From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id B223525E824 for ; Thu, 5 Jun 2025 13:43:28 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=170.10.129.124 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1749131010; cv=none; b=m74vRXkDMK5BPaJ30Y2I10appdFv4ifD3l6g7MDLxqP3pslWS0dktJ8gitVjh4Ky+z41o4RR3muAPY7rGZf2aDK1oPZX5UVhOjpw78M1h9NYMUf85O5UiXACRfpQ70+GXsruKI1LZQqjLOhRJz0huMIXFwknYjatgcLrYrVJ7WU= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1749131010; c=relaxed/simple; bh=Ibr9kab54z+bb8Bbxb6yjOzT0aoFx9OQrLydi6uSjbk=; h=From:To:Cc:Subject:In-Reply-To:References:Date:Message-ID: MIME-Version:Content-Type; b=g1oTPqr5CKjDOxqWC1ZpqrUP4TduxR3pDoF0Y2gii/wvOiJkDDGB/02rq6ZxGE82/3SI42r9vgKjLoJo7R3AEdkWSGLkXCArJ+1TLwa75xfcP+O3wvps/EG8RjcWeu6k/jCnZR3pWTNzyTGlDqCf9xhTZGBbuBmkrmQ3KLdmFlA= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=redhat.com; spf=pass smtp.mailfrom=redhat.com; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b=If0rd5Yz; arc=none smtp.client-ip=170.10.129.124 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=redhat.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=redhat.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b="If0rd5Yz" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1749131007; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=WyJG+3VB/l9E5cKEG16NYCx4C/OXUyDFX/570MgrW70=; b=If0rd5YzEzDyvhxF/zINDSBNo61SMiB/3PH1vYJ3J5BSYkpmvpb88v6w+IATjs4iSwGm+u 8sXWpHZHTB2aQasq/JtnhUcjknQPT2d3qnvsWZ1BM18/TrTSCSHlh78ZpVXDP/9ZNTpDB8 63DWtFjv2HDXfW8ydXwHVleOmIeTnYY= Received: from mail-wm1-f70.google.com (mail-wm1-f70.google.com [209.85.128.70]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-355-XkM9b8PkMFil808VPQlU3Q-1; Thu, 05 Jun 2025 09:43:26 -0400 X-MC-Unique: XkM9b8PkMFil808VPQlU3Q-1 X-Mimecast-MFC-AGG-ID: XkM9b8PkMFil808VPQlU3Q_1749131005 Received: by mail-wm1-f70.google.com with SMTP id 5b1f17b1804b1-450d64026baso5363055e9.1 for ; Thu, 05 Jun 2025 06:43:26 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1749131005; x=1749735805; h=mime-version:message-id:date:references:in-reply-to:subject:cc:to :from:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=WyJG+3VB/l9E5cKEG16NYCx4C/OXUyDFX/570MgrW70=; b=q2LY9AloyJ9NdCjkbI1f7MIbNNbCA9ppIamIZu7FkzGAdp/XH+QzxeJsN0m220c4RS k78IYNGGAF+/tOVIfYJOVIE/jF5EQ3IIf6KpeDwEnkJsiRfgNtjBolBqpGD1zVEOA9SB ZBmtbJ16+WWR6WsUdwDEqhJfpYA6qWAIHeo7qeEzGBUSselELB91nW2Oe7bJET0PqYAV 0ShVljd8hcvWKWl4uqZakVEAXb8grxqsZ80UjvtyeHMSo864R6TR+t92C97ksPA1u1lJ 2rMBFb6DEEN3g37rdgbKW/pvH7PC5qKEGtMwu3mY77S9FqyQiDw78TKPMoOZq45xnTAj /5cQ== X-Forwarded-Encrypted: i=1; AJvYcCXJQBbB+mU/u5diWwH1IDTPMBPq6zyE3QHHJTaKmN3fFSQuYhc9/WqDji344xkk2RvBx9Ebx0tyHuQ=@vger.kernel.org X-Gm-Message-State: AOJu0Yzv3C+sCOC7tw3XHICaXh9tAkm8o6ghE6jmQ5x59oI7GK7QXejW mLqB5jA5mZUgj+nUAK75s9iHcV9dtO2xcIQu2YYzEdAmIutfykCiGVsym9G4/GtniEliDmt0fZz xNUGQVlVeS8N+CJzmPRh9139q2P8yvWR4CZ498zKnRmZXG9c3pF4QKOc9VEYvrQ== X-Gm-Gg: ASbGnct1CMmhvHa2013F++GtJOZw3FjGW/CbiR9szv00BRrPnhB9m3GRh+f+PWlMtiv R5tshY9UpI08fKHdlt4T/nvAimFvILlb0l4AJiOnu3PTNDjRO5mTNrkljZePO17VUFUMUMX+VCx R0KDp1PeAFEelqMUz5bxhqPgWhTWnVKOCH/NAqiq9cqIJqm7N6qtYMmQD11FrJOX2XsuGPlWP5q E9c2V7+VzdwIKHpbiu71TIySWYHr2huobxtWp0HmfIPRvwERAgc+Vc0td0tU6urZrZqMqEPFtjj of/FgE4= X-Received: by 2002:a05:6000:144c:b0:3a4:fc37:70e4 with SMTP id ffacd0b85a97d-3a51d97408amr5757678f8f.58.1749131005245; Thu, 05 Jun 2025 06:43:25 -0700 (PDT) X-Google-Smtp-Source: AGHT+IH06+3a1Kbk78BFgL3ZwbDTDTsWsomlMTVTUM+GFt6c6uDgEbkD9kGtXYidxIou37MFPIzdSQ== X-Received: by 2002:a05:6000:144c:b0:3a4:fc37:70e4 with SMTP id ffacd0b85a97d-3a51d97408amr5757647f8f.58.1749131004775; Thu, 05 Jun 2025 06:43:24 -0700 (PDT) Received: from fedora (g3.ign.cz. [91.219.240.17]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-3a4efe5b8f0sm24267394f8f.6.2025.06.05.06.43.23 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 05 Jun 2025 06:43:24 -0700 (PDT) From: Vitaly Kuznetsov To: James Bottomley , Eric Snowberg Cc: "linux-security-module@vger.kernel.org" , "linux-integrity@vger.kernel.org" , "linux-modules@vger.kernel.org" , "linux-kernel@vger.kernel.org" , "linux-doc@vger.kernel.org" , "keyrings@vger.kernel.org" , David Howells , David Woodhouse , Jonathan Corbet , Luis Chamberlain , Petr Pavlu , Sami Tolvanen , Daniel Gomez , Mimi Zohar , Roberto Sassu , Dmitry Kasatkin , Paul Moore , James Morris , "Serge E. Hallyn" , Peter Jones , Robert Holmes , Jeremy Cline , Coiby Xu , Gerd Hoffmann Subject: Re: [PATCH RFC 0/1] module: Optionally use .platform keyring for signatures verification In-Reply-To: References: <20250602132535.897944-1-vkuznets@redhat.com> <0FD18D05-6114-4A25-BD77-C32C1D706CC3@oracle.com> <87zfemoc76.fsf@redhat.com> Date: Thu, 05 Jun 2025 15:43:23 +0200 Message-ID: <87tt4unw1w.fsf@redhat.com> Precedence: bulk X-Mailing-List: linux-doc@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain James Bottomley writes: > On Thu, 2025-06-05 at 09:54 +0200, Vitaly Kuznetsov wrote: >> One additional consideration is the fact that we already trust 'db' >> for dm-verity (since 6fce1f40e951) and kexec (since 278311e417be) and >> especially the later gives someone who is able to control 'db' access >> to CPL0; a 'db'-signed module (IMO) wouldn't change much. > > Well, the kexec case is because kexec has to verify the new kernel as > shim would and shim would use the UEFI keys. The dm-verity one was > added for a cloud use case by pressuring the maintainers in spite of > the objection to using the platform keyring (it went to dm-devel only > so not many integrity people saw it): > > https://lore.kernel.org/all/20240617220037.594792-1-luca.boccassi@gmail.com/ > > The point here is I do think the cloud use case is legitimate, but it > can't be supported simply by ignoring the bare metal security domain > separation concerns of the integrity community. The argument that > distros have done it so it must be safe isn't really a winning one > (especially as there's no clear explanation of why they did it). So > either you need a better argument or we need a way to support both sets > of communities ... which is why I was wondering about a runtime > differentiator. So far, I got two 'runtime' ideas: - Observe MokListTrustedRT and distrust .platform when it is non-empty. This can, of course, be combine with a Kconfig for those, who do not want it at all. and/or - Sysctl toggle. Keep things as they are by default but make .platform trusted (either for modules or for everything) when switched 'on'. This can (optionally) by combined with a previous idea and have e.g. an 'auto' state for the toggle which follows MokListTrustedRT. -- Vitaly