 Jan 2023 23:01:05 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231444AbjAaXBE (ORCPT ); Tue, 31 Jan 2023 18:01:04 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:48230 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229637AbjAaXBC (ORCPT ); Tue, 31 Jan 2023 18:01:02 -0500 Received: from linux.microsoft.com (linux.microsoft.com [13.77.154.182]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id 5DAD64ED23; Tue, 31 Jan 2023 15:01:01 -0800 (PST) Received: by linux.microsoft.com (Postfix, from userid 1052) id 02B2720E1A45; Tue, 31 Jan 2023 15:01:01 -0800 (PST) DKIM-Filter: OpenDKIM Filter v2.11.0 linux.microsoft.com 02B2720E1A45 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.microsoft.com; s=default; t=1675206061; bh=j1VoMU02KeLtjY8TDWq+rO4UuOvmlBPIER8JkQji2a8=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=TggEBO122eJ2C7kl74c+1SFcSJF6DkRp8p/6zKNdTJSzcQvm+ox90trpwmt9MaD16 IA13KrKuItDN//TlUQ6WNwy6rn8jpm1/6q1u1qz9vJZwJ7lTGIAYRz9qZ0H2E4RIfZ vL2gNFuJd9e7cGHa1n52ljy9XW5xv9jEo/adSYpU= Date: Tue, 31 Jan 2023 15:01:00 -0800 From: Fan Wu To: Christoph Hellwig Cc: corbet@lwn.net, zohar@linux.ibm.com, jmorris@namei.org, serge@hallyn.com, tytso@mit.edu, ebiggers@kernel.org, axboe@kernel.dk, agk@redhat.com, snitzer@kernel.org, eparis@redhat.com, paul@paul-moore.com, linux-doc@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, linux-fscrypt@vger.kernel.org, linux-block@vger.kernel.org, dm-devel@redhat.com, linux-audit@redhat.com, roberto.sassu@huawei.com, linux-kernel@vger.kernel.org, Deven Bowers Subject: Re: [RFC PATCH v9 09/16] block|security: add LSM blob to block_device Message-ID: <20230131230100.GA30104@linuxonhyperv3.guj3yctzbm1etfxqx2vob5hsef.xx.internal.cloudapp.net> References: <1675119451-23180-1-git-send-email-wufan@linux.microsoft.com> <1675119451-23180-10-git-send-email-wufan@linux.microsoft.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.5.21 (2010-09-15) Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Jan 31, 2023 at 12:53:59AM -0800, Christoph Hellwig wrote: > On Mon, Jan 30, 2023 at 02:57:24PM -0800, Fan Wu wrote: > > From: Deven Bowers > > > > block_device structures can have valuable security properties, > > based on how they are created, and what subsystem manages them. > > That's a lot of cloudy talk but no real explanation. Sorry for being too general here. Currently the only use target of this hook is dm-verity. We use the newly added security hook to save the dm-verity roothash and signature to the new bdev security blob during the bdev creation time, so LSMs can leverage this information to protect the system. I will add this example in the next version. -Fan