[PATCH] KEYS: trusted: Rollback init_trusted() consistently

Jarkko Sakkinen jarkko at kernel.org
Wed Oct 11 10:12:02 UTC 2023


On Wed, 2023-10-11 at 11:27 +0530, Sumit Garg wrote:
> On Wed, 11 Oct 2023 at 04:46, Jarkko Sakkinen <jarkko at kernel.org> wrote:
> > 
> > Do bind neither static calls nor trusted_key_exit() before a successful
> > init, in order to maintain a consistent state. In addition, depart the
> > init_trusted() in the case of a real error (i.e. getting back something
> > else than -ENODEV).
> > 
> > Reported-by: Linus Torvalds <torvalds at linux-foundation.org>
> > Closes: https://lore.kernel.org/linux-integrity/CAHk-=whOPoLaWM8S8GgoOPT7a2+nMH5h3TLKtn=R_3w4R1_Uvg@mail.gmail.com/
> > Cc: stable at vger.kernel.org # v5.13+
> > Fixes: 5d0682be3189 ("KEYS: trusted: Add generic trusted keys framework")
> > Signed-off-by: Jarkko Sakkinen <jarkko at kernel.org>
> > ---
> >  security/keys/trusted-keys/trusted_core.c | 20 ++++++++++----------
> >  1 file changed, 10 insertions(+), 10 deletions(-)
> > 
> > diff --git a/security/keys/trusted-keys/trusted_core.c b/security/keys/trusted-keys/trusted_core.c
> > index 85fb5c22529a..fee1ab2c734d 100644
> > --- a/security/keys/trusted-keys/trusted_core.c
> > +++ b/security/keys/trusted-keys/trusted_core.c
> > @@ -358,17 +358,17 @@ static int __init init_trusted(void)
> >                 if (!get_random)
> >                         get_random = kernel_get_random;
> > 
> > -               static_call_update(trusted_key_seal,
> > -                                  trusted_key_sources[i].ops->seal);
> > -               static_call_update(trusted_key_unseal,
> > -                                  trusted_key_sources[i].ops->unseal);
> > -               static_call_update(trusted_key_get_random,
> > -                                  get_random);
> > -               trusted_key_exit = trusted_key_sources[i].ops->exit;
> > -               migratable = trusted_key_sources[i].ops->migratable;
> > -
> >                 ret = trusted_key_sources[i].ops->init();
> > -               if (!ret)
> > +               if (!ret) {
> > +                       static_call_update(trusted_key_seal, trusted_key_sources[i].ops->seal);
> > +                       static_call_update(trusted_key_unseal, trusted_key_sources[i].ops->unseal);
> > +                       static_call_update(trusted_key_get_random, get_random);
> > +
> > +                       trusted_key_exit = trusted_key_sources[i].ops->exit;
> > +                       migratable = trusted_key_sources[i].ops->migratable;
> > +               }
> > +
> > +               if (!ret || ret != -ENODEV)
> 
> As mentioned in the other thread, we should allow other trust sources
> to be initialized if the primary one fails.

I sent the patch before I received that response but here's what you
wrote:

"We should give other trust sources a chance to register for trusted
keys if the primary one fails."

1. This condition is lacking an inline comment.
2. Neither this response or the one that you pointed out has any
   explanation why for any system failure the process should
   continue.

You should really know the situations (e.g. list of posix error
code) when the process can continue and "allow list" those. This
way way too abstract. It cannot be let all possible system failures
pass.

Can you e.g. explain a legit use case when something else is
returned than -ENODEV but it is cool and we can continue in 
some real world use case?

BR, Jarkko


More information about the Linux-security-module-archive mailing list