Received: by 2002:a05:7412:798b:b0:fc:a2b0:25d7 with SMTP id fb11csp187531rdb; Wed, 21 Feb 2024 23:53:30 -0800 (PST) X-Forwarded-Encrypted: i=3; AJvYcCXKupuaBEF0WtXe80BfNanOC+6BlFoLiIQbbJjSBtctzO2Rd7xrrDoLiBayIFx1Q9n/cdGRqeGo+FuXnv+6oHJezy//VVjgR3qDrrg1Ag== X-Google-Smtp-Source: AGHT+IGZqBUIY24Ws5l0GoiqMwccZnxPWksKYyu8mR3eShcawBmAb8EMzUKhEpoihp7t9WCX7s7w X-Received: by 2002:a17:90a:7402:b0:29a:2860:28b9 with SMTP id a2-20020a17090a740200b0029a286028b9mr2827988pjg.48.1708588410037; Wed, 21 Feb 2024 23:53:30 -0800 (PST) ARC-Seal: i=2; a=rsa-sha256; t=1708588410; cv=pass; d=google.com; s=arc-20160816; b=HV25O9CDnBKxDNUkMBWiCqhlTbwZwQRldnyC2XVliINlH8bLZq78gCPe+FW/Qbs/7t vfHC3RO6mCKokN2HNMudzpHHQVXqqZCH5b+u7XS1OUbZzTCCC71lz/gOV+CIgikW1kV9 rfEyf5EfmmK/DnO28mEbGnI32zCzwnjRbwkdICCvCvZ9HVZhlWM9jq5T5TMzx8lYnDpN iCcF6QdAhBziKYr3gYqeyQlGF9AJ22a5//WXGtw3qZMoz2cG7Pv3BuKuLQj0NX3aHdWO dSI4crnjkC9YtfDDggCO9lxe5/ilisOVTnvQCJI/TcMAEMQZ8HINEmtssoujUlsS9Q/l y5GQ== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:mime-version:list-unsubscribe :list-subscribe:list-id:precedence:references:in-reply-to:message-id :subject:cc:to:from:date:dkim-signature; bh=dQNS4/WSFVGWaxYuywyIICob7fj4jpwBwAktHw9C3OY=; fh=MkNPPDEBmtqWVctrU0ARS7gateWogdCans3QG9Eemr4=; b=BvjFTMwvU6rBClO8jli8IF976ZtMVfgkrdpdlSeWqOjYWztaXJKCiOHhU5n+y0luko k5SMbTwNO2ssaLR7PtrAII+DwXiBrNvepjuQzsyedaxyk2aJFmeVDEXsQCrk9t77JzDr aP17UQzwiZ7snB9INNyrb3DDPtg7sBnJfTvxXvXDe1ksAW10TKwaGgAbBM0t5tX3TX7w dhR+/t1aq9vzBmlstcPZOwgcUuGfCk27+56/obSG1N3oNk0xEIc9QdFfJCXXrlhdhZId BUAzuOGMiS7H784jDZjkP1/g4mIMG4nEEL+xIyrx+AijIPKb6yJuQZCehOAxvVGwfidn QwHg==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@tesarici.cz header.s=mail header.b="48Ma/MOW"; arc=pass (i=1 spf=pass spfdomain=tesarici.cz dkim=pass dkdomain=tesarici.cz dmarc=pass fromdomain=tesarici.cz); spf=pass (google.com: domain of linux-kernel+bounces-76031-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:40f1:3f00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-76031-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=tesarici.cz Return-Path: Received: from sy.mirrors.kernel.org (sy.mirrors.kernel.org. [2604:1380:40f1:3f00::1]) by mx.google.com with ESMTPS id rr11-20020a17090b2b4b00b00296fc31a361si9776381pjb.66.2024.02.21.23.53.29 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 21 Feb 2024 23:53:30 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel+bounces-76031-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:40f1:3f00::1 as permitted sender) client-ip=2604:1380:40f1:3f00::1; Authentication-Results: mx.google.com; dkim=pass header.i=@tesarici.cz header.s=mail header.b="48Ma/MOW"; arc=pass (i=1 spf=pass spfdomain=tesarici.cz dkim=pass dkdomain=tesarici.cz dmarc=pass fromdomain=tesarici.cz); spf=pass (google.com: domain of linux-kernel+bounces-76031-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:40f1:3f00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-76031-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=tesarici.cz Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sy.mirrors.kernel.org (Postfix) with ESMTPS id DDDBAB21BB8 for ; Thu, 22 Feb 2024 07:53:25 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id B7777179BF; Thu, 22 Feb 2024 07:53:18 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=tesarici.cz header.i=@tesarici.cz header.b="48Ma/MOW" Received: from bee.tesarici.cz (bee.tesarici.cz [77.93.223.253]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 1DD0A79EA; Thu, 22 Feb 2024 07:53:12 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=77.93.223.253 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1708588397; cv=none; b=HmP5fMNwHrVQX5JECTau9BSdKzA0FF9ISlMNewMSyb44lT+GmthHQv9QQgDHny6PGAEAYs0abMLmsqfz6zLwG0niPSHG9/GoR7bG2xfZEg5/ueq0JUjz/inyDKd6VryM25JjIbE2ASifsgFGObM71/Wl5LbkjKKI4/oSyBXDAYs= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1708588397; c=relaxed/simple; bh=0zMsYUy5KRhlXCfw9bBZkJji1fZijcebCOvNn9DUhEA=; h=Date:From:To:Cc:Subject:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=sIi+IoTHGYsH60EYFujXkgGR+iBLqrDjMFU+uiqVuEGqi/j+ckCEkRF+8GartfoYMHCrl4shqxJ0x3QaCxgj6dQVUM55KwHW0r3d8F6t5KoVYD6/iirwNQPTipDmHWzcFf4PiJ9RosWWCuV7RMl198GUBky1Jrld+X9BA2WhZUA= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=tesarici.cz; spf=pass smtp.mailfrom=tesarici.cz; dkim=pass (2048-bit key) header.d=tesarici.cz header.i=@tesarici.cz header.b=48Ma/MOW; arc=none smtp.client-ip=77.93.223.253 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=tesarici.cz Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=tesarici.cz Received: from meshulam.tesarici.cz (dynamic-2a00-1028-83b8-1e7a-4427-cc85-6706-c595.ipv6.o2.cz [IPv6:2a00:1028:83b8:1e7a:4427:cc85:6706:c595]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by bee.tesarici.cz (Postfix) with ESMTPSA id A76911B31AB; Thu, 22 Feb 2024 08:53:03 +0100 (CET) Authentication-Results: mail.tesarici.cz; dmarc=fail (p=quarantine dis=none) header.from=tesarici.cz DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tesarici.cz; s=mail; t=1708588384; bh=dQNS4/WSFVGWaxYuywyIICob7fj4jpwBwAktHw9C3OY=; h=Date:From:To:Cc:Subject:In-Reply-To:References:From; b=48Ma/MOWj94u96LTX/qi6HQoXEWA87EwZimAZJ25syYh13rZwsJUIoy84O3hH0nNY EJS0J2ib0oEIfGOdlPx5tmR+K6jRGrHMFg9Cm81tBPTUrMIMTJ0TeyFILLNUenfbdO WI3wgiY3JKdJP6VcRQew17omRZySED6EkYCH2GvxDoT6Y9H/fMyQstL9DMGx7RoBwD 59k4YaAKLIjNPGmvqGeGx+MFlOJlEfKqukm8AK4zwkPAPSOVEG/H3WTjL5hHCb7Iim QIlWBnTbKu9sravsxmfQB1sw/GC1GghddPohWL0ZzhRYoeMXD3aDHhARRnCV4EiPCN zc1a96I4YTmbw== Date: Thu, 22 Feb 2024 08:53:02 +0100 From: Petr =?UTF-8?B?VGVzYcWZw61r?= To: "H. Peter Anvin" Cc: Petr Tesarik , Roberto Sassu , Matthew Wilcox , Petr Tesarik , Dave Hansen , Jonathan Corbet , Thomas Gleixner , Ingo Molnar , Borislav Petkov , Dave Hansen , "maintainer:X86 ARCHITECTURE (32-BIT AND 64-BIT)" , Andy Lutomirski , Oleg Nesterov , Peter Zijlstra , Xin Li , Arnd Bergmann , Andrew Morton , Rick Edgecombe , Kees Cook , "Masami Hiramatsu (Google)" , Pengfei Xu , Josh Poimboeuf , Ze Gao , "Kirill A. Shutemov" , Kai Huang , David Woodhouse , Brian Gerst , Jason Gunthorpe , Joerg Roedel , "Mike Rapoport (IBM)" , Tina Zhang , Jacob Pan , "open list:DOCUMENTATION" , open list , David Howells Subject: Re: [RFC 6/8] KEYS: PGP data parser Message-ID: <20240222085302.35f3a2c3@meshulam.tesarici.cz> In-Reply-To: <70F9F1E7-4803-46C8-AB6E-AC1CF345F03E@zytor.com> References: <20240216152435.1575-1-petrtesarik@huaweicloud.com> <20240216152435.1575-7-petrtesarik@huaweicloud.com> <5916fa3ac3d0ce2ade71e7ed1c9eb6923e374c1f.camel@huaweicloud.com> <773dd9fb-e668-4652-8b24-712553bb7ab1@huawei-partners.com> <70F9F1E7-4803-46C8-AB6E-AC1CF345F03E@zytor.com> X-Mailer: Claws Mail 4.2.0 (GTK 3.24.39; x86_64-suse-linux-gnu) Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit On Wed, 21 Feb 2024 06:02:30 -0800 "H. Peter Anvin" wrote: > On February 20, 2024 2:55:12 AM PST, Petr Tesarik wrote: > >On 2/16/2024 6:08 PM, H. Peter Anvin wrote: > >> On February 16, 2024 8:53:01 AM PST, Roberto Sassu wrote: > >>> On Fri, 2024-02-16 at 16:44 +0000, Matthew Wilcox wrote: > >>>> On Fri, Feb 16, 2024 at 04:24:33PM +0100, Petr Tesarik wrote: > >>>>> From: David Howells > >>>>> > >>>>> Implement a PGP data parser for the crypto key type to use when > >>>>> instantiating a key. > >>>>> > >>>>> This parser attempts to parse the instantiation data as a PGP packet > >>>>> sequence (RFC 4880) and if it parses okay, attempts to extract a public-key > >>>>> algorithm key or subkey from it. > >>>> > >>>> I don't understand why we want to do this in-kernel instead of in > >>>> userspace and then pass in the actual key. > >>> > >>> Sigh, this is a long discussion. > >>> > >>> PGP keys would be used as a system-wide trust anchor to verify RPM > >>> package headers, which already contain file digests that can be used as > >>> reference values for kernel-enforced integrity appraisal. > >>> > >>> With the assumptions that: > >>> > >>> - In a locked-down system the kernel has more privileges than root > >>> - The kernel cannot offload this task to an user space process due to > >>> insufficient isolation > >>> > >>> the only available option is to do it in the kernel (that is what I got > >>> as suggestion). > >>> > >>> Roberto > >>> > >>> > >> > >> Ok, at least one of those assumptions is false, and *definitely* this approach seems to be a solution in search of a problem. > > > >As a matter of fact, there is some truth to this observation. > > > >The frustrating story of Roberto's PGP parser sparked the idea, but it > >would clearly be overkill to add all this code just for this one parser. > >I started looking around if there are other potential uses of a sandbox > >mode, which might justify the effort. I quickly found out that it is > >difficult to find a self-contained part of the kernel. > > > >Now I believe that these dependencies among different parts of the > >kernel present an issue, both to kernel security and to maintainability > >of the source code. Even if sandbox mode as such is rejected (hopefully > >with an explanation of the reasons), I believe that it is good to split > >the kernel into smaller parts and reduce their interdependencies. In > >this sense, sandbox mode is a way to express and enforce the remaining > >dependencies. > > > >Petr T > > Congratulations. You just reinvented the microkernel. Oh, I have never claimed that the idea is completely new. There is a lot of prior research in this field; the most advanced project is probably Lightweight Execution Domains (LXDs), presented at USENIX ATC in 2019 [1]. This one even adds a full-blown microkernel... However, these projects have not gone anywhere, for some reason. I tried to understand the reason and it seems to me that it is not the underlying concept. I believe the main issue is that it would require extremely intrusive changes in the overall design of the kernel. For example LXDs run their microkernel on a dedicated CPU core and it uses IDL to generate the glue code which passes data between Linux and this newly introduced microkernel... Our development process is more suited to incremental changes. This is reflected by SandBox Mode. It allows to start small, keep the existing overall design, and chip off only a few selected parts. In short, SBM does borrow some ideas from microkernels but it does not turn Linux into a microkernel. OTOH it enhances your freedom of choice. If you change your mind and decide to make a Linux microkernel after all, SBM will be able to help you during the transition. Petr T [1] https://www.usenix.org/system/files/atc19-narayanan.pdf