Re: [PATCH 0/3] Allow access to confidential computing secret area in SEV guests
From: James Bottomley
Date: Thu Sep 02 2021 - 12:20:40 EST
On Thu, 2021-09-02 at 18:09 +0200, Greg KH wrote:
> On Thu, Sep 02, 2021 at 08:19:51AM -0700, James Bottomley wrote:
> > On Thu, 2021-09-02 at 17:05 +0200, Greg KH wrote:
> > > On Thu, Sep 02, 2021 at 07:35:10AM -0700, James Bottomley wrote:
> > > > On Thu, 2021-09-02 at 14:57 +0200, Greg KH wrote:
> > > > [...]
> > > > > Wait, why are you using securityfs for this?
> > > > >
> > > > > securityfs is for LSMs to use.
> > > >
> > > > No it isn't ... at least not exclusively; we use it for non LSM
> > > > security purposes as well, like for the TPM BIOS log and for
> > > > IMA. What makes you think we should start restricting
> > > > securityfs to LSMs only? That's not been the policy up to now.
> > >
> > > Well that was the original intent of the filesystem when it was
> > > created, but I guess it's really up to the LSM maintainers now
> > > what they want it for.
> > >
> > > > > If you want your own filesystem to play around with stuff
> > > > > like this, great, write your own, it's only 200 lines or less
> > > > > these days. We used to do it all the time until people
> > > > > realized they should just use sysfs for driver stuff.
> > > >
> > > > This is a security purpose (injected key retrieval), so
> > > > securityfs seems to be the best choice. It's certainly
> > > > possible to create a new filesystem, but I really think things
> > > > with a security purpose should use securityfs so people know
> > > > where to look for them.
> > >
> > > knowing where to look should not be an issue, as that should be
> > > documented in Documentation/ABI/ anyway, right?
> > >
> > > It's just the overlap / overreach of using an existing filesystem
> > > for things that don't seem to be LSM-related that feels odd to
> > > me.
> > >
> > > Why not just make a cocofs if those people want a filesystem
> > > interface?
> > > It's 200 lines or so these days, if not less, and that way you
> > > only mount what you actually need for the system.
> >
> > Secrets transfer is actually broader than confidential computing,
> > although confidential computing is a first proposed use, so I think
> > cocofs would be too narrow.
> >
> > > Why force this into securityfs if it doesn't have to be?
> >
> > It's not being forced. Secrets transfer is a security function in
> > the same way the bios log is.
>
> Is the bios log in securityfs today?
Yes. It's under /sys/kernel/security/tpm0/ All the ima policy control
and its log is under /sys/kernel/security/ima/ that's why I think
declaring securityfs as being for anything security related is already
our de facto (if not de jure) policy.
> Anyway, it's up to the securityfs maintainer (i.e. not me), but
> personally, I think this should be a separate filesystem as that
> would probably make things easier in the long run...
I know Al likes this business of loads of separate filesystems, but
personally I'm not in favour. For every one you do, you not only have
to document it all, you also have to find a preferred mount point that
the distributions can agree on and also have them agree to enable the
mount for, which often takes months of negotiation. Having fewer
filesystems grouped by common purpose which have agreed mount points
that distros actually mount seems a far easier approach to enablement.
James