Re: [RFC PATCH v3 03/13] clavis: Introduce a new system keyring called clavis

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Hi Eric,

On Fri, 2025-01-03 at 23:27 +0000, Eric Snowberg wrote:
> > > +config SECURITY_CLAVIS
> > > + bool "Clavis keyring"
> > 
> > Isn't SECURITY_CLAVIS the new LSM?  Why is the bool defined as just "Clavis
> > keyring"?
> > 
> > > + depends on SECURITY
> > > + select SYSTEM_DATA_VERIFICATION
> > > + select CRYPTO_SHA256
> > > + help
> > > +   Enable the clavis keyring. This keyring shall contain a single asymmetric key.
> > > +   This key shall be linked to a key already contained in one of the system
> > > +   keyrings (builtin, secondary, or platform). One way to add this key
> > > +   is during boot by passing in the asymmetric key id within the "clavis=" boot
> > > +   param.  This keyring is required by the Clavis LSM.
> > 
> > If SECURITY_CLAVIS is a new LSM, the 'help' shouldn't be limited to just the
> > clavis keyring, but written at a higher level describing the new LSM.  For
> > example,
> > 
> > This option enables the Clavis LSM, which provides the ability to configure and
> > enforce the usage of keys contained on the system keyrings -
> > .builtin_trusted_keys, .secondary_trusted_keys, .machine, and .platform
> > keyrings.  The clavis LSM defines a keyring named "clavis", which contains a
> > single asymmetric key and the key usage rules.
> > 
> > The single asymmetric key may be specified on the boot command line ...
> > 
> > [The patch that introduces the key usage rules would add additional info here.]
> > 
> > [The patch that adds the Documentatoin would add a reference here.]
> 
> I went the route of creating the keyring in this patch and then introducing the 
> LSM which uses it in a later patch.  My reasoning was it can be tested 
> independently.  Also, I thought it would make it easier to review, since 
> everything isn't contained within a single patch.  I could look at combining 
> them together if you think that would be better.

SECURITY_CLAVIS is not just about the CLAVIS keyring, right?  The Kconfig can be
defined and used here, but eventually the SECURITY_CLAVIS "help" needs to be
updated to describe the new LSM.

thanks,

Mimi
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Linux Kernel]     [Linux Kernel Hardening]     [Linux NFS]     [Linux NILFS]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux SCSI]

  Powered by Linux