Re: [GIT PULL] tomoyo update for v6.12

From: John Johansen
Date: Sat Oct 05 2024 - 00:06:55 EST


On 10/3/24 05:59, Tetsuo Handa wrote:
> > On 2024/10/03 15:16, Tetsuo Handa wrote:
> > > TOMOYO is one of the in-tree modules that can be signed together when building
> > > distribution kernels. Fedora can provide tomoyo.ko as a signed-but-unsupported
> > > module (i.e. excluded from the main kernel package that is supported by
> > > distributors but provided as a separate package that is not supported by
> > > distributors).
> >
> > yes it can, it has chosen not to. As I have said before that is
> > a choice/political reason, not technical. I wish I had a solution to this
> > problem for you but I don't.
>
> What is "it" referring to? Fedora has chosen not to build TOMOYO into Fedora's
> vmlinux. But I haven't heard from Fedora that Fedora won't ship tomoyo.ko as a
> separate package.
>
> > > Currently, a Linux distributor is an entity that provides the kernel program and
> > > userspace programs. But as kernel code signing is getting more important,
> > > the role of a Linux distributor regarding the kernel program might change as
> > > below?
> > >
> > > Currently, people expect that "the distributor takes care of handling all bugs
> > > that happen with kernel code built by that distributor". Due to bandwidth
> > > problems, a distributor needs to disable kernel code whose bugs that distributor cannot
> > > take care of. My understanding is that some distributors started providing
> > > separated kernel packages: the kernel package whose bugs that distributor can take
> > > care of and the kernel package whose bugs that distributor cannot take care
> > > of. The tomoyo.ko change is intended for being included in the latter package
> > > if that distributor cannot include it in the former package.
> >
> > honestly it's easier to just build a separate kernel package with tomoyo builtin.
> > Module packages can be done, but they are a pita.
> >
> > > Since a distributor needs to sign kernel code, I think this separation is becoming
> > > more inevitable. That is, people might need to change their expectation to that
> > > "the distributor takes care of handling bugs that happen with kernel code in the
> > > former package, and somebody takes care of handling bugs that happen with kernel
> > > code in the latter package", and the distributor's role is to compile as much kernel
> > > code as possible and sign all compiled kernel code so that the kernel code is
> > > compiled and shipped (and not tampered with) by known entities; something like SSL
> > > certificate providers.

Sure. Distributions already tell users they aren't using supported stuff. Ubuntu
builds in selinux, tomoyo, smack. We get a bug, we tell them it is community
supported.

That has some overhead, but really not that much more than responding to the
bugs where users ask for feature X to be enabled. Or how to build a kernel with
feature X, ...

Ubuntu made a different decision than Fedora around how best to support users.
I am not going to argue it's right or wrong, just different. Again, getting a
distro to change a config/stance is a political problem, not technical.