From: Eric Snowberg <eric.snowberg@oracle.com>
To: linux-security-module@vger.kernel.org
Cc: dhowells@redhat.com, dwmw2@infradead.org,
herbert@gondor.apana.org.au, davem@davemloft.net,
ardb@kernel.org, jarkko@kernel.org, paul@paul-moore.com,
jmorris@namei.org, serge@hallyn.com, zohar@linux.ibm.com,
roberto.sassu@huawei.com, dmitry.kasatkin@gmail.com,
mic@digikod.net, casey@schaufler-ca.com, stefanb@linux.ibm.com,
eric.snowberg@oracle.com, ebiggers@kernel.org,
rdunlap@infradead.org, linux-kernel@vger.kernel.org,
keyrings@vger.kernel.org, linux-crypto@vger.kernel.org,
linux-efi@vger.kernel.org, linux-integrity@vger.kernel.org
Subject: [RFC PATCH v2 4/8] clavis: Prevent clavis boot param from changing during kexec
Date: Thu, 30 May 2024 18:39:41 -0600 [thread overview]
Message-ID: <20240531003945.44594-5-eric.snowberg@oracle.com> (raw)
In-Reply-To: <20240531003945.44594-1-eric.snowberg@oracle.com>
Use the new Clavis EFI RT variable to validate the clavis boot param didn't
change during a reboot. If the boot param is different or missing, use the
one stored in EFI instead. This will prevent a pivot in the root of trust
for the upcoming Clavis LSM.
Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>
---
security/clavis/Makefile | 3 ++
security/clavis/clavis.h | 16 ++++++++++
security/clavis/clavis_efi.c | 50 ++++++++++++++++++++++++++++++++
security/clavis/clavis_keyring.c | 17 +++++++++--
4 files changed, 84 insertions(+), 2 deletions(-)
create mode 100644 security/clavis/clavis.h
create mode 100644 security/clavis/clavis_efi.c
diff --git a/security/clavis/Makefile b/security/clavis/Makefile
index 16c451f45f37..2b2b3bc8eef4 100644
--- a/security/clavis/Makefile
+++ b/security/clavis/Makefile
@@ -1,3 +1,6 @@
# SPDX-License-Identifier: GPL-2.0
obj-$(CONFIG_SECURITY_CLAVIS) += clavis_keyring.o
+ifeq ($(CONFIG_EFI),y)
+obj-$(CONFIG_SECURITY_CLAVIS) += clavis_efi.o
+endif
diff --git a/security/clavis/clavis.h b/security/clavis/clavis.h
new file mode 100644
index 000000000000..708dd0b1cc76
--- /dev/null
+++ b/security/clavis/clavis.h
@@ -0,0 +1,16 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+#ifndef _SECURITY_CLAVIS_H_
+#define _SECURITY_CLAVIS_H_
+
+struct asymmetric_key_id;
+
+#ifdef CONFIG_EFI
+int clavis_efi_param(struct asymmetric_key_id *kid, int len);
+#else
+static inline int __init clavis_efi_param(struct asymmetric_key_id *kid, int len)
+{
+ return -EINVAL;
+}
+#endif
+
+#endif /* _SECURITY_CLAVIS_H_ */
diff --git a/security/clavis/clavis_efi.c b/security/clavis/clavis_efi.c
new file mode 100644
index 000000000000..7bc8ef03794a
--- /dev/null
+++ b/security/clavis/clavis_efi.c
@@ -0,0 +1,50 @@
+// SPDX-License-Identifier: GPL-2.0
+#include <keys/asymmetric-type.h>
+#include <linux/efi.h>
+#include "clavis.h"
+
+static efi_char16_t clavis_param_name[] = L"Clavis";
+static efi_guid_t clavis_guid = LINUX_EFI_CLAVIS_GUID;
+
+int __init clavis_efi_param(struct asymmetric_key_id *kid, int len)
+{
+ unsigned char buf[64];
+ unsigned long ascii_len = sizeof(buf);
+ efi_status_t error;
+ int hex_len;
+ u32 attr;
+
+ if (!efi_enabled(EFI_BOOT)) {
+ pr_info("efi_enabled(EFI_BOOT) not set");
+ return -EPERM;
+ }
+
+ if (!efi_enabled(EFI_RUNTIME_SERVICES)) {
+ pr_info("%s : EFI runtime services are not enabled\n", __func__);
+ return -EPERM;
+ }
+
+ error = efi.get_variable(clavis_param_name, &clavis_guid, &attr, &ascii_len, &buf);
+
+ if (error) {
+ pr_err("Error reading clavis parm\n");
+ return -EINVAL;
+ }
+
+ if (attr & EFI_VARIABLE_NON_VOLATILE) {
+ pr_info("Error: NV access set\n");
+ return -EINVAL;
+ } else if (ascii_len > 0) {
+ hex_len = ascii_len / 2;
+
+ if (hex_len > len) {
+ pr_info("invalid length\n");
+ return -EINVAL;
+ }
+ kid->len = hex_len;
+ return hex2bin(kid->data, buf, kid->len);
+ }
+
+ pr_info("Error: invalid size\n");
+ return -EINVAL;
+}
diff --git a/security/clavis/clavis_keyring.c b/security/clavis/clavis_keyring.c
index e92b8bd4ad5b..1225a8ee1e5a 100644
--- a/security/clavis/clavis_keyring.c
+++ b/security/clavis/clavis_keyring.c
@@ -4,6 +4,7 @@
#include <linux/integrity.h>
#include <keys/asymmetric-type.h>
#include <keys/system_keyring.h>
+#include "clavis.h"
static struct key *clavis_keyring;
static struct asymmetric_key_id *setup_keyid;
@@ -82,9 +83,21 @@ static int __init clavis_keyring_init(void)
void __init late_init_clavis_setup(void)
{
- if (!setup_keyid)
+ int error;
+ struct {
+ struct asymmetric_key_id id;
+ unsigned char data[MAX_BIN_KID];
+ } efi_keyid;
+ struct asymmetric_key_id *keyid = &efi_keyid.id;
+
+ error = clavis_efi_param(keyid, sizeof(efi_keyid.data));
+
+ if (error && !setup_keyid)
return;
+ if (error)
+ keyid = setup_keyid;
+
clavis_keyring_init();
- system_key_link(clavis_keyring, setup_keyid);
+ system_key_link(clavis_keyring, keyid);
}
--
2.43.0
next prev parent reply other threads:[~2024-05-31 0:41 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-05-31 0:39 [RFC PATCH v2 0/8] Clavis LSM Eric Snowberg
2024-05-31 0:39 ` [RFC PATCH v2 1/8] certs: Introduce ability to link to a system key Eric Snowberg
2024-06-04 18:08 ` Jarkko Sakkinen
2024-06-05 20:36 ` Eric Snowberg
2024-05-31 0:39 ` [RFC PATCH v2 2/8] clavis: Introduce a new system keyring called clavis Eric Snowberg
2024-05-31 0:39 ` [RFC PATCH v2 3/8] efi: Make clavis boot param persist across kexec Eric Snowberg
2024-05-31 0:39 ` Eric Snowberg [this message]
2024-05-31 0:39 ` [RFC PATCH v2 5/8] keys: Add new verification type (VERIFYING_CLAVIS_SIGNATURE) Eric Snowberg
2024-05-31 0:39 ` [RFC PATCH v2 6/8] keys: Add ability to track intended usage of the public key Eric Snowberg
2024-05-31 0:39 ` [RFC PATCH v2 7/8] clavis: Introduce a new key type called clavis_key_acl Eric Snowberg
2024-05-31 0:39 ` [RFC PATCH v2 8/8] clavis: Introduce new LSM called clavis Eric Snowberg
2024-06-11 2:33 ` Randy Dunlap
2024-06-11 14:36 ` Eric Snowberg
2024-06-04 17:59 ` [RFC PATCH v2 0/8] Clavis LSM Jarkko Sakkinen
2024-06-05 20:41 ` Eric Snowberg
2024-06-19 15:22 ` Mimi Zohar
2024-06-20 20:18 ` Eric Snowberg
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240531003945.44594-5-eric.snowberg@oracle.com \
--to=eric.snowberg@oracle.com \
--cc=ardb@kernel.org \
--cc=casey@schaufler-ca.com \
--cc=davem@davemloft.net \
--cc=dhowells@redhat.com \
--cc=dmitry.kasatkin@gmail.com \
--cc=dwmw2@infradead.org \
--cc=ebiggers@kernel.org \
--cc=herbert@gondor.apana.org.au \
--cc=jarkko@kernel.org \
--cc=jmorris@namei.org \
--cc=keyrings@vger.kernel.org \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-efi@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mic@digikod.net \
--cc=paul@paul-moore.com \
--cc=rdunlap@infradead.org \
--cc=roberto.sassu@huawei.com \
--cc=serge@hallyn.com \
--cc=stefanb@linux.ibm.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).