From: "Jarkko Sakkinen" <jarkko@kernel.org>
To: "Fan Wu" <wufan@linux.microsoft.com>,
"Paul Moore" <paul@paul-moore.com>, <corbet@lwn.net>,
<zohar@linux.ibm.com>, <jmorris@namei.org>, <serge@hallyn.com>,
<tytso@mit.edu>, <ebiggers@kernel.org>, <axboe@kernel.dk>,
<agk@redhat.com>, <snitzer@kernel.org>, <eparis@redhat.com>
Cc: <linux-doc@vger.kernel.org>, <linux-integrity@vger.kernel.org>,
<linux-security-module@vger.kernel.org>,
<fsverity@lists.linux.dev>, <linux-block@vger.kernel.org>,
<dm-devel@lists.linux.dev>, <audit@vger.kernel.org>,
<linux-kernel@vger.kernel.org>
Subject: Re: [PATCH RFC v15 12/21] security: add security_bdev_setintegrity() hook
Date: Thu, 21 Mar 2024 19:25:21 +0200 [thread overview]
Message-ID: <CZZLQN9CUN2E.5PNZ0C2JHP42@kernel.org> (raw)
In-Reply-To: <a69805c7-7b8a-44ee-9b32-f9314b5a9763@linux.microsoft.com>
On Wed Mar 20, 2024 at 10:31 PM EET, Fan Wu wrote:
>
>
> On 3/20/2024 1:31 AM, Jarkko Sakkinen wrote:
> > On Wed Mar 20, 2024 at 10:28 AM EET, Jarkko Sakkinen wrote:
> >> On Wed Mar 20, 2024 at 1:00 AM EET, Paul Moore wrote:
> >>> On Mar 15, 2024 Fan Wu <wufan@linux.microsoft.com> wrote:
> >>>>
> >>>> This patch introduces a new hook to save block device's integrity
> >>>> data. For example, for dm-verity, LSMs can use this hook to save
> >>>> the roothash signature of a dm-verity into the security blob,
> >>>> and LSMs can make access decisions based on the data inside
> >>>> the signature, like the signer certificate.
> >>>>
> >>>> Signed-off-by: Fan Wu <wufan@linux.microsoft.com>
> >>>>
> >>>> --
> >>>> v1-v14:
> >>>> + Not present
> >>>>
> >>>> v15:
> >>>> + Introduced
> >>>>
> >>>> ---
> >>>> include/linux/lsm_hook_defs.h | 2 ++
> >>>> include/linux/security.h | 14 ++++++++++++++
> >>>> security/security.c | 28 ++++++++++++++++++++++++++++
> >>>> 3 files changed, 44 insertions(+)
> >>>
> >>> I'm not sure why you made this a separate patch, help? If there is
> >>> no significant reason why this is separate, please squash it together
> >>> with patch 11/21.
> >>
> >> Off-topic: it is weird to have *RFC* patch set at v15.
> >>
> >> RFC by de-facto is something that can be safely ignored if you don't
> >> have bandwidth. 15 versions of anything that can be safely ignored
> >> is by definition spamming :-) I mean just conceptually.
> >>
> >> So does the RFC still hold or what the heck is going on with this one?
> >>
> >> Haven't followed for some time now...
> >
> > I mean if this RFC trend continues I'll just put auto-filter for this
> > thread to put straight to the bin. There's enough non-RFC patch sets
> > to review.
> >
> > BR, Jarkko
>
> Sorry about the confusion with the RFC tag – I wasn't fully aware of its
> conventional meaning and how it's perceived in terms of importance and
> urgency. Point taken, and I'll make sure to remove the RFC tag for
> future submissions. Definitely not my intention to clog up the workflow
> or seem like I'm spamming.
OK cool! Just wanted to point this out also because it already looks
good enough not to be considered as RFC in my eyes :-) If you keep RFC
it is by definition "look into if you have the bandwidth but please
do not take this to mainline". No means to nitpick here...
BR, Jarkko
next prev parent reply other threads:[~2024-03-21 17:25 UTC|newest]
Thread overview: 41+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-03-16 3:35 [RFC PATCH v15 00/21] Integrity Policy Enforcement LSM (IPE) Fan Wu
2024-03-16 3:35 ` [RFC PATCH v15 01/21] security: add ipe lsm Fan Wu
2024-03-16 3:35 ` [RFC PATCH v15 02/21] ipe: add policy parser Fan Wu
2024-03-16 3:35 ` [RFC PATCH v15 03/21] ipe: add evaluation loop Fan Wu
2024-03-16 3:35 ` [RFC PATCH v15 04/21] ipe: add LSM hooks on execution and kernel read Fan Wu
2024-03-16 3:35 ` [RFC PATCH v15 05/21] initramfs|security: Add a security hook to do_populate_rootfs() Fan Wu
2024-03-18 0:29 ` Casey Schaufler
2024-03-18 1:58 ` Paul Moore
2024-03-16 3:35 ` [RFC PATCH v15 06/21] ipe: introduce 'boot_verified' as a trust provider Fan Wu
2024-03-16 3:35 ` [RFC PATCH v15 07/21] security: add new securityfs delete function Fan Wu
2024-03-16 3:35 ` [RFC PATCH v15 08/21] ipe: add userspace interface Fan Wu
2024-03-16 3:35 ` [RFC PATCH v15 09/21] uapi|audit|ipe: add ipe auditing support Fan Wu
2024-03-16 3:35 ` [RFC PATCH v15 10/21] ipe: add permissive toggle Fan Wu
2024-03-16 3:35 ` [RFC PATCH v15 11/21] block|security: add LSM blob to block_device Fan Wu
2024-03-16 3:35 ` [RFC PATCH v15 12/21] security: add security_bdev_setintegrity() hook Fan Wu
2024-03-19 23:00 ` [PATCH RFC " Paul Moore
2024-03-20 8:28 ` Jarkko Sakkinen
2024-03-20 8:31 ` Jarkko Sakkinen
2024-03-20 20:31 ` Fan Wu
2024-03-21 17:25 ` Jarkko Sakkinen [this message]
2024-03-16 3:35 ` [RFC PATCH v15 13/21] dm: add finalize hook to target_type Fan Wu
2024-03-16 3:35 ` [RFC PATCH v15 14/21] dm verity: consume root hash digest and signature data via LSM hook Fan Wu
2024-03-19 23:00 ` [PATCH RFC " Paul Moore
2024-03-20 2:19 ` Mike Snitzer
2024-03-20 17:23 ` Paul Moore
2024-03-20 18:49 ` Mike Snitzer
2024-03-20 17:56 ` Fan Wu
2024-03-16 3:35 ` [RFC PATCH v15 15/21] ipe: add support for dm-verity as a trust provider Fan Wu
2024-03-16 3:35 ` [RFC PATCH v15 16/21] security: add security_inode_setintegrity() hook Fan Wu
2024-03-19 23:00 ` [PATCH RFC " Paul Moore
2024-03-16 3:35 ` [RFC PATCH v15 17/21] fsverity: consume builtin signature via LSM hook Fan Wu
2024-03-18 5:29 ` Eric Biggers
2024-03-19 23:00 ` Paul Moore
2024-03-16 3:35 ` [RFC PATCH v15 18/21] ipe: enable support for fs-verity as a trust provider Fan Wu
2024-03-18 5:17 ` Eric Biggers
2024-03-18 8:08 ` Roberto Sassu
2024-03-18 20:58 ` Fan Wu
2024-03-18 20:40 ` Fan Wu
2024-03-16 3:35 ` [RFC PATCH v15 19/21] scripts: add boot policy generation program Fan Wu
2024-03-16 3:35 ` [RFC PATCH v15 20/21] ipe: kunit test for parser Fan Wu
2024-03-16 3:35 ` [RFC PATCH v15 21/21] documentation: add ipe documentation Fan Wu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CZZLQN9CUN2E.5PNZ0C2JHP42@kernel.org \
--to=jarkko@kernel.org \
--cc=agk@redhat.com \
--cc=audit@vger.kernel.org \
--cc=axboe@kernel.dk \
--cc=corbet@lwn.net \
--cc=dm-devel@lists.linux.dev \
--cc=ebiggers@kernel.org \
--cc=eparis@redhat.com \
--cc=fsverity@lists.linux.dev \
--cc=jmorris@namei.org \
--cc=linux-block@vger.kernel.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=serge@hallyn.com \
--cc=snitzer@kernel.org \
--cc=tytso@mit.edu \
--cc=wufan@linux.microsoft.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).