On 06/03/2019 03:29 AM, Greg KH wrote:
> On Mon, Jun 03, 2019 at 04:04:32PM +1000, Daniel Axtens wrote:
>> Hi Nayna,
>>
>>>> As PowerNV moves towards secure boot, we need a place to put secure
>>>> variables. One option that has been canvassed is to make our secure
>>>> variables look like EFI variables. This is an early sketch of another
>>>> approach where we create a generic firmware variable file system,
>>>> fwvarfs, and an OPAL Secure Variable backend for it.
>>>
>>> Is there a need for a new filesystem? I am wondering why these can't be
>>> exposed via sysfs / securityfs?
>>> Probably, something like... /sys/firmware/secureboot or
>>> /sys/kernel/security/secureboot/ ?
>>
>> I suppose we could put secure variables in sysfs, but I'm not sure
>> that's what sysfs was intended for. I understand sysfs as "a
>> filesystem-based view of kernel objects" (from
>> Documentation/filesystems/configfs/configfs.txt), and I don't think a
>> secure variable is really a kernel object in the same way most other
>> things in sysfs are... but I'm open to being convinced.
>
> What makes them more "secure" than anything else that is in sysfs today?
> I didn't see anything in this patchset that provided "additional
> security", did I miss it?
>
>> securityfs seems to be reserved for LSMs, I don't think we can put
>> things there.
>
> Yeah, I wouldn't mess with that.

Thanks Greg for clarifying!! I am curious, the TPM exposes the BIOS event log to userspace via securityfs. Is there a reason for not exposing these security variables to userspace via securityfs as well?
Thanks & Regards,
- Nayna