On 6/22/22 18:29, Casey Schaufler wrote:
On 6/22/2022 2:56 PM, Nayna Jain wrote:
securityfs is meant for linux security subsystems to expose
policies/logs
or any other information. However, there are various firmware security
features which expose their variables for user management via kernel.
There is currently no single place to expose these variables. Different
platforms use sysfs/platform specific filesystem(efivarfs)/securityfs
interface as find appropriate. Thus, there is a gap in kernel interfaces
to expose variables for security features.
Why not put the firmware entries under /sys/kernel/security/firmware?
From man 5 sysfs page:
/sys/firmware: This subdirectory contains interfaces for viewing and
manipulating firmware-specific objects and attributes.
/sys/kernel: This subdirectory contains various files and subdirectories
that provide information about the running kernel.
The security variables which are supposed to be exposed via fwsecurityfs
are managed by firmware, stored in firmware managed space and also often
consumed by firmware for enabling various security features.
From git commit b67dbf9d4c1987c370fd18fdc4cf9d8aaea604c2, the purpose
of securityfs(/sys/kernel/security) is to provide a common place for all
kernel LSMs to use a common place. The idea of
fwsecurityfs(/sys/firmware/security) is to similarly provide a common
place for all firmware security objects.
By having another firmware directory within /sys/kernel/security would
mean scattering firmware objects at multiple places and confusing the
purpose of /sys/kernel and /sys/firmware.
Thanks & Regards,
- Nayna