[PATCH v3 0/4] new dracut modules

[PATCH v3 0/4] new dracut modules

[Roberto Sassu]

[-- Attachment #1: Type: text/plain, Size: 2076 bytes --]

Hi all

i'm reposting the patch set which allows to mount the securityfs filesystem
from the initial ramdisk and introduces three new modules: masterkey,
integrity and ecryptfs.

Changelog from version v2:
* masterkey: added MULTIKERNELMODE configuration variable;
* {masterkey,integrity, ecryptfs}: modified some debug messages for better
  clarity;
* ecryptfs: ECRYPTFS_EXTRA_MOUNT_OPTS configuration variable set to empty;
* ecryptfs: replaced ECRYPTFSDIR with ECRYPTFSSRCDIR and ECRYPTFSDSTDIR.

Roberto Sassu


Roberto Sassu (4):
  base/init: mount the securityfs filesystem
  dracut: added new module masterkey
  dracut: added new module integrity
  dracut: added new module ecryptfs

 dracut.kernel.7.xml                      |   29 +++++++++
 modules.d/97masterkey/README             |   68 ++++++++++++++++++++
 modules.d/97masterkey/masterkey.sh       |   75 ++++++++++++++++++++++
 modules.d/97masterkey/module-setup.sh    |   25 ++++++++
 modules.d/98ecryptfs/README              |   50 +++++++++++++++
 modules.d/98ecryptfs/ecryptfs-mount.sh   |  100 ++++++++++++++++++++++++++++++
 modules.d/98ecryptfs/module-setup.sh     |   20 ++++++
 modules.d/98integrity/README             |   40 ++++++++++++
 modules.d/98integrity/evm-enable.sh      |   91 +++++++++++++++++++++++++++
 modules.d/98integrity/ima-policy-load.sh |   41 ++++++++++++
 modules.d/98integrity/module-setup.sh    |   17 +++++
 modules.d/99base/init                    |    6 ++
 12 files changed, 562 insertions(+), 0 deletions(-)
 create mode 100644 modules.d/97masterkey/README
 create mode 100755 modules.d/97masterkey/masterkey.sh
 create mode 100755 modules.d/97masterkey/module-setup.sh
 create mode 100644 modules.d/98ecryptfs/README
 create mode 100755 modules.d/98ecryptfs/ecryptfs-mount.sh
 create mode 100755 modules.d/98ecryptfs/module-setup.sh
 create mode 100644 modules.d/98integrity/README
 create mode 100755 modules.d/98integrity/evm-enable.sh
 create mode 100755 modules.d/98integrity/ima-policy-load.sh
 create mode 100755 modules.d/98integrity/module-setup.sh

-- 
1.7.4.4


[-- Attachment #2: smime.p7s --]
[-- Type: application/x-pkcs7-signature, Size: 2061 bytes --]

[PATCH v3 1/4] base/init: mount the securityfs filesystem

[Roberto Sassu]

[-- Attachment #1: Type: text/plain, Size: 963 bytes --]

Mount the securityfs filesystem and make available its location through the
exported variable SECURITYFSDIR.

Signed-off-by: Roberto Sassu <roberto.sassu-8RLafaVCWuNeoWH0uzbU5w@public.gmane.org>
Acked-by: Gianluca Ramunno <ramunno-8RLafaVCWuNeoWH0uzbU5w@public.gmane.org>
---
 modules.d/99base/init |    6 ++++++
 1 files changed, 6 insertions(+), 0 deletions(-)

diff --git a/modules.d/99base/init b/modules.d/99base/init
index 5975b25..e2bbf3d 100755
--- a/modules.d/99base/init
+++ b/modules.d/99base/init
@@ -84,6 +84,12 @@ RD_DEBUG=""
 [ ! -d /sys/kernel ] && \
     mount -t sysfs -o nosuid,noexec,nodev sysfs /sys >/dev/null 2>&1
 
+SECURITYFSDIR="/sys/kernel/security"
+export SECURITYFSDIR
+if ! ismounted "${SECURITYFSDIR}"; then
+    mount -t securityfs -o nosuid,noexec,nodev ${SECURITYFSDIR} ${SECURITYFSDIR} >/dev/null 2>&1
+fi
+
 if [ -x /lib/systemd/systemd-timestamp ]; then
     RD_TIMESTAMP=$(/lib/systemd/systemd-timestamp)
 else
-- 
1.7.4.4


[-- Attachment #2: smime.p7s --]
[-- Type: application/x-pkcs7-signature, Size: 2061 bytes --]

[PATCH v3 2/4] dracut: added new module masterkey

[Roberto Sassu]

[-- Attachment #1: Type: text/plain, Size: 9028 bytes --]

This module initializes a trusted/user kernel master key that will be used
to decrypt other encrypted keys.

Signed-off-by: Roberto Sassu <roberto.sassu-8RLafaVCWuNeoWH0uzbU5w@public.gmane.org>
Acked-by: Gianluca Ramunno <ramunno-8RLafaVCWuNeoWH0uzbU5w@public.gmane.org>
---
 dracut.kernel.7.xml                   |   17 +++++++
 modules.d/97masterkey/README          |   68 +++++++++++++++++++++++++++++
 modules.d/97masterkey/masterkey.sh    |   75 +++++++++++++++++++++++++++++++++
 modules.d/97masterkey/module-setup.sh |   25 +++++++++++
 4 files changed, 185 insertions(+), 0 deletions(-)
 create mode 100644 modules.d/97masterkey/README
 create mode 100755 modules.d/97masterkey/masterkey.sh
 create mode 100755 modules.d/97masterkey/module-setup.sh

diff --git a/dracut.kernel.7.xml b/dracut.kernel.7.xml
index a277c74..3fac18b 100644
--- a/dracut.kernel.7.xml
+++ b/dracut.kernel.7.xml
@@ -703,6 +703,23 @@ rd.znet=ctc,0.0.0600,0.0.0601,0.0.0602,protocol=bar</programlisting></para>
         </varlistentry>
       </variablelist>
     </refsect2>
+   <refsect2>
+      <title>Kernel keys</title>
+      <variablelist>
+        <varlistentry>
+          <term><envar>masterkey=</envar><replaceable>&lt;kernel master key path name&gt;</replaceable></term>
+          <listitem>
+            <para>Set the path name of the kernel master key. e.g.: <programlisting>masterkey=/etc/keys/kmk-trusted.blob</programlisting></para>
+          </listitem>
+        </varlistentry>
+        <varlistentry>
+          <term><envar>masterkeytype=</envar><replaceable>&lt;kernel master key type&gt;</replaceable></term>
+          <listitem>
+            <para>Set the type of the kernel master key. e.g.: <programlisting>masterkeytype=trusted</programlisting></para>
+          </listitem>
+        </varlistentry>
+      </variablelist>
+    </refsect2>
     <refsect2>
       <title>Deprecated, renamed Options</title>
       <para>Here is a list of options, which were used in dracut prior to version 008, and their new replacement.</para>
diff --git a/modules.d/97masterkey/README b/modules.d/97masterkey/README
new file mode 100644
index 0000000..524ccfc
--- /dev/null
+++ b/modules.d/97masterkey/README
@@ -0,0 +1,68 @@
+# Directions for creating the kernel master key that will be used for
+# encrypting/decrypting other keys.
+
+# A trusted key is a TPM random number, which is only ever exposed to
+# userspace as an encrypted datablob. A trusted key can be sealed to a
+# set of PCR values. For more details on trusted keys, refer to the
+# kernel keys-trusted-encrypted.txt documentation.
+$ keyctl add trusted kmk-trusted "new 32" @u
+801713097
+
+# For those systems which don't have a TPM, but want to experiment with
+# encrypted keys, create a user key of 32 random bytes. Unlike
+# trusted/encrypted keys, user type key data is visible to userspace.
+$ keyctl add user kmk-user "`dd if=/dev/urandom bs=1 count=32 2>/dev/null`" @u
+144468621
+
+# Save the kernel master key (trusted type):
+$ su -c 'keyctl pipe `keyctl search @u trusted kmk-trusted` > /etc/keys/kmk-trusted.blob'
+
+# or (user type):
+$ su -c 'keyctl pipe `keyctl search @u user kmk-user` > /etc/keys/kmk-user.blob'
+
+# A useful feature of trusted keys is that it is possible to prevent their
+# unsealing at later time by providing the parameter 'pcrlock=<pcrnum>' when
+# loading it, which causes the PCR #<pcrnum> to be extended with a random value.
+# Actually, the <pcrnum> variable is set to '11' to let users experiment with
+# this feature by using a register that is never extended during the boot,
+# making the re-sealing not necessary. In the future, the kernel master key will
+# be sealed to the PCR #14 which is extended, according to the TrustedGRUB
+# documentation[1], to the measure of the kernel and the initial ramdisk.
+
+# The kernel master key path name and type can be set in one of the following
+# ways (specified in the order in which variables are overwritten):
+
+1) use default values:
+--------------------------------------------------------------------------
+MULTIKERNELMODE="NO"
+MASTERKEYTYPE="trusted"
+MASTERKEY="/etc/keys/kmk-${MASTERKEYTYPE}.blob"
+--------------------------------------------------------------------------
+
+2) create the configuration file '/etc/sysconfig/masterkey' to override the
+value of one or all variables;
+
+3) specify these parameters in the kernel command line:
+- masterkey=</kernel/master/key/path>, to override the MASTERKEY variable;
+- masterkeytype=<kernel-master-key-type>, to override the MASTERKEYTYPE variable.
+
+# The variable MULTIKERNELMODE has been introduced to support multi boot
+# configurations, where a trusted/user key is tied to a specific kernel and
+# initial ramdisk. In this case, setting MULTIKERNELMODE to 'YES' will cause the
+# kernel version to be added to the default masterkey path name, so that the
+# MASTERKEY variable should not be overridden each time a different kernel is
+# chosen. The default value of MASTERKEY will be equal to:
+--------------------------------------------------------------------------
+MASTERKEY="/etc/keys/kmk-${MASTERKEYTYPE}-$(uname -r).blob"
+--------------------------------------------------------------------------
+
+# The masterkey path name also depends on the value of MASTERKEYTYPE, as reported
+# in the default values for defined variables. For example, if only MASTERKEYTYPE
+# is overridden by setting it to 'user' in the configuration file or from the
+# kernel command line, the value of MASTERKEY will be:
+--------------------------------------------------------------------------
+MASTERKEY="/etc/keys/kmk-user.blob"
+--------------------------------------------------------------------------
+
+
+[1] https://projects.sirrix.com/trac/trustedgrub/
diff --git a/modules.d/97masterkey/masterkey.sh b/modules.d/97masterkey/masterkey.sh
new file mode 100755
index 0000000..0cd009a
--- /dev/null
+++ b/modules.d/97masterkey/masterkey.sh
@@ -0,0 +1,75 @@
+#!/bin/sh
+# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
+# ex: ts=8 sw=4 sts=4 et filetype=sh
+
+# Licensed under the GPLv2
+#
+# Copyright (C) 2011 Politecnico di Torino, Italy
+#                    TORSEC group -- http://security.polito.it
+# Roberto Sassu <roberto.sassu-8RLafaVCWuNeoWH0uzbU5w@public.gmane.org>
+
+MASTERKEYSCONFIG="${NEWROOT}/etc/sysconfig/masterkey"
+MULTIKERNELMODE="NO"
+PCRLOCKNUM=11
+
+load_masterkey()
+{
+    # read the configuration from the config file
+    [ -f "${MASTERKEYSCONFIG}" ] && \
+        . ${MASTERKEYSCONFIG}
+
+    # override the kernel master key path name from the 'masterkey=' parameter
+    # in the kernel command line
+    MASTERKEYARG=$(getarg masterkey=)
+    [ $? -eq 0 ] && \
+        MASTERKEY=${MASTERKEYARG}
+
+    # override the kernel master key type from the 'masterkeytype=' parameter
+    # in the kernel command line
+    MASTERKEYTYPEARG=$(getarg masterkeytype=)
+    [ $? -eq 0 ] && \
+        MASTERKEYTYPE=${MASTERKEYTYPEARG}
+
+    # set default values
+    [ -z "${MASTERKEYTYPE}" ] && \
+        MASTERKEYTYPE="trusted"
+
+    if [ -z "${MASTERKEY}" ]; then
+        # append the kernel version to the default masterkey path name
+        # if MULTIKERNELMODE is set to YES
+        if [ "${MULTIKERNELMODE}" = "YES" ]; then
+            MASTERKEY="/etc/keys/kmk-${MASTERKEYTYPE}-$(uname -r).blob"
+        else
+            MASTERKEY="/etc/keys/kmk-${MASTERKEYTYPE}.blob"
+        fi
+    fi
+
+    # set the kernel master key path name
+    MASTERKEYPATH="${NEWROOT}${MASTERKEY}"
+
+    # check for kernel master key's existence
+    if [ ! -f "${MASTERKEYPATH}" ]; then
+        if [ "${RD_DEBUG}" = "yes" ]; then
+            info "masterkey: kernel master key file not found: ${MASTERKEYPATH}"
+        fi
+        return 1
+    fi
+
+    # read the kernel master key blob
+    KEYBLOB=$(cat ${MASTERKEYPATH})
+
+    # add the 'load' prefix if the key type is 'trusted'
+    [ "${MASTERKEYTYPE}" = "trusted" ] && \
+        KEYBLOB="load ${KEYBLOB} pcrlock=${PCRLOCKNUM}"
+
+    # load the kernel master key
+    info "Loading the kernel master key"
+    keyctl add "${MASTERKEYTYPE}" "kmk-${MASTERKEYTYPE}" "${KEYBLOB}" @u >/dev/null || {
+        info "masterkey: failed to load the kernel master key: kmk-${MASTERKEYTYPE}";
+        return 1;
+    }
+
+    return 0
+}
+
+load_masterkey
diff --git a/modules.d/97masterkey/module-setup.sh b/modules.d/97masterkey/module-setup.sh
new file mode 100755
index 0000000..64f164b
--- /dev/null
+++ b/modules.d/97masterkey/module-setup.sh
@@ -0,0 +1,25 @@
+#!/bin/bash
+# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
+# ex: ts=8 sw=4 sts=4 et filetype=sh
+
+check() {
+    [ "$1" = "-h" ] && {
+        [ -x "/bin/keyctl" ] || return 1
+    }
+
+    return 0
+}
+
+depends() {
+    return 0
+}
+
+installkernel() {
+    instmods trusted encrypted
+}
+
+install() {
+    inst keyctl
+    inst uname
+    inst_hook pre-pivot 60 "$moddir/masterkey.sh"
+}
-- 
1.7.4.4


[-- Attachment #2: smime.p7s --]
[-- Type: application/x-pkcs7-signature, Size: 2061 bytes --]

[PATCH v3 3/4] dracut: added new module integrity

[Roberto Sassu]

[-- Attachment #1: Type: text/plain, Size: 7751 bytes --]

This module initializes the EVM software and permits to load a custom IMA
policy.

Signed-off-by: Roberto Sassu <roberto.sassu-8RLafaVCWuNeoWH0uzbU5w@public.gmane.org>
Acked-by: Gianluca Ramunno <ramunno-8RLafaVCWuNeoWH0uzbU5w@public.gmane.org>
---
 dracut.kernel.7.xml                      |    6 ++
 modules.d/98integrity/README             |   40 +++++++++++++
 modules.d/98integrity/evm-enable.sh      |   91 ++++++++++++++++++++++++++++++
 modules.d/98integrity/ima-policy-load.sh |   41 +++++++++++++
 modules.d/98integrity/module-setup.sh    |   17 ++++++
 5 files changed, 195 insertions(+), 0 deletions(-)
 create mode 100644 modules.d/98integrity/README
 create mode 100755 modules.d/98integrity/evm-enable.sh
 create mode 100755 modules.d/98integrity/ima-policy-load.sh
 create mode 100755 modules.d/98integrity/module-setup.sh

diff --git a/dracut.kernel.7.xml b/dracut.kernel.7.xml
index 3fac18b..759871b 100644
--- a/dracut.kernel.7.xml
+++ b/dracut.kernel.7.xml
@@ -718,6 +718,12 @@ rd.znet=ctc,0.0.0600,0.0.0601,0.0.0602,protocol=bar</programlisting></para>
             <para>Set the type of the kernel master key. e.g.: <programlisting>masterkeytype=trusted</programlisting></para>
           </listitem>
         </varlistentry>
+        <varlistentry>
+          <term><envar>evmkey=</envar><replaceable>&lt;EVM key path name&gt;</replaceable></term>
+          <listitem>
+            <para>Set the path name of the EVM key. e.g.: <programlisting>evmkey=/etc/keys/evm-trusted.blob</programlisting></para>
+          </listitem>
+        </varlistentry>
       </variablelist>
     </refsect2>
     <refsect2>
diff --git a/modules.d/98integrity/README b/modules.d/98integrity/README
new file mode 100644
index 0000000..d74e063
--- /dev/null
+++ b/modules.d/98integrity/README
@@ -0,0 +1,40 @@
+# Directions for creating the encrypted key that will be used to initialize
+# the EVM software.
+
+# Create the EVM key (encrypted key type)
+#
+# The encrypted key is a random number encrypted/decrypted using the
+# kernel master key.  The encrypted key is only exposed to userspace
+# as an encrypted datablob.
+$ keyctl add encrypted evm-key "new trusted:kmk-trusted 32" @u
+782117972
+
+# Save the encrypted key
+$ su -c 'keyctl pipe `keyctl search @u encrypted evm_key` > /etc/keys/evm-trusted.blob'
+
+# The EVM key path name can be set in one of the following ways (specified in
+# the order in which the variable is overwritten):
+
+1) use the default value:
+--------------------------------------------------------------------------
+EVMKEY="/etc/keys/evm-trusted.blob"
+--------------------------------------------------------------------------
+
+2) create the configuration file '/etc/sysconfig/evm' and set the EVMKEY variable;
+
+3) specify the EVM key path name in the 'evmkey=' parameter of the kernel command
+line.
+
+
+# Directions for loading a custom IMA policy.
+
+# Write the policy following the instructions provided in the file
+# 'Documentation/ABI/testing/ima_policy' of the kernel documentation.
+
+# Save the policy in a file.
+
+# Create the configuration file '/etc/sysconfig/ima' to override the path name of
+# the IMA custom policy.
+------------- '/etc/sysconfig/ima' (with the default value) -------------
+IMAPOLICY="/etc/sysconfig/ima-policy"
+-------------------------------------------------------------------------
diff --git a/modules.d/98integrity/evm-enable.sh b/modules.d/98integrity/evm-enable.sh
new file mode 100755
index 0000000..a4cdf45
--- /dev/null
+++ b/modules.d/98integrity/evm-enable.sh
@@ -0,0 +1,91 @@
+#!/bin/sh
+# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
+# ex: ts=8 sw=4 sts=4 et filetype=sh
+
+# Licensed under the GPLv2
+#
+# Copyright (C) 2011 Politecnico di Torino, Italy
+#                    TORSEC group -- http://security.polito.it
+# Roberto Sassu <roberto.sassu-8RLafaVCWuNeoWH0uzbU5w@public.gmane.org>
+
+EVMSECFILE="${SECURITYFSDIR}/evm"
+EVMCONFIG="${NEWROOT}/etc/sysconfig/evm"
+EVMKEYDESC="evm-key"
+EVMKEYTYPE="encrypted"
+EVMKEYID=""
+
+load_evm_key()
+{
+    # read the configuration from the config file
+    [ -f "${EVMCONFIG}" ] && \
+        . ${EVMCONFIG}
+
+    # override the EVM key path name from the 'evmkey=' parameter in the kernel
+    # command line
+    EVMKEYARG=$(getarg evmkey=)
+    [ $? -eq 0 ] && \
+        EVMKEY=${EVMKEYARG}
+
+    # set the default value
+    [ -z "${EVMKEY}" ] && \
+        EVMKEY="/etc/keys/evm-trusted.blob";
+
+    # set the EVM key path name
+    EVMKEYPATH="${NEWROOT}${EVMKEY}"
+
+    # check for EVM encrypted key's existence
+    if [ ! -f "${EVMKEYPATH}" ]; then
+        if [ "${RD_DEBUG}" = "yes" ]; then
+            info "integrity: EVM encrypted key file not found: ${EVMKEYPATH}"
+        fi
+        return 1
+    fi
+
+    # read the EVM encrypted key blob
+    KEYBLOB=$(cat ${EVMKEYPATH})
+
+    # load the EVM encrypted key
+    EVMKEYID=$(keyctl add ${EVMKEYTYPE} ${EVMKEYDESC} "load ${KEYBLOB}" @u)
+    [ $? -eq 0 ] || {
+        info "integrity: failed to load the EVM encrypted key: ${EVMKEYDESC}";
+        return 1;
+    }
+
+    return 0
+}
+
+unload_evm_key()
+{
+    # unlink the EVM encrypted key
+    keyctl unlink ${EVMKEYID} @u || {
+        info "integrity: failed to unlink the EVM encrypted key: ${EVMKEYDESC}";
+        return 1;
+    }
+
+    return 0
+}
+
+enable_evm()
+{
+    # check kernel support for EVM
+    if [ ! -e "${EVMSECFILE}" ]; then
+        if [ "${RD_DEBUG}" = "yes" ]; then
+            info "integrity: EVM kernel support is disabled"
+        fi
+        return 0
+    fi
+
+    # load the EVM encrypted key
+    load_evm_key || return 1
+
+    # initialize EVM
+    info "Enabling EVM"
+    echo 1 > ${EVMSECFILE}
+
+    # unload the EVM encrypted key
+    unload_evm_key || return 1
+
+    return 0
+}
+
+enable_evm
diff --git a/modules.d/98integrity/ima-policy-load.sh b/modules.d/98integrity/ima-policy-load.sh
new file mode 100755
index 0000000..55c98bb
--- /dev/null
+++ b/modules.d/98integrity/ima-policy-load.sh
@@ -0,0 +1,41 @@
+#!/bin/sh
+# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
+# ex: ts=8 sw=4 sts=4 et filetype=sh
+
+# Licensed under the GPLv2
+#
+# Copyright (C) 2011 Politecnico di Torino, Italy
+#                    TORSEC group -- http://security.polito.it
+# Roberto Sassu <roberto.sassu-8RLafaVCWuNeoWH0uzbU5w@public.gmane.org>
+
+IMASECDIR="${SECURITYFSDIR}/ima"
+IMACONFIG="${NEWROOT}/etc/sysconfig/ima"
+IMAPOLICY="/etc/sysconfig/ima-policy"
+
+load_ima_policy()
+{
+    # check kernel support for IMA
+    if [ ! -e "${IMASECDIR}" ]; then
+        if [ "${RD_DEBUG}" = "yes" ]; then
+            info "integrity: IMA kernel support is disabled"
+        fi
+        return 0
+    fi
+
+    # override the default configuration
+    [ -f "${IMACONFIG}" ] && \
+        . ${IMACONFIG}
+
+    # set the IMA policy path name
+    IMAPOLICYPATH="${NEWROOT}${IMAPOLICY}"
+
+    # check the existence of the IMA policy file
+    [ -f "${IMAPOLICYPATH}" ] && {
+        info "Loading the provided IMA custom policy";
+        cat ${IMAPOLICYPATH} > ${IMASECDIR}/policy;
+    }
+
+    return 0
+}
+
+load_ima_policy
diff --git a/modules.d/98integrity/module-setup.sh b/modules.d/98integrity/module-setup.sh
new file mode 100755
index 0000000..f1b97fd
--- /dev/null
+++ b/modules.d/98integrity/module-setup.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
+# ex: ts=8 sw=4 sts=4 et filetype=sh
+
+check() {
+    return 0
+}
+
+depends() {
+    echo masterkey
+    return 0
+}
+
+install() {
+    inst_hook pre-pivot 61 "$moddir/evm-enable.sh"
+    inst_hook pre-pivot 62 "$moddir/ima-policy-load.sh"
+}
-- 
1.7.4.4


[-- Attachment #2: smime.p7s --]
[-- Type: application/x-pkcs7-signature, Size: 2061 bytes --]

[PATCH v3 4/4] dracut: added new module ecryptfs

[Roberto Sassu]

[-- Attachment #1: Type: text/plain, Size: 7862 bytes --]

This module mounts an eCryptfs filesystem from the initial ramdisk using an
encrypted key.

Signed-off-by: Roberto Sassu <roberto.sassu-8RLafaVCWuNeoWH0uzbU5w@public.gmane.org>
Acked-by: Gianluca Ramunno <ramunno-8RLafaVCWuNeoWH0uzbU5w@public.gmane.org>
---
 dracut.kernel.7.xml                    |    6 ++
 modules.d/98ecryptfs/README            |   50 ++++++++++++++++
 modules.d/98ecryptfs/ecryptfs-mount.sh |  100 ++++++++++++++++++++++++++++++++
 modules.d/98ecryptfs/module-setup.sh   |   20 ++++++
 4 files changed, 176 insertions(+), 0 deletions(-)
 create mode 100644 modules.d/98ecryptfs/README
 create mode 100755 modules.d/98ecryptfs/ecryptfs-mount.sh
 create mode 100755 modules.d/98ecryptfs/module-setup.sh

diff --git a/dracut.kernel.7.xml b/dracut.kernel.7.xml
index 759871b..c5d74d0 100644
--- a/dracut.kernel.7.xml
+++ b/dracut.kernel.7.xml
@@ -724,6 +724,12 @@ rd.znet=ctc,0.0.0600,0.0.0601,0.0.0602,protocol=bar</programlisting></para>
             <para>Set the path name of the EVM key. e.g.: <programlisting>evmkey=/etc/keys/evm-trusted.blob</programlisting></para>
           </listitem>
         </varlistentry>
+        <varlistentry>
+          <term><envar>ecryptfskey=</envar><replaceable>&lt;eCryptfs key path name&gt;</replaceable></term>
+          <listitem>
+            <para>Set the path name of the eCryptfs key. e.g.: <programlisting>ecryptfskey=/etc/keys/ecryptfs-trusted.blob</programlisting></para>
+          </listitem>
+        </varlistentry>
       </variablelist>
     </refsect2>
     <refsect2>
diff --git a/modules.d/98ecryptfs/README b/modules.d/98ecryptfs/README
new file mode 100644
index 0000000..f741c54
--- /dev/null
+++ b/modules.d/98ecryptfs/README
@@ -0,0 +1,50 @@
+# Directions for creating the encrypted key that will be used to mount an
+# eCryptfs filesystem
+
+# Create the eCryptfs key (encrypted key type)
+#
+# The encrypted key type supports two formats: the 'default' format allows
+# to generate a random symmetric key of the length specified, the 'ecryptfs'
+# format generates an authentication token for the eCryptfs filesystem,
+# which contains a randomly generated key. Two requirements for the latter
+# format is that the key description must contain exactly 16 hexadecimal
+# characters and that the encrypted key length must be equal to 64.
+$ keyctl add encrypted 1000100010001000 "new ecryptfs trusted:kmk-trusted 64" @u
+782117972
+
+# Save the encrypted key
+$ su -c 'keyctl pipe `keyctl search @u encrypted 1000100010001000` > /etc/keys/ecryptfs-trusted.blob'
+
+# The eCryptfs key path name can be set in one of the following ways (specified in
+# the order in which the variable is overwritten):
+
+1) use the default value:
+--------------------------------------------------------------------------
+ECRYPTFSKEY="/etc/keys/ecryptfs-trusted.blob"
+--------------------------------------------------------------------------
+
+2) create the configuration file '/etc/sysconfig/ecryptfs' and set the ECRYPTFSKEY
+variable;
+
+3) specify the eCryptfs key path name in the 'ecryptfskey=' parameter of the kernel command
+line.
+
+# The configuration file '/etc/sysconfig/ecryptfs' is also used to specify
+# more options for mounting the eCryptfs filesystem:
+
+ECRYPTFSSRCDIR: existent directory in the lower root filesystem;
+ECRYPTFSDSTDIR: mount point directory for the eCryptfs filesystem (the directory must be
+                created in the root filesystem before rebooting the platform);
+ECRYPTFS_EXTRA_MOUNT_OPTS: extra mount options for the eCryptfs filesystem (the 'ecryptfs_sig'
+                           option is automatically added by the dracut script).
+
+# Example of the configuration file:
+----------- '/etc/sysconfig/ecryptfs' (with default values) -----------
+ECRYPTFS_KEY="/etc/keys/ecryptfs-trusted.blob"
+ECRYPTFSSRCDIR="/secret"
+ECRYPTFSDSTDIR="${ECRYPTFSSRCDIR}"
+ECRYPTFS_EXTRA_MOUNT_OPTS=""
+-----------------------------------------------------------------------
+
+# If the variable ECRYPTFSDSTDIR is not specified in the configuration file,
+# its value will be equal to that of ECRYPTFSSRCDIR.
diff --git a/modules.d/98ecryptfs/ecryptfs-mount.sh b/modules.d/98ecryptfs/ecryptfs-mount.sh
new file mode 100755
index 0000000..2f67716
--- /dev/null
+++ b/modules.d/98ecryptfs/ecryptfs-mount.sh
@@ -0,0 +1,100 @@
+#!/bin/sh
+# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
+# ex: ts=8 sw=4 sts=4 et filetype=sh
+
+# Licensed under the GPLv2
+#
+# Copyright (C) 2011 Politecnico di Torino, Italy
+#                    TORSEC group -- http://security.polito.it
+# Roberto Sassu <roberto.sassu-8RLafaVCWuNeoWH0uzbU5w@public.gmane.org>
+
+ECRYPTFSCONFIG="${NEWROOT}/etc/sysconfig/ecryptfs"
+ECRYPTFSKEYTYPE="encrypted"
+ECRYPTFSKEYDESC="1000100010001000"
+ECRYPTFSKEYID=""
+ECRYPTFSSRCDIR="/secret"
+ECRYPTFS_EXTRA_MOUNT_OPTS=""
+
+load_ecryptfs_key()
+{
+    # override the eCryptfs key path name from the 'ecryptfskey=' parameter in the kernel
+    # command line
+    ECRYPTFSKEYARG=$(getarg ecryptfskey=)
+    [ $? -eq 0 ] && \
+        ECRYPTFSKEY=${ECRYPTFSKEYARG}
+
+    # set the default value
+    [ -z "${ECRYPTFSKEY}" ] && \
+        ECRYPTFSKEY="/etc/keys/ecryptfs-trusted.blob";
+
+    # set the eCryptfs key path name
+    ECRYPTFSKEYPATH="${NEWROOT}${ECRYPTFSKEY}"
+
+    # check for eCryptfs encrypted key's existence
+    if [ ! -f "${ECRYPTFSKEYPATH}" ]; then
+        if [ "${RD_DEBUG}" = "yes" ]; then
+            info "eCryptfs: key file not found: ${ECRYPTFSKEYPATH}"
+        fi
+        return 1
+    fi
+
+    # read the eCryptfs encrypted key blob
+    KEYBLOB=$(cat ${ECRYPTFSKEYPATH})
+
+    # load the eCryptfs encrypted key blob
+    ECRYPTFSKEYID=$(keyctl add ${ECRYPTFSKEYTYPE} ${ECRYPTFSKEYDESC} "load ${KEYBLOB}" @u)
+    [ $? -eq 0 ] || {
+        info "eCryptfs: failed to load the eCryptfs key: ${ECRYPTFSKEYDESC}";
+        return 1;
+    }
+
+    return 0
+}
+
+unload_ecryptfs_key()
+{
+    # unlink the eCryptfs encrypted key
+    keyctl unlink ${ECRYPTFSKEYID} @u || {
+        info "eCryptfs: failed to unlink the eCryptfs key: ${ECRYPTFSKEYDESC}";
+        return 1;
+    }
+
+    return 0
+}
+
+mount_ecryptfs()
+{
+    # read the configuration from the config file
+    [ -f "${ECRYPTFSCONFIG}" ] && \
+        . ${ECRYPTFSCONFIG}
+
+    # load the eCryptfs encrypted key
+    load_ecryptfs_key || return 1
+
+    # set the default value for ECRYPTFSDSTDIR
+    [ -z "${ECRYPTFSDSTDIR}" ] && \
+        ECRYPTFSDSTDIR=${ECRYPTFSSRCDIR}
+
+    # set the eCryptfs filesystem mount point
+    ECRYPTFSSRCMNT="${NEWROOT}${ECRYPTFSSRCDIR}"
+    ECRYPTFSDSTMNT="${NEWROOT}${ECRYPTFSDSTDIR}"
+
+    # build the mount options variable
+    ECRYPTFS_MOUNT_OPTS="ecryptfs_sig=${ECRYPTFSKEYDESC}"
+    [ ! -z "${ECRYPTFS_EXTRA_MOUNT_OPTS}" ] && \
+        ECRYPTFS_MOUNT_OPTS="${ECRYPTFS_MOUNT_OPTS},${ECRYPTFS_EXTRA_MOUNT_OPTS}"
+
+    # mount the eCryptfs filesystem
+    info "Mounting the configured eCryptfs filesystem"
+    mount -i -t ecryptfs -o${ECRYPTFS_MOUNT_OPTS} ${ECRYPTFSSRCMNT} ${ECRYPTFSDSTMNT} >/dev/null || {
+        info "eCryptfs: mount of the eCryptfs filesystem failed";
+        return 1;
+    }
+
+    # unload the eCryptfs encrypted key
+    unload_ecryptfs_key || return 1
+
+    return 0
+}
+
+mount_ecryptfs
diff --git a/modules.d/98ecryptfs/module-setup.sh b/modules.d/98ecryptfs/module-setup.sh
new file mode 100755
index 0000000..56c2d41
--- /dev/null
+++ b/modules.d/98ecryptfs/module-setup.sh
@@ -0,0 +1,20 @@
+#!/bin/bash
+# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
+# ex: ts=8 sw=4 sts=4 et filetype=sh
+
+check() {
+    return 0
+}
+
+depends() {
+    echo masterkey
+    return 0
+}
+
+installkernel() {
+    instmods ecryptfs
+}
+
+install() {
+    inst_hook pre-pivot 63 "$moddir/ecryptfs-mount.sh"
+}
-- 
1.7.4.4


[-- Attachment #2: smime.p7s --]
[-- Type: application/x-pkcs7-signature, Size: 2061 bytes --]

Re: [PATCH v3 4/4] dracut: added new module ecryptfs

[Tyler Hicks]

On Fri Jul 08, 2011 at 02:11:02PM +0200, Roberto Sassu <roberto.sassu@polito.it> wrote:
> This module mounts an eCryptfs filesystem from the initial ramdisk using an
> encrypted key.
> 
> Signed-off-by: Roberto Sassu <roberto.sassu@polito.it>
> Acked-by: Gianluca Ramunno <ramunno@polito.it>

Thanks for the quick update.

Acked-by: Tyler Hicks <tyhicks@linux.vnet.ibm.com>

> ---
>  dracut.kernel.7.xml                    |    6 ++
>  modules.d/98ecryptfs/README            |   50 ++++++++++++++++
>  modules.d/98ecryptfs/ecryptfs-mount.sh |  100 ++++++++++++++++++++++++++++++++
>  modules.d/98ecryptfs/module-setup.sh   |   20 ++++++
>  4 files changed, 176 insertions(+), 0 deletions(-)
>  create mode 100644 modules.d/98ecryptfs/README
>  create mode 100755 modules.d/98ecryptfs/ecryptfs-mount.sh
>  create mode 100755 modules.d/98ecryptfs/module-setup.sh
> 
> diff --git a/dracut.kernel.7.xml b/dracut.kernel.7.xml
> index 759871b..c5d74d0 100644
> --- a/dracut.kernel.7.xml
> +++ b/dracut.kernel.7.xml
> @@ -724,6 +724,12 @@ rd.znet=ctc,0.0.0600,0.0.0601,0.0.0602,protocol=bar</programlisting></para>
>              <para>Set the path name of the EVM key. e.g.: <programlisting>evmkey=/etc/keys/evm-trusted.blob</programlisting></para>
>            </listitem>
>          </varlistentry>
> +        <varlistentry>
> +          <term><envar>ecryptfskey=</envar><replaceable>&lt;eCryptfs key path name&gt;</replaceable></term>
> +          <listitem>
> +            <para>Set the path name of the eCryptfs key. e.g.: <programlisting>ecryptfskey=/etc/keys/ecryptfs-trusted.blob</programlisting></para>
> +          </listitem>
> +        </varlistentry>
>        </variablelist>
>      </refsect2>
>      <refsect2>
> diff --git a/modules.d/98ecryptfs/README b/modules.d/98ecryptfs/README
> new file mode 100644
> index 0000000..f741c54
> --- /dev/null
> +++ b/modules.d/98ecryptfs/README
> @@ -0,0 +1,50 @@
> +# Directions for creating the encrypted key that will be used to mount an
> +# eCryptfs filesystem
> +
> +# Create the eCryptfs key (encrypted key type)
> +#
> +# The encrypted key type supports two formats: the 'default' format allows
> +# to generate a random symmetric key of the length specified, the 'ecryptfs'
> +# format generates an authentication token for the eCryptfs filesystem,
> +# which contains a randomly generated key. Two requirements for the latter
> +# format is that the key description must contain exactly 16 hexadecimal
> +# characters and that the encrypted key length must be equal to 64.
> +$ keyctl add encrypted 1000100010001000 "new ecryptfs trusted:kmk-trusted 64" @u
> +782117972
> +
> +# Save the encrypted key
> +$ su -c 'keyctl pipe `keyctl search @u encrypted 1000100010001000` > /etc/keys/ecryptfs-trusted.blob'
> +
> +# The eCryptfs key path name can be set in one of the following ways (specified in
> +# the order in which the variable is overwritten):
> +
> +1) use the default value:
> +--------------------------------------------------------------------------
> +ECRYPTFSKEY="/etc/keys/ecryptfs-trusted.blob"
> +--------------------------------------------------------------------------
> +
> +2) create the configuration file '/etc/sysconfig/ecryptfs' and set the ECRYPTFSKEY
> +variable;
> +
> +3) specify the eCryptfs key path name in the 'ecryptfskey=' parameter of the kernel command
> +line.
> +
> +# The configuration file '/etc/sysconfig/ecryptfs' is also used to specify
> +# more options for mounting the eCryptfs filesystem:
> +
> +ECRYPTFSSRCDIR: existent directory in the lower root filesystem;
> +ECRYPTFSDSTDIR: mount point directory for the eCryptfs filesystem (the directory must be
> +                created in the root filesystem before rebooting the platform);
> +ECRYPTFS_EXTRA_MOUNT_OPTS: extra mount options for the eCryptfs filesystem (the 'ecryptfs_sig'
> +                           option is automatically added by the dracut script).
> +
> +# Example of the configuration file:
> +----------- '/etc/sysconfig/ecryptfs' (with default values) -----------
> +ECRYPTFS_KEY="/etc/keys/ecryptfs-trusted.blob"
> +ECRYPTFSSRCDIR="/secret"
> +ECRYPTFSDSTDIR="${ECRYPTFSSRCDIR}"
> +ECRYPTFS_EXTRA_MOUNT_OPTS=""
> +-----------------------------------------------------------------------
> +
> +# If the variable ECRYPTFSDSTDIR is not specified in the configuration file,
> +# its value will be equal to that of ECRYPTFSSRCDIR.
> diff --git a/modules.d/98ecryptfs/ecryptfs-mount.sh b/modules.d/98ecryptfs/ecryptfs-mount.sh
> new file mode 100755
> index 0000000..2f67716
> --- /dev/null
> +++ b/modules.d/98ecryptfs/ecryptfs-mount.sh
> @@ -0,0 +1,100 @@
> +#!/bin/sh
> +# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
> +# ex: ts=8 sw=4 sts=4 et filetype=sh
> +
> +# Licensed under the GPLv2
> +#
> +# Copyright (C) 2011 Politecnico di Torino, Italy
> +#                    TORSEC group -- http://security.polito.it
> +# Roberto Sassu <roberto.sassu@polito.it>
> +
> +ECRYPTFSCONFIG="${NEWROOT}/etc/sysconfig/ecryptfs"
> +ECRYPTFSKEYTYPE="encrypted"
> +ECRYPTFSKEYDESC="1000100010001000"
> +ECRYPTFSKEYID=""
> +ECRYPTFSSRCDIR="/secret"
> +ECRYPTFS_EXTRA_MOUNT_OPTS=""
> +
> +load_ecryptfs_key()
> +{
> +    # override the eCryptfs key path name from the 'ecryptfskey=' parameter in the kernel
> +    # command line
> +    ECRYPTFSKEYARG=$(getarg ecryptfskey=)
> +    [ $? -eq 0 ] && \
> +        ECRYPTFSKEY=${ECRYPTFSKEYARG}
> +
> +    # set the default value
> +    [ -z "${ECRYPTFSKEY}" ] && \
> +        ECRYPTFSKEY="/etc/keys/ecryptfs-trusted.blob";
> +
> +    # set the eCryptfs key path name
> +    ECRYPTFSKEYPATH="${NEWROOT}${ECRYPTFSKEY}"
> +
> +    # check for eCryptfs encrypted key's existence
> +    if [ ! -f "${ECRYPTFSKEYPATH}" ]; then
> +        if [ "${RD_DEBUG}" = "yes" ]; then
> +            info "eCryptfs: key file not found: ${ECRYPTFSKEYPATH}"
> +        fi
> +        return 1
> +    fi
> +
> +    # read the eCryptfs encrypted key blob
> +    KEYBLOB=$(cat ${ECRYPTFSKEYPATH})
> +
> +    # load the eCryptfs encrypted key blob
> +    ECRYPTFSKEYID=$(keyctl add ${ECRYPTFSKEYTYPE} ${ECRYPTFSKEYDESC} "load ${KEYBLOB}" @u)
> +    [ $? -eq 0 ] || {
> +        info "eCryptfs: failed to load the eCryptfs key: ${ECRYPTFSKEYDESC}";
> +        return 1;
> +    }
> +
> +    return 0
> +}
> +
> +unload_ecryptfs_key()
> +{
> +    # unlink the eCryptfs encrypted key
> +    keyctl unlink ${ECRYPTFSKEYID} @u || {
> +        info "eCryptfs: failed to unlink the eCryptfs key: ${ECRYPTFSKEYDESC}";
> +        return 1;
> +    }
> +
> +    return 0
> +}
> +
> +mount_ecryptfs()
> +{
> +    # read the configuration from the config file
> +    [ -f "${ECRYPTFSCONFIG}" ] && \
> +        . ${ECRYPTFSCONFIG}
> +
> +    # load the eCryptfs encrypted key
> +    load_ecryptfs_key || return 1
> +
> +    # set the default value for ECRYPTFSDSTDIR
> +    [ -z "${ECRYPTFSDSTDIR}" ] && \
> +        ECRYPTFSDSTDIR=${ECRYPTFSSRCDIR}
> +
> +    # set the eCryptfs filesystem mount point
> +    ECRYPTFSSRCMNT="${NEWROOT}${ECRYPTFSSRCDIR}"
> +    ECRYPTFSDSTMNT="${NEWROOT}${ECRYPTFSDSTDIR}"
> +
> +    # build the mount options variable
> +    ECRYPTFS_MOUNT_OPTS="ecryptfs_sig=${ECRYPTFSKEYDESC}"
> +    [ ! -z "${ECRYPTFS_EXTRA_MOUNT_OPTS}" ] && \
> +        ECRYPTFS_MOUNT_OPTS="${ECRYPTFS_MOUNT_OPTS},${ECRYPTFS_EXTRA_MOUNT_OPTS}"
> +
> +    # mount the eCryptfs filesystem
> +    info "Mounting the configured eCryptfs filesystem"
> +    mount -i -t ecryptfs -o${ECRYPTFS_MOUNT_OPTS} ${ECRYPTFSSRCMNT} ${ECRYPTFSDSTMNT} >/dev/null || {
> +        info "eCryptfs: mount of the eCryptfs filesystem failed";
> +        return 1;
> +    }
> +
> +    # unload the eCryptfs encrypted key
> +    unload_ecryptfs_key || return 1
> +
> +    return 0
> +}
> +
> +mount_ecryptfs
> diff --git a/modules.d/98ecryptfs/module-setup.sh b/modules.d/98ecryptfs/module-setup.sh
> new file mode 100755
> index 0000000..56c2d41
> --- /dev/null
> +++ b/modules.d/98ecryptfs/module-setup.sh
> @@ -0,0 +1,20 @@
> +#!/bin/bash
> +# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
> +# ex: ts=8 sw=4 sts=4 et filetype=sh
> +
> +check() {
> +    return 0
> +}
> +
> +depends() {
> +    echo masterkey
> +    return 0
> +}
> +
> +installkernel() {
> +    instmods ecryptfs
> +}
> +
> +install() {
> +    inst_hook pre-pivot 63 "$moddir/ecryptfs-mount.sh"
> +}
> -- 
> 1.7.4.4
> 

Re: [PATCH v3 0/4] new dracut modules

[Mimi Zohar]

On Fri, 2011-07-08 at 14:10 +0200, Roberto Sassu wrote:
> Hi all
> 
> i'm reposting the patch set which allows to mount the securityfs filesystem
> from the initial ramdisk and introduces three new modules: masterkey,
> integrity and ecryptfs.
> 
> Changelog from version v2:
> * masterkey: added MULTIKERNELMODE configuration variable;
> * {masterkey,integrity, ecryptfs}: modified some debug messages for better
>   clarity;
> * ecryptfs: ECRYPTFS_EXTRA_MOUNT_OPTS configuration variable set to empty;
> * ecryptfs: replaced ECRYPTFSDIR with ECRYPTFSSRCDIR and ECRYPTFSDSTDIR.
> 
> Roberto Sassu

Nice! For patches 1 - 3,

Acked-by: Mimi Zohar <zohar-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>

thanks,

Mimi

Re: [PATCH v3 0/4] new dracut modules

[Harald Hoyer]

On 08.07.2011 14:10, Roberto Sassu wrote:
> Hi all
> 
> i'm reposting the patch set which allows to mount the securityfs filesystem
> from the initial ramdisk and introduces three new modules: masterkey,
> integrity and ecryptfs.
> 
> Changelog from version v2:
> * masterkey: added MULTIKERNELMODE configuration variable;
> * {masterkey,integrity, ecryptfs}: modified some debug messages for better
>   clarity;
> * ecryptfs: ECRYPTFS_EXTRA_MOUNT_OPTS configuration variable set to empty;
> * ecryptfs: replaced ECRYPTFSDIR with ECRYPTFSSRCDIR and ECRYPTFSDSTDIR.
> 
> Roberto Sassu
> 
> 
> Roberto Sassu (4):
>   base/init: mount the securityfs filesystem
>   dracut: added new module masterkey
>   dracut: added new module integrity
>   dracut: added new module ecryptfs
> 
>  dracut.kernel.7.xml                      |   29 +++++++++
>  modules.d/97masterkey/README             |   68 ++++++++++++++++++++
>  modules.d/97masterkey/masterkey.sh       |   75 ++++++++++++++++++++++
>  modules.d/97masterkey/module-setup.sh    |   25 ++++++++
>  modules.d/98ecryptfs/README              |   50 +++++++++++++++
>  modules.d/98ecryptfs/ecryptfs-mount.sh   |  100 ++++++++++++++++++++++++++++++
>  modules.d/98ecryptfs/module-setup.sh     |   20 ++++++
>  modules.d/98integrity/README             |   40 ++++++++++++
>  modules.d/98integrity/evm-enable.sh      |   91 +++++++++++++++++++++++++++
>  modules.d/98integrity/ima-policy-load.sh |   41 ++++++++++++
>  modules.d/98integrity/module-setup.sh    |   17 +++++
>  modules.d/99base/init                    |    6 ++
>  12 files changed, 562 insertions(+), 0 deletions(-)
>  create mode 100644 modules.d/97masterkey/README
>  create mode 100755 modules.d/97masterkey/masterkey.sh
>  create mode 100755 modules.d/97masterkey/module-setup.sh
>  create mode 100644 modules.d/98ecryptfs/README
>  create mode 100755 modules.d/98ecryptfs/ecryptfs-mount.sh
>  create mode 100755 modules.d/98ecryptfs/module-setup.sh
>  create mode 100644 modules.d/98integrity/README
>  create mode 100755 modules.d/98integrity/evm-enable.sh
>  create mode 100755 modules.d/98integrity/ima-policy-load.sh
>  create mode 100755 modules.d/98integrity/module-setup.sh
> 

pushed