Received: by 2002:a05:7412:d8a:b0:e2:908c:2ebd with SMTP id b10csp826789rdg; Wed, 11 Oct 2023 06:43:18 -0700 (PDT) X-Google-Smtp-Source: AGHT+IFj7QKsSMkgtt4jy1acJ34OZA3AKMwHpVKu917/NejZSL2o56KWQ9dn2yThVvmpx8zDvyd+ X-Received: by 2002:a05:6870:2326:b0:1bb:8867:f7ed with SMTP id w38-20020a056870232600b001bb8867f7edmr26182974oao.33.1697031798133; Wed, 11 Oct 2023 06:43:18 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1697031798; cv=none; d=google.com; s=arc-20160816; b=WjDCz17JJ2f5h0MAlaT/sZ3epjnquIzBTk6khTe0meZYMAQBiLIZaK/3ty/8sQwB6C t23JOga7kVzNNioTNmQPSDff6DxoD6R1mIC+yIglWIq+DxkL1cRrLsfBpoDfh/YJ6Ycg j++fNaRG61mKMQ2L7WKmusy22IVpn97cFGMY35xWGVAuFv3xEh0IuI4Rp1AcPwhNaMZt BoRYxtGStJa26j2G2CwQgg5i/LGm5QPyE4DCo4GT8aLRYV0VMaM37bxXC47wcF/TwNcF PhWUQVw5zazDBBOnCBUhpzPZ1enMPydw8u49TIX08ZvuZDfRW4XqA44gdrkNlFybxUBl Dixw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=qTDjoIZ03CBcH7tMxcjA6MiVaUkDiBuhxsHI1DayPds=; fh=f5UyjC5PrCi2lDA+xJZtuRhGywk1v2m53NQP3Cmmqak=; b=mHiT/ftK3LhphvaPK7HAYIXNYgazC8+DR0d+fI6/D8SCtp5cdjcNFuTN/wfNfqMhvT uJdik0s5NZpBYB65mH7R+A36FBdPlMMbuBw6ZUbRK4QBT9fw2rp5wuO5pFN1MiuyUYV3 hipG8mebsRvAULeeMw1DRip7MtlrmLehM6uZMqUIH0zuLUYTy+eMIuBbu+KEM8RoPX3j ZFgrqq6xAXfQNpDWDfVqfaEwkOXY5flpe6k2h0JIfLerQkbC6TL5Vm2yRsD+o6g0ex1o Tl5cKVMgQPfBI5EpvukMIS2WYI1tGJHrIF1yD2Zt47gmXTN3tXMTARDrrNOZ8+GlJe9D YENg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=YOA+1xFF; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.34 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Return-Path: Received: from howler.vger.email (howler.vger.email. [23.128.96.34]) by mx.google.com with ESMTPS id y18-20020a63b512000000b0058511efe7d7si11863338pge.97.2023.10.11.06.43.17 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 11 Oct 2023 06:43:18 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.34 as permitted sender) client-ip=23.128.96.34; Authentication-Results: mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=YOA+1xFF; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.34 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by howler.vger.email (Postfix) with ESMTP id 98AB480ECFA8; Wed, 11 Oct 2023 06:43:14 -0700 (PDT) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.10 at howler.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235016AbjJKNm7 (ORCPT + 99 others); Wed, 11 Oct 2023 09:42:59 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51624 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S235042AbjJKNm5 (ORCPT ); Wed, 11 Oct 2023 09:42:57 -0400 Received: from mail-vs1-xe36.google.com (mail-vs1-xe36.google.com [IPv6:2607:f8b0:4864:20::e36]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 247B4A7 for ; Wed, 11 Oct 2023 06:42:54 -0700 (PDT) Received: by mail-vs1-xe36.google.com with SMTP id ada2fe7eead31-457819ae142so1260904137.2 for ; Wed, 11 Oct 2023 06:42:54 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; t=1697031773; x=1697636573; darn=vger.kernel.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=qTDjoIZ03CBcH7tMxcjA6MiVaUkDiBuhxsHI1DayPds=; b=YOA+1xFFutX/RIyhN+/R8fGTBEmjYDlqZas2kbAZtJycIYxadkjqrOBjkey27n/AFy q2ouVB+Cf3puvXQ6VujxCT4Hf+xR1x0Bxq/4P/jSgA0x99rc3bp/nJE9+5DmfvG/GWUj Di96SRjEyAp65ncUuSpkjgQjLHkCOhaF7m3O66JslKdMP4YvFJ6Bi8TS2Uvx0cSEHVne YU/LzIxqrxvauV7BgGfGWjer70qlJs/9uAVW1vynOJThzfVxGwy1tUGlFBWjvbXYEzBr VXdMHKn1xP6/a7mKg/Rysy56Hn1TltbHM44eEpH2ZoeMfK8jGMsCYAC43DuJxV4LoheG nUVQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1697031773; x=1697636573; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=qTDjoIZ03CBcH7tMxcjA6MiVaUkDiBuhxsHI1DayPds=; b=ZzaPg81mHZlkoiPNlBL1Rov79COdMtYDDicOPQ+C5oDfgfUIKyQD8NxoVDQuFSusH5 IEHOd4ADbTNCcaWOep712T1G9jxhkG0TAenumRQW19pPQ3+KQXz2EPPQmlISLk4Xjl/0 mX+GdM6A7OvYHjN1pxwrnf8oywRpwks/cQKUmlpsc/PhGMJGCATdRMoLwBBimA+O7E54 QoxW/C7VteZtSmBsEc2SypfPQZs0O5gXyHWfapQ06Ils5ODNMRu2rh7qj7ZUsFf7OoN5 Jrt4VtQS4PYHacTGgVlbIPCdZh+e9hTqRPfFSlQMQMiCiV/h97Ec/Vgo8LnleDyOgfXC 8J4w== X-Gm-Message-State: AOJu0YyaZ9Sao5x8qId3Gm9LgfBx6Dpo2THrewvCiUfGZYKh7YMtZagp SaW/B0qolBZnANlccgQBmGQLNyEH5/YSKItG8ullkQ== X-Received: by 2002:a05:6102:4a5:b0:44d:5a92:ec40 with SMTP id r5-20020a05610204a500b0044d5a92ec40mr20501986vsa.24.1697031773138; Wed, 11 Oct 2023 06:42:53 -0700 (PDT) MIME-Version: 1.0 References: <20231010231616.3122392-1-jarkko@kernel.org> <186a4b62517ead88df8c3c0e9e9585e88f9a6fd8.camel@kernel.org> <0aeb4d88952aff53c5c1a40b547a9819ebd1947e.camel@kernel.org> <79fe0b97e2f5d1f02d08c9f633b7c0da13dc9127.camel@kernel.org> In-Reply-To: From: Sumit Garg Date: Wed, 11 Oct 2023 19:12:41 +0530 Message-ID: Subject: Re: [PATCH] KEYS: trusted: Rollback init_trusted() consistently To: Jarkko Sakkinen Cc: keyrings@vger.kernel.org, Linus Torvalds , stable@vger.kernel.org, James Bottomley , Mimi Zohar , David Howells , Paul Moore , James Morris , "Serge E. Hallyn" , "open list:KEYS-TRUSTED" , "open list:SECURITY SUBSYSTEM" , open list Content-Type: text/plain; charset="UTF-8" X-Spam-Status: No, score=2.7 required=5.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI, RCVD_IN_SBL_CSS,SPF_HELO_NONE,SPF_PASS autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on howler.vger.email Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (howler.vger.email [0.0.0.0]); Wed, 11 Oct 2023 06:43:14 -0700 (PDT) X-Spam-Level: ** On Wed, 11 Oct 2023 at 18:36, Jarkko Sakkinen wrote: > > On Wed, 2023-10-11 at 18:25 +0530, Sumit Garg wrote: > > On Wed, 11 Oct 2023 at 18:07, Jarkko Sakkinen wrote: > > > > > > On Wed, 2023-10-11 at 17:47 +0530, Sumit Garg wrote: > > > > On Wed, 11 Oct 2023 at 16:04, Jarkko Sakkinen wrote: > > > > > > > > > > On Wed, 2023-10-11 at 13:12 +0300, Jarkko Sakkinen wrote: > > > > > > On Wed, 2023-10-11 at 11:27 +0530, Sumit Garg wrote: > > > > > > > On Wed, 11 Oct 2023 at 04:46, Jarkko Sakkinen wrote: > > > > > > > > > > > > > > > > Do bind neither static calls nor trusted_key_exit() before a successful > > > > > > > > init, in order to maintain a consistent state. In addition, depart the > > > > > > > > init_trusted() in the case of a real error (i.e. getting back something > > > > > > > > else than -ENODEV). > > > > > > > > > > > > > > > > Reported-by: Linus Torvalds > > > > > > > > Closes: https://lore.kernel.org/linux-integrity/CAHk-=whOPoLaWM8S8GgoOPT7a2+nMH5h3TLKtn=R_3w4R1_Uvg@mail.gmail.com/ > > > > > > > > Cc: stable@vger.kernel.org # v5.13+ > > > > > > > > Fixes: 5d0682be3189 ("KEYS: trusted: Add generic trusted keys framework") > > > > > > > > Signed-off-by: Jarkko Sakkinen > > > > > > > > --- > > > > > > > > security/keys/trusted-keys/trusted_core.c | 20 ++++++++++---------- > > > > > > > > 1 file changed, 10 insertions(+), 10 deletions(-) > > > > > > > > > > > > > > > > diff --git a/security/keys/trusted-keys/trusted_core.c b/security/keys/trusted-keys/trusted_core.c > > > > > > > > index 85fb5c22529a..fee1ab2c734d 100644 > > > > > > > > --- a/security/keys/trusted-keys/trusted_core.c > > > > > > > > +++ b/security/keys/trusted-keys/trusted_core.c > > > > > > > > @@ -358,17 +358,17 @@ static int __init init_trusted(void) > > > > > > > > if (!get_random) > > > > > > > > get_random = kernel_get_random; > > > > > > > > > > > > > > > > - static_call_update(trusted_key_seal, > > > > > > > > - trusted_key_sources[i].ops->seal); > > > > > > > > - static_call_update(trusted_key_unseal, > > > > > > > > - trusted_key_sources[i].ops->unseal); > > > > > > > > - static_call_update(trusted_key_get_random, > > > > > > > > - get_random); > > > > > > > > - trusted_key_exit = trusted_key_sources[i].ops->exit; > > > > > > > > - migratable = trusted_key_sources[i].ops->migratable; > > > > > > > > - > > > > > > > > ret = trusted_key_sources[i].ops->init(); > > > > > > > > - if (!ret) > > > > > > > > + if (!ret) { > > > > > > > > + static_call_update(trusted_key_seal, trusted_key_sources[i].ops->seal); > > > > > > > > + static_call_update(trusted_key_unseal, trusted_key_sources[i].ops->unseal); > > > > > > > > + static_call_update(trusted_key_get_random, get_random); > > > > > > > > + > > > > > > > > + trusted_key_exit = trusted_key_sources[i].ops->exit; > > > > > > > > + migratable = trusted_key_sources[i].ops->migratable; > > > > > > > > + } > > > > > > > > + > > > > > > > > + if (!ret || ret != -ENODEV) > > > > > > > > > > > > > > As mentioned in the other thread, we should allow other trust sources > > > > > > > to be initialized if the primary one fails. > > > > > > > > > > > > I sent the patch before I received that response but here's what you > > > > > > wrote: > > > > > > > > > > > > "We should give other trust sources a chance to register for trusted > > > > > > keys if the primary one fails." > > > > > > > > > > > > 1. This condition is lacking an inline comment. > > > > > > 2. Neither this response or the one that you pointed out has any > > > > > > explanation why for any system failure the process should > > > > > > continue. > > > > > > > > > > > > You should really know the situations (e.g. list of posix error > > > > > > code) when the process can continue and "allow list" those. This > > > > > > way way too abstract. It cannot be let all possible system failures > > > > > > pass. > > > > > > > > > > And it would nice if it printed out something for legit cases. Like > > > > > "no device found" etc. And for rest it must really withdraw the whole > > > > > process. > > > > > > > > IMO, it would be quite tricky to come up with an allow list. Can we > > > > keep "EACCES", "EPERM", "ENOTSUPP" etc in that allow list? I think > > > > these are all debatable. > > > > > > Yes, that does sounds reasonable. > > > > > > About the debate. Well, it is better eagerly block and tree falls down > > > somewhere we can consider extending the list through a fix. > > > > > > This all wide open is worse than a few glitches somewhere, which are > > > trivial to fix. > > > > > > > Fair enough, I would suggest we document it appropriately such that it > > is clear to the users or somebody looking at the code. > > I went throught the backends on how they implement init: > > 1. Returns -ENODEV when it does not exist. > 2. Calls driver_register(). Something is wrong enough if that > fails to rollback the whole procedure. > 3. TPM: -ENODEV > > Therefore, I would keep in the existing patch since there is no weird > uapi visible legacy behavior to support in the first place. And for > that reason there is no good reason to have all those four POSIX rc's > in the list. Okay I can live with this patch as long as it doesn't break the intended use-case. -Sumit > > BR, Jarkko > >