Re: [PATCH v10 7/9] platform: cznic: turris-omnia-mcu: Add support for digital message signing via debugfs

["Marek Behún" <kabel@kernel.org>]

On Fri, 10 May 2024 11:52:56 +0100
Greg Kroah-Hartman <gregkh@linuxfoundation.org> wrote:

> On Fri, May 10, 2024 at 12:18:17PM +0200, Marek Behún wrote:
> > Add support for digital message signing with private key stored in the
> > MCU. Boards with MKL MCUs have a NIST256p ECDSA private key created
> > when manufactured. The private key is not readable from the MCU, but
> > MCU allows for signing messages with it and retrieving the public key.
> > 
> > As described in a similar commit 50524d787de3 ("firmware:
> > turris-mox-rwtm: support ECDSA signatures via debugfs"):
> >   The optimal solution would be to register an akcipher provider via
> >   kernel's crypto API, but crypto API does not yet support accessing
> >   akcipher API from userspace (and probably won't for some time, see
> >   https://www.spinics.net/lists/linux-crypto/msg38388.html).
> > 
> > Therefore we add support for accessing this signature generation
> > mechanism via debugfs for now, so that userspace can access it.  
> 
> Having a "real" user/kernel api in debugfs feels wrong here, why would
> you not do this properly?  On most, if not all, systems, debugfs is
> locked down so you do not have access to it, as it is only there for
> debugging.  So how is a user supposed to use this feature if they can't
> get access to it?
> 
> And debugfs files can be changed at any time, so how can you ensure that
> your new api will always be there?
> 
> In other words, please solve this properly, do not just add a hack into
> debugfs that no one can use as that is not a good idea.

Hi Greg,

this is the same thing we discussed 5 years ago, I wanted to implement
it via crypto's akcipher, but was refused due to
  https://www.spinics.net/lists/linux-crypto/msg38388.html

I've then exposed this via debugfs in the turris-mox-rwtm driver 4
years ago, and we have supported this in our utility scripts, with the
plan that to reimplement it in the kernel via the correct ABI once
akcipher (or other ABI) is available to userspace, but AFAIK after 5
years this is still not the case :-(

If not debugfs and not akcipher, another option is to expose this via
sysfs, but that also doesn't seem right, and if I recall correctly you
also disapproved of this 5 years ago.

The last option would be to create another device, something like
/dev/turris-crypto for this. I wanted to avoid that and wait for
akcipher to be exposed do crypto since another /dev device must be
supported forever, while debugfs implementation can be removed once
this is supported via standardized ABI.

Do you have any suggestions?

Marek