Hi Eric, On Fri, 2025-01-03 at 23:27 +0000, Eric Snowberg wrote: > > > +config SECURITY_CLAVIS > > > + bool "Clavis keyring" > > > > Isn't SECURITY_CLAVIS the new LSM? Why is the bool defined as just "Clavis > > keyring"? > > > > > + depends on SECURITY > > > + select SYSTEM_DATA_VERIFICATION > > > + select CRYPTO_SHA256 > > > + help > > > + Enable the clavis keyring. This keyring shall contain a single > > > asymmetric key. > > > + This key shall be linked to a key already contained in one of the > > > system > > > + keyrings (builtin, secondary, or platform). One way to add this key > > > + is during boot by passing in the asymmetric key id within the > > > "clavis=" boot > > > + param. This keyring is required by the Clavis LSM. > > > > If SECURITY_CLAVIS is a new LSM, the 'help' shouldn't be limited to just the > > clavis keyring, but written at a higher level describing the new LSM. For > > example, > > > > This option enables the Clavis LSM, which provides the ability to configure > > and > > enforce the usage of keys contained on the system keyrings - > > .builtin_trusted_keys, .secondary_trusted_keys, .machine, and .platform > > keyrings. The clavis LSM defines a keyring named "clavis", which contains a > > single asymmetric key and the key usage rules. > > > > The single asymmetric key may be specified on the boot command line ... > > > > [The patch that introduces the key usage rules would add additional info > > here.] > > > > [The patch that adds the Documentatoin would add a reference here.] > > I went the route of creating the keyring in this patch and then introducing > the > LSM which uses it in a later patch. My reasoning was it can be tested > independently. Also, I thought it would make it easier to review, since > everything isn't contained within a single patch. I could look at combining > them together if you think that would be better.
SECURITY_CLAVIS is not just about the CLAVIS keyring, right? The Kconfig can be defined and used here, but eventually the SECURITY_CLAVIS "help" needs to be updated to describe the new LSM. thanks, Mimi
