Re: [RFC PATCH v3 00/13] Clavis LSM

2025-04-05 Thread Paul Moore
On Fri, Mar 21, 2025 at 5:21 PM Eric Snowberg wrote: > > On Mar 21, 2025, at 12:57 PM, Paul Moore wrote: > ... > > , but I will note that I don't recall you offering to step > > up and maintain Lockdown anywhere in this thread. > > I didn't realize that trying to contribute a new LSM and being wi

Re: [RFC PATCH v3 00/13] Clavis LSM

2025-04-05 Thread Paul Moore
On Fri, Mar 21, 2025 at 12:37 PM Eric Snowberg wrote: > > On Mar 20, 2025, at 3:36 PM, Paul Moore wrote: > > On Thu, Mar 20, 2025 at 12:29 PM Eric Snowberg > > wrote: > >>> On Mar 6, 2025, at 7:46 PM, Paul Moore wrote: > >>> On March 6, 2025 5:29:36 PM Eric Snowberg > >>> wrote: > > > > ...

Re: [RFC PATCH v3 00/13] Clavis LSM

2025-04-04 Thread Eric Snowberg
> On Mar 21, 2025, at 2:53 PM, James Bottomley > wrote: > > On Fri, 2025-03-21 at 20:15 +, Eric Snowberg wrote: >>> On Mar 21, 2025, at 10:55 AM, James Bottomley >>> wrote: > [...] Hopefully that is not the case, since the public key ships on just about every single PC built.

Re: [RFC PATCH v3 00/13] Clavis LSM

2025-04-04 Thread Paul Moore
On Fri, Mar 21, 2025 at 1:22 PM Jarkko Sakkinen wrote: > On Thu, Mar 20, 2025 at 05:36:41PM -0400, Paul Moore wrote: ... > > I want to address two things, the first, and most important, is that > > while I am currently employed by Microsoft, I do not speak for > > Microsoft and the decisions and

Re: [RFC PATCH v3 00/13] Clavis LSM

2025-03-21 Thread Paul Moore
On March 21, 2025 6:56:53 PM Eric Snowberg wrote: On Mar 21, 2025, at 4:13 PM, Paul Moore wrote: On Fri, Mar 21, 2025 at 5:21 PM Eric Snowberg wrote: On Mar 21, 2025, at 12:57 PM, Paul Moore wrote: ... , but I will note that I don't recall you offering to step up and maintain Lockdown any

Re: [RFC PATCH v3 00/13] Clavis LSM

2025-03-21 Thread Eric Snowberg
> On Mar 21, 2025, at 4:13 PM, Paul Moore wrote: > > On Fri, Mar 21, 2025 at 5:21 PM Eric Snowberg > wrote: >>> On Mar 21, 2025, at 12:57 PM, Paul Moore wrote: >> ... >>> , but I will note that I don't recall you offering to step >>> up and maintain Lockdown anywhere in this thread. >> >> I

Re: [RFC PATCH v3 00/13] Clavis LSM

2025-03-21 Thread Eric Snowberg
> On Mar 21, 2025, at 12:57 PM, Paul Moore wrote: ... > , but I will note that I don't recall you offering to step > up and maintain Lockdown anywhere in this thread. I didn't realize that trying to contribute a new LSM and being willing to be the maintainer of it also involved stepping up t

Re: [RFC PATCH v3 00/13] Clavis LSM

2025-03-21 Thread James Bottomley
On Fri, 2025-03-21 at 20:15 +, Eric Snowberg wrote: > > On Mar 21, 2025, at 10:55 AM, James Bottomley > > wrote: [...] > > > Hopefully that is not the case, since the public key ships on > > > just about every single PC built. > > > > I don't understand why Microsoft no longer owning the p

Re: [RFC PATCH v3 00/13] Clavis LSM

2025-03-21 Thread Eric Snowberg
> On Mar 21, 2025, at 10:55 AM, James Bottomley > wrote: > > On Fri, 2025-03-21 at 16:40 +, Eric Snowberg wrote: >>> On Mar 20, 2025, at 4:40 PM, James Bottomley >>> wrote: >>> >>> On Thu, 2025-03-20 at 16:24 +, Eric Snowberg wrote: Having lockdown enforcement has always been >

Re: [RFC PATCH v3 00/13] Clavis LSM

2025-03-21 Thread Eric Snowberg
> On Mar 20, 2025, at 3:36 PM, Paul Moore wrote: > > On Thu, Mar 20, 2025 at 12:29 PM Eric Snowberg > wrote: >>> On Mar 6, 2025, at 7:46 PM, Paul Moore wrote: >>> On March 6, 2025 5:29:36 PM Eric Snowberg wrote: > > ... > Does this mean Microsoft will begin signing shims in the futur

Re: [RFC PATCH v3 00/13] Clavis LSM

2025-03-21 Thread James Bottomley
On Fri, 2025-03-21 at 16:40 +, Eric Snowberg wrote: > > On Mar 20, 2025, at 4:40 PM, James Bottomley > > wrote: > > > > On Thu, 2025-03-20 at 16:24 +, Eric Snowberg wrote: > > > Having lockdown enforcement has always been > > > a requirement to get a shim signed by Microsoft. > > > > Th

Re: [RFC PATCH v3 00/13] Clavis LSM

2025-03-21 Thread Jarkko Sakkinen
On Thu, Mar 20, 2025 at 05:36:41PM -0400, Paul Moore wrote: > On Thu, Mar 20, 2025 at 12:29 PM Eric Snowberg > wrote: > > > On Mar 6, 2025, at 7:46 PM, Paul Moore wrote: > > > On March 6, 2025 5:29:36 PM Eric Snowberg > > > wrote: > > ... > > > >> Does this mean Microsoft will begin signing

Re: [RFC PATCH v3 00/13] Clavis LSM

2025-03-21 Thread Jarkko Sakkinen
On Thu, Mar 20, 2025 at 06:40:55PM -0400, James Bottomley wrote: > On Thu, 2025-03-20 at 16:24 +, Eric Snowberg wrote: > > Having lockdown enforcement has always been > > a requirement to get a shim signed by Microsoft. > > This is factually incorrect. Microsoft transferred shim signing to a

Re: [RFC PATCH v3 00/13] Clavis LSM

2025-03-21 Thread Eric Snowberg
> On Mar 20, 2025, at 4:40 PM, James Bottomley > wrote: > > On Thu, 2025-03-20 at 16:24 +, Eric Snowberg wrote: >> Having lockdown enforcement has always been >> a requirement to get a shim signed by Microsoft. > > This is factually incorrect. Microsoft transferred shim signing to an >

Re: [RFC PATCH v3 00/13] Clavis LSM

2025-03-20 Thread James Bottomley
On Thu, 2025-03-20 at 16:24 +, Eric Snowberg wrote: > Having lockdown enforcement has always been > a requirement to get a shim signed by Microsoft. This is factually incorrect. Microsoft transferred shim signing to an independent process run by a group of open source maintainers a while ago

Re: [RFC PATCH v3 00/13] Clavis LSM

2025-03-20 Thread Eric Snowberg
> On Mar 6, 2025, at 7:46 PM, Paul Moore wrote: > > On March 6, 2025 5:29:36 PM Eric Snowberg wrote: >>> On Mar 5, 2025, at 6:12 PM, Paul Moore wrote: >>> >>> On Wed, Mar 5, 2025 at 4:30 PM Eric Snowberg >>> wrote: > On Mar 4, 2025, at 5:23 PM, Paul Moore wrote: > On Tue, Mar 4, 2

Re: [RFC PATCH v3 00/13] Clavis LSM

2025-03-20 Thread Paul Moore
On Thu, Mar 20, 2025 at 12:29 PM Eric Snowberg wrote: > > On Mar 6, 2025, at 7:46 PM, Paul Moore wrote: > > On March 6, 2025 5:29:36 PM Eric Snowberg wrote: ... > >> Does this mean Microsoft will begin signing shims in the future without > >> the lockdown requirement? > > > > That's not a ques

Re: [RFC PATCH v3 00/13] Clavis LSM

2025-03-11 Thread Paul Moore
On March 6, 2025 5:29:36 PM Eric Snowberg wrote: On Mar 5, 2025, at 6:12 PM, Paul Moore wrote: On Wed, Mar 5, 2025 at 4:30 PM Eric Snowberg wrote: On Mar 4, 2025, at 5:23 PM, Paul Moore wrote: On Tue, Mar 4, 2025 at 9:47 AM Eric Snowberg wrote: On Mar 3, 2025, at 3:40 PM, Paul Moore wrot

Re: [RFC PATCH v3 00/13] Clavis LSM

2025-03-06 Thread Eric Snowberg
> On Mar 5, 2025, at 6:12 PM, Paul Moore wrote: > > On Wed, Mar 5, 2025 at 4:30 PM Eric Snowberg wrote: >>> On Mar 4, 2025, at 5:23 PM, Paul Moore wrote: >>> On Tue, Mar 4, 2025 at 9:47 AM Eric Snowberg >>> wrote: > On Mar 3, 2025, at 3:40 PM, Paul Moore wrote: > On Fri, Feb 28, 20

Re: [RFC PATCH v3 00/13] Clavis LSM

2025-03-05 Thread Paul Moore
On Wed, Mar 5, 2025 at 4:30 PM Eric Snowberg wrote: > > On Mar 4, 2025, at 5:23 PM, Paul Moore wrote: > > On Tue, Mar 4, 2025 at 9:47 AM Eric Snowberg > > wrote: > >>> On Mar 3, 2025, at 3:40 PM, Paul Moore wrote: > >>> On Fri, Feb 28, 2025 at 12:52 PM Eric Snowberg > >>> wrote: > > On F

Re: [RFC PATCH v3 00/13] Clavis LSM

2025-03-05 Thread Eric Snowberg
> On Mar 4, 2025, at 5:23 PM, Paul Moore wrote: > > On Tue, Mar 4, 2025 at 9:47 AM Eric Snowberg wrote: >>> On Mar 3, 2025, at 3:40 PM, Paul Moore wrote: >>> On Fri, Feb 28, 2025 at 12:52 PM Eric Snowberg >>> wrote: > On Feb 28, 2025, at 9:14 AM, Paul Moore wrote: > On Fri, Feb 28,

Re: [RFC PATCH v3 00/13] Clavis LSM

2025-03-04 Thread Paul Moore
On Tue, Mar 4, 2025 at 5:25 PM Jarkko Sakkinen wrote: > On Mon, Mar 03, 2025 at 05:40:54PM -0500, Paul Moore wrote: > > On Fri, Feb 28, 2025 at 12:52 PM Eric Snowberg > > wrote: > > > > On Feb 28, 2025, at 9:14 AM, Paul Moore wrote: > > > > On Fri, Feb 28, 2025 at 9:09 AM Mimi Zohar wrote: > >

Re: [RFC PATCH v3 00/13] Clavis LSM

2025-03-04 Thread Paul Moore
On Tue, Mar 4, 2025 at 9:20 PM Mimi Zohar wrote: > On Tue, 2025-03-04 at 21:09 -0500, Paul Moore wrote: > > On Tue, Mar 4, 2025 at 8:50 PM Mimi Zohar wrote: > > > On Tue, 2025-03-04 at 19:19 -0500, Paul Moore wrote: > > > > On Tue, Mar 4, 2025 at 7:54 AM Mimi Zohar wrote: > > > > > On Mon, 2025-

Re: [RFC PATCH v3 00/13] Clavis LSM

2025-03-04 Thread Mimi Zohar
On Tue, 2025-03-04 at 21:09 -0500, Paul Moore wrote: > On Tue, Mar 4, 2025 at 8:50 PM Mimi Zohar wrote: > > On Tue, 2025-03-04 at 19:19 -0500, Paul Moore wrote: > > > On Tue, Mar 4, 2025 at 7:54 AM Mimi Zohar wrote: > > > > On Mon, 2025-03-03 at 17:38 -0500, Paul Moore wrote: > > > > > On Fri, Fe

Re: [RFC PATCH v3 00/13] Clavis LSM

2025-03-04 Thread Paul Moore
On Tue, Mar 4, 2025 at 8:50 PM Mimi Zohar wrote: > On Tue, 2025-03-04 at 19:19 -0500, Paul Moore wrote: > > On Tue, Mar 4, 2025 at 7:54 AM Mimi Zohar wrote: > > > On Mon, 2025-03-03 at 17:38 -0500, Paul Moore wrote: > > > > On Fri, Feb 28, 2025 at 12:19 PM Mimi Zohar wrote: > > > > > On Fri, 202

Re: [RFC PATCH v3 00/13] Clavis LSM

2025-03-04 Thread Mimi Zohar
On Tue, 2025-03-04 at 19:19 -0500, Paul Moore wrote: > On Tue, Mar 4, 2025 at 7:54 AM Mimi Zohar wrote: > > On Mon, 2025-03-03 at 17:38 -0500, Paul Moore wrote: > > > On Fri, Feb 28, 2025 at 12:19 PM Mimi Zohar wrote: > > > > On Fri, 2025-02-28 at 11:14 -0500, Paul Moore wrote: > > > > > On Fri,

Re: [RFC PATCH v3 00/13] Clavis LSM

2025-03-04 Thread Jarkko Sakkinen
On Tue, Mar 04, 2025 at 07:25:13PM -0500, Paul Moore wrote: > On Tue, Mar 4, 2025 at 5:25 PM Jarkko Sakkinen wrote: > > On Mon, Mar 03, 2025 at 05:40:54PM -0500, Paul Moore wrote: > > > On Fri, Feb 28, 2025 at 12:52 PM Eric Snowberg > > > wrote: > > > > > On Feb 28, 2025, at 9:14 AM, Paul Moore

Re: [RFC PATCH v3 00/13] Clavis LSM

2025-03-04 Thread Paul Moore
On Tue, Mar 4, 2025 at 9:47 AM Eric Snowberg wrote: > > On Mar 3, 2025, at 3:40 PM, Paul Moore wrote: > > On Fri, Feb 28, 2025 at 12:52 PM Eric Snowberg > > wrote: > >>> On Feb 28, 2025, at 9:14 AM, Paul Moore wrote: > >>> On Fri, Feb 28, 2025 at 9:09 AM Mimi Zohar wrote: > On Thu, 2025-

Re: [RFC PATCH v3 00/13] Clavis LSM

2025-03-04 Thread Paul Moore
On Tue, Mar 4, 2025 at 7:54 AM Mimi Zohar wrote: > On Mon, 2025-03-03 at 17:38 -0500, Paul Moore wrote: > > On Fri, Feb 28, 2025 at 12:19 PM Mimi Zohar wrote: > > > On Fri, 2025-02-28 at 11:14 -0500, Paul Moore wrote: > > > > On Fri, Feb 28, 2025 at 9:09 AM Mimi Zohar wrote: > > > > > On Thu, 20

Re: [RFC PATCH v3 00/13] Clavis LSM

2025-03-04 Thread Jarkko Sakkinen
On Mon, Mar 03, 2025 at 05:40:54PM -0500, Paul Moore wrote: > On Fri, Feb 28, 2025 at 12:52 PM Eric Snowberg > wrote: > > > On Feb 28, 2025, at 9:14 AM, Paul Moore wrote: > > > On Fri, Feb 28, 2025 at 9:09 AM Mimi Zohar wrote: > > >> On Thu, 2025-02-27 at 17:22 -0500, Paul Moore wrote: > > >>>

Re: [RFC PATCH v3 00/13] Clavis LSM

2025-03-04 Thread Eric Snowberg
> On Mar 3, 2025, at 3:40 PM, Paul Moore wrote: > > On Fri, Feb 28, 2025 at 12:52 PM Eric Snowberg > wrote: >>> On Feb 28, 2025, at 9:14 AM, Paul Moore wrote: >>> On Fri, Feb 28, 2025 at 9:09 AM Mimi Zohar wrote: On Thu, 2025-02-27 at 17:22 -0500, Paul Moore wrote: > > I'd sti

Re: [RFC PATCH v3 00/13] Clavis LSM

2025-03-04 Thread Mimi Zohar
On Mon, 2025-03-03 at 17:38 -0500, Paul Moore wrote: > On Fri, Feb 28, 2025 at 12:19 PM Mimi Zohar wrote: > > On Fri, 2025-02-28 at 11:14 -0500, Paul Moore wrote: > > > On Fri, Feb 28, 2025 at 9:09 AM Mimi Zohar wrote: > > > > On Thu, 2025-02-27 at 17:22 -0500, Paul Moore wrote: > > ... > > > O

Re: [RFC PATCH v3 00/13] Clavis LSM

2025-03-03 Thread Paul Moore
On Fri, Feb 28, 2025 at 12:52 PM Eric Snowberg wrote: > > On Feb 28, 2025, at 9:14 AM, Paul Moore wrote: > > On Fri, Feb 28, 2025 at 9:09 AM Mimi Zohar wrote: > >> On Thu, 2025-02-27 at 17:22 -0500, Paul Moore wrote: > >>> > >>> I'd still also like to see some discussion about moving towards the

Re: [RFC PATCH v3 00/13] Clavis LSM

2025-03-03 Thread Paul Moore
On Fri, Feb 28, 2025 at 12:19 PM Mimi Zohar wrote: > On Fri, 2025-02-28 at 11:14 -0500, Paul Moore wrote: > > On Fri, Feb 28, 2025 at 9:09 AM Mimi Zohar wrote: > > > On Thu, 2025-02-27 at 17:22 -0500, Paul Moore wrote: ... > Ok, let's go through different scenarios to see if it would scale. > >

Re: [RFC PATCH v3 00/13] Clavis LSM

2025-03-01 Thread Jarkko Sakkinen
On Thu, Feb 27, 2025 at 03:41:18PM -0500, Mimi Zohar wrote: > On Mon, 2025-01-06 at 17:15 +, Eric Snowberg wrote: > > > > > On Jan 5, 2025, at 8:40 PM, Paul Moore wrote: > > > > > > On Fri, Jan 3, 2025 at 11:48 PM Paul Moore wrote: > > > > > > > > Regardless, back to Clavis ... reading qui

Re: [RFC PATCH v3 00/13] Clavis LSM

2025-02-28 Thread Jarkko Sakkinen
On Thu, Feb 27, 2025 at 05:22:22PM -0500, Paul Moore wrote: > On Thu, Feb 27, 2025 at 3:41 PM Mimi Zohar wrote: > > On Mon, 2025-01-06 at 17:15 +, Eric Snowberg wrote: > > > > On Jan 5, 2025, at 8:40 PM, Paul Moore wrote: > > > > On Fri, Jan 3, 2025 at 11:48 PM Paul Moore wrote: > > > > > >

Re: [RFC PATCH v3 00/13] Clavis LSM

2025-02-28 Thread Eric Snowberg
> On Feb 28, 2025, at 9:14 AM, Paul Moore wrote: > > On Fri, Feb 28, 2025 at 9:09 AM Mimi Zohar wrote: >> On Thu, 2025-02-27 at 17:22 -0500, Paul Moore wrote: >>> >>> I'd still also like to see some discussion about moving towards the >>> addition of keyrings oriented towards usage instead of

Re: [RFC PATCH v3 00/13] Clavis LSM

2025-02-28 Thread Mimi Zohar
On Fri, 2025-02-28 at 11:14 -0500, Paul Moore wrote: > On Fri, Feb 28, 2025 at 9:09 AM Mimi Zohar wrote: > > On Thu, 2025-02-27 at 17:22 -0500, Paul Moore wrote: > > > > > > I'd still also like to see some discussion about moving towards the > > > addition of keyrings oriented towards usage inste

Re: [RFC PATCH v3 00/13] Clavis LSM

2025-02-28 Thread Paul Moore
On Fri, Feb 28, 2025 at 9:09 AM Mimi Zohar wrote: > On Thu, 2025-02-27 at 17:22 -0500, Paul Moore wrote: > > > > I'd still also like to see some discussion about moving towards the > > addition of keyrings oriented towards usage instead of limiting > > ourselves to keyrings that are oriented on th

Re: [RFC PATCH v3 00/13] Clavis LSM

2025-02-28 Thread Mimi Zohar
On Thu, 2025-02-27 at 17:22 -0500, Paul Moore wrote: > On Thu, Feb 27, 2025 at 3:41 PM Mimi Zohar wrote: > > On Mon, 2025-01-06 at 17:15 +, Eric Snowberg wrote: > > > > On Jan 5, 2025, at 8:40 PM, Paul Moore wrote: > > > > On Fri, Jan 3, 2025 at 11:48 PM Paul Moore wrote: > > > > > > > > >

Re: [RFC PATCH v3 00/13] Clavis LSM

2025-02-27 Thread Paul Moore
On Thu, Feb 27, 2025 at 3:41 PM Mimi Zohar wrote: > On Mon, 2025-01-06 at 17:15 +, Eric Snowberg wrote: > > > On Jan 5, 2025, at 8:40 PM, Paul Moore wrote: > > > On Fri, Jan 3, 2025 at 11:48 PM Paul Moore wrote: > > > > > > > > Regardless, back to Clavis ... reading quickly through the cover

Re: [RFC PATCH v3 00/13] Clavis LSM

2025-02-27 Thread Mimi Zohar
On Mon, 2025-01-06 at 17:15 +, Eric Snowberg wrote: > > > On Jan 5, 2025, at 8:40 PM, Paul Moore wrote: > > > > On Fri, Jan 3, 2025 at 11:48 PM Paul Moore wrote: > > > > > > Regardless, back to Clavis ... reading quickly through the cover > > > letter again, I do somewhat wonder if this is

Re: [RFC PATCH v3 00/13] Clavis LSM

2025-01-03 Thread Paul Moore
On Fri, Jan 3, 2025 at 6:14 PM Eric Snowberg wrote: > > On Dec 23, 2024, at 5:09 AM, Mimi Zohar wrote: ... > > My main concern is not with Clavis per se, but that the LSM > > infrastructure allows configuring all the LSMs, but enabling at build time > > and > > modifying at runtime a subset of

Re: [RFC PATCH v3 00/13] Clavis LSM

2025-01-03 Thread Eric Snowberg
Hi Mimi, > On Dec 23, 2024, at 5:09 AM, Mimi Zohar wrote: > > On Thu, 2024-10-17 at 09:55 -0600, Eric Snowberg wrote: >> Motivation: >> >> Each end-user has their own security threat model. What is important to one >> end-user may not be important to another. There is not a right or wrong >> t

Re: [RFC PATCH v3 00/13] Clavis LSM

2024-12-23 Thread Mimi Zohar
On Thu, 2024-10-17 at 09:55 -0600, Eric Snowberg wrote: > Motivation: > > Each end-user has their own security threat model. What is important to one > end-user may not be important to another. There is not a right or wrong threat > model. > > A common request made when adding new kernel changes

[RFC PATCH v3 00/13] Clavis LSM

2024-10-17 Thread Eric Snowberg
Motivation: Each end-user has their own security threat model. What is important to one end-user may not be important to another. There is not a right or wrong threat model. A common request made when adding new kernel changes that could impact the threat model around system kernel keys is to add