Open Source and information security mailing list archives
Date:   Mon, 24 May 2021 17:02:07 +0800
From:   Chunxin Zang <zangchunxin@...edance.com>
To:     dhowells@...hat.com, dwmw2@...radead.org, corbet@....net
Cc:     keyrings@...r.kernel.org, linux-doc@...r.kernel.org,
        linux-kernel@...r.kernel.org
Subject: Documentation/admin-guide/module-signing.rst: Does the function of adding a key to ‘Builtin_trusted_key’ work?

Recently, I have been learning how to use module signatures.
But I got 'Permission denied' when trying to add a
public key to the 'builtin_trusted_keys' keyring.

root@:~# cat /proc/keys
3471e123 I------     1 perm 1f030000     0     0 asymmetri Build time autogenerated kernel key: xxxx: X509.rsa xxxx []
37e8db03 I------     1 perm 1f0b0000     0     0 keyring   .builtin_trusted_keys: 1
root@:~# keyctl padd asymmetric "" 0x37e8db03  < ./signing_key_test_sign.x509
add_key: Permission denied

The reason is that the 'builtin_trusted_keys' keyring's perm was set
to '1f0b0000' by the operation below when the kernel starts.

builtin_trusted_keys =
                keyring_alloc(".builtin_trusted_keys",
                              KUIDT_INIT(0), KGIDT_INIT(0), current_cred(),
                              ((KEY_POS_ALL & ~KEY_POS_SETATTR) | 
                              KEY_USR_VIEW | KEY_USR_READ | KEY_USR_SEARCH),
                              KEY_ALLOC_NOT_IN_QUOTA,
                              NULL, NULL);

And the 'add_key' interface passes the KEY_NEED_WRITE
perm to lookup_user_key.
So -EACCES is returned in the key_task_permission check.

Is there something wrong in module-signing.rst?
Or did I miss some information about it?

Best wishes
Chunxin
