[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <e200854b-116a-cbf3-256d-92a9c490b9bc@linux.vnet.ibm.com>
Date: Wed, 22 Jun 2022 21:50:45 -0400
From: Nayna <nayna@...ux.vnet.ibm.com>
To: Casey Schaufler <casey@...aufler-ca.com>,
Nayna Jain <nayna@...ux.ibm.com>,
linuxppc-dev@...ts.ozlabs.org, linux-fsdevel@...r.kernel.org
Cc: linux-efi@...r.kernel.org,
linux-security-module <linux-security-module@...r.kernel.org>,
linux-kernel@...r.kernel.org,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
Michael Ellerman <mpe@...erman.id.au>,
Dov Murik <dovmurik@...ux.ibm.com>,
George Wilson <gcwilson@...ux.ibm.com>, gjoyce@....com,
Matthew Garrett <mjg59@...f.ucam.org>,
Dave Hansen <dave.hansen@...el.com>,
Benjamin Herrenschmidt <benh@...nel.crashing.org>,
Paul Mackerras <paulus@...ba.org>
Subject: Re: [RFC PATCH v2 2/3] fs: define a firmware security filesystem
named fwsecurityfs
On 6/22/22 18:29, Casey Schaufler wrote:
> On 6/22/2022 2:56 PM, Nayna Jain wrote:
>> securityfs is meant for linux security subsystems to expose
>> policies/logs
>> or any other information. However, there are various firmware security
>> features which expose their variables for user management via kernel.
>> There is currently no single place to expose these variables. Different
>> platforms use sysfs/platform specific filesystem(efivarfs)/securityfs
>> interface as find appropriate. Thus, there is a gap in kernel interfaces
>> to expose variables for security features.
>
> Why not put the firmware entries under /sys/kernel/security/firmware?
From man 5 sysfs page:
/sys/firmware: This subdirectory contains interfaces for viewing and
manipulating firmware-specific objects and attributes.
/sys/kernel: This subdirectory contains various files and subdirectories
that provide information about the running kernel.
The security variables which are supposed to be exposed via fwsecurityfs
are managed by firmware, stored in firmware managed space and also often
consumed by firmware for enabling various security features.
From git commit b67dbf9d4c1987c370fd18fdc4cf9d8aaea604c2, the purpose
of securityfs(/sys/kernel/security) is to provide a common place for all
kernel LSMs to use a common place. The idea of
fwsecurityfs(/sys/firmware/security) is to similarly provide a common
place for all firmware security objects.
By having another firmware directory within /sys/kernel/security would
mean scattering firmware objects at multiple places and confusing the
purpose of /sys/kernel and /sys/firmware.
Thanks & Regards,
- Nayna
Powered by blists - more mailing lists