Re: [RFC PATCH v2 2/3] fs: define a firmware security filesystem named fwsecurityfs

From: Nayna
Date: Wed Jun 22 2022 - 21:53:52 EST



On 6/22/22 18:29, Casey Schaufler wrote:
On 6/22/2022 2:56 PM, Nayna Jain wrote:
securityfs is meant for linux security subsystems to expose policies/logs
or any other information. However, there are various firmware security
features which expose their variables for user management via kernel.
There is currently no single place to expose these variables. Different
platforms use sysfs/platform specific filesystem(efivarfs)/securityfs
interface as find appropriate. Thus, there is a gap in kernel interfaces
to expose variables for security features.

Why not put the firmware entries under /sys/kernel/security/firmware?

From man 5 sysfs page:

/sys/firmware: This subdirectory contains interfaces for viewing and manipulating firmware-specific objects and attributes.

/sys/kernel: This subdirectory contains various files and subdirectories that provide information about the running kernel.

The security variables which are supposed to be exposed via fwsecurityfs are managed by firmware, stored in firmware managed space and also often consumed by firmware for enabling various security features.

From git commit b67dbf9d4c1987c370fd18fdc4cf9d8aaea604c2, the purpose of securityfs(/sys/kernel/security) is to provide a common place for all kernel LSMs to use a common place. The idea of fwsecurityfs(/sys/firmware/security) is to similarly provide a common place for all firmware security objects.

By having another firmware directory within /sys/kernel/security would mean scattering firmware objects at multiple places and confusing the purpose of /sys/kernel and /sys/firmware.

Thanks & Regards,

     - Nayna