On Fri, Mar 6, 2020 at 12:20 PM Connor Kuehl <ckuehl@xxxxxxxxxx> wrote:
>
> Some background:
>
> My team is working on a project that interacts very closely with
> SEV so we have a layer of code that wraps around the SEV ioctl calls.
> We have an automated test suite that ends up testing these ioctls
> on our test machine.
>
> We are in the process of adding this test machine as a dedicated test
> runner in our continuous integration process. Any time someone opens a
> pull request against our project, this test runner automatically checks
> that code out and executes the tests.
>
> Right now, the SEV ioctls that affect the state of the platform require
> CAP_SYS_ADMIN to run. This is not a capability we can give to an
> automated test runner, because it means that anyone who would like to
> contribute to the project would be able to run any code they want (for
> good or evil) as CAP_SYS_ADMIN on our machine.
>
> This patch replaces the check for CAP_SYS_ADMIN with a check that can
> still be easily controlled by an administrator with the file permissions
> ACL. This way access to the device can still be controlled, but without
> also assigning such broad system privileges at the same time.
>
> Connor Kuehl (1):
>   crypto: ccp: use file mode for sev ioctl permissions
>
>  drivers/crypto/ccp/sev-dev.c | 33 +++++++++++++++++----------------
>  1 file changed, 17 insertions(+), 16 deletions(-)
>
> --
> 2.24.1
>

One additional note is that this permission structure is more flexible for
general SEV usage anyway, and isn't special-cased for our usage. Currently, the
SEV admin commands are mostly limited to public key certificate management. I
would imagine that it would be desirable to have a sev-admin account which can
automate the certificate management without having CAP_SYS_ADMIN for the rest of
the system. So we believe this patch has broader applicability than just our
corner case.