On Thu, Sep 05, 2013 at 06:50:05AM -0400, Josh Boyer wrote:
On Wed, Sep 4, 2013 at 10:07 PM, Vivek Goyal
<vgoyal(a)redhat.com> wrote:
> On Wed, Sep 04, 2013 at 09:37:47PM -0400, Josh Boyer wrote:
>
> [..]
>> > +config BINFMT_ELF_SIG
>> > + bool "ELF binary signature verification"
>> > + depends on BINFMT_ELF
>> > + select INTEGRITY
>> > + select INTEGRITY_SIGNATURE
>> > + select INTEGRITY_ASYMMETRIC_KEYS
>> > + select IMA
>> > + select IMA_APPRAISE
>> > + select SYSTEM_TRUSTED_KEYRING
>> > + default n
>> > + ---help---
>> > + Check ELF binary signature verfication.
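Review bot: the help text under `---help---` is a single line with a typo ("verfication") and does not say what is verified or that enabling the option turns on INTEGRITY, IMA and IMA_APPRAISE through the six `select` lines. Kconfig's `select` forces a symbol on without evaluating that symbol's own `depends on`, so each selected symbol's prerequisites should be checked, or the heavier ones converted to `depends on`. `default n` is redundant for a `bool` and can be dropped.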
>>
>> Please don't do this. Yes, it's technically viable to select all the
>> things you need, but this turns on entire subsystems we don't have
>> enabled. In months when the maintainers have long forgotten about
>> this, we have to go figure out what turned on INTEGRITY and IMA
>> because they aren't explicitly set in the config-* fragments. It's
>> really frustrating.
>>
>> Instead, please make BINFMT_ELF_SIG depend on
>> INTEGRITY_ASYMMETRIC_KEYS and IMA_APPRAISE, then explicitly enable the
>> options you need in config-x86-generic. Lump them together and
>> include a comment at the top about what piece of functionality needs
>> them.
>
> Josh,
>
> I don't think that will make a lot of sense. When a user wants to enable
> a feature, I think it is better that anything that feature depends on
> is selected automatically.

There are very few users that are going to want this feature. Why
would they?

It does not matter how many users are going to use it. Thing is, if
I run make menuconfig and if I enable elf binary signature verification,
it should automatically select all the dependencies.

The Kconfig help text doesn't say anything at all about
what this is, it doesn't list the limitations present (no shared
libraries, etc), and it doesn't explain that it adds in entire
subsystems. The help text could use additions to cover all that.

That's more about help text improvement. But that's not an argument to
not do it this way. I can improve the help text, that's not a problem.

> I have had very frustrating experiences when I do "make menuconfig" and
> the options I want to enable are not there in menu because they are
> dependent on something else which is not enabled.

If you knew about the option before you ran "make menuconfig", then
you clearly saw it in the Kconfig file and should have been able to
read what it depends on.

> How on the earth a user is supposed to know that BINFMT_ELF_SIG is
> dependent on IMA, IMA_APPRAISE, SYSTEM_TRUSTED_KEYRING
> INTEGRITY_SIGNATURE, INTEGRITY_ASYMMETRIC_KEYS etc.

Frankly, an end user won't care. This isn't a general purpose signed
binary option. It's limited to statically linked, no interpreted ELF
binaries. Also, this is the Fedora kernel list. We'll enable this
either way and a user gets what we build.

I think you are doing it in reverse. I am really not a fan of making
this feature *depend* on all the obscure options and leave it as an
exercise for the developer to figure out all dependencies. I find it
much more intuitive to automatically select dependencies.

And if you disable this feature in fedora, I think all the automatically
selected dependencies will automatically be deselected? So you don't
have to worry either.

Thanks
Vivek