Received: by 2002:a05:7412:bbc7:b0:fc:a2b0:25d7 with SMTP id kh7csp2492617rdb; Mon, 5 Feb 2024 08:09:59 -0800 (PST) X-Google-Smtp-Source: AGHT+IEeWGSvoOvKHgV/K39VSAaN1ax2+CJaCEt3TRl0JxEYnZW5wHmyEr6ZgM44OIeh+HUSPz1Z X-Received: by 2002:a05:6102:226d:b0:46c:f91f:b03b with SMTP id v13-20020a056102226d00b0046cf91fb03bmr112722vsd.13.1707149398910; Mon, 05 Feb 2024 08:09:58 -0800 (PST) X-Forwarded-Encrypted: i=1; AJvYcCVYZKrXbaSpnmLZ9bf3JLKWfWEiDOutg/049D4/veZOtydBby9xqgxe+4Y+BFOLEjnnwdfqsbzTjjB67IBuMHP90asDcD0J5QTLi0Gg/w== Return-Path: Received: from ny.mirrors.kernel.org (ny.mirrors.kernel.org. [147.75.199.223]) by mx.google.com with ESMTPS id hv1-20020a67e681000000b0046b1447baa4si24058vsb.668.2024.02.05.08.09.58 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 05 Feb 2024 08:09:58 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel+bounces-52996-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) client-ip=147.75.199.223; Authentication-Results: mx.google.com; dkim=neutral (body hash did not verify) header.i=@paul-moore.com header.s=google header.b=XN5GyoFt; arc=fail (body hash mismatch); spf=pass (google.com: domain of linux-kernel+bounces-52996-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) smtp.mailfrom="linux-kernel+bounces-52996-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=paul-moore.com Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ny.mirrors.kernel.org (Postfix) with ESMTPS id 979E11C21748 for ; Mon, 5 Feb 2024 16:09:58 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 323712E64B; Mon, 5 Feb 2024 16:09:44 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=fail reason="signature verification failed" (2048-bit key) header.d=paul-moore.com header.i=@paul-moore.com header.b="XN5GyoFt" Received: from mail-yb1-f175.google.com (mail-yb1-f175.google.com [209.85.219.175]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 27E43374F5 for ; Mon, 5 Feb 2024 16:09:39 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.219.175 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1707149383; cv=none; b=Yz6vz1V0zLPEya6lP0iNdXnOZmcE1Bf3jyPZoC5nlyDdBkceEBMwhvji/y5pzdL/Gl5fgDhJVej25bqxXtXxr03DCgqr42g9+EakbBPc2xbe/Cvn3MdaLU1+UNe2u4W5kdKm+XuQ/l0jSqkVQs5IOIyirtm4VBVv2aAAPF4NH+w= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1707149383; c=relaxed/simple; bh=03g8YYzWTRdjkVfeAcqvzZPU42Q430iY00QziolvaYs=; h=MIME-Version:References:In-Reply-To:From:Date:Message-ID:Subject: To:Cc:Content-Type; b=miXgbZh3JxV64LITEJCksdEtQVjsi7quNwaXsHAv17g5JvBo5FlmMxk3qkDdvkh5OkDS9LVIkW9QWzP3/68fXtgxOLEqsfzlh69fFGgB8BdfOQkVath8vT9Z11hMbP/q+llyGaVGGM/v8TtLN0giUjua764aPJRW2yMRWSJmJ+s= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=paul-moore.com; spf=pass smtp.mailfrom=paul-moore.com; dkim=pass (2048-bit key) header.d=paul-moore.com header.i=@paul-moore.com header.b=XN5GyoFt; arc=none smtp.client-ip=209.85.219.175 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=paul-moore.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=paul-moore.com Received: by mail-yb1-f175.google.com with SMTP id 3f1490d57ef6-dc6d8f31930so2536698276.0 for ; Mon, 05 Feb 2024 08:09:39 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paul-moore.com; s=google; t=1707149379; x=1707754179; darn=vger.kernel.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=oDax4K7QGWSqZTbEFiDmrgrp84G1TitrDt4HTH4cP+s=; b=XN5GyoFt9wsWWVCrgl3h3CjdU0LFQHJs7Dit8yKsLFQOavl/AA/h22XsB/TdjyEgpa exKQrW2pe99N0Jn1A6BKTbNTbdybz31sRhSKbeqgTBZhhMpJsFU/CQ5/wiwA9jPDucSa KbR1kFMbpmheY3dXBAcWEV8zndAzR0tpIYgoAg5T/hDIDiXZ4GP9dcibH7xO2zNTnYab 5Qz7ZXbAsWD1YM2ByclymA+oQxSFkDCfwFqEhgJut98kOrmwVUiJsRbvQk3M/Rmmdpza sFjhfaj8Skw99RYMuZNfsFdNek8PrP9etYc7nJ+qXVFPaj2ofCGb3/P4+jz2bfvZThZM eE5Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1707149379; x=1707754179; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=oDax4K7QGWSqZTbEFiDmrgrp84G1TitrDt4HTH4cP+s=; b=IPP+qvGpseic4MAh3aLEYYeg9fVDQL3p6ShCKNZAtt22uhD8TluHmXQSkkn5ztY3Kj 0iA/ME140s+mMZbfx+J6tv0xc5da+TmtWYtsCsVyDkmrf59dmbLJpeDrSNIA6bzNCSXI 6smAWiZbka4xQLS7Z3E5iPax2v2kne72aKGdgxipi3KsgUDapu6pkVrIOSMDWRhaX6Ck mdRvctNBICRUvYrOmFOyNSodJyTqFfx7dDCJTUEk+C70WKNL3DYe0Rq9Y95tr5Qa68en O7cm5FdsbkclSVPWmWW+BgDDwjnN15tVZzU010EDe9tTfOtCXCOt0YAD+R1Ou1uqkyR9 PJUg== X-Gm-Message-State: AOJu0YwnyIQdLvCCs7yj5uEC4Wc+eTg8CM5w7uMhmT4wtWbaV/QrFIdB oOl4esgqAAeasFkQr836a8bHPnHbe28Gnx1QsapeVkPERhwxVrX19YWHfcpMqUbpBu6w//tK2xM qVQ2aCsEkdgpF6YwVH87qEKKdkXFBk9I3SMio X-Received: by 2002:a25:df06:0:b0:dc6:bbb9:5dc with SMTP id w6-20020a25df06000000b00dc6bbb905dcmr186303ybg.6.1707149379072; Mon, 05 Feb 2024 08:09:39 -0800 (PST) Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 References: <20230710102319.19716-3-greg@enjellic.com> <20240108114324.GA4085@wind.enjellic.com> In-Reply-To: <20240108114324.GA4085@wind.enjellic.com> From: Paul Moore Date: Mon, 5 Feb 2024 11:09:28 -0500 Message-ID: Subject: Re: [PATCH 2/13] Add TSEM specific documentation. To: "Dr. Greg" Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, corbet@lwn.net Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable On Mon, Jan 8, 2024 at 6:43=E2=80=AFAM Dr. Greg wrote: > On Wed, Jan 03, 2024 at 11:00:33PM -0500, Paul Moore wrote: > > On Jul 10, 2023 "Dr. Greg" wrote: > > > > > > An entry was added to the ABI testing documentation to document > > > the files in the TSEM management filesystem. > > > > > > The file documenting the kernel command-line parameters was > > > updated to document the TSEM specific command-line parameters > > > > > > The primary TSEM documentation file was added to the LSM > > > administration guide and the file was linked to the index of LSM > > > documentation. > > > > > > Signed-off-by: Greg Wettstein > > > --- > > > Documentation/ABI/testing/tsem | 828 +++++++++ > > > Documentation/admin-guide/LSM/index.rst | 1 + > > > Documentation/admin-guide/LSM/tsem.rst | 1526 +++++++++++++++= ++ > > > .../admin-guide/kernel-parameters.txt | 18 + > > > 4 files changed, 2373 insertions(+) > > > create mode 100644 Documentation/ABI/testing/tsem > > > create mode 100644 Documentation/admin-guide/LSM/tsem.rst .. > > I don't want to assume too much about the TSEM design, but I'm > > guessing the aggregate is intended to be a deterministic value based > > on the PCRs and therefore it seems like there is value in providing > > a clear explanation of how it is calculated. > > The aggregate is the linear extension sum over PCR registers 0 through > 8 using the namespace hash function, we will cook up a generic > description, although it should be a common enough concept for anyone > working on trusted system implementations. The Linux kernel documentation is used by a wide variety of administrators, users, and developers with varying backgrounds, I would recommend assuming very little about the documentation's audience. This is not to say that you need to explain everything yourself, referring interested readers to established, publicly available sources of background information can be acceptable. > > > + trusted pid=3DPID key=3DHEXID > > > + The trusted keyword is used by a trust > > > + orchestrator to indicate that the process > > > + identified by the PID argument should be > > > + allowed to run in trusted status after the > > > + modeling of a security event. > > > I mentioned this quite a few times in my review of the previous > > patchset, PIDs are not a safe way to identify a process in the > > system. PID reuse/recycling is a real danger and you need to > > account for this risk. > > We will defer that discussion to our previous e-mail where we > discussed how this is addressed. Adding a secret key/token/etc. may provide some additional authentication benefits, but it doesn't entirely solve the PID identification issue, it only reduces the likelihood of a process misidentification. We need to do better for new designs/implementations; look at the pidfd work as an example of work that has gone into reducing/eliminating the use of PIDs to identify processes. --=20 paul-moore.com