From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id B346FCD6E68 for ; Wed, 11 Oct 2023 12:55:31 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1346914AbjJKMza (ORCPT ); Wed, 11 Oct 2023 08:55:30 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:34524 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234670AbjJKMz2 (ORCPT ); Wed, 11 Oct 2023 08:55:28 -0400 Received: from mail-vs1-xe35.google.com (mail-vs1-xe35.google.com [IPv6:2607:f8b0:4864:20::e35]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id AD3CAA7 for ; Wed, 11 Oct 2023 05:55:25 -0700 (PDT) Received: by mail-vs1-xe35.google.com with SMTP id ada2fe7eead31-457584c824dso1854659137.0 for ; Wed, 11 Oct 2023 05:55:25 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; t=1697028925; x=1697633725; darn=vger.kernel.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=TJHkKAgZfrxS1O8Tslb2tMsF0PPp/zqOL3rMiik7kWc=; b=Lz2M2d/r4s97ZOBTxD6wi/FYiH09kYAdVnpLQnfaZGz/9u2CHVruRBFSmhYfoPponp jsj+8dUOpXBoEg9L0CgBGvgg46GmXB34BcWp8CJSqQbgGCdsAsYxvhUBNsyi5Ly/FJoe nMQH2sg6UtMW42RC3oR9A0PDLP4YQr7BWtgWZRnJ8ExqPd/Z06vvpcRJOwRi9ycRxOKs Pbxl7N7BaKuqXYHE9OpsBtpIyj8HvHRzocy9t6adwMg8Rbpo7QZTja5UFcKstam0tqtL IMkebO5QLmaMPJ+2q9YkLX98jCXD9BJo82k63Gm1AfpT9sgzOufCjwSM/U5fLqpZdhBZ nc0w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1697028925; x=1697633725; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=TJHkKAgZfrxS1O8Tslb2tMsF0PPp/zqOL3rMiik7kWc=; b=Sk/1eCQQTUmbOqgULETBhBJlGUkD7+uEObw6SheCgnWY7kO/t3PVgCCWoFwlu8RbJy KrZXqNT0jEh2M4phKNfgzCAchjn2pxbwVajY+68FS0yJw9xEGi1j9kR7LqUrSc08KM+G 0SDH6Po/793xRsLxapzbt5Kp5nFTSclkx9rCSQFncJfUHY9YzeBvoqkEL3PQFyI5QCDD r4a4f0Tq4xjwKGoUbEKPBBvQWYYtm0dZJ6b6fm9D6K+/wZ3dPkitcX7WmGOqJmoqLj7B TT/jgJDLaV2r9uLZX5ZifzmHyESYTp1+P1xomXSn8uUPEhn3hm7tXsvNVSFWyyxMzuTK oPlA== X-Gm-Message-State: AOJu0YwCW82H3jCix4358/dlbDcr/u9Rr+8INWGDrUoRwOzYr4/31Bax CdghEd2k8GF1KEhKzmxcAzDbdxr+5/qBKXmnD5dBrw== X-Google-Smtp-Source: AGHT+IE/GS3ZefqbCTRAxvzj5P2FzW1ao64b6+xoVl1jPWppctYlhVhjbQJTPsbdrbj5cpefjtgO744OBsx/DINQjDg= X-Received: by 2002:a67:f489:0:b0:44e:d415:76a3 with SMTP id o9-20020a67f489000000b0044ed41576a3mr20147184vsn.11.1697028923184; Wed, 11 Oct 2023 05:55:23 -0700 (PDT) MIME-Version: 1.0 References: <20231010231616.3122392-1-jarkko@kernel.org> <186a4b62517ead88df8c3c0e9e9585e88f9a6fd8.camel@kernel.org> <0aeb4d88952aff53c5c1a40b547a9819ebd1947e.camel@kernel.org> <79fe0b97e2f5d1f02d08c9f633b7c0da13dc9127.camel@kernel.org> In-Reply-To: <79fe0b97e2f5d1f02d08c9f633b7c0da13dc9127.camel@kernel.org> From: Sumit Garg Date: Wed, 11 Oct 2023 18:25:11 +0530 Message-ID: Subject: Re: [PATCH] KEYS: trusted: Rollback init_trusted() consistently To: Jarkko Sakkinen Cc: keyrings@vger.kernel.org, Linus Torvalds , stable@vger.kernel.org, James Bottomley , Mimi Zohar , David Howells , Paul Moore , James Morris , "Serge E. Hallyn" , "open list:KEYS-TRUSTED" , "open list:SECURITY SUBSYSTEM" , open list Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: On Wed, 11 Oct 2023 at 18:07, Jarkko Sakkinen wrote: > > On Wed, 2023-10-11 at 17:47 +0530, Sumit Garg wrote: > > On Wed, 11 Oct 2023 at 16:04, Jarkko Sakkinen wrote: > > > > > > On Wed, 2023-10-11 at 13:12 +0300, Jarkko Sakkinen wrote: > > > > On Wed, 2023-10-11 at 11:27 +0530, Sumit Garg wrote: > > > > > On Wed, 11 Oct 2023 at 04:46, Jarkko Sakkinen wrote: > > > > > > > > > > > > Do bind neither static calls nor trusted_key_exit() before a successful > > > > > > init, in order to maintain a consistent state. In addition, depart the > > > > > > init_trusted() in the case of a real error (i.e. getting back something > > > > > > else than -ENODEV). > > > > > > > > > > > > Reported-by: Linus Torvalds > > > > > > Closes: https://lore.kernel.org/linux-integrity/CAHk-=whOPoLaWM8S8GgoOPT7a2+nMH5h3TLKtn=R_3w4R1_Uvg@mail.gmail.com/ > > > > > > Cc: stable@vger.kernel.org # v5.13+ > > > > > > Fixes: 5d0682be3189 ("KEYS: trusted: Add generic trusted keys framework") > > > > > > Signed-off-by: Jarkko Sakkinen > > > > > > --- > > > > > > security/keys/trusted-keys/trusted_core.c | 20 ++++++++++---------- > > > > > > 1 file changed, 10 insertions(+), 10 deletions(-) > > > > > > > > > > > > diff --git a/security/keys/trusted-keys/trusted_core.c b/security/keys/trusted-keys/trusted_core.c > > > > > > index 85fb5c22529a..fee1ab2c734d 100644 > > > > > > --- a/security/keys/trusted-keys/trusted_core.c > > > > > > +++ b/security/keys/trusted-keys/trusted_core.c > > > > > > @@ -358,17 +358,17 @@ static int __init init_trusted(void) > > > > > > if (!get_random) > > > > > > get_random = kernel_get_random; > > > > > > > > > > > > - static_call_update(trusted_key_seal, > > > > > > - trusted_key_sources[i].ops->seal); > > > > > > - static_call_update(trusted_key_unseal, > > > > > > - trusted_key_sources[i].ops->unseal); > > > > > > - static_call_update(trusted_key_get_random, > > > > > > - get_random); > > > > > > - trusted_key_exit = trusted_key_sources[i].ops->exit; > > > > > > - migratable = trusted_key_sources[i].ops->migratable; > > > > > > - > > > > > > ret = trusted_key_sources[i].ops->init(); > > > > > > - if (!ret) > > > > > > + if (!ret) { > > > > > > + static_call_update(trusted_key_seal, trusted_key_sources[i].ops->seal); > > > > > > + static_call_update(trusted_key_unseal, trusted_key_sources[i].ops->unseal); > > > > > > + static_call_update(trusted_key_get_random, get_random); > > > > > > + > > > > > > + trusted_key_exit = trusted_key_sources[i].ops->exit; > > > > > > + migratable = trusted_key_sources[i].ops->migratable; > > > > > > + } > > > > > > + > > > > > > + if (!ret || ret != -ENODEV) > > > > > > > > > > As mentioned in the other thread, we should allow other trust sources > > > > > to be initialized if the primary one fails. > > > > > > > > I sent the patch before I received that response but here's what you > > > > wrote: > > > > > > > > "We should give other trust sources a chance to register for trusted > > > > keys if the primary one fails." > > > > > > > > 1. This condition is lacking an inline comment. > > > > 2. Neither this response or the one that you pointed out has any > > > > explanation why for any system failure the process should > > > > continue. > > > > > > > > You should really know the situations (e.g. list of posix error > > > > code) when the process can continue and "allow list" those. This > > > > way way too abstract. It cannot be let all possible system failures > > > > pass. > > > > > > And it would nice if it printed out something for legit cases. Like > > > "no device found" etc. And for rest it must really withdraw the whole > > > process. > > > > IMO, it would be quite tricky to come up with an allow list. Can we > > keep "EACCES", "EPERM", "ENOTSUPP" etc in that allow list? I think > > these are all debatable. > > Yes, that does sounds reasonable. > > About the debate. Well, it is better eagerly block and tree falls down > somewhere we can consider extending the list through a fix. > > This all wide open is worse than a few glitches somewhere, which are > trivial to fix. > Fair enough, I would suggest we document it appropriately such that it is clear to the users or somebody looking at the code. -Sumit > BR, Jarkko