Re: [RFC PATCH v3 03/13] clavis: Introduce a new system keyring called clavis

From: Mimi Zohar
Date: Sun Jan 05 2025 - 06:44:24 EST

Next message: kernel test robot: "drivers/gpu/drm/imx/ipuv3/imx-ldb.c:658:57: warning: '_sel' directive output may be truncated writing 4 bytes into a region of size between 3 and 13"
Previous message: Ivaylo Ivanov: "Re: [PATCH] arm64: dts: exynos990: Rename and sort PMU nodes"
In reply to: Eric Snowberg: "Re: [RFC PATCH v3 03/13] clavis: Introduce a new system keyring called clavis"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi Eric,

On Fri, 2025-01-03 at 23:27 +0000, Eric Snowberg wrote:
> > > +config SECURITY_CLAVIS
> > > + bool "Clavis keyring"
> >
> > Isn't SECURITY_CLAVIS the new LSM? Why is the bool defined as just "Clavis
> > keyring"?
> >
> > > + depends on SECURITY
> > > + select SYSTEM_DATA_VERIFICATION
> > > + select CRYPTO_SHA256
> > > + help
> > > +   Enable the clavis keyring. This keyring shall contain a single asymmetric key.
> > > +   This key shall be linked to a key already contained in one of the system
> > > +   keyrings (builtin, secondary, or platform). One way to add this key
> > > +   is during boot by passing in the asymmetric key id within the "clavis=" boot
> > > +   param. This keyring is required by the Clavis LSM.
> >
> > If SECURITY_CLAVIS is a new LSM, the 'help' shouldn't be limited to just the
> > clavis keyring, but written at a higher level describing the new LSM. For
> > example,
> >
> > This option enables the Clavis LSM, which provides the ability to configure and
> > enforce the usage of keys contained on the system keyrings -
> > .builtin_trusted_keys, .secondary_trusted_keys, .machine, and .platform
> > keyrings. The clavis LSM defines a keyring named "clavis", which contains a
> > single asymmetric key and the key usage rules.
> >
> > The single asymmetric key may be specified on the boot command line ...
> >
> > [The patch that introduces the key usage rules would add additional info here.]
> >
> > [The patch that adds the Documentatoin would add a reference here.]
>
> I went the route of creating the keyring in this patch and then introducing the
> LSM which uses it in a later patch. My reasoning was it can be tested
> independently. Also, I thought it would make it easier to review, since
> everything isn't contained within a single patch. I could look at combining
> them together if you think that would be better.

SECURITY_CLAVIS is not just about the CLAVIS keyring, right? The Kconfig can be
defined and used here, but eventually the SECURITY_CLAVIS "help" needs to be
updated to describe the new LSM.

thanks,

Mimi

Next message: kernel test robot: "drivers/gpu/drm/imx/ipuv3/imx-ldb.c:658:57: warning: '_sel' directive output may be truncated writing 4 bytes into a region of size between 3 and 13"
Previous message: Ivaylo Ivanov: "Re: [PATCH] arm64: dts: exynos990: Rename and sort PMU nodes"
In reply to: Eric Snowberg: "Re: [RFC PATCH v3 03/13] clavis: Introduce a new system keyring called clavis"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]