| Message ID | 20231010231616.3122392-1-jarkko@kernel.org |
|---|---|
| State | New |
| Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a05:612c:2908:b0:403:3b70:6f57 with SMTP id ib8csp193022vqb;
Tue, 10 Oct 2023 16:16:42 -0700 (PDT)
X-Google-Smtp-Source:
AGHT+IHvLwEs0KKPDqBsNHHLTuRZ0OsuKT2nJUsm1R6wIk5jHO7FovFXcRQNKugplF7QcG6j746+
X-Received: by 2002:a05:6358:c10a:b0:14a:cca4:55d7 with SMTP id
fh10-20020a056358c10a00b0014acca455d7mr15983614rwb.3.1696979802189;
Tue, 10 Oct 2023 16:16:42 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1696979802; cv=none;
d=google.com; s=arc-20160816;
b=dyydo2LqmOipDV5UcTFSJBcTewPmi20EbgyHzwomNJT6ATsVTws399kbfPML1z7o8W
hHFMZ8azCveLl40DAm5I6UrTVLzGSBlqAM5MT7JEktGnTzPgw6q6jTX13XPmQxT3xJ3G
70qnZbJoYSifRgvBAdY0GLnEGMxzjHrZD/xY/CGYyBXfeMg/S31MiEGhAkjmUbyWS7gc
+t1Bo5m3GS9aPAiCTsqKE/snqYJhSkQ1jt3PpHeVomKwSffvBGIyhoUAa1+HZPpL3mUu
pcVyki4aKJG3kAzISJ5p6hWAjmAXnP9iA4QCjeIyCBOL+AMpaqM/lvgw369Uspjlky6E
MQ9A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=list-id:precedence:content-transfer-encoding:mime-version
:message-id:date:subject:cc:to:from:dkim-signature;
bh=1/t5pboWPEjC5+mEWVHMbZhc4Ve/FsgJR1rAI9u7sMw=;
fh=Jsi2hACG1O9/UE06pwXOvfz6djAeuvRlW/S2PtS9YDs=;
b=cWBqVgxFJ0p9e2/ipsGXL66JPILKR9JDEBB0ZQ2FKOn+qZ4R0xmswY1sJzKV5Odhhi
V6eMOlVrrWnHz3E0gSlf22RhWl+sjyzsIhIdIUMGTsglEcDCrKYWMZJYTpbrB9Gl98aB
VLhWBtXG6MXDxEHt2BcM6vkPM3n117XhBlYm6hU8EE0WLRPzIjmKI62ynMUoxhPxq6qQ
8TNSsVLQCFHYT2zWpG398KJPb1NJaLM5yL6V8GDqy2spFt9QGI9cygUXGEToECsRtm3g
A3cESJyweXxDuq5wpOj//a8X/WS86WFY7ZTP9EvFzpOuaEkFN3YQqXgQuOygz4Es+Y4d
cmSw==
ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass header.i=@kernel.org header.s=k20201202 header.b=pXMC74Z2;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 23.128.96.31 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Received: from morse.vger.email (morse.vger.email. [23.128.96.31])
by mx.google.com with ESMTPS id
p5-20020a17090a74c500b00263eb5054fdsi15019979pjl.32.2023.10.10.16.16.41
(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
Tue, 10 Oct 2023 16:16:42 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 23.128.96.31 as permitted sender) client-ip=23.128.96.31;
Authentication-Results: mx.google.com;
dkim=pass header.i=@kernel.org header.s=k20201202 header.b=pXMC74Z2;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 23.128.96.31 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0])
by morse.vger.email (Postfix) with ESMTP id 4921982E2970;
Tue, 10 Oct 2023 16:16:40 -0700 (PDT)
X-Virus-Status: Clean
X-Virus-Scanned: clamav-milter 0.103.10 at morse.vger.email
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
id S229567AbjJJXQY (ORCPT <rfc822;rua109.linux@gmail.com>
+ 19 others); Tue, 10 Oct 2023 19:16:24 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:56494 "EHLO
lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
with ESMTP id S229460AbjJJXQX (ORCPT
<rfc822;linux-kernel@vger.kernel.org>);
Tue, 10 Oct 2023 19:16:23 -0400
Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140])
by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 2F5888E;
Tue, 10 Oct 2023 16:16:22 -0700 (PDT)
Received: by smtp.kernel.org (Postfix) with ESMTPSA id 23AD1C433C7;
Tue, 10 Oct 2023 23:16:20 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
s=k20201202; t=1696979781;
bh=+/tFFsbWCbzFmHJU9b80+XvPt1sCZXKDdVVDEtowj5w=;
h=From:To:Cc:Subject:Date:From;
b=pXMC74Z2Goa7waeHAX/KsqDoV1yCMsrupkzcpVrj5XXkaT3LTE7a9taVjXKYBTs1z
wF60FN1h8iUIy73IMhLuofGTHlv1Z3ma9CHfpdGCtHeczFeXQITbuXWo2qR2qW7OKX
8CwabQbTWuOoRCytmGKySX+cP90SJgKYY4o4jSmaVD/CtNtbx0XR+UfxyrIQ6aEmk2
8HZN+0ubURxTGMGvJqmGKefQGxIvMbbX4BNv5Wh5puB03yEphVNrg46Tu9g/kHSzp4
XefdyPR+/1YqAktmK4M23sPvL29jBcAPojx0CoFY70NFm5qzU0nP2SGw/9t1BYgqpE
AwFNBCACjQJ7g==
From: Jarkko Sakkinen <jarkko@kernel.org>
To: keyrings@vger.kernel.org
Cc: Jarkko Sakkinen <jarkko@kernel.org>,
Linus Torvalds <torvalds@linux-foundation.org>,
stable@vger.kernel.org, James Bottomley <jejb@linux.ibm.com>,
Mimi Zohar <zohar@linux.ibm.com>,
David Howells <dhowells@redhat.com>,
Paul Moore <paul@paul-moore.com>,
James Morris <jmorris@namei.org>,
"Serge E. Hallyn" <serge@hallyn.com>,
Sumit Garg <sumit.garg@linaro.org>,
linux-integrity@vger.kernel.org (open list:KEYS-TRUSTED),
linux-security-module@vger.kernel.org (open list:SECURITY SUBSYSTEM),
linux-kernel@vger.kernel.org (open list)
Subject: [PATCH] KEYS: trusted: Rollback init_trusted() consistently
Date: Wed, 11 Oct 2023 02:16:16 +0300
Message-Id: <20231010231616.3122392-1-jarkko@kernel.org>
X-Mailer: git-send-email 2.39.2
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, score=2.4 required=5.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED,
DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,MAILING_LIST_MULTI,
RCVD_IN_SBL_CSS,SPF_HELO_NONE,SPF_PASS autolearn=no autolearn_force=no
version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on morse.vger.email
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-Greylist: Sender passed SPF test,
not delayed by milter-greylist-4.6.4 (morse.vger.email [0.0.0.0]);
Tue, 10 Oct 2023 16:16:40 -0700 (PDT)
X-Spam-Level: **
X-getmail-retrieved-from-mailbox: INBOX
X-GMAIL-THRID: 1779412293082562817
X-GMAIL-MSGID: 1779412293082562817
|
| Series |
KEYS: trusted: Rollback init_trusted() consistently
|
|
Commit Message
Jarkko Sakkinen
Oct. 10, 2023, 11:16 p.m. UTC
Do bind neither static calls nor trusted_key_exit() before a successful
init, in order to maintain a consistent state. In addition, depart the
init_trusted() in the case of a real error (i.e. getting back something
else than -ENODEV).
Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
Closes: https://lore.kernel.org/linux-integrity/CAHk-=whOPoLaWM8S8GgoOPT7a2+nMH5h3TLKtn=R_3w4R1_Uvg@mail.gmail.com/
Cc: stable@vger.kernel.org # v5.13+
Fixes: 5d0682be3189 ("KEYS: trusted: Add generic trusted keys framework")
Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
---
security/keys/trusted-keys/trusted_core.c | 20 ++++++++++----------
1 file changed, 10 insertions(+), 10 deletions(-)
Comments
On Wed, 11 Oct 2023 at 04:46, Jarkko Sakkinen <jarkko@kernel.org> wrote: > > Do bind neither static calls nor trusted_key_exit() before a successful > init, in order to maintain a consistent state. In addition, depart the > init_trusted() in the case of a real error (i.e. getting back something > else than -ENODEV). > > Reported-by: Linus Torvalds <torvalds@linux-foundation.org> > Closes: https://lore.kernel.org/linux-integrity/CAHk-=whOPoLaWM8S8GgoOPT7a2+nMH5h3TLKtn=R_3w4R1_Uvg@mail.gmail.com/ > Cc: stable@vger.kernel.org # v5.13+ > Fixes: 5d0682be3189 ("KEYS: trusted: Add generic trusted keys framework") > Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org> > --- > security/keys/trusted-keys/trusted_core.c | 20 ++++++++++---------- > 1 file changed, 10 insertions(+), 10 deletions(-) > > diff --git a/security/keys/trusted-keys/trusted_core.c b/security/keys/trusted-keys/trusted_core.c > index 85fb5c22529a..fee1ab2c734d 100644 > --- a/security/keys/trusted-keys/trusted_core.c > +++ b/security/keys/trusted-keys/trusted_core.c > @@ -358,17 +358,17 @@ static int __init init_trusted(void) > if (!get_random) > get_random = kernel_get_random; > > - static_call_update(trusted_key_seal, > - trusted_key_sources[i].ops->seal); > - static_call_update(trusted_key_unseal, > - trusted_key_sources[i].ops->unseal); > - static_call_update(trusted_key_get_random, > - get_random); > - trusted_key_exit = trusted_key_sources[i].ops->exit; > - migratable = trusted_key_sources[i].ops->migratable; > - > ret = trusted_key_sources[i].ops->init(); > - if (!ret) > + if (!ret) { > + static_call_update(trusted_key_seal, trusted_key_sources[i].ops->seal); > + static_call_update(trusted_key_unseal, trusted_key_sources[i].ops->unseal); > + static_call_update(trusted_key_get_random, get_random); > + > + trusted_key_exit = trusted_key_sources[i].ops->exit; > + migratable = trusted_key_sources[i].ops->migratable; > + } > + > + if (!ret || ret != -ENODEV) As mentioned in the other thread, we should allow other trust sources to be initialized if the primary one fails. -Sumit > break; > } > > -- > 2.39.2 >
On Wed, 2023-10-11 at 11:27 +0530, Sumit Garg wrote: > On Wed, 11 Oct 2023 at 04:46, Jarkko Sakkinen <jarkko@kernel.org> wrote: > > > > Do bind neither static calls nor trusted_key_exit() before a successful > > init, in order to maintain a consistent state. In addition, depart the > > init_trusted() in the case of a real error (i.e. getting back something > > else than -ENODEV). > > > > Reported-by: Linus Torvalds <torvalds@linux-foundation.org> > > Closes: https://lore.kernel.org/linux-integrity/CAHk-=whOPoLaWM8S8GgoOPT7a2+nMH5h3TLKtn=R_3w4R1_Uvg@mail.gmail.com/ > > Cc: stable@vger.kernel.org # v5.13+ > > Fixes: 5d0682be3189 ("KEYS: trusted: Add generic trusted keys framework") > > Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org> > > --- > > security/keys/trusted-keys/trusted_core.c | 20 ++++++++++---------- > > 1 file changed, 10 insertions(+), 10 deletions(-) > > > > diff --git a/security/keys/trusted-keys/trusted_core.c b/security/keys/trusted-keys/trusted_core.c > > index 85fb5c22529a..fee1ab2c734d 100644 > > --- a/security/keys/trusted-keys/trusted_core.c > > +++ b/security/keys/trusted-keys/trusted_core.c > > @@ -358,17 +358,17 @@ static int __init init_trusted(void) > > if (!get_random) > > get_random = kernel_get_random; > > > > - static_call_update(trusted_key_seal, > > - trusted_key_sources[i].ops->seal); > > - static_call_update(trusted_key_unseal, > > - trusted_key_sources[i].ops->unseal); > > - static_call_update(trusted_key_get_random, > > - get_random); > > - trusted_key_exit = trusted_key_sources[i].ops->exit; > > - migratable = trusted_key_sources[i].ops->migratable; > > - > > ret = trusted_key_sources[i].ops->init(); > > - if (!ret) > > + if (!ret) { > > + static_call_update(trusted_key_seal, trusted_key_sources[i].ops->seal); > > + static_call_update(trusted_key_unseal, trusted_key_sources[i].ops->unseal); > > + static_call_update(trusted_key_get_random, get_random); > > + > > + trusted_key_exit = trusted_key_sources[i].ops->exit; > > + migratable = trusted_key_sources[i].ops->migratable; > > + } > > + > > + if (!ret || ret != -ENODEV) > > As mentioned in the other thread, we should allow other trust sources > to be initialized if the primary one fails. I sent the patch before I received that response but here's what you wrote: "We should give other trust sources a chance to register for trusted keys if the primary one fails." 1. This condition is lacking an inline comment. 2. Neither this response or the one that you pointed out has any explanation why for any system failure the process should continue. You should really know the situations (e.g. list of posix error code) when the process can continue and "allow list" those. This way way too abstract. It cannot be let all possible system failures pass. Can you e.g. explain a legit use case when something else is returned than -ENODEV but it is cool and we can continue in some real world use case? BR, Jarkko
On Wed, 2023-10-11 at 13:12 +0300, Jarkko Sakkinen wrote: > On Wed, 2023-10-11 at 11:27 +0530, Sumit Garg wrote: > > On Wed, 11 Oct 2023 at 04:46, Jarkko Sakkinen <jarkko@kernel.org> wrote: > > > > > > Do bind neither static calls nor trusted_key_exit() before a successful > > > init, in order to maintain a consistent state. In addition, depart the > > > init_trusted() in the case of a real error (i.e. getting back something > > > else than -ENODEV). > > > > > > Reported-by: Linus Torvalds <torvalds@linux-foundation.org> > > > Closes: https://lore.kernel.org/linux-integrity/CAHk-=whOPoLaWM8S8GgoOPT7a2+nMH5h3TLKtn=R_3w4R1_Uvg@mail.gmail.com/ > > > Cc: stable@vger.kernel.org # v5.13+ > > > Fixes: 5d0682be3189 ("KEYS: trusted: Add generic trusted keys framework") > > > Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org> > > > --- > > > security/keys/trusted-keys/trusted_core.c | 20 ++++++++++---------- > > > 1 file changed, 10 insertions(+), 10 deletions(-) > > > > > > diff --git a/security/keys/trusted-keys/trusted_core.c b/security/keys/trusted-keys/trusted_core.c > > > index 85fb5c22529a..fee1ab2c734d 100644 > > > --- a/security/keys/trusted-keys/trusted_core.c > > > +++ b/security/keys/trusted-keys/trusted_core.c > > > @@ -358,17 +358,17 @@ static int __init init_trusted(void) > > > if (!get_random) > > > get_random = kernel_get_random; > > > > > > - static_call_update(trusted_key_seal, > > > - trusted_key_sources[i].ops->seal); > > > - static_call_update(trusted_key_unseal, > > > - trusted_key_sources[i].ops->unseal); > > > - static_call_update(trusted_key_get_random, > > > - get_random); > > > - trusted_key_exit = trusted_key_sources[i].ops->exit; > > > - migratable = trusted_key_sources[i].ops->migratable; > > > - > > > ret = trusted_key_sources[i].ops->init(); > > > - if (!ret) > > > + if (!ret) { > > > + static_call_update(trusted_key_seal, trusted_key_sources[i].ops->seal); > > > + static_call_update(trusted_key_unseal, trusted_key_sources[i].ops->unseal); > > > + static_call_update(trusted_key_get_random, get_random); > > > + > > > + trusted_key_exit = trusted_key_sources[i].ops->exit; > > > + migratable = trusted_key_sources[i].ops->migratable; > > > + } > > > + > > > + if (!ret || ret != -ENODEV) > > > > As mentioned in the other thread, we should allow other trust sources > > to be initialized if the primary one fails. > > I sent the patch before I received that response but here's what you > wrote: > > "We should give other trust sources a chance to register for trusted > keys if the primary one fails." > > 1. This condition is lacking an inline comment. > 2. Neither this response or the one that you pointed out has any > explanation why for any system failure the process should > continue. > > You should really know the situations (e.g. list of posix error > code) when the process can continue and "allow list" those. This > way way too abstract. It cannot be let all possible system failures > pass. And it would nice if it printed out something for legit cases. Like "no device found" etc. And for rest it must really withdraw the whole process. BR, Jarkko
On Wed, 11 Oct 2023 at 16:04, Jarkko Sakkinen <jarkko@kernel.org> wrote: > > On Wed, 2023-10-11 at 13:12 +0300, Jarkko Sakkinen wrote: > > On Wed, 2023-10-11 at 11:27 +0530, Sumit Garg wrote: > > > On Wed, 11 Oct 2023 at 04:46, Jarkko Sakkinen <jarkko@kernel.org> wrote: > > > > > > > > Do bind neither static calls nor trusted_key_exit() before a successful > > > > init, in order to maintain a consistent state. In addition, depart the > > > > init_trusted() in the case of a real error (i.e. getting back something > > > > else than -ENODEV). > > > > > > > > Reported-by: Linus Torvalds <torvalds@linux-foundation.org> > > > > Closes: https://lore.kernel.org/linux-integrity/CAHk-=whOPoLaWM8S8GgoOPT7a2+nMH5h3TLKtn=R_3w4R1_Uvg@mail.gmail.com/ > > > > Cc: stable@vger.kernel.org # v5.13+ > > > > Fixes: 5d0682be3189 ("KEYS: trusted: Add generic trusted keys framework") > > > > Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org> > > > > --- > > > > security/keys/trusted-keys/trusted_core.c | 20 ++++++++++---------- > > > > 1 file changed, 10 insertions(+), 10 deletions(-) > > > > > > > > diff --git a/security/keys/trusted-keys/trusted_core.c b/security/keys/trusted-keys/trusted_core.c > > > > index 85fb5c22529a..fee1ab2c734d 100644 > > > > --- a/security/keys/trusted-keys/trusted_core.c > > > > +++ b/security/keys/trusted-keys/trusted_core.c > > > > @@ -358,17 +358,17 @@ static int __init init_trusted(void) > > > > if (!get_random) > > > > get_random = kernel_get_random; > > > > > > > > - static_call_update(trusted_key_seal, > > > > - trusted_key_sources[i].ops->seal); > > > > - static_call_update(trusted_key_unseal, > > > > - trusted_key_sources[i].ops->unseal); > > > > - static_call_update(trusted_key_get_random, > > > > - get_random); > > > > - trusted_key_exit = trusted_key_sources[i].ops->exit; > > > > - migratable = trusted_key_sources[i].ops->migratable; > > > > - > > > > ret = trusted_key_sources[i].ops->init(); > > > > - if (!ret) > > > > + if (!ret) { > > > > + static_call_update(trusted_key_seal, trusted_key_sources[i].ops->seal); > > > > + static_call_update(trusted_key_unseal, trusted_key_sources[i].ops->unseal); > > > > + static_call_update(trusted_key_get_random, get_random); > > > > + > > > > + trusted_key_exit = trusted_key_sources[i].ops->exit; > > > > + migratable = trusted_key_sources[i].ops->migratable; > > > > + } > > > > + > > > > + if (!ret || ret != -ENODEV) > > > > > > As mentioned in the other thread, we should allow other trust sources > > > to be initialized if the primary one fails. > > > > I sent the patch before I received that response but here's what you > > wrote: > > > > "We should give other trust sources a chance to register for trusted > > keys if the primary one fails." > > > > 1. This condition is lacking an inline comment. > > 2. Neither this response or the one that you pointed out has any > > explanation why for any system failure the process should > > continue. > > > > You should really know the situations (e.g. list of posix error > > code) when the process can continue and "allow list" those. This > > way way too abstract. It cannot be let all possible system failures > > pass. > > And it would nice if it printed out something for legit cases. Like > "no device found" etc. And for rest it must really withdraw the whole > process. IMO, it would be quite tricky to come up with an allow list. Can we keep "EACCES", "EPERM", "ENOTSUPP" etc in that allow list? I think these are all debatable. The original intention to iterate through the trust source list was to allow a single Linux kernel binary to support platforms with varying trust sources (one or choose one from multiple) available. IMO, any restriction on the basis of error codes here since we can't predict them correctly may forfeit this intended use-case. -Sumit > > BR, Jarkko
On Wed, 2023-10-11 at 17:47 +0530, Sumit Garg wrote: > On Wed, 11 Oct 2023 at 16:04, Jarkko Sakkinen <jarkko@kernel.org> wrote: > > > > On Wed, 2023-10-11 at 13:12 +0300, Jarkko Sakkinen wrote: > > > On Wed, 2023-10-11 at 11:27 +0530, Sumit Garg wrote: > > > > On Wed, 11 Oct 2023 at 04:46, Jarkko Sakkinen <jarkko@kernel.org> wrote: > > > > > > > > > > Do bind neither static calls nor trusted_key_exit() before a successful > > > > > init, in order to maintain a consistent state. In addition, depart the > > > > > init_trusted() in the case of a real error (i.e. getting back something > > > > > else than -ENODEV). > > > > > > > > > > Reported-by: Linus Torvalds <torvalds@linux-foundation.org> > > > > > Closes: https://lore.kernel.org/linux-integrity/CAHk-=whOPoLaWM8S8GgoOPT7a2+nMH5h3TLKtn=R_3w4R1_Uvg@mail.gmail.com/ > > > > > Cc: stable@vger.kernel.org # v5.13+ > > > > > Fixes: 5d0682be3189 ("KEYS: trusted: Add generic trusted keys framework") > > > > > Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org> > > > > > --- > > > > > security/keys/trusted-keys/trusted_core.c | 20 ++++++++++---------- > > > > > 1 file changed, 10 insertions(+), 10 deletions(-) > > > > > > > > > > diff --git a/security/keys/trusted-keys/trusted_core.c b/security/keys/trusted-keys/trusted_core.c > > > > > index 85fb5c22529a..fee1ab2c734d 100644 > > > > > --- a/security/keys/trusted-keys/trusted_core.c > > > > > +++ b/security/keys/trusted-keys/trusted_core.c > > > > > @@ -358,17 +358,17 @@ static int __init init_trusted(void) > > > > > if (!get_random) > > > > > get_random = kernel_get_random; > > > > > > > > > > - static_call_update(trusted_key_seal, > > > > > - trusted_key_sources[i].ops->seal); > > > > > - static_call_update(trusted_key_unseal, > > > > > - trusted_key_sources[i].ops->unseal); > > > > > - static_call_update(trusted_key_get_random, > > > > > - get_random); > > > > > - trusted_key_exit = trusted_key_sources[i].ops->exit; > > > > > - migratable = trusted_key_sources[i].ops->migratable; > > > > > - > > > > > ret = trusted_key_sources[i].ops->init(); > > > > > - if (!ret) > > > > > + if (!ret) { > > > > > + static_call_update(trusted_key_seal, trusted_key_sources[i].ops->seal); > > > > > + static_call_update(trusted_key_unseal, trusted_key_sources[i].ops->unseal); > > > > > + static_call_update(trusted_key_get_random, get_random); > > > > > + > > > > > + trusted_key_exit = trusted_key_sources[i].ops->exit; > > > > > + migratable = trusted_key_sources[i].ops->migratable; > > > > > + } > > > > > + > > > > > + if (!ret || ret != -ENODEV) > > > > > > > > As mentioned in the other thread, we should allow other trust sources > > > > to be initialized if the primary one fails. > > > > > > I sent the patch before I received that response but here's what you > > > wrote: > > > > > > "We should give other trust sources a chance to register for trusted > > > keys if the primary one fails." > > > > > > 1. This condition is lacking an inline comment. > > > 2. Neither this response or the one that you pointed out has any > > > explanation why for any system failure the process should > > > continue. > > > > > > You should really know the situations (e.g. list of posix error > > > code) when the process can continue and "allow list" those. This > > > way way too abstract. It cannot be let all possible system failures > > > pass. > > > > And it would nice if it printed out something for legit cases. Like > > "no device found" etc. And for rest it must really withdraw the whole > > process. > > IMO, it would be quite tricky to come up with an allow list. Can we > keep "EACCES", "EPERM", "ENOTSUPP" etc in that allow list? I think > these are all debatable. Yes, that does sounds reasonable. About the debate. Well, it is better eagerly block and tree falls down somewhere we can consider extending the list through a fix. This all wide open is worse than a few glitches somewhere, which are trivial to fix. BR, Jarkko
On Wed, 11 Oct 2023 at 18:07, Jarkko Sakkinen <jarkko@kernel.org> wrote: > > On Wed, 2023-10-11 at 17:47 +0530, Sumit Garg wrote: > > On Wed, 11 Oct 2023 at 16:04, Jarkko Sakkinen <jarkko@kernel.org> wrote: > > > > > > On Wed, 2023-10-11 at 13:12 +0300, Jarkko Sakkinen wrote: > > > > On Wed, 2023-10-11 at 11:27 +0530, Sumit Garg wrote: > > > > > On Wed, 11 Oct 2023 at 04:46, Jarkko Sakkinen <jarkko@kernel.org> wrote: > > > > > > > > > > > > Do bind neither static calls nor trusted_key_exit() before a successful > > > > > > init, in order to maintain a consistent state. In addition, depart the > > > > > > init_trusted() in the case of a real error (i.e. getting back something > > > > > > else than -ENODEV). > > > > > > > > > > > > Reported-by: Linus Torvalds <torvalds@linux-foundation.org> > > > > > > Closes: https://lore.kernel.org/linux-integrity/CAHk-=whOPoLaWM8S8GgoOPT7a2+nMH5h3TLKtn=R_3w4R1_Uvg@mail.gmail.com/ > > > > > > Cc: stable@vger.kernel.org # v5.13+ > > > > > > Fixes: 5d0682be3189 ("KEYS: trusted: Add generic trusted keys framework") > > > > > > Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org> > > > > > > --- > > > > > > security/keys/trusted-keys/trusted_core.c | 20 ++++++++++---------- > > > > > > 1 file changed, 10 insertions(+), 10 deletions(-) > > > > > > > > > > > > diff --git a/security/keys/trusted-keys/trusted_core.c b/security/keys/trusted-keys/trusted_core.c > > > > > > index 85fb5c22529a..fee1ab2c734d 100644 > > > > > > --- a/security/keys/trusted-keys/trusted_core.c > > > > > > +++ b/security/keys/trusted-keys/trusted_core.c > > > > > > @@ -358,17 +358,17 @@ static int __init init_trusted(void) > > > > > > if (!get_random) > > > > > > get_random = kernel_get_random; > > > > > > > > > > > > - static_call_update(trusted_key_seal, > > > > > > - trusted_key_sources[i].ops->seal); > > > > > > - static_call_update(trusted_key_unseal, > > > > > > - trusted_key_sources[i].ops->unseal); > > > > > > - static_call_update(trusted_key_get_random, > > > > > > - get_random); > > > > > > - trusted_key_exit = trusted_key_sources[i].ops->exit; > > > > > > - migratable = trusted_key_sources[i].ops->migratable; > > > > > > - > > > > > > ret = trusted_key_sources[i].ops->init(); > > > > > > - if (!ret) > > > > > > + if (!ret) { > > > > > > + static_call_update(trusted_key_seal, trusted_key_sources[i].ops->seal); > > > > > > + static_call_update(trusted_key_unseal, trusted_key_sources[i].ops->unseal); > > > > > > + static_call_update(trusted_key_get_random, get_random); > > > > > > + > > > > > > + trusted_key_exit = trusted_key_sources[i].ops->exit; > > > > > > + migratable = trusted_key_sources[i].ops->migratable; > > > > > > + } > > > > > > + > > > > > > + if (!ret || ret != -ENODEV) > > > > > > > > > > As mentioned in the other thread, we should allow other trust sources > > > > > to be initialized if the primary one fails. > > > > > > > > I sent the patch before I received that response but here's what you > > > > wrote: > > > > > > > > "We should give other trust sources a chance to register for trusted > > > > keys if the primary one fails." > > > > > > > > 1. This condition is lacking an inline comment. > > > > 2. Neither this response or the one that you pointed out has any > > > > explanation why for any system failure the process should > > > > continue. > > > > > > > > You should really know the situations (e.g. list of posix error > > > > code) when the process can continue and "allow list" those. This > > > > way way too abstract. It cannot be let all possible system failures > > > > pass. > > > > > > And it would nice if it printed out something for legit cases. Like > > > "no device found" etc. And for rest it must really withdraw the whole > > > process. > > > > IMO, it would be quite tricky to come up with an allow list. Can we > > keep "EACCES", "EPERM", "ENOTSUPP" etc in that allow list? I think > > these are all debatable. > > Yes, that does sounds reasonable. > > About the debate. Well, it is better eagerly block and tree falls down > somewhere we can consider extending the list through a fix. > > This all wide open is worse than a few glitches somewhere, which are > trivial to fix. > Fair enough, I would suggest we document it appropriately such that it is clear to the users or somebody looking at the code. -Sumit > BR, Jarkko
On Wed, 2023-10-11 at 18:25 +0530, Sumit Garg wrote: > On Wed, 11 Oct 2023 at 18:07, Jarkko Sakkinen <jarkko@kernel.org> wrote: > > > > On Wed, 2023-10-11 at 17:47 +0530, Sumit Garg wrote: > > > On Wed, 11 Oct 2023 at 16:04, Jarkko Sakkinen <jarkko@kernel.org> wrote: > > > > > > > > On Wed, 2023-10-11 at 13:12 +0300, Jarkko Sakkinen wrote: > > > > > On Wed, 2023-10-11 at 11:27 +0530, Sumit Garg wrote: > > > > > > On Wed, 11 Oct 2023 at 04:46, Jarkko Sakkinen <jarkko@kernel.org> wrote: > > > > > > > > > > > > > > Do bind neither static calls nor trusted_key_exit() before a successful > > > > > > > init, in order to maintain a consistent state. In addition, depart the > > > > > > > init_trusted() in the case of a real error (i.e. getting back something > > > > > > > else than -ENODEV). > > > > > > > > > > > > > > Reported-by: Linus Torvalds <torvalds@linux-foundation.org> > > > > > > > Closes: https://lore.kernel.org/linux-integrity/CAHk-=whOPoLaWM8S8GgoOPT7a2+nMH5h3TLKtn=R_3w4R1_Uvg@mail.gmail.com/ > > > > > > > Cc: stable@vger.kernel.org # v5.13+ > > > > > > > Fixes: 5d0682be3189 ("KEYS: trusted: Add generic trusted keys framework") > > > > > > > Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org> > > > > > > > --- > > > > > > > security/keys/trusted-keys/trusted_core.c | 20 ++++++++++---------- > > > > > > > 1 file changed, 10 insertions(+), 10 deletions(-) > > > > > > > > > > > > > > diff --git a/security/keys/trusted-keys/trusted_core.c b/security/keys/trusted-keys/trusted_core.c > > > > > > > index 85fb5c22529a..fee1ab2c734d 100644 > > > > > > > --- a/security/keys/trusted-keys/trusted_core.c > > > > > > > +++ b/security/keys/trusted-keys/trusted_core.c > > > > > > > @@ -358,17 +358,17 @@ static int __init init_trusted(void) > > > > > > > if (!get_random) > > > > > > > get_random = kernel_get_random; > > > > > > > > > > > > > > - static_call_update(trusted_key_seal, > > > > > > > - trusted_key_sources[i].ops->seal); > > > > > > > - static_call_update(trusted_key_unseal, > > > > > > > - trusted_key_sources[i].ops->unseal); > > > > > > > - static_call_update(trusted_key_get_random, > > > > > > > - get_random); > > > > > > > - trusted_key_exit = trusted_key_sources[i].ops->exit; > > > > > > > - migratable = trusted_key_sources[i].ops->migratable; > > > > > > > - > > > > > > > ret = trusted_key_sources[i].ops->init(); > > > > > > > - if (!ret) > > > > > > > + if (!ret) { > > > > > > > + static_call_update(trusted_key_seal, trusted_key_sources[i].ops->seal); > > > > > > > + static_call_update(trusted_key_unseal, trusted_key_sources[i].ops->unseal); > > > > > > > + static_call_update(trusted_key_get_random, get_random); > > > > > > > + > > > > > > > + trusted_key_exit = trusted_key_sources[i].ops->exit; > > > > > > > + migratable = trusted_key_sources[i].ops->migratable; > > > > > > > + } > > > > > > > + > > > > > > > + if (!ret || ret != -ENODEV) > > > > > > > > > > > > As mentioned in the other thread, we should allow other trust sources > > > > > > to be initialized if the primary one fails. > > > > > > > > > > I sent the patch before I received that response but here's what you > > > > > wrote: > > > > > > > > > > "We should give other trust sources a chance to register for trusted > > > > > keys if the primary one fails." > > > > > > > > > > 1. This condition is lacking an inline comment. > > > > > 2. Neither this response or the one that you pointed out has any > > > > > explanation why for any system failure the process should > > > > > continue. > > > > > > > > > > You should really know the situations (e.g. list of posix error > > > > > code) when the process can continue and "allow list" those. This > > > > > way way too abstract. It cannot be let all possible system failures > > > > > pass. > > > > > > > > And it would nice if it printed out something for legit cases. Like > > > > "no device found" etc. And for rest it must really withdraw the whole > > > > process. > > > > > > IMO, it would be quite tricky to come up with an allow list. Can we > > > keep "EACCES", "EPERM", "ENOTSUPP" etc in that allow list? I think > > > these are all debatable. > > > > Yes, that does sounds reasonable. > > > > About the debate. Well, it is better eagerly block and tree falls down > > somewhere we can consider extending the list through a fix. > > > > This all wide open is worse than a few glitches somewhere, which are > > trivial to fix. > > > > Fair enough, I would suggest we document it appropriately such that it > is clear to the users or somebody looking at the code. I went throught the backends on how they implement init: 1. Returns -ENODEV when it does not exist. 2. Calls driver_register(). Something is wrong enough if that fails to rollback the whole procedure. 3. TPM: -ENODEV Therefore, I would keep in the existing patch since there is no weird uapi visible legacy behavior to support in the first place. And for that reason there is no good reason to have all those four POSIX rc's in the list. BR, Jarkko
On Wed, 2023-10-11 at 16:06 +0300, Jarkko Sakkinen wrote: > On Wed, 2023-10-11 at 18:25 +0530, Sumit Garg wrote: > > On Wed, 11 Oct 2023 at 18:07, Jarkko Sakkinen <jarkko@kernel.org> wrote: > > > > > > On Wed, 2023-10-11 at 17:47 +0530, Sumit Garg wrote: > > > > On Wed, 11 Oct 2023 at 16:04, Jarkko Sakkinen <jarkko@kernel.org> wrote: > > > > > > > > > > On Wed, 2023-10-11 at 13:12 +0300, Jarkko Sakkinen wrote: > > > > > > On Wed, 2023-10-11 at 11:27 +0530, Sumit Garg wrote: > > > > > > > On Wed, 11 Oct 2023 at 04:46, Jarkko Sakkinen <jarkko@kernel.org> wrote: > > > > > > > > > > > > > > > > Do bind neither static calls nor trusted_key_exit() before a successful > > > > > > > > init, in order to maintain a consistent state. In addition, depart the > > > > > > > > init_trusted() in the case of a real error (i.e. getting back something > > > > > > > > else than -ENODEV). > > > > > > > > > > > > > > > > Reported-by: Linus Torvalds <torvalds@linux-foundation.org> > > > > > > > > Closes: https://lore.kernel.org/linux-integrity/CAHk-=whOPoLaWM8S8GgoOPT7a2+nMH5h3TLKtn=R_3w4R1_Uvg@mail.gmail.com/ > > > > > > > > Cc: stable@vger.kernel.org # v5.13+ > > > > > > > > Fixes: 5d0682be3189 ("KEYS: trusted: Add generic trusted keys framework") > > > > > > > > Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org> > > > > > > > > --- > > > > > > > > security/keys/trusted-keys/trusted_core.c | 20 ++++++++++---------- > > > > > > > > 1 file changed, 10 insertions(+), 10 deletions(-) > > > > > > > > > > > > > > > > diff --git a/security/keys/trusted-keys/trusted_core.c b/security/keys/trusted-keys/trusted_core.c > > > > > > > > index 85fb5c22529a..fee1ab2c734d 100644 > > > > > > > > --- a/security/keys/trusted-keys/trusted_core.c > > > > > > > > +++ b/security/keys/trusted-keys/trusted_core.c > > > > > > > > @@ -358,17 +358,17 @@ static int __init init_trusted(void) > > > > > > > > if (!get_random) > > > > > > > > get_random = kernel_get_random; > > > > > > > > > > > > > > > > - static_call_update(trusted_key_seal, > > > > > > > > - trusted_key_sources[i].ops->seal); > > > > > > > > - static_call_update(trusted_key_unseal, > > > > > > > > - trusted_key_sources[i].ops->unseal); > > > > > > > > - static_call_update(trusted_key_get_random, > > > > > > > > - get_random); > > > > > > > > - trusted_key_exit = trusted_key_sources[i].ops->exit; > > > > > > > > - migratable = trusted_key_sources[i].ops->migratable; > > > > > > > > - > > > > > > > > ret = trusted_key_sources[i].ops->init(); > > > > > > > > - if (!ret) > > > > > > > > + if (!ret) { > > > > > > > > + static_call_update(trusted_key_seal, trusted_key_sources[i].ops->seal); > > > > > > > > + static_call_update(trusted_key_unseal, trusted_key_sources[i].ops->unseal); > > > > > > > > + static_call_update(trusted_key_get_random, get_random); > > > > > > > > + > > > > > > > > + trusted_key_exit = trusted_key_sources[i].ops->exit; > > > > > > > > + migratable = trusted_key_sources[i].ops->migratable; > > > > > > > > + } > > > > > > > > + > > > > > > > > + if (!ret || ret != -ENODEV) > > > > > > > > > > > > > > As mentioned in the other thread, we should allow other trust sources > > > > > > > to be initialized if the primary one fails. > > > > > > > > > > > > I sent the patch before I received that response but here's what you > > > > > > wrote: > > > > > > > > > > > > "We should give other trust sources a chance to register for trusted > > > > > > keys if the primary one fails." > > > > > > > > > > > > 1. This condition is lacking an inline comment. > > > > > > 2. Neither this response or the one that you pointed out has any > > > > > > explanation why for any system failure the process should > > > > > > continue. > > > > > > > > > > > > You should really know the situations (e.g. list of posix error > > > > > > code) when the process can continue and "allow list" those. This > > > > > > way way too abstract. It cannot be let all possible system failures > > > > > > pass. > > > > > > > > > > And it would nice if it printed out something for legit cases. Like > > > > > "no device found" etc. And for rest it must really withdraw the whole > > > > > process. > > > > > > > > IMO, it would be quite tricky to come up with an allow list. Can we > > > > keep "EACCES", "EPERM", "ENOTSUPP" etc in that allow list? I think > > > > these are all debatable. > > > > > > Yes, that does sounds reasonable. > > > > > > About the debate. Well, it is better eagerly block and tree falls down > > > somewhere we can consider extending the list through a fix. > > > > > > This all wide open is worse than a few glitches somewhere, which are > > > trivial to fix. > > > > > > > Fair enough, I would suggest we document it appropriately such that it > > is clear to the users or somebody looking at the code. > > I went throught the backends on how they implement init: > > CAAM: > 1. Returns -ENODEV when it does not exist. TEE: > 2. Calls driver_register(). Something is wrong enough if that > fails to rollback the whole procedure. > 3. TPM: -ENODEV BR, Jarkko
On Wed, 11 Oct 2023 at 18:36, Jarkko Sakkinen <jarkko@kernel.org> wrote: > > On Wed, 2023-10-11 at 18:25 +0530, Sumit Garg wrote: > > On Wed, 11 Oct 2023 at 18:07, Jarkko Sakkinen <jarkko@kernel.org> wrote: > > > > > > On Wed, 2023-10-11 at 17:47 +0530, Sumit Garg wrote: > > > > On Wed, 11 Oct 2023 at 16:04, Jarkko Sakkinen <jarkko@kernel.org> wrote: > > > > > > > > > > On Wed, 2023-10-11 at 13:12 +0300, Jarkko Sakkinen wrote: > > > > > > On Wed, 2023-10-11 at 11:27 +0530, Sumit Garg wrote: > > > > > > > On Wed, 11 Oct 2023 at 04:46, Jarkko Sakkinen <jarkko@kernel.org> wrote: > > > > > > > > > > > > > > > > Do bind neither static calls nor trusted_key_exit() before a successful > > > > > > > > init, in order to maintain a consistent state. In addition, depart the > > > > > > > > init_trusted() in the case of a real error (i.e. getting back something > > > > > > > > else than -ENODEV). > > > > > > > > > > > > > > > > Reported-by: Linus Torvalds <torvalds@linux-foundation.org> > > > > > > > > Closes: https://lore.kernel.org/linux-integrity/CAHk-=whOPoLaWM8S8GgoOPT7a2+nMH5h3TLKtn=R_3w4R1_Uvg@mail.gmail.com/ > > > > > > > > Cc: stable@vger.kernel.org # v5.13+ > > > > > > > > Fixes: 5d0682be3189 ("KEYS: trusted: Add generic trusted keys framework") > > > > > > > > Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org> > > > > > > > > --- > > > > > > > > security/keys/trusted-keys/trusted_core.c | 20 ++++++++++---------- > > > > > > > > 1 file changed, 10 insertions(+), 10 deletions(-) > > > > > > > > > > > > > > > > diff --git a/security/keys/trusted-keys/trusted_core.c b/security/keys/trusted-keys/trusted_core.c > > > > > > > > index 85fb5c22529a..fee1ab2c734d 100644 > > > > > > > > --- a/security/keys/trusted-keys/trusted_core.c > > > > > > > > +++ b/security/keys/trusted-keys/trusted_core.c > > > > > > > > @@ -358,17 +358,17 @@ static int __init init_trusted(void) > > > > > > > > if (!get_random) > > > > > > > > get_random = kernel_get_random; > > > > > > > > > > > > > > > > - static_call_update(trusted_key_seal, > > > > > > > > - trusted_key_sources[i].ops->seal); > > > > > > > > - static_call_update(trusted_key_unseal, > > > > > > > > - trusted_key_sources[i].ops->unseal); > > > > > > > > - static_call_update(trusted_key_get_random, > > > > > > > > - get_random); > > > > > > > > - trusted_key_exit = trusted_key_sources[i].ops->exit; > > > > > > > > - migratable = trusted_key_sources[i].ops->migratable; > > > > > > > > - > > > > > > > > ret = trusted_key_sources[i].ops->init(); > > > > > > > > - if (!ret) > > > > > > > > + if (!ret) { > > > > > > > > + static_call_update(trusted_key_seal, trusted_key_sources[i].ops->seal); > > > > > > > > + static_call_update(trusted_key_unseal, trusted_key_sources[i].ops->unseal); > > > > > > > > + static_call_update(trusted_key_get_random, get_random); > > > > > > > > + > > > > > > > > + trusted_key_exit = trusted_key_sources[i].ops->exit; > > > > > > > > + migratable = trusted_key_sources[i].ops->migratable; > > > > > > > > + } > > > > > > > > + > > > > > > > > + if (!ret || ret != -ENODEV) > > > > > > > > > > > > > > As mentioned in the other thread, we should allow other trust sources > > > > > > > to be initialized if the primary one fails. > > > > > > > > > > > > I sent the patch before I received that response but here's what you > > > > > > wrote: > > > > > > > > > > > > "We should give other trust sources a chance to register for trusted > > > > > > keys if the primary one fails." > > > > > > > > > > > > 1. This condition is lacking an inline comment. > > > > > > 2. Neither this response or the one that you pointed out has any > > > > > > explanation why for any system failure the process should > > > > > > continue. > > > > > > > > > > > > You should really know the situations (e.g. list of posix error > > > > > > code) when the process can continue and "allow list" those. This > > > > > > way way too abstract. It cannot be let all possible system failures > > > > > > pass. > > > > > > > > > > And it would nice if it printed out something for legit cases. Like > > > > > "no device found" etc. And for rest it must really withdraw the whole > > > > > process. > > > > > > > > IMO, it would be quite tricky to come up with an allow list. Can we > > > > keep "EACCES", "EPERM", "ENOTSUPP" etc in that allow list? I think > > > > these are all debatable. > > > > > > Yes, that does sounds reasonable. > > > > > > About the debate. Well, it is better eagerly block and tree falls down > > > somewhere we can consider extending the list through a fix. > > > > > > This all wide open is worse than a few glitches somewhere, which are > > > trivial to fix. > > > > > > > Fair enough, I would suggest we document it appropriately such that it > > is clear to the users or somebody looking at the code. > > I went throught the backends on how they implement init: > > 1. Returns -ENODEV when it does not exist. > 2. Calls driver_register(). Something is wrong enough if that > fails to rollback the whole procedure. > 3. TPM: -ENODEV > > Therefore, I would keep in the existing patch since there is no weird > uapi visible legacy behavior to support in the first place. And for > that reason there is no good reason to have all those four POSIX rc's > in the list. Okay I can live with this patch as long as it doesn't break the intended use-case. -Sumit > > BR, Jarkko > >
On Wed, 2023-10-11 at 19:12 +0530, Sumit Garg wrote: > On Wed, 11 Oct 2023 at 18:36, Jarkko Sakkinen <jarkko@kernel.org> wrote: > > > > On Wed, 2023-10-11 at 18:25 +0530, Sumit Garg wrote: > > > On Wed, 11 Oct 2023 at 18:07, Jarkko Sakkinen <jarkko@kernel.org> wrote: > > > > > > > > On Wed, 2023-10-11 at 17:47 +0530, Sumit Garg wrote: > > > > > On Wed, 11 Oct 2023 at 16:04, Jarkko Sakkinen <jarkko@kernel.org> wrote: > > > > > > > > > > > > On Wed, 2023-10-11 at 13:12 +0300, Jarkko Sakkinen wrote: > > > > > > > On Wed, 2023-10-11 at 11:27 +0530, Sumit Garg wrote: > > > > > > > > On Wed, 11 Oct 2023 at 04:46, Jarkko Sakkinen <jarkko@kernel.org> wrote: > > > > > > > > > > > > > > > > > > Do bind neither static calls nor trusted_key_exit() before a successful > > > > > > > > > init, in order to maintain a consistent state. In addition, depart the > > > > > > > > > init_trusted() in the case of a real error (i.e. getting back something > > > > > > > > > else than -ENODEV). > > > > > > > > > > > > > > > > > > Reported-by: Linus Torvalds <torvalds@linux-foundation.org> > > > > > > > > > Closes: https://lore.kernel.org/linux-integrity/CAHk-=whOPoLaWM8S8GgoOPT7a2+nMH5h3TLKtn=R_3w4R1_Uvg@mail.gmail.com/ > > > > > > > > > Cc: stable@vger.kernel.org # v5.13+ > > > > > > > > > Fixes: 5d0682be3189 ("KEYS: trusted: Add generic trusted keys framework") > > > > > > > > > Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org> > > > > > > > > > --- > > > > > > > > > security/keys/trusted-keys/trusted_core.c | 20 ++++++++++---------- > > > > > > > > > 1 file changed, 10 insertions(+), 10 deletions(-) > > > > > > > > > > > > > > > > > > diff --git a/security/keys/trusted-keys/trusted_core.c b/security/keys/trusted-keys/trusted_core.c > > > > > > > > > index 85fb5c22529a..fee1ab2c734d 100644 > > > > > > > > > --- a/security/keys/trusted-keys/trusted_core.c > > > > > > > > > +++ b/security/keys/trusted-keys/trusted_core.c > > > > > > > > > @@ -358,17 +358,17 @@ static int __init init_trusted(void) > > > > > > > > > if (!get_random) > > > > > > > > > get_random = kernel_get_random; > > > > > > > > > > > > > > > > > > - static_call_update(trusted_key_seal, > > > > > > > > > - trusted_key_sources[i].ops->seal); > > > > > > > > > - static_call_update(trusted_key_unseal, > > > > > > > > > - trusted_key_sources[i].ops->unseal); > > > > > > > > > - static_call_update(trusted_key_get_random, > > > > > > > > > - get_random); > > > > > > > > > - trusted_key_exit = trusted_key_sources[i].ops->exit; > > > > > > > > > - migratable = trusted_key_sources[i].ops->migratable; > > > > > > > > > - > > > > > > > > > ret = trusted_key_sources[i].ops->init(); > > > > > > > > > - if (!ret) > > > > > > > > > + if (!ret) { > > > > > > > > > + static_call_update(trusted_key_seal, trusted_key_sources[i].ops->seal); > > > > > > > > > + static_call_update(trusted_key_unseal, trusted_key_sources[i].ops->unseal); > > > > > > > > > + static_call_update(trusted_key_get_random, get_random); > > > > > > > > > + > > > > > > > > > + trusted_key_exit = trusted_key_sources[i].ops->exit; > > > > > > > > > + migratable = trusted_key_sources[i].ops->migratable; > > > > > > > > > + } > > > > > > > > > + > > > > > > > > > + if (!ret || ret != -ENODEV) > > > > > > > > > > > > > > > > As mentioned in the other thread, we should allow other trust sources > > > > > > > > to be initialized if the primary one fails. > > > > > > > > > > > > > > I sent the patch before I received that response but here's what you > > > > > > > wrote: > > > > > > > > > > > > > > "We should give other trust sources a chance to register for trusted > > > > > > > keys if the primary one fails." > > > > > > > > > > > > > > 1. This condition is lacking an inline comment. > > > > > > > 2. Neither this response or the one that you pointed out has any > > > > > > > explanation why for any system failure the process should > > > > > > > continue. > > > > > > > > > > > > > > You should really know the situations (e.g. list of posix error > > > > > > > code) when the process can continue and "allow list" those. This > > > > > > > way way too abstract. It cannot be let all possible system failures > > > > > > > pass. > > > > > > > > > > > > And it would nice if it printed out something for legit cases. Like > > > > > > "no device found" etc. And for rest it must really withdraw the whole > > > > > > process. > > > > > > > > > > IMO, it would be quite tricky to come up with an allow list. Can we > > > > > keep "EACCES", "EPERM", "ENOTSUPP" etc in that allow list? I think > > > > > these are all debatable. > > > > > > > > Yes, that does sounds reasonable. > > > > > > > > About the debate. Well, it is better eagerly block and tree falls down > > > > somewhere we can consider extending the list through a fix. > > > > > > > > This all wide open is worse than a few glitches somewhere, which are > > > > trivial to fix. > > > > > > > > > > Fair enough, I would suggest we document it appropriately such that it > > > is clear to the users or somebody looking at the code. > > > > I went throught the backends on how they implement init: > > > > 1. Returns -ENODEV when it does not exist. > > 2. Calls driver_register(). Something is wrong enough if that > > fails to rollback the whole procedure. > > 3. TPM: -ENODEV > > > > Therefore, I would keep in the existing patch since there is no weird > > uapi visible legacy behavior to support in the first place. And for > > that reason there is no good reason to have all those four POSIX rc's > > in the list. > > Okay I can live with this patch as long as it doesn't break the > intended use-case. Well this sort of policy has been already existing for some time: /* * encrypted_keys.ko depends on successful load of this module even if * trusted key implementation is not found. */ if (ret == -ENODEV) return 0; If we would need a list of error codes, then this is also incorrect implementation because the error codes that you listed should be also success cases. BR, Jarkko
On Wed, 2023-10-11 at 16:55 +0300, Jarkko Sakkinen wrote: > On Wed, 2023-10-11 at 19:12 +0530, Sumit Garg wrote: > > On Wed, 11 Oct 2023 at 18:36, Jarkko Sakkinen <jarkko@kernel.org> wrote: > > > > > > On Wed, 2023-10-11 at 18:25 +0530, Sumit Garg wrote: > > > > On Wed, 11 Oct 2023 at 18:07, Jarkko Sakkinen <jarkko@kernel.org> wrote: > > > > > > > > > > On Wed, 2023-10-11 at 17:47 +0530, Sumit Garg wrote: > > > > > > On Wed, 11 Oct 2023 at 16:04, Jarkko Sakkinen <jarkko@kernel.org> wrote: > > > > > > > > > > > > > > On Wed, 2023-10-11 at 13:12 +0300, Jarkko Sakkinen wrote: > > > > > > > > On Wed, 2023-10-11 at 11:27 +0530, Sumit Garg wrote: > > > > > > > > > On Wed, 11 Oct 2023 at 04:46, Jarkko Sakkinen <jarkko@kernel.org> wrote: > > > > > > > > > > > > > > > > > > > > Do bind neither static calls nor trusted_key_exit() before a successful > > > > > > > > > > init, in order to maintain a consistent state. In addition, depart the > > > > > > > > > > init_trusted() in the case of a real error (i.e. getting back something > > > > > > > > > > else than -ENODEV). > > > > > > > > > > > > > > > > > > > > Reported-by: Linus Torvalds <torvalds@linux-foundation.org> > > > > > > > > > > Closes: https://lore.kernel.org/linux-integrity/CAHk-=whOPoLaWM8S8GgoOPT7a2+nMH5h3TLKtn=R_3w4R1_Uvg@mail.gmail.com/ > > > > > > > > > > Cc: stable@vger.kernel.org # v5.13+ > > > > > > > > > > Fixes: 5d0682be3189 ("KEYS: trusted: Add generic trusted keys framework") > > > > > > > > > > Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org> > > > > > > > > > > --- > > > > > > > > > > security/keys/trusted-keys/trusted_core.c | 20 ++++++++++---------- > > > > > > > > > > 1 file changed, 10 insertions(+), 10 deletions(-) > > > > > > > > > > > > > > > > > > > > diff --git a/security/keys/trusted-keys/trusted_core.c b/security/keys/trusted-keys/trusted_core.c > > > > > > > > > > index 85fb5c22529a..fee1ab2c734d 100644 > > > > > > > > > > --- a/security/keys/trusted-keys/trusted_core.c > > > > > > > > > > +++ b/security/keys/trusted-keys/trusted_core.c > > > > > > > > > > @@ -358,17 +358,17 @@ static int __init init_trusted(void) > > > > > > > > > > if (!get_random) > > > > > > > > > > get_random = kernel_get_random; > > > > > > > > > > > > > > > > > > > > - static_call_update(trusted_key_seal, > > > > > > > > > > - trusted_key_sources[i].ops->seal); > > > > > > > > > > - static_call_update(trusted_key_unseal, > > > > > > > > > > - trusted_key_sources[i].ops->unseal); > > > > > > > > > > - static_call_update(trusted_key_get_random, > > > > > > > > > > - get_random); > > > > > > > > > > - trusted_key_exit = trusted_key_sources[i].ops->exit; > > > > > > > > > > - migratable = trusted_key_sources[i].ops->migratable; > > > > > > > > > > - > > > > > > > > > > ret = trusted_key_sources[i].ops->init(); > > > > > > > > > > - if (!ret) > > > > > > > > > > + if (!ret) { > > > > > > > > > > + static_call_update(trusted_key_seal, trusted_key_sources[i].ops->seal); > > > > > > > > > > + static_call_update(trusted_key_unseal, trusted_key_sources[i].ops->unseal); > > > > > > > > > > + static_call_update(trusted_key_get_random, get_random); > > > > > > > > > > + > > > > > > > > > > + trusted_key_exit = trusted_key_sources[i].ops->exit; > > > > > > > > > > + migratable = trusted_key_sources[i].ops->migratable; > > > > > > > > > > + } > > > > > > > > > > + > > > > > > > > > > + if (!ret || ret != -ENODEV) > > > > > > > > > > > > > > > > > > As mentioned in the other thread, we should allow other trust sources > > > > > > > > > to be initialized if the primary one fails. > > > > > > > > > > > > > > > > I sent the patch before I received that response but here's what you > > > > > > > > wrote: > > > > > > > > > > > > > > > > "We should give other trust sources a chance to register for trusted > > > > > > > > keys if the primary one fails." > > > > > > > > > > > > > > > > 1. This condition is lacking an inline comment. > > > > > > > > 2. Neither this response or the one that you pointed out has any > > > > > > > > explanation why for any system failure the process should > > > > > > > > continue. > > > > > > > > > > > > > > > > You should really know the situations (e.g. list of posix error > > > > > > > > code) when the process can continue and "allow list" those. This > > > > > > > > way way too abstract. It cannot be let all possible system failures > > > > > > > > pass. > > > > > > > > > > > > > > And it would nice if it printed out something for legit cases. Like > > > > > > > "no device found" etc. And for rest it must really withdraw the whole > > > > > > > process. > > > > > > > > > > > > IMO, it would be quite tricky to come up with an allow list. Can we > > > > > > keep "EACCES", "EPERM", "ENOTSUPP" etc in that allow list? I think > > > > > > these are all debatable. > > > > > > > > > > Yes, that does sounds reasonable. > > > > > > > > > > About the debate. Well, it is better eagerly block and tree falls down > > > > > somewhere we can consider extending the list through a fix. > > > > > > > > > > This all wide open is worse than a few glitches somewhere, which are > > > > > trivial to fix. > > > > > > > > > > > > > Fair enough, I would suggest we document it appropriately such that it > > > > is clear to the users or somebody looking at the code. > > > > > > I went throught the backends on how they implement init: > > > > > > 1. Returns -ENODEV when it does not exist. > > > 2. Calls driver_register(). Something is wrong enough if that > > > fails to rollback the whole procedure. > > > 3. TPM: -ENODEV > > > > > > Therefore, I would keep in the existing patch since there is no weird > > > uapi visible legacy behavior to support in the first place. And for > > > that reason there is no good reason to have all those four POSIX rc's > > > in the list. > > > > Okay I can live with this patch as long as it doesn't break the > > intended use-case. > > Well this sort of policy has been already existing for some time: > > /* > * encrypted_keys.ko depends on successful load of this module even if > * trusted key implementation is not found. > */ > if (ret == -ENODEV) > return 0; > > If we would need a list of error codes, then this is also incorrect > implementation because the error codes that you listed should be > also success cases. The dead obvious constraint here is that whatever error codes are processed they need to be exact same anyway right? If things fall apart you should really not continue. This is IMHO categorizes as a critical bug, not just debatable aspect on how subsystems are engineered. I.e.I do not consider this as any sort of API discussion per se. BR, Jarkko
On Wed, 11 Oct 2023 at 19:35, Jarkko Sakkinen <jarkko@kernel.org> wrote: > > On Wed, 2023-10-11 at 16:55 +0300, Jarkko Sakkinen wrote: > > On Wed, 2023-10-11 at 19:12 +0530, Sumit Garg wrote: > > > On Wed, 11 Oct 2023 at 18:36, Jarkko Sakkinen <jarkko@kernel.org> wrote: > > > > > > > > On Wed, 2023-10-11 at 18:25 +0530, Sumit Garg wrote: > > > > > On Wed, 11 Oct 2023 at 18:07, Jarkko Sakkinen <jarkko@kernel.org> wrote: > > > > > > > > > > > > On Wed, 2023-10-11 at 17:47 +0530, Sumit Garg wrote: > > > > > > > On Wed, 11 Oct 2023 at 16:04, Jarkko Sakkinen <jarkko@kernel.org> wrote: > > > > > > > > > > > > > > > > On Wed, 2023-10-11 at 13:12 +0300, Jarkko Sakkinen wrote: > > > > > > > > > On Wed, 2023-10-11 at 11:27 +0530, Sumit Garg wrote: > > > > > > > > > > On Wed, 11 Oct 2023 at 04:46, Jarkko Sakkinen <jarkko@kernel.org> wrote: > > > > > > > > > > > > > > > > > > > > > > Do bind neither static calls nor trusted_key_exit() before a successful > > > > > > > > > > > init, in order to maintain a consistent state. In addition, depart the > > > > > > > > > > > init_trusted() in the case of a real error (i.e. getting back something > > > > > > > > > > > else than -ENODEV). > > > > > > > > > > > > > > > > > > > > > > Reported-by: Linus Torvalds <torvalds@linux-foundation.org> > > > > > > > > > > > Closes: https://lore.kernel.org/linux-integrity/CAHk-=whOPoLaWM8S8GgoOPT7a2+nMH5h3TLKtn=R_3w4R1_Uvg@mail.gmail.com/ > > > > > > > > > > > Cc: stable@vger.kernel.org # v5.13+ > > > > > > > > > > > Fixes: 5d0682be3189 ("KEYS: trusted: Add generic trusted keys framework") > > > > > > > > > > > Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org> > > > > > > > > > > > --- > > > > > > > > > > > security/keys/trusted-keys/trusted_core.c | 20 ++++++++++---------- > > > > > > > > > > > 1 file changed, 10 insertions(+), 10 deletions(-) > > > > > > > > > > > > > > > > > > > > > > diff --git a/security/keys/trusted-keys/trusted_core.c b/security/keys/trusted-keys/trusted_core.c > > > > > > > > > > > index 85fb5c22529a..fee1ab2c734d 100644 > > > > > > > > > > > --- a/security/keys/trusted-keys/trusted_core.c > > > > > > > > > > > +++ b/security/keys/trusted-keys/trusted_core.c > > > > > > > > > > > @@ -358,17 +358,17 @@ static int __init init_trusted(void) > > > > > > > > > > > if (!get_random) > > > > > > > > > > > get_random = kernel_get_random; > > > > > > > > > > > > > > > > > > > > > > - static_call_update(trusted_key_seal, > > > > > > > > > > > - trusted_key_sources[i].ops->seal); > > > > > > > > > > > - static_call_update(trusted_key_unseal, > > > > > > > > > > > - trusted_key_sources[i].ops->unseal); > > > > > > > > > > > - static_call_update(trusted_key_get_random, > > > > > > > > > > > - get_random); > > > > > > > > > > > - trusted_key_exit = trusted_key_sources[i].ops->exit; > > > > > > > > > > > - migratable = trusted_key_sources[i].ops->migratable; > > > > > > > > > > > - > > > > > > > > > > > ret = trusted_key_sources[i].ops->init(); > > > > > > > > > > > - if (!ret) > > > > > > > > > > > + if (!ret) { > > > > > > > > > > > + static_call_update(trusted_key_seal, trusted_key_sources[i].ops->seal); > > > > > > > > > > > + static_call_update(trusted_key_unseal, trusted_key_sources[i].ops->unseal); > > > > > > > > > > > + static_call_update(trusted_key_get_random, get_random); > > > > > > > > > > > + > > > > > > > > > > > + trusted_key_exit = trusted_key_sources[i].ops->exit; > > > > > > > > > > > + migratable = trusted_key_sources[i].ops->migratable; > > > > > > > > > > > + } > > > > > > > > > > > + > > > > > > > > > > > + if (!ret || ret != -ENODEV) > > > > > > > > > > > > > > > > > > > > As mentioned in the other thread, we should allow other trust sources > > > > > > > > > > to be initialized if the primary one fails. > > > > > > > > > > > > > > > > > > I sent the patch before I received that response but here's what you > > > > > > > > > wrote: > > > > > > > > > > > > > > > > > > "We should give other trust sources a chance to register for trusted > > > > > > > > > keys if the primary one fails." > > > > > > > > > > > > > > > > > > 1. This condition is lacking an inline comment. > > > > > > > > > 2. Neither this response or the one that you pointed out has any > > > > > > > > > explanation why for any system failure the process should > > > > > > > > > continue. > > > > > > > > > > > > > > > > > > You should really know the situations (e.g. list of posix error > > > > > > > > > code) when the process can continue and "allow list" those. This > > > > > > > > > way way too abstract. It cannot be let all possible system failures > > > > > > > > > pass. > > > > > > > > > > > > > > > > And it would nice if it printed out something for legit cases. Like > > > > > > > > "no device found" etc. And for rest it must really withdraw the whole > > > > > > > > process. > > > > > > > > > > > > > > IMO, it would be quite tricky to come up with an allow list. Can we > > > > > > > keep "EACCES", "EPERM", "ENOTSUPP" etc in that allow list? I think > > > > > > > these are all debatable. > > > > > > > > > > > > Yes, that does sounds reasonable. > > > > > > > > > > > > About the debate. Well, it is better eagerly block and tree falls down > > > > > > somewhere we can consider extending the list through a fix. > > > > > > > > > > > > This all wide open is worse than a few glitches somewhere, which are > > > > > > trivial to fix. > > > > > > > > > > > > > > > > Fair enough, I would suggest we document it appropriately such that it > > > > > is clear to the users or somebody looking at the code. > > > > > > > > I went throught the backends on how they implement init: > > > > > > > > 1. Returns -ENODEV when it does not exist. > > > > 2. Calls driver_register(). Something is wrong enough if that > > > > fails to rollback the whole procedure. > > > > 3. TPM: -ENODEV > > > > > > > > Therefore, I would keep in the existing patch since there is no weird > > > > uapi visible legacy behavior to support in the first place. And for > > > > that reason there is no good reason to have all those four POSIX rc's > > > > in the list. > > > > > > Okay I can live with this patch as long as it doesn't break the > > > intended use-case. > > > > Well this sort of policy has been already existing for some time: > > > > /* > > * encrypted_keys.ko depends on successful load of this module even if > > * trusted key implementation is not found. > > */ > > if (ret == -ENODEV) > > return 0; > > > > If we would need a list of error codes, then this is also incorrect > > implementation because the error codes that you listed should be > > also success cases. > As I mentioned before we can go ahead with this policy for trust sources and see how it pans out. > The dead obvious constraint here is that whatever error codes are > processed they need to be exact same anyway right? > > If things fall apart you should really not continue. This is IMHO > categorizes as a critical bug, Here we are discussing trust sources as multiple independent devices. If a particular device probe/init fails then it shouldn't be a blocker to probe/init another device. > not just debatable aspect on how > subsystems are engineered. I.e.I do not consider this as any sort > of API discussion per se. Agree, I see it as a policy decision for the trusted keys subsystem. -Sumit > > BR, Jarkko
diff --git a/security/keys/trusted-keys/trusted_core.c b/security/keys/trusted-keys/trusted_core.c index 85fb5c22529a..fee1ab2c734d 100644 --- a/security/keys/trusted-keys/trusted_core.c +++ b/security/keys/trusted-keys/trusted_core.c @@ -358,17 +358,17 @@ static int __init init_trusted(void) if (!get_random) get_random = kernel_get_random; - static_call_update(trusted_key_seal, - trusted_key_sources[i].ops->seal); - static_call_update(trusted_key_unseal, - trusted_key_sources[i].ops->unseal); - static_call_update(trusted_key_get_random, - get_random); - trusted_key_exit = trusted_key_sources[i].ops->exit; - migratable = trusted_key_sources[i].ops->migratable; - ret = trusted_key_sources[i].ops->init(); - if (!ret) + if (!ret) { + static_call_update(trusted_key_seal, trusted_key_sources[i].ops->seal); + static_call_update(trusted_key_unseal, trusted_key_sources[i].ops->unseal); + static_call_update(trusted_key_get_random, get_random); + + trusted_key_exit = trusted_key_sources[i].ops->exit; + migratable = trusted_key_sources[i].ops->migratable; + } + + if (!ret || ret != -ENODEV) break; }