From: Eric Snowberg <eric.snowberg@oracle.com>
To: linux-security-module@vger.kernel.org
Cc: dhowells@redhat.com, dwmw2@infradead.org,
herbert@gondor.apana.org.au, davem@davemloft.net,
ardb@kernel.org, jarkko@kernel.org, paul@paul-moore.com,
jmorris@namei.org, serge@hallyn.com, zohar@linux.ibm.com,
roberto.sassu@huawei.com, dmitry.kasatkin@gmail.com,
mic@digikod.net, casey@schaufler-ca.com, stefanb@linux.ibm.com,
eric.snowberg@oracle.com, linux-kernel@vger.kernel.org,
keyrings@vger.kernel.org, linux-crypto@vger.kernel.org,
linux-efi@vger.kernel.org, linux-integrity@vger.kernel.org
Subject: [PATCH RFC 2/8] clavis: Introduce a new system keyring called clavis
Date: Mon, 11 Mar 2024 12:11:05 -0400 [thread overview]
Message-ID: <20240311161111.3268190-3-eric.snowberg@oracle.com> (raw)
In-Reply-To: <20240311161111.3268190-1-eric.snowberg@oracle.com>
Introduce a new system keyring called clavis. This keyring shall contain a
single asymmetric key. This key shall be a linked to a key already
contained in one of the system keyrings (builtin, secondary, or platform).
The only way to add this key is during boot by passing in the asymmetric
key id within the new "clavis=" boot param. If a matching key is found in
one of the system keyrings, a link shall be created. This keyring will be
used in the future by the new Clavis LSM.
Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>
---
include/linux/security.h | 4 ++
security/Kconfig | 1 +
security/Makefile | 1 +
security/clavis/Kconfig | 9 ++++
security/clavis/Makefile | 3 ++
security/clavis/clavis_keyring.c | 90 ++++++++++++++++++++++++++++++++
security/integrity/iint.c | 2 +
7 files changed, 110 insertions(+)
create mode 100644 security/clavis/Kconfig
create mode 100644 security/clavis/Makefile
create mode 100644 security/clavis/clavis_keyring.c
diff --git a/include/linux/security.h b/include/linux/security.h
index 8436f9abf43d..94661398708a 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -508,6 +508,7 @@ int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen);
int security_locked_down(enum lockdown_reason what);
int lsm_fill_user_ctx(struct lsm_ctx __user *uctx, size_t *uctx_len,
void *val, size_t val_len, u64 id, u64 flags);
+void late_init_clavis_setup(void);
#else /* CONFIG_SECURITY */
static inline int call_blocking_lsm_notifier(enum lsm_event event, void *data)
@@ -2223,6 +2224,9 @@ static inline int security_uring_cmd(struct io_uring_cmd *ioucmd)
{
return 0;
}
+static inline void late_init_clavis_setup(void)
+{
+}
#endif /* CONFIG_SECURITY */
#endif /* CONFIG_IO_URING */
diff --git a/security/Kconfig b/security/Kconfig
index 52c9af08ad35..7f5a52b7cefd 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -194,6 +194,7 @@ source "security/yama/Kconfig"
source "security/safesetid/Kconfig"
source "security/lockdown/Kconfig"
source "security/landlock/Kconfig"
+source "security/clavis/Kconfig"
source "security/integrity/Kconfig"
diff --git a/security/Makefile b/security/Makefile
index 59f238490665..01eb82bdd74f 100644
--- a/security/Makefile
+++ b/security/Makefile
@@ -25,6 +25,7 @@ obj-$(CONFIG_SECURITY_LOCKDOWN_LSM) += lockdown/
obj-$(CONFIG_CGROUPS) += device_cgroup.o
obj-$(CONFIG_BPF_LSM) += bpf/
obj-$(CONFIG_SECURITY_LANDLOCK) += landlock/
+obj-$(CONFIG_SECURITY_CLAVIS_KEYRING) += clavis/
# Object integrity file lists
obj-$(CONFIG_INTEGRITY) += integrity/
diff --git a/security/clavis/Kconfig b/security/clavis/Kconfig
new file mode 100644
index 000000000000..ca72a9e43089
--- /dev/null
+++ b/security/clavis/Kconfig
@@ -0,0 +1,9 @@
+config SECURITY_CLAVIS_KEYRING
+ bool "Clavis keyring"
+ depends on SECURITY
+ help
+ Enable the clavis keyring. This keyring shall contain a single asymmetric key.
+ This key shall be linked to a key already contained in one of the system
+ keyrings (builtin, secondary, or platform). The only way to add this key
+ is during boot by passing in the asymmetric key id within the "clavis=" boot
+ param. This keyring is used by the Clavis LSM.
diff --git a/security/clavis/Makefile b/security/clavis/Makefile
new file mode 100644
index 000000000000..ff19c1e240fd
--- /dev/null
+++ b/security/clavis/Makefile
@@ -0,0 +1,3 @@
+# SPDX-License-Identifier: GPL-2.0
+
+obj-$(CONFIG_SECURITY_CLAVIS_KEYRING) += clavis_keyring.o
diff --git a/security/clavis/clavis_keyring.c b/security/clavis/clavis_keyring.c
new file mode 100644
index 000000000000..9f1aede81992
--- /dev/null
+++ b/security/clavis/clavis_keyring.c
@@ -0,0 +1,90 @@
+// SPDX-License-Identifier: GPL-2.0
+
+#include <linux/security.h>
+#include <keys/asymmetric-type.h>
+#include <keys/system_keyring.h>
+
+static struct key *clavis_keyring;
+static struct asymmetric_key_id *setup_keyid;
+
+#define MAX_BIN_KID 32
+
+static struct {
+ struct asymmetric_key_id id;
+ unsigned char data[MAX_BIN_KID];
+} setup_key;
+
+static int restrict_link_for_clavis(struct key *dest_keyring,
+ const struct key_type *type, const union key_payload *payload,
+ struct key *restrict_key)
+{
+ static bool first_pass = true;
+
+ /*
+ * Allow a single asymmetric key into this keyring. This key is used as the
+ * root of trust for anything added afterwards.
+ */
+ if (type == &key_type_asymmetric && dest_keyring == clavis_keyring && first_pass) {
+ first_pass = false;
+ return 0;
+ }
+
+ return -EOPNOTSUPP;
+}
+
+static int __init clavis_param(char *kid)
+{
+ struct asymmetric_key_id *p = &setup_key.id;
+ int error, hex_len, ascii_len = strlen(kid);
+
+ if (!kid)
+ return 1;
+
+ hex_len = ascii_len / 2;
+
+ if (hex_len > sizeof(setup_key.data))
+ return 1;
+
+ p->len = hex_len;
+ error = hex2bin(p->data, kid, p->len);
+
+ if (error < 0)
+ pr_err("Unparsable clavis key id\n");
+ else {
+ setup_keyid = p;
+ pr_info("clavis key id: %s\n", kid);
+ }
+
+ return 1;
+}
+__setup("clavis=", clavis_param);
+
+static int __init clavis_keyring_init(void)
+{
+ struct key_restriction *restriction;
+
+ restriction = kzalloc(sizeof(*restriction), GFP_KERNEL);
+ if (!restriction)
+ panic("Can't allocate clavis keyring restriction\n");
+ restriction->check = restrict_link_for_clavis;
+ clavis_keyring = keyring_alloc(".clavis",
+ GLOBAL_ROOT_UID, GLOBAL_ROOT_GID, current_cred(), KEY_POS_VIEW |
+ KEY_POS_READ | KEY_POS_SEARCH | KEY_POS_WRITE | KEY_USR_VIEW |
+ KEY_USR_READ | KEY_USR_SEARCH | KEY_USR_WRITE,
+ KEY_ALLOC_NOT_IN_QUOTA | KEY_ALLOC_SET_KEEP,
+ restriction, NULL);
+
+ if (IS_ERR(clavis_keyring))
+ panic("Can't allocate clavis keyring\n");
+
+ return 0;
+}
+
+void __init late_init_clavis_setup(void)
+{
+ if (!setup_keyid)
+ return;
+
+ clavis_keyring_init();
+ system_key_link(clavis_keyring, setup_keyid);
+}
diff --git a/security/integrity/iint.c b/security/integrity/iint.c
index 068ac6c2ae1e..87a8bfc0662f 100644
--- a/security/integrity/iint.c
+++ b/security/integrity/iint.c
@@ -36,6 +36,8 @@ int integrity_kernel_read(struct file *file, loff_t offset,
*/
void __init integrity_load_keys(void)
{
+ late_init_clavis_setup();
+
ima_load_x509();
if (!IS_ENABLED(CONFIG_IMA_LOAD_X509))
--
2.39.3
next prev parent reply other threads:[~2024-03-11 16:19 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-03-11 16:11 [PATCH RFC 0/8] Clavis LSM Eric Snowberg
2024-03-11 16:11 ` [PATCH RFC 1/8] certs: Introduce ability to link to a system key Eric Snowberg
2024-03-11 19:16 ` Jarkko Sakkinen
2024-03-11 21:29 ` Eric Snowberg
2024-03-11 19:18 ` Jarkko Sakkinen
2024-03-11 21:31 ` Eric Snowberg
2024-03-12 15:18 ` Jarkko Sakkinen
2024-03-12 6:00 ` [EXTERNAL] " Bharat Bhushan
2024-03-12 8:55 ` kernel test robot
2024-04-04 22:40 ` Mimi Zohar
2024-04-05 12:56 ` Eric Snowberg
2024-03-11 16:11 ` Eric Snowberg [this message]
2024-03-12 10:49 ` [PATCH RFC 2/8] clavis: Introduce a new system keyring called clavis kernel test robot
2024-03-11 16:11 ` [PATCH RFC 3/8] efi: Make clavis boot param persist across kexec Eric Snowberg
2024-03-11 16:11 ` [PATCH RFC 4/8] clavis: Prevent clavis boot param from changing during kexec Eric Snowberg
2024-03-11 16:11 ` [PATCH RFC 5/8] keys: Add new verification type (VERIFYING_CLAVIS_SIGNATURE) Eric Snowberg
2024-03-11 16:11 ` [PATCH RFC 6/8] keys: Add ability to track intended usage of the public key Eric Snowberg
2024-03-11 16:11 ` [PATCH RFC 7/8] clavis: Introduce a new key type called clavis_key_acl Eric Snowberg
2024-03-11 16:11 ` [PATCH RFC 8/8] clavis: Introduce new LSM called clavis Eric Snowberg
2024-03-12 2:45 ` Randy Dunlap
2024-03-12 14:04 ` Eric Snowberg
2024-03-12 8:10 ` kernel test robot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240311161111.3268190-3-eric.snowberg@oracle.com \
--to=eric.snowberg@oracle.com \
--cc=ardb@kernel.org \
--cc=casey@schaufler-ca.com \
--cc=davem@davemloft.net \
--cc=dhowells@redhat.com \
--cc=dmitry.kasatkin@gmail.com \
--cc=dwmw2@infradead.org \
--cc=herbert@gondor.apana.org.au \
--cc=jarkko@kernel.org \
--cc=jmorris@namei.org \
--cc=keyrings@vger.kernel.org \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-efi@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mic@digikod.net \
--cc=paul@paul-moore.com \
--cc=roberto.sassu@huawei.com \
--cc=serge@hallyn.com \
--cc=stefanb@linux.ibm.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.