diff mbox series

[RFC,v2,2/3] fs: define a firmware security filesystem named fwsecurityfs

Message ID 20220622215648.96723-3-nayna@linux.ibm.com (mailing list archive)
State Handled Elsewhere
Headers show
Series powerpc/pseries: add support for local secure storage called Platform KeyStore(PKS) | expand

Commit Message

Nayna Jain June 22, 2022, 9:56 p.m. UTC
securityfs is meant for linux security subsystems to expose policies/logs
or any other information. However, there are various firmware security
features which expose their variables for user management via kernel.
There is currently no single place to expose these variables. Different
platforms use sysfs/platform specific filesystem(efivarfs)/securityfs
interface as find appropriate. Thus, there is a gap in kernel interfaces
to expose variables for security features.

Define a firmware security filesystem (fwsecurityfs) to be used for
exposing variables managed by firmware and to be used by firmware
enabled security features. These variables are platform specific.
Filesystem provides platforms to implement their own underlying
semantics by defining own inode and file operations.

Similar to securityfs, the firmware security filesystem is recommended
to be exposed on a well known mount point /sys/firmware/security.
Platforms can define their own directory or file structure under this path.

Example:

# mount -t fwsecurityfs fwsecurityfs /sys/firmware/security

# cd /sys/firmware/security/

Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
---
 fs/Kconfig                   |   1 +
 fs/Makefile                  |   1 +
 fs/fwsecurityfs/Kconfig      |  14 +++
 fs/fwsecurityfs/Makefile     |  10 +++
 fs/fwsecurityfs/inode.c      | 159 +++++++++++++++++++++++++++++++++++
 fs/fwsecurityfs/internal.h   |  13 +++
 fs/fwsecurityfs/super.c      | 154 +++++++++++++++++++++++++++++++++
 include/linux/fwsecurityfs.h |  29 +++++++
 include/uapi/linux/magic.h   |   1 +
 9 files changed, 382 insertions(+)
 create mode 100644 fs/fwsecurityfs/Kconfig
 create mode 100644 fs/fwsecurityfs/Makefile
 create mode 100644 fs/fwsecurityfs/inode.c
 create mode 100644 fs/fwsecurityfs/internal.h
 create mode 100644 fs/fwsecurityfs/super.c
 create mode 100644 include/linux/fwsecurityfs.h

Comments

Casey Schaufler June 22, 2022, 10:29 p.m. UTC | #1
On 6/22/2022 2:56 PM, Nayna Jain wrote:
> securityfs is meant for linux security subsystems to expose policies/logs
> or any other information. However, there are various firmware security
> features which expose their variables for user management via kernel.
> There is currently no single place to expose these variables. Different
> platforms use sysfs/platform specific filesystem(efivarfs)/securityfs
> interface as find appropriate. Thus, there is a gap in kernel interfaces
> to expose variables for security features.

Why not put the firmware entries under /sys/kernel/security/firmware?
Nayna June 23, 2022, 1:50 a.m. UTC | #2
On 6/22/22 18:29, Casey Schaufler wrote:
> On 6/22/2022 2:56 PM, Nayna Jain wrote:
>> securityfs is meant for linux security subsystems to expose 
>> policies/logs
>> or any other information. However, there are various firmware security
>> features which expose their variables for user management via kernel.
>> There is currently no single place to expose these variables. Different
>> platforms use sysfs/platform specific filesystem(efivarfs)/securityfs
>> interface as find appropriate. Thus, there is a gap in kernel interfaces
>> to expose variables for security features.
>
> Why not put the firmware entries under /sys/kernel/security/firmware?

 From man 5 sysfs page:

/sys/firmware: This subdirectory contains interfaces for viewing and 
manipulating firmware-specific objects and attributes.

/sys/kernel: This subdirectory contains various files and subdirectories 
that provide information about the running kernel.

The security variables which are supposed to be exposed via fwsecurityfs 
are managed by firmware, stored in firmware managed space and also often 
consumed by firmware for enabling various security features.

 From git commit b67dbf9d4c1987c370fd18fdc4cf9d8aaea604c2, the purpose 
of securityfs(/sys/kernel/security) is to provide a common place for all 
kernel LSMs to use a common place. The idea of 
fwsecurityfs(/sys/firmware/security) is to similarly provide a common 
place for all firmware security objects.

By having another firmware directory within /sys/kernel/security would 
mean scattering firmware objects at multiple places and confusing the 
purpose of /sys/kernel and /sys/firmware.

Thanks & Regards,

      - Nayna
Greg Kroah-Hartman June 23, 2022, 8:54 a.m. UTC | #3
On Wed, Jun 22, 2022 at 05:56:47PM -0400, Nayna Jain wrote:
> securityfs is meant for linux security subsystems to expose policies/logs
> or any other information. However, there are various firmware security
> features which expose their variables for user management via kernel.
> There is currently no single place to expose these variables. Different
> platforms use sysfs/platform specific filesystem(efivarfs)/securityfs
> interface as find appropriate. Thus, there is a gap in kernel interfaces
> to expose variables for security features.
> 
> Define a firmware security filesystem (fwsecurityfs) to be used for
> exposing variables managed by firmware and to be used by firmware
> enabled security features. These variables are platform specific.
> Filesystem provides platforms to implement their own underlying
> semantics by defining own inode and file operations.
> 
> Similar to securityfs, the firmware security filesystem is recommended
> to be exposed on a well known mount point /sys/firmware/security.
> Platforms can define their own directory or file structure under this path.
> 
> Example:
> 
> # mount -t fwsecurityfs fwsecurityfs /sys/firmware/security
> 
> # cd /sys/firmware/security/
> 
> Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
> ---
>  fs/Kconfig                   |   1 +
>  fs/Makefile                  |   1 +
>  fs/fwsecurityfs/Kconfig      |  14 +++
>  fs/fwsecurityfs/Makefile     |  10 +++
>  fs/fwsecurityfs/inode.c      | 159 +++++++++++++++++++++++++++++++++++
>  fs/fwsecurityfs/internal.h   |  13 +++
>  fs/fwsecurityfs/super.c      | 154 +++++++++++++++++++++++++++++++++
>  include/linux/fwsecurityfs.h |  29 +++++++
>  include/uapi/linux/magic.h   |   1 +
>  9 files changed, 382 insertions(+)
>  create mode 100644 fs/fwsecurityfs/Kconfig
>  create mode 100644 fs/fwsecurityfs/Makefile
>  create mode 100644 fs/fwsecurityfs/inode.c
>  create mode 100644 fs/fwsecurityfs/internal.h
>  create mode 100644 fs/fwsecurityfs/super.c
>  create mode 100644 include/linux/fwsecurityfs.h
> 
> diff --git a/fs/Kconfig b/fs/Kconfig
> index 5976eb33535f..19ea28143428 100644
> --- a/fs/Kconfig
> +++ b/fs/Kconfig
> @@ -276,6 +276,7 @@ config ARCH_HAS_GIGANTIC_PAGE
>  
>  source "fs/configfs/Kconfig"
>  source "fs/efivarfs/Kconfig"
> +source "fs/fwsecurityfs/Kconfig"
>  
>  endmenu
>  
> diff --git a/fs/Makefile b/fs/Makefile
> index 208a74e0b00e..5792cd0443cb 100644
> --- a/fs/Makefile
> +++ b/fs/Makefile
> @@ -137,6 +137,7 @@ obj-$(CONFIG_F2FS_FS)		+= f2fs/
>  obj-$(CONFIG_CEPH_FS)		+= ceph/
>  obj-$(CONFIG_PSTORE)		+= pstore/
>  obj-$(CONFIG_EFIVAR_FS)		+= efivarfs/
> +obj-$(CONFIG_FWSECURITYFS)		+= fwsecurityfs/
>  obj-$(CONFIG_EROFS_FS)		+= erofs/
>  obj-$(CONFIG_VBOXSF_FS)		+= vboxsf/
>  obj-$(CONFIG_ZONEFS_FS)		+= zonefs/
> diff --git a/fs/fwsecurityfs/Kconfig b/fs/fwsecurityfs/Kconfig
> new file mode 100644
> index 000000000000..f1665511eeb9
> --- /dev/null
> +++ b/fs/fwsecurityfs/Kconfig
> @@ -0,0 +1,14 @@
> +# SPDX-License-Identifier: GPL-2.0-only
> +#
> +# Copyright (C) 2022 IBM Corporation
> +# Author: Nayna Jain <nayna@linux.ibm.com>
> +#
> +
> +config FWSECURITYFS
> +	bool "Enable the fwsecurityfs filesystem"
> +	help
> +	  This will build the fwsecurityfs file system which is recommended
> +	  to be mounted on /sys/firmware/security. This can be used by
> +	  platforms to expose their variables which are managed by firmware.
> +
> +	  If you are unsure how to answer this question, answer N.
> diff --git a/fs/fwsecurityfs/Makefile b/fs/fwsecurityfs/Makefile
> new file mode 100644
> index 000000000000..b9931d180178
> --- /dev/null
> +++ b/fs/fwsecurityfs/Makefile
> @@ -0,0 +1,10 @@
> +# SPDX-License-Identifier: GPL-2.0-only
> +#
> +# Copyright (C) 2022 IBM Corporation
> +# Author: Nayna Jain <nayna@linux.ibm.com>
> +#
> +# Makefile for the firmware security filesystem
> +
> +obj-$(CONFIG_FWSECURITYFS)		+= fwsecurityfs.o
> +
> +fwsecurityfs-objs			:= inode.o super.o
> diff --git a/fs/fwsecurityfs/inode.c b/fs/fwsecurityfs/inode.c
> new file mode 100644
> index 000000000000..5d06dc0de059
> --- /dev/null
> +++ b/fs/fwsecurityfs/inode.c
> @@ -0,0 +1,159 @@
> +// SPDX-License-Identifier: GPL-2.0-only
> +/*
> + * Copyright (C) 2022 IBM Corporation
> + * Author: Nayna Jain <nayna@linux.ibm.com>
> + */
> +
> +#include <linux/sysfs.h>
> +#include <linux/kobject.h>
> +#include <linux/fs.h>
> +#include <linux/fs_context.h>
> +#include <linux/mount.h>
> +#include <linux/pagemap.h>
> +#include <linux/init.h>
> +#include <linux/namei.h>
> +#include <linux/security.h>
> +#include <linux/lsm_hooks.h>
> +#include <linux/magic.h>
> +#include <linux/ctype.h>
> +#include <linux/fwsecurityfs.h>
> +
> +#include "internal.h"
> +
> +int fwsecurityfs_remove_file(struct dentry *dentry)
> +{
> +	drop_nlink(d_inode(dentry));
> +	dput(dentry);
> +	return 0;
> +};
> +EXPORT_SYMBOL_GPL(fwsecurityfs_remove_file);
> +
> +int fwsecurityfs_create_file(const char *name, umode_t mode,
> +					u16 filesize, struct dentry *parent,
> +					struct dentry *dentry,
> +					const struct file_operations *fops)
> +{
> +	struct inode *inode;
> +	int error;
> +	struct inode *dir;
> +
> +	if (!parent)
> +		return -EINVAL;
> +
> +	dir = d_inode(parent);
> +	pr_debug("securityfs: creating file '%s'\n", name);

Did you forget to call simple_pin_fs() here or anywhere else?

And this can be just one function with the directory creation file, just
check the mode and you will be fine.  Look at securityfs as an example
of how to make this simpler.

> diff --git a/fs/fwsecurityfs/super.c b/fs/fwsecurityfs/super.c

super.c and inode.c can be in the same file, these are tiny, just make
one file for the filesystem logic.

thanks,

greg k-h
James Bottomley June 23, 2022, 1:23 p.m. UTC | #4
On Thu, 2022-06-23 at 10:54 +0200, Greg Kroah-Hartman wrote:
[...]
> > diff --git a/fs/fwsecurityfs/inode.c b/fs/fwsecurityfs/inode.c
> > new file mode 100644
> > index 000000000000..5d06dc0de059
> > --- /dev/null
> > +++ b/fs/fwsecurityfs/inode.c
> > @@ -0,0 +1,159 @@
> > +// SPDX-License-Identifier: GPL-2.0-only
> > +/*
> > + * Copyright (C) 2022 IBM Corporation
> > + * Author: Nayna Jain <nayna@linux.ibm.com>
> > + */
> > +
> > +#include <linux/sysfs.h>
> > +#include <linux/kobject.h>
> > +#include <linux/fs.h>
> > +#include <linux/fs_context.h>
> > +#include <linux/mount.h>
> > +#include <linux/pagemap.h>
> > +#include <linux/init.h>
> > +#include <linux/namei.h>
> > +#include <linux/security.h>
> > +#include <linux/lsm_hooks.h>
> > +#include <linux/magic.h>
> > +#include <linux/ctype.h>
> > +#include <linux/fwsecurityfs.h>
> > +
> > +#include "internal.h"
> > +
> > +int fwsecurityfs_remove_file(struct dentry *dentry)
> > +{
> > +	drop_nlink(d_inode(dentry));
> > +	dput(dentry);
> > +	return 0;
> > +};
> > +EXPORT_SYMBOL_GPL(fwsecurityfs_remove_file);
> > +
> > +int fwsecurityfs_create_file(const char *name, umode_t mode,
> > +					u16 filesize, struct dentry
> > *parent,
> > +					struct dentry *dentry,
> > +					const struct file_operations
> > *fops)
> > +{
> > +	struct inode *inode;
> > +	int error;
> > +	struct inode *dir;
> > +
> > +	if (!parent)
> > +		return -EINVAL;
> > +
> > +	dir = d_inode(parent);
> > +	pr_debug("securityfs: creating file '%s'\n", name);
> 
> Did you forget to call simple_pin_fs() here or anywhere else?
> 
> And this can be just one function with the directory creation file,
> just check the mode and you will be fine.  Look at securityfs as an
> example of how to make this simpler.

Actually, before you go down this route can you consider the namespace
ramifications.  In fact we're just having to rework securityfs to pull
out all the simple_pin_... calls because simple_pin_... is completely
inimical to namespaces.

The first thing to consider is if you simply use securityfs you'll
inherit all the simple_pin_... removal work and be namespace ready.  It
could be that creating a new filesystem that can't be namespaced is the
right thing to do here, but at least ask the question: would we ever
want any of these files to be presented selectively inside containers? 
If the answer is "yes" then simple_pin_... is the wrong interface.

James
Mimi Zohar June 26, 2022, 3:48 p.m. UTC | #5
On Thu, 2022-06-23 at 09:23 -0400, James Bottomley wrote:
> On Thu, 2022-06-23 at 10:54 +0200, Greg Kroah-Hartman wrote:
> [...]
> > > diff --git a/fs/fwsecurityfs/inode.c b/fs/fwsecurityfs/inode.c
> > > new file mode 100644
> > > index 000000000000..5d06dc0de059
> > > --- /dev/null
> > > +++ b/fs/fwsecurityfs/inode.c
> > > @@ -0,0 +1,159 @@
> > > +// SPDX-License-Identifier: GPL-2.0-only
> > > +/*
> > > + * Copyright (C) 2022 IBM Corporation
> > > + * Author: Nayna Jain <nayna@linux.ibm.com>
> > > + */
> > > +
> > > +#include <linux/sysfs.h>
> > > +#include <linux/kobject.h>
> > > +#include <linux/fs.h>
> > > +#include <linux/fs_context.h>
> > > +#include <linux/mount.h>
> > > +#include <linux/pagemap.h>
> > > +#include <linux/init.h>
> > > +#include <linux/namei.h>
> > > +#include <linux/security.h>
> > > +#include <linux/lsm_hooks.h>
> > > +#include <linux/magic.h>
> > > +#include <linux/ctype.h>
> > > +#include <linux/fwsecurityfs.h>
> > > +
> > > +#include "internal.h"
> > > +
> > > +int fwsecurityfs_remove_file(struct dentry *dentry)
> > > +{
> > > +	drop_nlink(d_inode(dentry));
> > > +	dput(dentry);
> > > +	return 0;
> > > +};
> > > +EXPORT_SYMBOL_GPL(fwsecurityfs_remove_file);
> > > +
> > > +int fwsecurityfs_create_file(const char *name, umode_t mode,
> > > +					u16 filesize, struct dentry
> > > *parent,
> > > +					struct dentry *dentry,
> > > +					const struct file_operations
> > > *fops)
> > > +{
> > > +	struct inode *inode;
> > > +	int error;
> > > +	struct inode *dir;
> > > +
> > > +	if (!parent)
> > > +		return -EINVAL;
> > > +
> > > +	dir = d_inode(parent);
> > > +	pr_debug("securityfs: creating file '%s'\n", name);
> > 
> > Did you forget to call simple_pin_fs() here or anywhere else?
> > 
> > And this can be just one function with the directory creation file,
> > just check the mode and you will be fine.  Look at securityfs as an
> > example of how to make this simpler.
> 
> Actually, before you go down this route can you consider the namespace
> ramifications.  In fact we're just having to rework securityfs to pull
> out all the simple_pin_... calls because simple_pin_... is completely
> inimical to namespaces.
> 
> The first thing to consider is if you simply use securityfs you'll
> inherit all the simple_pin_... removal work and be namespace ready.  It
> could be that creating a new filesystem that can't be namespaced is the
> right thing to do here, but at least ask the question: would we ever
> want any of these files to be presented selectively inside containers? 
> If the answer is "yes" then simple_pin_... is the wrong interface.

Greg, the securityfs changes James is referring to are part of the IMA
namespacing patch set:
https://lore.kernel.org/linux-integrity/20220420140633.753772-1-stefanb@linux.ibm.com/

I'd really appreciate your reviewing the first two patches:
[PATCH v12 01/26] securityfs: rework dentry creation
[PATCH v12 02/26] securityfs: Extend securityfs with namespacing
support

thanks,

Mimi
Greg Kroah-Hartman June 27, 2022, 7:37 a.m. UTC | #6
On Sun, Jun 26, 2022 at 11:48:06AM -0400, Mimi Zohar wrote:
> On Thu, 2022-06-23 at 09:23 -0400, James Bottomley wrote:
> > On Thu, 2022-06-23 at 10:54 +0200, Greg Kroah-Hartman wrote:
> > [...]
> > > > diff --git a/fs/fwsecurityfs/inode.c b/fs/fwsecurityfs/inode.c
> > > > new file mode 100644
> > > > index 000000000000..5d06dc0de059
> > > > --- /dev/null
> > > > +++ b/fs/fwsecurityfs/inode.c
> > > > @@ -0,0 +1,159 @@
> > > > +// SPDX-License-Identifier: GPL-2.0-only
> > > > +/*
> > > > + * Copyright (C) 2022 IBM Corporation
> > > > + * Author: Nayna Jain <nayna@linux.ibm.com>
> > > > + */
> > > > +
> > > > +#include <linux/sysfs.h>
> > > > +#include <linux/kobject.h>
> > > > +#include <linux/fs.h>
> > > > +#include <linux/fs_context.h>
> > > > +#include <linux/mount.h>
> > > > +#include <linux/pagemap.h>
> > > > +#include <linux/init.h>
> > > > +#include <linux/namei.h>
> > > > +#include <linux/security.h>
> > > > +#include <linux/lsm_hooks.h>
> > > > +#include <linux/magic.h>
> > > > +#include <linux/ctype.h>
> > > > +#include <linux/fwsecurityfs.h>
> > > > +
> > > > +#include "internal.h"
> > > > +
> > > > +int fwsecurityfs_remove_file(struct dentry *dentry)
> > > > +{
> > > > +	drop_nlink(d_inode(dentry));
> > > > +	dput(dentry);
> > > > +	return 0;
> > > > +};
> > > > +EXPORT_SYMBOL_GPL(fwsecurityfs_remove_file);
> > > > +
> > > > +int fwsecurityfs_create_file(const char *name, umode_t mode,
> > > > +					u16 filesize, struct dentry
> > > > *parent,
> > > > +					struct dentry *dentry,
> > > > +					const struct file_operations
> > > > *fops)
> > > > +{
> > > > +	struct inode *inode;
> > > > +	int error;
> > > > +	struct inode *dir;
> > > > +
> > > > +	if (!parent)
> > > > +		return -EINVAL;
> > > > +
> > > > +	dir = d_inode(parent);
> > > > +	pr_debug("securityfs: creating file '%s'\n", name);
> > > 
> > > Did you forget to call simple_pin_fs() here or anywhere else?
> > > 
> > > And this can be just one function with the directory creation file,
> > > just check the mode and you will be fine.  Look at securityfs as an
> > > example of how to make this simpler.
> > 
> > Actually, before you go down this route can you consider the namespace
> > ramifications.  In fact we're just having to rework securityfs to pull
> > out all the simple_pin_... calls because simple_pin_... is completely
> > inimical to namespaces.
> > 
> > The first thing to consider is if you simply use securityfs you'll
> > inherit all the simple_pin_... removal work and be namespace ready.  It
> > could be that creating a new filesystem that can't be namespaced is the
> > right thing to do here, but at least ask the question: would we ever
> > want any of these files to be presented selectively inside containers? 
> > If the answer is "yes" then simple_pin_... is the wrong interface.
> 
> Greg, the securityfs changes James is referring to are part of the IMA
> namespacing patch set:
> https://lore.kernel.org/linux-integrity/20220420140633.753772-1-stefanb@linux.ibm.com/
> 
> I'd really appreciate your reviewing the first two patches:
> [PATCH v12 01/26] securityfs: rework dentry creation
> [PATCH v12 02/26] securityfs: Extend securityfs with namespacing
> support

Looks like others have already reviewed them, they seem sane to me if
they past testing.

thanks,

greg k-h
Christian Brauner June 28, 2022, 1:25 p.m. UTC | #7
On Mon, Jun 27, 2022 at 09:37:28AM +0200, Greg Kroah-Hartman wrote:
> On Sun, Jun 26, 2022 at 11:48:06AM -0400, Mimi Zohar wrote:
> > On Thu, 2022-06-23 at 09:23 -0400, James Bottomley wrote:
> > > On Thu, 2022-06-23 at 10:54 +0200, Greg Kroah-Hartman wrote:
> > > [...]
> > > > > diff --git a/fs/fwsecurityfs/inode.c b/fs/fwsecurityfs/inode.c
> > > > > new file mode 100644
> > > > > index 000000000000..5d06dc0de059
> > > > > --- /dev/null
> > > > > +++ b/fs/fwsecurityfs/inode.c
> > > > > @@ -0,0 +1,159 @@
> > > > > +// SPDX-License-Identifier: GPL-2.0-only
> > > > > +/*
> > > > > + * Copyright (C) 2022 IBM Corporation
> > > > > + * Author: Nayna Jain <nayna@linux.ibm.com>
> > > > > + */
> > > > > +
> > > > > +#include <linux/sysfs.h>
> > > > > +#include <linux/kobject.h>
> > > > > +#include <linux/fs.h>
> > > > > +#include <linux/fs_context.h>
> > > > > +#include <linux/mount.h>
> > > > > +#include <linux/pagemap.h>
> > > > > +#include <linux/init.h>
> > > > > +#include <linux/namei.h>
> > > > > +#include <linux/security.h>
> > > > > +#include <linux/lsm_hooks.h>
> > > > > +#include <linux/magic.h>
> > > > > +#include <linux/ctype.h>
> > > > > +#include <linux/fwsecurityfs.h>
> > > > > +
> > > > > +#include "internal.h"
> > > > > +
> > > > > +int fwsecurityfs_remove_file(struct dentry *dentry)
> > > > > +{
> > > > > +	drop_nlink(d_inode(dentry));
> > > > > +	dput(dentry);
> > > > > +	return 0;
> > > > > +};
> > > > > +EXPORT_SYMBOL_GPL(fwsecurityfs_remove_file);
> > > > > +
> > > > > +int fwsecurityfs_create_file(const char *name, umode_t mode,
> > > > > +					u16 filesize, struct dentry
> > > > > *parent,
> > > > > +					struct dentry *dentry,
> > > > > +					const struct file_operations
> > > > > *fops)
> > > > > +{
> > > > > +	struct inode *inode;
> > > > > +	int error;
> > > > > +	struct inode *dir;
> > > > > +
> > > > > +	if (!parent)
> > > > > +		return -EINVAL;
> > > > > +
> > > > > +	dir = d_inode(parent);
> > > > > +	pr_debug("securityfs: creating file '%s'\n", name);
> > > > 
> > > > Did you forget to call simple_pin_fs() here or anywhere else?
> > > > 
> > > > And this can be just one function with the directory creation file,
> > > > just check the mode and you will be fine.  Look at securityfs as an
> > > > example of how to make this simpler.
> > > 
> > > Actually, before you go down this route can you consider the namespace
> > > ramifications.  In fact we're just having to rework securityfs to pull
> > > out all the simple_pin_... calls because simple_pin_... is completely
> > > inimical to namespaces.

I described this at length in the securityfs namespacing thread at
various points. simple_pin_*() should be avoided if possible. Ideally
the filesystem will just be cleaned up on umount. There might be a
reason to make it survive umounts if you have state that stays around
and somehow is intimately tied to that filesystem.

> > > 
> > > The first thing to consider is if you simply use securityfs you'll
> > > inherit all the simple_pin_... removal work and be namespace ready.  It
> > > could be that creating a new filesystem that can't be namespaced is the
> > > right thing to do here, but at least ask the question: would we ever
> > > want any of these files to be presented selectively inside containers? 
> > > If the answer is "yes" then simple_pin_... is the wrong interface.
> > 
> > Greg, the securityfs changes James is referring to are part of the IMA
> > namespacing patch set:
> > https://lore.kernel.org/linux-integrity/20220420140633.753772-1-stefanb@linux.ibm.com/
> > 
> > I'd really appreciate your reviewing the first two patches:
> > [PATCH v12 01/26] securityfs: rework dentry creation
> > [PATCH v12 02/26] securityfs: Extend securityfs with namespacing
> > support
> 
> Looks like others have already reviewed them, they seem sane to me if
> they past testing.

Thanks for taking a look.
diff mbox series

Patch

diff --git a/fs/Kconfig b/fs/Kconfig
index 5976eb33535f..19ea28143428 100644
--- a/fs/Kconfig
+++ b/fs/Kconfig
@@ -276,6 +276,7 @@  config ARCH_HAS_GIGANTIC_PAGE
 
 source "fs/configfs/Kconfig"
 source "fs/efivarfs/Kconfig"
+source "fs/fwsecurityfs/Kconfig"
 
 endmenu
 
diff --git a/fs/Makefile b/fs/Makefile
index 208a74e0b00e..5792cd0443cb 100644
--- a/fs/Makefile
+++ b/fs/Makefile
@@ -137,6 +137,7 @@  obj-$(CONFIG_F2FS_FS)		+= f2fs/
 obj-$(CONFIG_CEPH_FS)		+= ceph/
 obj-$(CONFIG_PSTORE)		+= pstore/
 obj-$(CONFIG_EFIVAR_FS)		+= efivarfs/
+obj-$(CONFIG_FWSECURITYFS)		+= fwsecurityfs/
 obj-$(CONFIG_EROFS_FS)		+= erofs/
 obj-$(CONFIG_VBOXSF_FS)		+= vboxsf/
 obj-$(CONFIG_ZONEFS_FS)		+= zonefs/
diff --git a/fs/fwsecurityfs/Kconfig b/fs/fwsecurityfs/Kconfig
new file mode 100644
index 000000000000..f1665511eeb9
--- /dev/null
+++ b/fs/fwsecurityfs/Kconfig
@@ -0,0 +1,14 @@ 
+# SPDX-License-Identifier: GPL-2.0-only
+#
+# Copyright (C) 2022 IBM Corporation
+# Author: Nayna Jain <nayna@linux.ibm.com>
+#
+
+config FWSECURITYFS
+	bool "Enable the fwsecurityfs filesystem"
+	help
+	  This will build the fwsecurityfs file system which is recommended
+	  to be mounted on /sys/firmware/security. This can be used by
+	  platforms to expose their variables which are managed by firmware.
+
+	  If you are unsure how to answer this question, answer N.
diff --git a/fs/fwsecurityfs/Makefile b/fs/fwsecurityfs/Makefile
new file mode 100644
index 000000000000..b9931d180178
--- /dev/null
+++ b/fs/fwsecurityfs/Makefile
@@ -0,0 +1,10 @@ 
+# SPDX-License-Identifier: GPL-2.0-only
+#
+# Copyright (C) 2022 IBM Corporation
+# Author: Nayna Jain <nayna@linux.ibm.com>
+#
+# Makefile for the firmware security filesystem
+
+obj-$(CONFIG_FWSECURITYFS)		+= fwsecurityfs.o
+
+fwsecurityfs-objs			:= inode.o super.o
diff --git a/fs/fwsecurityfs/inode.c b/fs/fwsecurityfs/inode.c
new file mode 100644
index 000000000000..5d06dc0de059
--- /dev/null
+++ b/fs/fwsecurityfs/inode.c
@@ -0,0 +1,159 @@ 
+// SPDX-License-Identifier: GPL-2.0-only
+/*
+ * Copyright (C) 2022 IBM Corporation
+ * Author: Nayna Jain <nayna@linux.ibm.com>
+ */
+
+#include <linux/sysfs.h>
+#include <linux/kobject.h>
+#include <linux/fs.h>
+#include <linux/fs_context.h>
+#include <linux/mount.h>
+#include <linux/pagemap.h>
+#include <linux/init.h>
+#include <linux/namei.h>
+#include <linux/security.h>
+#include <linux/lsm_hooks.h>
+#include <linux/magic.h>
+#include <linux/ctype.h>
+#include <linux/fwsecurityfs.h>
+
+#include "internal.h"
+
+int fwsecurityfs_remove_file(struct dentry *dentry)
+{
+	drop_nlink(d_inode(dentry));
+	dput(dentry);
+	return 0;
+};
+EXPORT_SYMBOL_GPL(fwsecurityfs_remove_file);
+
+int fwsecurityfs_create_file(const char *name, umode_t mode,
+					u16 filesize, struct dentry *parent,
+					struct dentry *dentry,
+					const struct file_operations *fops)
+{
+	struct inode *inode;
+	int error;
+	struct inode *dir;
+
+	if (!parent)
+		return -EINVAL;
+
+	dir = d_inode(parent);
+	pr_debug("securityfs: creating file '%s'\n", name);
+
+	inode = new_inode(dir->i_sb);
+	if (!inode) {
+		error = -ENOMEM;
+		goto out1;
+	}
+
+	inode->i_ino = get_next_ino();
+	inode->i_mode = mode;
+	inode->i_atime = inode->i_mtime = inode->i_ctime = current_time(inode);
+
+	if (fops)
+		inode->i_fop = fops;
+	else
+		inode->i_fop = &simple_dir_operations;
+
+	if (!dentry) {
+		dentry = fwsecurityfs_alloc_dentry(parent, name);
+		if (IS_ERR(dentry)) {
+			error = PTR_ERR(dentry);
+			goto out;
+		}
+	}
+
+	inode_lock(inode);
+	i_size_write(inode, filesize);
+	d_instantiate(dentry, inode);
+	dget(dentry);
+	d_add(dentry, inode);
+	inode_unlock(inode);
+	return 0;
+
+out1:
+	if (dentry)
+		dput(dentry);
+out:
+	return error;
+}
+EXPORT_SYMBOL_GPL(fwsecurityfs_create_file);
+
+struct dentry *fwsecurityfs_create_dir(const char *name, umode_t mode,
+				       struct dentry *parent,
+				       const struct inode_operations *iops)
+{
+	struct dentry *dentry;
+	struct inode *inode;
+	int error;
+	struct inode *dir;
+	struct super_block *fwsecsb;
+
+	if (!parent) {
+		fwsecsb = fwsecurityfs_get_superblock();
+		if (!fwsecsb)
+			return ERR_PTR(-EIO);
+		parent = fwsecsb->s_root;
+	}
+
+	dir = d_inode(parent);
+
+	inode_lock(dir);
+	dentry = lookup_one_len(name, parent, strlen(name));
+	if (IS_ERR(dentry))
+		goto out;
+
+	inode = new_inode(dir->i_sb);
+	if (!inode) {
+		error = -ENOMEM;
+		goto out1;
+	}
+
+	inode->i_ino = get_next_ino();
+	inode->i_mode = mode;
+	inode->i_atime = inode->i_mtime = inode->i_ctime = current_time(inode);
+	if (iops)
+		inode->i_op = iops;
+	else
+		inode->i_op = &simple_dir_inode_operations;
+	inode->i_fop = &simple_dir_operations;
+	inc_nlink(inode);
+	inc_nlink(dir);
+	d_instantiate(dentry, inode);
+	dget(dentry);
+	inode_unlock(dir);
+	return dentry;
+
+out1:
+	dput(dentry);
+	dentry = ERR_PTR(error);
+out:
+	inode_unlock(dir);
+	return dentry;
+}
+EXPORT_SYMBOL_GPL(fwsecurityfs_create_dir);
+
+int fwsecurityfs_remove_dir(struct dentry *dentry)
+{
+	struct inode *dir;
+
+	if (!dentry || IS_ERR(dentry))
+		return -EINVAL;
+
+	if (!d_is_dir(dentry))
+		return -EPERM;
+
+	dir = d_inode(dentry->d_parent);
+	inode_lock(dir);
+	if (simple_positive(dentry)) {
+		simple_rmdir(dir, dentry);
+		dput(dentry);
+	}
+	inode_unlock(dir);
+
+	return 0;
+}
+EXPORT_SYMBOL_GPL(fwsecurityfs_remove_dir);
diff --git a/fs/fwsecurityfs/internal.h b/fs/fwsecurityfs/internal.h
new file mode 100644
index 000000000000..b73f6d4b9504
--- /dev/null
+++ b/fs/fwsecurityfs/internal.h
@@ -0,0 +1,13 @@ 
+/* SPDX-License-Identifier: GPL-2.0 */
+/*
+ * Copyright (C) 2022 IBM Corporation
+ * Author: Nayna Jain <nayna@linux.ibm.com>
+ */
+
+#ifndef __FWSECURITYFS_INTERNAL_H
+#define __FWSECURITYFS_INTERNAL_H
+
+struct dentry *fwsecurityfs_alloc_dentry(struct dentry *parent,
+					 const char *name);
+
+#endif
diff --git a/fs/fwsecurityfs/super.c b/fs/fwsecurityfs/super.c
new file mode 100644
index 000000000000..9930889c22a5
--- /dev/null
+++ b/fs/fwsecurityfs/super.c
@@ -0,0 +1,154 @@ 
+// SPDX-License-Identifier: GPL-2.0-only
+/*
+ * Copyright (C) 2022 IBM Corporation
+ * Author: Nayna Jain <nayna@linux.ibm.com>
+ */
+
+#include <linux/sysfs.h>
+#include <linux/kobject.h>
+#include <linux/fs.h>
+#include <linux/fs_context.h>
+#include <linux/mount.h>
+#include <linux/pagemap.h>
+#include <linux/init.h>
+#include <linux/namei.h>
+#include <linux/security.h>
+#include <linux/lsm_hooks.h>
+#include <linux/magic.h>
+#include <linux/ctype.h>
+#include <linux/fwsecurityfs.h>
+
+#include "internal.h"
+
+static struct super_block *fwsecsb;
+
+struct super_block *fwsecurityfs_get_superblock(void)
+{
+	return fwsecsb;
+}
+
+static int fwsecurityfs_d_hash(const struct dentry *dir, struct qstr *this)
+{
+	unsigned long hash;
+	int i;
+
+	hash = init_name_hash(dir);
+	for (i = 0; i < this->len; i++)
+		hash = partial_name_hash(tolower(this->name[i]), hash);
+	this->hash = end_name_hash(hash);
+
+	return 0;
+}
+
+static int fwsecurityfs_d_compare(const struct dentry *dentry,
+				  unsigned int len, const char *str,
+				  const struct qstr *name)
+{
+	int i;
+	int result = 1;
+
+	if (len != name->len)
+		goto out;
+	for (i = 0; i < len; i++) {
+		if (tolower(str[i]) != tolower(name->name[i]))
+			goto out;
+	}
+	result = 0;
+out:
+	return result;
+}
+
+struct dentry *fwsecurityfs_alloc_dentry(struct dentry *parent, const char *name)
+{
+	struct dentry *d;
+	struct qstr q;
+	int err;
+
+	q.name = name;
+	q.len = strlen(name);
+
+	err = fwsecurityfs_d_hash(parent, &q);
+	if (err)
+		return ERR_PTR(err);
+
+	d = d_alloc(parent, &q);
+	if (d)
+		return d;
+
+	return ERR_PTR(-ENOMEM);
+}
+
+static const struct dentry_operations fwsecurityfs_d_ops = {
+	.d_compare = fwsecurityfs_d_compare,
+	.d_hash = fwsecurityfs_d_hash,
+	.d_delete = always_delete_dentry,
+};
+
+static const struct super_operations securityfs_super_operations = {
+	.statfs = simple_statfs,
+	.drop_inode = generic_delete_inode,
+};
+
+static int fwsecurityfs_fill_super(struct super_block *sb,
+				   struct fs_context *fc)
+{
+	static const struct tree_descr files[] = {{""}};
+	int error;
+
+	error = simple_fill_super(sb, FWSECURITYFS_MAGIC, files);
+	if (error)
+		return error;
+
+	sb->s_d_op = &fwsecurityfs_d_ops;
+
+	fwsecsb = sb;
+
+	error = arch_fwsecurity_init();
+	if (error)
+		pr_err("arch specific firmware initialization failed\n");
+
+	return 0;
+}
+
+static int fwsecurityfs_get_tree(struct fs_context *fc)
+{
+	return get_tree_single(fc, fwsecurityfs_fill_super);
+}
+
+static const struct fs_context_operations fwsecurityfs_context_ops = {
+	.get_tree	= fwsecurityfs_get_tree,
+};
+
+static int fwsecurityfs_init_fs_context(struct fs_context *fc)
+{
+	fc->ops = &fwsecurityfs_context_ops;
+	return 0;
+}
+
+static struct file_system_type fs_type = {
+	.owner =	THIS_MODULE,
+	.name =		"fwsecurityfs",
+	.init_fs_context = fwsecurityfs_init_fs_context,
+	.kill_sb =	kill_litter_super,
+};
+
+static int __init fwsecurityfs_init(void)
+{
+	int retval;
+
+	retval = sysfs_create_mount_point(firmware_kobj, "security");
+	if (retval)
+		return retval;
+
+	retval = register_filesystem(&fs_type);
+	if (retval) {
+		sysfs_remove_mount_point(firmware_kobj, "security");
+		return retval;
+	}
+
+	return 0;
+}
+core_initcall(fwsecurityfs_init);
+MODULE_DESCRIPTION("Firmware Security Filesystem");
+MODULE_AUTHOR("Nayna Jain");
+MODULE_LICENSE("GPL");
diff --git a/include/linux/fwsecurityfs.h b/include/linux/fwsecurityfs.h
new file mode 100644
index 000000000000..c079ce939f42
--- /dev/null
+++ b/include/linux/fwsecurityfs.h
@@ -0,0 +1,29 @@ 
+/* SPDX-License-Identifier: GPL-2.0 */
+/*
+ * Copyright (C) 2022 IBM Corporation
+ * Author: Nayna Jain <nayna@linux.ibm.com>
+ */
+
+#ifndef _FWSECURITYFS_H_
+#define _FWSECURITYFS_H_
+
+#include <linux/ctype.h>
+#include <linux/fs.h>
+
+struct super_block *fwsecurityfs_get_superblock(void);
+int fwsecurityfs_create_file(const char *name, umode_t mode,
+					u16 filesize, struct dentry *parent,
+					struct dentry *dentry,
+					const struct file_operations *fops);
+int fwsecurityfs_remove_file(struct dentry *dentry);
+struct dentry *fwsecurityfs_create_dir(const char *name, umode_t mode,
+				       struct dentry *parent,
+				       const struct inode_operations *iops);
+int fwsecurityfs_remove_dir(struct dentry *dentry);
+
+static int arch_fwsecurity_init(void)
+{
+	return 0;
+}
+
+#endif /* _FWSECURITYFS_H_ */
diff --git a/include/uapi/linux/magic.h b/include/uapi/linux/magic.h
index f724129c0425..3c6754937e15 100644
--- a/include/uapi/linux/magic.h
+++ b/include/uapi/linux/magic.h
@@ -53,6 +53,7 @@ 
 #define QNX4_SUPER_MAGIC	0x002f		/* qnx4 fs detection */
 #define QNX6_SUPER_MAGIC	0x68191122	/* qnx6 fs detection */
 #define AFS_FS_MAGIC		0x6B414653
+#define FWSECURITYFS_MAGIC         0x5345434e      /* "SECM" */
 
 
 #define REISERFS_SUPER_MAGIC	0x52654973	/* used by gcc */