From: Guenter Roeck <linux@roeck-us.net>
To: Paul Moore <paul@paul-moore.com>
Cc: KP Singh <kpsingh@kernel.org>,
Nathan Chancellor <nathan@kernel.org>,
linux-kernel@vger.kernel.org,
linux-security-module@vger.kernel.org, bp@alien8.de,
sfr@canb.auug.org.au, peterz@infradead.org
Subject: Re: [PATCH] init/main.c: Initialize early LSMs after arch code
Date: Wed, 7 Aug 2024 18:40:59 -0700 [thread overview]
Message-ID: <9216940f-cee5-402e-a7f5-71e1df52f452@roeck-us.net> (raw)
In-Reply-To: <CAHC9VhTd0MKVXsZ7J_b_Mmr2vP+RMJtxzfsgpH1rZ_hoHY1D3A@mail.gmail.com>
On 8/7/24 18:18, Paul Moore wrote:
> On Wed, Aug 7, 2024 at 8:34 PM Guenter Roeck <linux@roeck-us.net> wrote:
>> On 8/7/24 16:43, Paul Moore wrote:
>>> On Wed, Aug 7, 2024 at 6:45 PM KP Singh <kpsingh@kernel.org> wrote:
>>>> On Wed, Aug 7, 2024 at 10:45 PM Paul Moore <paul@paul-moore.com> wrote:
>>>>> On Tue, Aug 6, 2024 at 5:41 PM Paul Moore <paul@paul-moore.com> wrote:
>>>>>> On Mon, Aug 5, 2024 at 10:20 PM Nathan Chancellor <nathan@kernel.org> wrote:
>>>>>
>>>>> ...
>>>>>
>>>>>>> For what it's worth, I have not noticed any issues in my -next testing
>>>>>>> with this patch applied but I only build architectures that build with
>>>>>>> LLVM due to the nature of my work. If exposure to more architectures is
>>>>>>> desirable, perhaps Guenter Roeck would not mind testing it with his
>>>>>>> matrix?
>>>>>>
>>>>>> Thanks Nathan.
>>>>>>
>>>>>> I think the additional testing would be great, KP can you please work
>>>>>> with Guenter to set this up?
>>>>>
>>>>
>>>> Adding Guenter directly to this thread.
>>>>
>>>>> Is that something you can do KP? I'm asking because I'm looking at
>>>>> merging some other patches into lsm/dev and I need to make a decision
>>>>> about the static call patches (hold off on merging the other patches
>>>>> until the static call testing is complete, or yank the static call
>>>>> patches until testing is complete and then re-merge). Understanding
>>>>> your ability to do the additional testing, and a rough idea of how
>>>>
>>>> I have done the best of the testing I could do here. I think we should
>>>> let this run its normal course and see if this breaks anything. I am
>>>> not sure how testing is done before patches are merged and what else
>>>> you expect me to do?
>>>
>>> That is why I was asking you to get in touch with Guenter to try and
>>> sort out what needs to be done to test this across different
>>> architectures.
>>>
>>> With all due respect, this patchset has a history of not being as
>>> tested as well as I would like; we had the compilation warning on gcc
>>> and then the linux-next breakage. The gcc problem wasn't a major
>>> problem (although it was disappointing, especially considering the
>>> context around it), but I consider the linux-next breakage fairly
>>> serious and would like to have some assurance beyond your "it's okay,
>>> trust me" this time around. If there really is no way to practically
>>> test this patchset across multiple arches prior to throwing it into
>>> linux-next, so be it, but I want to see at least some effort towards
>>> trying to make that happen.
>>>
>>
>> Happy to run whatever patchset there is through my testbed. Just send me
>> a pointer to it.
>>
>> Note that it should be based on mainline; linux-next is typically too broken
>> to provide any useful signals. I can handle a patchset either on top of v6.10
>> or v6.11-rc2 (meaning 6.10 passes through all my tests, and I can apply and
>> revert patches to/from 6.11-rc2 to get it to pass).
>
> Thanks Guenter, it looks like KP already make up a branch for you to
> pull, but if you have any problems or need something different let us
> know.
>
>> Question of course is if that really helps: I don't specifically test features
>> such as LSM or BPF.
>
> In this particular case we are most interested in testing the LSM
> initializing code so I don't believe you need to worry much about
> LSM/BPF configuration, it's a matter of ensuring the different arches
> are able to boot without any panics/warnings/etc.
>
> There is some Kconfig needed, KP provided a good snippet earlier in
> this thread, the relevant portion is copied below:
>
> % cat .config | grep -i LOCKDOWN
> CONFIG_SECURITY_LOCKDOWN_LSM=y
> CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
> CONFIG_LSM="landlock,lockdown,yama,loadpin,safesetid,bpf"
>
Ah, that might be a bit more challenging. I don't explicitly enable
security LSMs, so just building and loading them on various architectures
might be problematic even without the changes discussed here.
I'll enable all security modules referenced above in my test builds.
If we are lucky everything will pass; otherwise I may need a couple
of runs to establish a baseline.
Thanks,
Guenter
next prev parent reply other threads:[~2024-08-08 1:41 UTC|newest]
Thread overview: 35+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-08-01 17:17 [PATCH] init/main.c: Initialize early LSMs after arch code KP Singh
2024-08-05 19:57 ` Paul Moore
2024-08-05 23:29 ` KP Singh
2024-08-06 2:20 ` Nathan Chancellor
2024-08-06 21:41 ` Paul Moore
2024-08-07 20:44 ` Paul Moore
2024-08-07 22:45 ` KP Singh
2024-08-07 22:50 ` KP Singh
2024-08-07 23:43 ` Paul Moore
2024-08-08 0:30 ` KP Singh
2024-08-08 0:34 ` Guenter Roeck
2024-08-08 0:40 ` KP Singh
2024-08-08 1:20 ` Guenter Roeck
2024-08-08 1:18 ` Paul Moore
2024-08-08 1:40 ` Guenter Roeck [this message]
2024-08-08 2:13 ` Guenter Roeck
2024-08-08 4:07 ` Guenter Roeck
2024-08-08 9:57 ` KP Singh
2024-08-08 15:20 ` Guenter Roeck
2024-08-08 16:43 ` Guenter Roeck
2024-08-08 17:32 ` Paul Moore
2024-08-08 18:00 ` Guenter Roeck
2024-08-08 20:49 ` Paul Moore
2024-08-12 17:12 ` KP Singh
2024-08-12 19:33 ` Paul Moore
2024-08-12 21:14 ` KP Singh
2024-08-12 21:32 ` Paul Moore
2024-08-12 22:02 ` KP Singh
2024-08-13 4:07 ` Guenter Roeck
2024-08-13 15:56 ` KP Singh
2024-08-13 16:26 ` Guenter Roeck
2024-08-13 18:21 ` Paul Moore
2024-08-08 17:19 ` Paul Moore
2025-03-11 13:37 ` joeyli
2025-03-11 15:14 ` Paul Moore
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=9216940f-cee5-402e-a7f5-71e1df52f452@roeck-us.net \
--to=linux@roeck-us.net \
--cc=bp@alien8.de \
--cc=kpsingh@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=nathan@kernel.org \
--cc=paul@paul-moore.com \
--cc=peterz@infradead.org \
--cc=sfr@canb.auug.org.au \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox