Date:   Fri, 6 Mar 2020 15:48:57 -0500
From:   Nathaniel McCallum <npmccallum@...hat.com>
To:     Connor Kuehl <ckuehl@...hat.com>
Cc:     "Lendacky, Thomas" <thomas.lendacky@....com>,
        Herbert Xu <herbert@...dor.apana.org.au>, davem@...emloft.net,
        "Hook, Gary" <gary.hook@....com>, erdemaktas@...gle.com,
        rientjes@...gle.com, "Singh, Brijesh" <brijesh.singh@....com>,
        Bandan Das <bsd@...hat.com>, linux-crypto@...r.kernel.org,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH 0/1] crypto: ccp: use file mode for sev ioctl permissions

On Fri, Mar 6, 2020 at 12:20 PM Connor Kuehl <ckuehl@...hat.com> wrote:
>
> Some background:
>
> My team is working on a project that interacts very closely with
> SEV so we have a layer of code that wraps around the SEV ioctl calls.
> We have an automated test suite that ends up testing these ioctls
> on our test machine.
>
> We are in the process of adding this test machine as a dedicated test
> runner in our continuous integration process. Any time someone opens a
> pull request against our project, this test runner automatically checks
> that code out and executes the tests.
>
> Right now, the SEV ioctls that affect the state of the platform require
> CAP_SYS_ADMIN to run. This is not a capability we can give to an
> automated test runner, because it means that anyone who would like to
> contribute to the project would be able to run any code they want (for
> good or evil) as CAP_SYS_ADMIN on our machine.
>
> This patch replaces the check for CAP_SYS_ADMIN with a check that can
> still be easily controlled by an administrator with the file permissions
> ACL. This way access to the device can still be controlled, but without
> also assigning such broad system privileges at the same time.
>
> Connor Kuehl (1):
>   crypto: ccp: use file mode for sev ioctl permissions
>
>  drivers/crypto/ccp/sev-dev.c | 33 +++++++++++++++++----------------
>  1 file changed, 17 insertions(+), 16 deletions(-)
>
> --
> 2.24.1
>

One additional note is that this permission structure is more flexible
for general SEV usage anyway, and isn't special-cased for our usage.
Currently, the SEV admin commands are mostly limited to public key
certificate management. I would imagine that it would be desirable to
have a sev-admin account which can automate the certificate management
without having CAP_SYS_ADMIN for the rest of the system. So we believe
this patch has broader applicability than just our corner case.
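The difference between the two permission models discussed in this thread (a process-wide CAP_SYS_ADMIN check versus a check on how the device node was opened, which an administrator then controls through ownership and mode bits on the node) can be shown in a small user-space model. This is an added illustration, not the ccp driver's code or the patch itself: the command names are placeholders, not SEV ioctl values, and it assumes that "file mode" here means whether the file descriptor was opened for writing.

```c
/* User-space model of the two ways to gate SEV ioctl commands.
 * Added example; not the kernel driver's code. Command numbers and
 * names are placeholders for this model, not the real SEV ioctls. */
#include <errno.h>
#include <fcntl.h>
#include <stdbool.h>
#include <stdio.h>

enum model_cmd {
    MODEL_CMD_PLATFORM_STATUS = 0, /* query only */
    MODEL_CMD_CERT_EXPORT     = 1, /* query only */
    MODEL_CMD_FACTORY_RESET   = 2, /* changes platform state */
    MODEL_CMD_KEY_GEN         = 3, /* changes platform state */
    MODEL_CMD_MAX             = 4,
};

/* Commands that mutate the platform; everything else is a read-only query. */
static bool model_cmd_changes_state(int cmd)
{
    switch (cmd) {
    case MODEL_CMD_FACTORY_RESET:
    case MODEL_CMD_KEY_GEN:
        return true;
    default:
        return false;
    }
}

/* "Before": every command requires the caller to hold CAP_SYS_ADMIN,
 * a capability that covers far more than this one device. */
int model_ioctl_capability(bool caller_has_cap_sys_admin, int cmd)
{
    if (cmd < 0 || cmd >= MODEL_CMD_MAX)
        return -EINVAL;
    if (!caller_has_cap_sys_admin)
        return -EPERM;
    return 0;
}

/* "After": state-changing commands require the descriptor to have been
 * opened for writing; queries work on a read-only open. Who may open the
 * node for writing is then decided by its owner, group and mode bits. */
int model_ioctl_file_mode(int open_flags, int cmd)
{
    int acc = open_flags & O_ACCMODE;
    bool writable = (acc == O_WRONLY || acc == O_RDWR);

    if (cmd < 0 || cmd >= MODEL_CMD_MAX)
        return -EINVAL;
    if (model_cmd_changes_state(cmd) && !writable)
        return -EPERM;
    return 0;
}

int main(void)
{
    printf("capability model, no CAP_SYS_ADMIN, status query: %d\n",
           model_ioctl_capability(false, MODEL_CMD_PLATFORM_STATUS));
    printf("file-mode model, O_RDONLY, status query: %d\n",
           model_ioctl_file_mode(O_RDONLY, MODEL_CMD_PLATFORM_STATUS));
    printf("file-mode model, O_RDONLY, factory reset: %d\n",
           model_ioctl_file_mode(O_RDONLY, MODEL_CMD_FACTORY_RESET));
    printf("file-mode model, O_RDWR, factory reset: %d\n",
           model_ioctl_file_mode(O_RDWR, MODEL_CMD_FACTORY_RESET));
    return 0;
}
```

The point the model makes is the one in the patch description: under the capability check an unprivileged account cannot even run a query, while under the file-mode check a read-only open still permits queries and a writable open (granted, for instance, to a dedicated sev-admin group on the device node) permits the state-changing commands, without handing that account CAP_SYS_ADMIN over the rest of the system.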
