[RFC PATCH v3 03/13] clavis: Introduce a new system keyring called clavis
Mimi Zohar
zohar at linux.ibm.com
Sun Jan 5 11:43:24 UTC 2025
Hi Eric,
On Fri, 2025-01-03 at 23:27 +0000, Eric Snowberg wrote:
> > > +config SECURITY_CLAVIS
> > > + bool "Clavis keyring"
> >
> > Isn't SECURITY_CLAVIS the new LSM? Why is the bool defined as just "Clavis
> > keyring"?
> >
> > > + depends on SECURITY
> > > + select SYSTEM_DATA_VERIFICATION
> > > + select CRYPTO_SHA256
> > > + help
> > > + Enable the clavis keyring. This keyring shall contain a single asymmetric key.
> > > + This key shall be linked to a key already contained in one of the system
> > > + keyrings (builtin, secondary, or platform). One way to add this key
> > > + is during boot by passing in the asymmetric key id within the "clavis=" boot
> > > + param. This keyring is required by the Clavis LSM.
> >
> > If SECURITY_CLAVIS is a new LSM, the 'help' shouldn't be limited to just the
> > clavis keyring, but written at a higher level describing the new LSM. For
> > example,
> >
> > This option enables the Clavis LSM, which provides the ability to configure and
> > enforce the usage of keys contained on the system keyrings -
> > .builtin_trusted_keys, .secondary_trusted_keys, .machine, and .platform
> > keyrings. The clavis LSM defines a keyring named "clavis", which contains a
> > single asymmetric key and the key usage rules.
> >
> > The single asymmetric key may be specified on the boot command line ...
> >
> > [The patch that introduces the key usage rules would add additional info here.]
> >
> > [The patch that adds the Documentatoin would add a reference here.]
>
> I went the route of creating the keyring in this patch and then introducing the
> LSM which uses it in a later patch. My reasoning was it can be tested
> independently. Also, I thought it would make it easier to review, since
> everything isn't contained within a single patch. I could look at combining
> them together if you think that would be better.
SECURITY_CLAVIS is not just about the CLAVIS keyring, right? The Kconfig can be
defined and used here, but eventually the SECURITY_CLAVIS "help" needs to be
updated to describe the new LSM.
thanks,
Mimi
More information about the Linux-security-module-archive
mailing list