2024-06-04 17:59:35

by Jarkko Sakkinen

[permalink] [raw]
Subject: Re: [RFC PATCH v2 0/8] Clavis LSM

On Fri May 31, 2024 at 3:39 AM EEST, Eric Snowberg wrote:
> Introduce a new LSM called Clavis (Latin word meaning key). The motivation
> behind this LSM is to provide access control for system keys. Before spending
> more time on this LSM, I am sending this as an RFC to start a discussion to see
> if the current direction taken has a possibility of being accepted in the
> future.
>
> Today the kernel has the following system keyrings: .builtin_trusted_keyring,
> .secondary_trusted_keyring, and the .machine. It also has the .platform
> keyring which has limited capabilities; it can only be used to verify a kernel
> for kexec.

Would be nice to have a reminder of applications for secondary keyrings
use cases of today [1]. It is not entirely clear for me, given that I
need personally just the builtin and machine keyring. This is not the
same as saying that it would not be useful, but it would clarity to
scope it a bit in the current state of the art.

>
> Today the kernel also tracks key usage for verification done with any of these
> keys. Current verification usage includes: VERIFYING_MODULE_SIGNATURE,
> VERIFYING_FIRMWARE_SIGNATURE, VERIFYING_KEXEC_PE_SIGNATURE,
> VERIFYING_KEY_SIGNATURE, VERIFYING_KEY_SELF_SIGNATURE, and
> VERIFYING_UNSPECIFIED_SIGNATURE. After these usage types were originally
> introduced, most additions have typically used the
> VERIFYING_UNSPECIFIED_SIGNATURE.

Since there are so many why not just format them as a list here?

Maybe start the whole cover letter with exactly two lists:

1. All possible keyrings that are below described as "system keys",
and their purpose and scope (briefly).
2. The above verification methods and exact same level of detail
for each.

There's so much text here that maybe even subsections like:

Background
==========

<Those two lists>

Motivation
==========

<Motivation behind Clavis>

Solution
========

<Mechanics of Clavis>

Would make reviewing this heck a lot easier as you can then focus in one
of these three parts. And I guess I have a brain of a goldfish ;-)

[1] https://lore.kernel.org/all/[email protected]/

BR, Jarkko


2024-06-05 20:42:07

by Eric Snowberg

[permalink] [raw]
Subject: Re: [RFC PATCH v2 0/8] Clavis LSM



> On Jun 4, 2024, at 11:59 AM, Jarkko Sakkinen <[email protected]> wrote:
>
> On Fri May 31, 2024 at 3:39 AM EEST, Eric Snowberg wrote:
>> Introduce a new LSM called Clavis (Latin word meaning key). The motivation
>> behind this LSM is to provide access control for system keys. Before spending
>> more time on this LSM, I am sending this as an RFC to start a discussion to see
>> if the current direction taken has a possibility of being accepted in the
>> future.
>>
>> Today the kernel has the following system keyrings: .builtin_trusted_keyring,
>> .secondary_trusted_keyring, and the .machine. It also has the .platform
>> keyring which has limited capabilities; it can only be used to verify a kernel
>> for kexec.
>
> Would be nice to have a reminder of applications for secondary keyrings
> use cases of today [1]. It is not entirely clear for me, given that I
> need personally just the builtin and machine keyring. This is not the
> same as saying that it would not be useful, but it would clarity to
> scope it a bit in the current state of the art.
>
>>
>> Today the kernel also tracks key usage for verification done with any of these
>> keys. Current verification usage includes: VERIFYING_MODULE_SIGNATURE,
>> VERIFYING_FIRMWARE_SIGNATURE, VERIFYING_KEXEC_PE_SIGNATURE,
>> VERIFYING_KEY_SIGNATURE, VERIFYING_KEY_SELF_SIGNATURE, and
>> VERIFYING_UNSPECIFIED_SIGNATURE. After these usage types were originally
>> introduced, most additions have typically used the
>> VERIFYING_UNSPECIFIED_SIGNATURE.
>
> Since there are so many why not just format them as a list here?
>
> Maybe start the whole cover letter with exactly two lists:
>
> 1. All possible keyrings that are below described as "system keys",
> and their purpose and scope (briefly).
> 2. The above verification methods and exact same level of detail
> for each.
>
> There's so much text here that maybe even subsections like:
>
> Background
> ==========
>
> <Those two lists>
>
> Motivation
> ==========
>
> <Motivation behind Clavis>
>
> Solution
> ========
>
> <Mechanics of Clavis>
>
> Would make reviewing this heck a lot easier as you can then focus in one
> of these three parts. And I guess I have a brain of a goldfish ;-)

If you think that would make reviewing easier, I'll make these changes to the cover
letter in the next round. Thanks.