From: Jarkko Sakkinen <jarkko@kernel.org>
To: Eric Snowberg <eric.snowberg@oracle.com>,
linux-security-module@vger.kernel.org
Cc: dhowells@redhat.com, dwmw2@infradead.org,
herbert@gondor.apana.org.au, davem@davemloft.net,
ardb@kernel.org, paul@paul-moore.com, jmorris@namei.org,
serge@hallyn.com, zohar@linux.ibm.com, roberto.sassu@huawei.com,
dmitry.kasatkin@gmail.com, mic@digikod.net,
casey@schaufler-ca.com, stefanb@linux.ibm.com,
ebiggers@kernel.org, rdunlap@infradead.org,
linux-kernel@vger.kernel.org, keyrings@vger.kernel.org,
linux-crypto@vger.kernel.org, linux-efi@vger.kernel.org,
linux-integrity@vger.kernel.org
Subject: Re: [RFC PATCH v3 06/13] clavis: Populate clavis keyring acl with kernel module signature
Date: Thu, 17 Oct 2024 22:27:45 +0300 [thread overview]
Message-ID: <d5be6d8cef1033d1f4b99dc6d15076638fa598ad.camel@kernel.org> (raw)
In-Reply-To: <20241017155516.2582369-7-eric.snowberg@oracle.com>
On Thu, 2024-10-17 at 09:55 -0600, Eric Snowberg wrote:
> If the kernel is built with CONFIG_MODULE_SIG_KEY, get the subject
> key identifier and add an ACL for it within the .clavis keyring.
>
> Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>
Super sound splits! Nice to review, have to give credit on this
:-)
> ---
> certs/.gitignore | 1 +
> certs/Makefile | 20 ++++++++++++++++++++
> certs/clavis_module_acl.c | 7 +++++++
> security/clavis/clavis.h | 9 +++++++++
> security/clavis/clavis_keyring.c | 27 +++++++++++++++++++++++++++
> 5 files changed, 64 insertions(+)
> create mode 100644 certs/clavis_module_acl.c
>
> diff --git a/certs/.gitignore b/certs/.gitignore
> index cec5465f31c1..dc99ae5a2585 100644
> --- a/certs/.gitignore
> +++ b/certs/.gitignore
> @@ -3,3 +3,4 @@
> /extract-cert
> /x509_certificate_list
> /x509_revocation_list
> +/module_acl
> diff --git a/certs/Makefile b/certs/Makefile
> index f6fa4d8d75e0..f2555e5296f5 100644
> --- a/certs/Makefile
> +++ b/certs/Makefile
> @@ -6,6 +6,7 @@
> obj-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += system_keyring.o
> system_certificates.o
> obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist.o
> blacklist_hashes.o
> obj-$(CONFIG_SYSTEM_REVOCATION_LIST) += revocation_certificates.o
> +obj-$(CONFIG_SECURITY_CLAVIS) += clavis_module_acl.o
>
> $(obj)/blacklist_hashes.o: $(obj)/blacklist_hash_list
> CFLAGS_blacklist_hashes.o := -I $(obj)
> @@ -75,6 +76,25 @@ $(obj)/signing_key.x509: $(filter-out
> $(PKCS11_URI),$(CONFIG_MODULE_SIG_KEY)) $(
>
> targets += signing_key.x509
>
> +ifeq ($(CONFIG_MODULE_SIG_KEY),)
> +quiet_cmd_make_module_acl = GEN $@
> + cmd_make_module_acl = \
> + echo > $@
> +else
> +quiet_cmd_make_module_acl = GEN $@
> + cmd_make_module_acl = \
> + openssl x509 -in $< -inform der -ext subjectKeyIdentifier -
> nocert | \
> + tail -n +2 | cut -f2 -d '='| tr -d ':' | tr '[:upper:]'
> '[:lower:]' | \
> + sed 's/^[ \t]*//; s/.*/"00:&",/' > $@
> +endif
> +
> +$(obj)/module_acl: $(obj)/signing_key.x509 FORCE
> + $(call if_changed,make_module_acl)
> +
> +$(obj)/clavis_module_acl.o: $(obj)/module_acl
> +
> +targets += module_acl
> +
> $(obj)/revocation_certificates.o: $(obj)/x509_revocation_list
>
> $(obj)/x509_revocation_list: $(CONFIG_SYSTEM_REVOCATION_KEYS)
> $(obj)/extract-cert FORCE
> diff --git a/certs/clavis_module_acl.c b/certs/clavis_module_acl.c
> new file mode 100644
> index 000000000000..fc2f694c48f9
> --- /dev/null
> +++ b/certs/clavis_module_acl.c
> @@ -0,0 +1,7 @@
> +// SPDX-License-Identifier: GPL-2.0
> +#include <linux/kernel.h>
> +
> +const char __initconst *const clavis_module_acl[] = {
> +#include "module_acl"
> + NULL
> +};
> diff --git a/security/clavis/clavis.h b/security/clavis/clavis.h
> index 7b55a6050440..92f77a1939ad 100644
> --- a/security/clavis/clavis.h
> +++ b/security/clavis/clavis.h
> @@ -11,4 +11,13 @@ struct asymmetric_setup_kid {
> struct asymmetric_key_id id;
> unsigned char data[CLAVIS_BIN_KID_MAX];
> };
> +
> +#ifndef CONFIG_SYSTEM_TRUSTED_KEYRING
> +const char __initconst *const clavis_module_acl[] = {
> + NULL
> +};
> +#else
> +extern const char __initconst *const clavis_module_acl[];
> +#endif
> +
> #endif /* _SECURITY_CLAVIS_H_ */
> diff --git a/security/clavis/clavis_keyring.c
> b/security/clavis/clavis_keyring.c
> index 00163e7f0fe9..2a18d0e77189 100644
> --- a/security/clavis/clavis_keyring.c
> +++ b/security/clavis/clavis_keyring.c
> @@ -259,6 +259,31 @@ static struct key_restriction
> *clavis_restriction_alloc(key_restrict_link_func_t
> return restriction;
> }
>
> +static void clavis_add_acl(const char *const *skid_list, struct key
> *keyring)
> +{
> + const char *const *acl;
> + key_ref_t key;
> +
> + for (acl = skid_list; *acl; acl++) {
> + key = key_create(make_key_ref(keyring, true),
> + "clavis_key_acl",
> + *acl,
> + NULL,
> + 0,
> + KEY_POS_SEARCH | KEY_POS_VIEW |
> KEY_USR_SEARCH | KEY_USR_VIEW,
> + KEY_ALLOC_NOT_IN_QUOTA |
> KEY_ALLOC_BUILT_IN |
> + KEY_ALLOC_BYPASS_RESTRICTION);
> + if (IS_ERR(key)) {
> + if (PTR_ERR(key) == -EEXIST)
> + pr_info("Duplicate clavis_key_acl
> %s\n", *acl);
> + else
> + pr_info("Problem with clavis_key_acl
> %s: %pe\n", *acl, key);
> + } else {
> + pr_info("Added clavis_key_acl %s\n", *acl);
> + }
> + }
> +}
> +
> static int __init clavis_keyring_init(void)
> {
> struct key_restriction *restriction;
> @@ -274,6 +299,8 @@ static int __init clavis_keyring_init(void)
> if (IS_ERR(clavis_keyring))
> panic("Can't allocate clavis keyring\n");
>
> + clavis_add_acl(clavis_module_acl, clavis_keyring);
> +
> return 0;
> }
>
Not yet tagging, but neither anything to complain. LGTM
BR, Jarkko
next prev parent reply other threads:[~2024-10-17 19:27 UTC|newest]
Thread overview: 94+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-10-17 15:55 [RFC PATCH v3 00/13] Clavis LSM Eric Snowberg
2024-10-17 15:55 ` [RFC PATCH v3 01/13] certs: Remove CONFIG_INTEGRITY_PLATFORM_KEYRING check Eric Snowberg
2024-10-17 16:13 ` Jarkko Sakkinen
2024-10-17 16:50 ` Eric Snowberg
2024-12-23 13:21 ` Mimi Zohar
2025-01-03 23:15 ` Eric Snowberg
2024-10-17 15:55 ` [RFC PATCH v3 02/13] certs: Introduce ability to link to a system key Eric Snowberg
2024-10-17 16:16 ` Jarkko Sakkinen
2024-10-17 16:53 ` Eric Snowberg
2024-12-23 16:11 ` Mimi Zohar
2024-10-17 15:55 ` [RFC PATCH v3 03/13] clavis: Introduce a new system keyring called clavis Eric Snowberg
2024-10-17 16:50 ` Jarkko Sakkinen
2024-10-17 20:34 ` Eric Snowberg
2024-10-17 21:16 ` Jarkko Sakkinen
2024-12-24 0:01 ` Mimi Zohar
2025-01-03 23:27 ` Eric Snowberg
2025-01-05 11:43 ` Mimi Zohar
2024-10-17 15:55 ` [RFC PATCH v3 04/13] keys: Add new verification type (VERIFYING_CLAVIS_SIGNATURE) Eric Snowberg
2024-10-17 19:20 ` Jarkko Sakkinen
2024-10-17 21:42 ` Eric Snowberg
2024-10-17 21:58 ` Jarkko Sakkinen
2024-12-24 0:17 ` Mimi Zohar
2025-01-03 23:28 ` Eric Snowberg
2024-10-17 15:55 ` [RFC PATCH v3 05/13] clavis: Introduce a new key type called clavis_key_acl Eric Snowberg
2024-10-18 5:21 ` Ben Boeckel
2024-10-18 15:42 ` Eric Snowberg
2024-10-18 16:55 ` Ben Boeckel
2024-10-18 21:55 ` Eric Snowberg
2024-10-17 15:55 ` [RFC PATCH v3 06/13] clavis: Populate clavis keyring acl with kernel module signature Eric Snowberg
2024-10-17 19:27 ` Jarkko Sakkinen [this message]
2024-10-17 15:55 ` [RFC PATCH v3 07/13] keys: Add ability to track intended usage of the public key Eric Snowberg
2025-02-06 20:13 ` Jarkko Sakkinen
2025-02-07 23:09 ` Eric Snowberg
2025-02-12 12:42 ` Mimi Zohar
2024-10-17 15:55 ` [RFC PATCH v3 08/13] clavis: Introduce new LSM called clavis Eric Snowberg
2024-10-23 2:25 ` sergeh
2024-10-23 19:25 ` Eric Snowberg
2024-10-24 19:57 ` sergeh
2024-12-24 17:43 ` Mimi Zohar
2025-01-03 23:32 ` Eric Snowberg
2025-01-05 12:59 ` Mimi Zohar
2024-10-17 15:55 ` [RFC PATCH v3 09/13] clavis: Allow user to define acl at build time Eric Snowberg
2024-10-17 15:55 ` [RFC PATCH v3 10/13] efi: Make clavis boot param persist across kexec Eric Snowberg
2024-10-17 15:55 ` [RFC PATCH v3 11/13] clavis: Prevent boot param change during kexec Eric Snowberg
2024-10-17 15:55 ` [RFC PATCH v3 12/13] clavis: Add function redirection for Kunit support Eric Snowberg
2024-10-17 15:55 ` [RFC PATCH v3 13/13] clavis: " Eric Snowberg
2024-12-24 1:11 ` Mimi Zohar
2024-12-23 12:09 ` [RFC PATCH v3 00/13] Clavis LSM Mimi Zohar
2025-01-03 23:14 ` Eric Snowberg
2025-01-04 4:48 ` Paul Moore
2025-01-06 3:40 ` Paul Moore
2025-01-06 17:15 ` Eric Snowberg
2025-02-27 20:41 ` Mimi Zohar
2025-02-27 22:22 ` Paul Moore
2025-02-28 14:08 ` Mimi Zohar
2025-02-28 16:14 ` Paul Moore
2025-02-28 17:18 ` Mimi Zohar
2025-03-03 22:38 ` Paul Moore
2025-03-04 12:53 ` Mimi Zohar
2025-03-05 0:19 ` Paul Moore
2025-03-05 1:49 ` Mimi Zohar
2025-03-05 2:09 ` Paul Moore
2025-03-05 2:20 ` Mimi Zohar
2025-03-05 2:24 ` Paul Moore
2025-02-28 17:51 ` Eric Snowberg
2025-03-03 22:40 ` Paul Moore
2025-03-04 14:46 ` Eric Snowberg
2025-03-05 0:23 ` Paul Moore
2025-03-05 21:29 ` Eric Snowberg
2025-03-06 1:12 ` Paul Moore
2025-03-06 22:28 ` Eric Snowberg
2025-03-07 2:46 ` Paul Moore
2025-03-20 16:24 ` Eric Snowberg
2025-03-20 21:36 ` Paul Moore
2025-03-21 16:37 ` Eric Snowberg
2025-03-21 18:57 ` Paul Moore
2025-03-21 21:20 ` Eric Snowberg
2025-03-21 22:13 ` Paul Moore
2025-03-21 22:56 ` Eric Snowberg
2025-03-22 2:00 ` Paul Moore
2025-03-21 17:22 ` Jarkko Sakkinen
2025-03-21 19:05 ` Paul Moore
2025-03-20 22:40 ` James Bottomley
2025-03-21 16:40 ` Eric Snowberg
2025-03-21 16:55 ` James Bottomley
2025-03-21 20:15 ` Eric Snowberg
2025-03-21 20:53 ` James Bottomley
2025-03-24 17:44 ` Eric Snowberg
2025-03-21 17:08 ` Jarkko Sakkinen
2025-03-04 22:24 ` Jarkko Sakkinen
2025-03-05 0:25 ` Paul Moore
2025-03-05 0:29 ` Jarkko Sakkinen
2025-03-01 2:20 ` Jarkko Sakkinen
2025-03-01 2:19 ` Jarkko Sakkinen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=d5be6d8cef1033d1f4b99dc6d15076638fa598ad.camel@kernel.org \
--to=jarkko@kernel.org \
--cc=ardb@kernel.org \
--cc=casey@schaufler-ca.com \
--cc=davem@davemloft.net \
--cc=dhowells@redhat.com \
--cc=dmitry.kasatkin@gmail.com \
--cc=dwmw2@infradead.org \
--cc=ebiggers@kernel.org \
--cc=eric.snowberg@oracle.com \
--cc=herbert@gondor.apana.org.au \
--cc=jmorris@namei.org \
--cc=keyrings@vger.kernel.org \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-efi@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mic@digikod.net \
--cc=paul@paul-moore.com \
--cc=rdunlap@infradead.org \
--cc=roberto.sassu@huawei.com \
--cc=serge@hallyn.com \
--cc=stefanb@linux.ibm.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox