Re: [PATCH v19 15/20] fsverity: expose verified fsverity built-in signatures to LSMs

From: Paul Moore
Date: Thu May 30 2024 - 16:55:10 EST


On Wed, May 29, 2024 at 11:06 PM Eric Biggers <ebiggers@xxxxxxxxxx> wrote:
> On Wed, May 29, 2024 at 09:46:57PM -0400, Paul Moore wrote:
> > On Fri, May 24, 2024 at 4:46 PM Fan Wu <wufan@xxxxxxxxxxxxxxxxxxx> wrote:
> > >
> > > This patch enhances fsverity's capabilities to support both integrity and
> > > authenticity protection by introducing the exposure of built-in
> > > signatures through a new LSM hook. This functionality allows LSMs,
> > > e.g. IPE, to enforce policies based on the authenticity and integrity of
> > > files, specifically focusing on built-in fsverity signatures. It enables
> > > a policy enforcement layer within LSMs for fsverity, offering granular
> > > control over the usage of authenticity claims. For instance, a policy
> > > could be established to permit the execution of all files with verified
> > > built-in fsverity signatures while restricting kernel module loading
> > > from specified fsverity files via fsverity digests.

..

> > Eric, can you give this patch in particular a look to make sure you
> > are okay with everything? I believe Fan has addressed all of your
> > previous comments and it would be nice to have your Ack/Review tag if
> > you are okay with the current revision.
>
> Sorry, I've just gotten a bit tired of finding so many basic issues in this
> patchset even after years of revisions.
>
> This patch in particular is finally looking better. There are a couple issues
> that I still see. (BTW, you're welcome to review it too to help find these
> things, given that you seem to have an interest in getting this landed...):

I too have been reviewing this patchset across multiple years and have
worked with Fan to fix locking issues, parsing issues, the initramfs
approach, etc. My interest in getting this landed is simply a
combination of fulfilling my role as LSM maintainer as well as being
Fan's coworker. While I realize you don't work with Fan, you are
listed as the fs-verity maintainer and as such I've been looking to
you to help review and authorize the fs-verity related code. If you
are too busy, frustrated, or <fill in the blank> to continue reviewing
this patchset it would be helpful if you could identify an authorized
fs-verity reviewer. I don't see any besides you and Ted listed in the
MAINTAINERS file, but perhaps the fs-verity entry is dated.

Regardless, I appreciate your time and feedback thus far and I'm sure
Fan does as well.

--
paul-moore.com