From: Vitaly Kuznetsov <vkuznets@redhat.com>
To: James Bottomley <James.Bottomley@HansenPartnership.com>,
Eric Snowberg <eric.snowberg@oracle.com>
Cc: "linux-security-module@vger.kernel.org"
<linux-security-module@vger.kernel.org>,
"linux-integrity@vger.kernel.org"
<linux-integrity@vger.kernel.org>,
"linux-modules@vger.kernel.org" <linux-modules@vger.kernel.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"linux-doc@vger.kernel.org" <linux-doc@vger.kernel.org>,
"keyrings@vger.kernel.org" <keyrings@vger.kernel.org>,
David Howells <dhowells@redhat.com>,
David Woodhouse <dwmw2@infradead.org>,
Jonathan Corbet <corbet@lwn.net>,
Luis Chamberlain <mcgrof@kernel.org>,
Petr Pavlu <petr.pavlu@suse.com>,
Sami Tolvanen <samitolvanen@google.com>,
Daniel Gomez <da.gomez@samsung.com>,
Mimi Zohar <zohar@linux.ibm.com>,
Roberto Sassu <roberto.sassu@huawei.com>,
Dmitry Kasatkin <dmitry.kasatkin@gmail.com>,
Paul Moore <paul@paul-moore.com>,
James Morris <jmorris@namei.org>,
"Serge E. Hallyn" <serge@hallyn.com>,
Peter Jones <pjones@redhat.com>,
Robert Holmes <robeholmes@gmail.com>,
Jeremy Cline <jcline@redhat.com>, Coiby Xu <coxu@redhat.com>,
Gerd Hoffmann <kraxel@redhat.com>
Subject: Re: [PATCH RFC 0/1] module: Optionally use .platform keyring for signatures verification
Date: Thu, 05 Jun 2025 15:43:23 +0200 [thread overview]
Message-ID: <87tt4unw1w.fsf@redhat.com> (raw)
In-Reply-To: <e4e838d03b3619df5523d429e0cd8160a8aef9f8.camel@HansenPartnership.com>
James Bottomley <James.Bottomley@HansenPartnership.com> writes:
> On Thu, 2025-06-05 at 09:54 +0200, Vitaly Kuznetsov wrote:
>> One additional consideration is the fact that we already trust 'db'
>> for dm-verity (since 6fce1f40e951) and kexec (since 278311e417be) and
>> especially the later gives someone who is able to control 'db' access
>> to CPL0; a 'db'-signed module (IMO) wouldn't change much.
>
> Well, the kexec case is because kexec has to verify the new kernel as
> shim would and shim would use the UEFI keys. The dm-verity one was
> added for a cloud use case by pressuring the maintainers in spite of
> the objection to using the platform keyring (it went to dm-devel only
> so not many integrity people saw it):
>
> https://lore.kernel.org/all/20240617220037.594792-1-luca.boccassi@gmail.com/
>
> The point here is I do think the cloud use case is legitimate, but it
> can't be supported simply by ignoring the bare metal security domain
> separation concerns of the integrity community. The argument that
> distros have done it so it must be safe isn't really a winning one
> (especially as there's no clear explanation of why they did it). So
> either you need a better argument or we need a way to support both sets
> of communities ... which is why I was wondering about a runtime
> differentiator.
So far, I got two 'runtime' ideas:
- Observe MokListTrustedRT and distrust .platform when it is
non-empty. This can, of course, be combine with a Kconfig for those, who
do not want it at all.
and/or
- Sysctl toggle. Keep things as they are by default but make .platform
trusted (either for modules or for everything) when switched 'on'. This
can (optionally) by combined with a previous idea and have e.g. an
'auto' state for the toggle which follows MokListTrustedRT.
--
Vitaly
next prev parent reply other threads:[~2025-06-05 13:43 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-06-02 13:25 [PATCH RFC 0/1] module: Optionally use .platform keyring for signatures verification Vitaly Kuznetsov
2025-06-02 13:25 ` [PATCH RFC 1/1] module: Make use of platform keyring for module signature verify Vitaly Kuznetsov
2025-06-02 18:34 ` James Bottomley
2025-06-03 8:52 ` Vitaly Kuznetsov
2025-06-03 13:03 ` James Bottomley
2025-06-04 7:47 ` Vitaly Kuznetsov
2025-06-05 8:34 ` Coiby Xu
2025-06-05 12:05 ` James Bottomley
2025-06-08 11:14 ` Coiby Xu
2025-06-04 17:01 ` [PATCH RFC 0/1] module: Optionally use .platform keyring for signatures verification Eric Snowberg
2025-06-04 17:34 ` James Bottomley
2025-06-05 7:54 ` Vitaly Kuznetsov
2025-06-05 12:22 ` James Bottomley
2025-06-05 13:43 ` Vitaly Kuznetsov [this message]
2025-06-05 15:49 ` James Bottomley
2025-06-09 8:58 ` Vitaly Kuznetsov
2025-06-05 13:35 ` Eric Snowberg
2025-06-05 14:56 ` Vitaly Kuznetsov
2025-06-05 14:35 ` Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87tt4unw1w.fsf@redhat.com \
--to=vkuznets@redhat.com \
--cc=James.Bottomley@HansenPartnership.com \
--cc=corbet@lwn.net \
--cc=coxu@redhat.com \
--cc=da.gomez@samsung.com \
--cc=dhowells@redhat.com \
--cc=dmitry.kasatkin@gmail.com \
--cc=dwmw2@infradead.org \
--cc=eric.snowberg@oracle.com \
--cc=jcline@redhat.com \
--cc=jmorris@namei.org \
--cc=keyrings@vger.kernel.org \
--cc=kraxel@redhat.com \
--cc=linux-doc@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-modules@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mcgrof@kernel.org \
--cc=paul@paul-moore.com \
--cc=petr.pavlu@suse.com \
--cc=pjones@redhat.com \
--cc=robeholmes@gmail.com \
--cc=roberto.sassu@huawei.com \
--cc=samitolvanen@google.com \
--cc=serge@hallyn.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).