> On Jun 4, 2024, at 11:59 AM, Jarkko Sakkinen <jar...@kernel.org> wrote: > > On Fri May 31, 2024 at 3:39 AM EEST, Eric Snowberg wrote: >> Introduce a new LSM called Clavis (Latin word meaning key). The motivation >> behind this LSM is to provide access control for system keys. Before >> spending >> more time on this LSM, I am sending this as an RFC to start a discussion to >> see >> if the current direction taken has a possibility of being accepted in the >> future. >> >> Today the kernel has the following system keyrings: .builtin_trusted_keyring, >> .secondary_trusted_keyring, and the .machine. It also has the .platform >> keyring which has limited capabilities; it can only be used to verify a >> kernel >> for kexec. > > Would be nice to have a reminder of applications for secondary keyrings > use cases of today [1]. It is not entirely clear for me, given that I > need personally just the builtin and machine keyring. This is not the > same as saying that it would not be useful, but it would clarity to > scope it a bit in the current state of the art. > >> >> Today the kernel also tracks key usage for verification done with any of >> these >> keys. Current verification usage includes: VERIFYING_MODULE_SIGNATURE, >> VERIFYING_FIRMWARE_SIGNATURE, VERIFYING_KEXEC_PE_SIGNATURE, >> VERIFYING_KEY_SIGNATURE, VERIFYING_KEY_SELF_SIGNATURE, and >> VERIFYING_UNSPECIFIED_SIGNATURE. After these usage types were originally >> introduced, most additions have typically used the >> VERIFYING_UNSPECIFIED_SIGNATURE. > > Since there are so many why not just format them as a list here? > > Maybe start the whole cover letter with exactly two lists: > > 1. All possible keyrings that are below described as "system keys", > and their purpose and scope (briefly). > 2. The above verification methods and exact same level of detail > for each. > > There's so much text here that maybe even subsections like: > > Background > ========== > > <Those two lists> > > Motivation > ========== > > <Motivation behind Clavis> > > Solution > ======== > > <Mechanics of Clavis> > > Would make reviewing this heck a lot easier as you can then focus in one > of these three parts. And I guess I have a brain of a goldfish ;-)
If you think that would make reviewing easier, I'll make these changes to the cover letter in the next round. Thanks.