Message-Id: <49DB247F-F485-45D5-87F9-4FCB85CB7767@bytedance.com>
Date: Mon, 24 May 2021 17:02:07 +0800
From: Chunxin Zang <zangchunxin@...edance.com>
To: dhowells@...hat.com, dwmw2@...radead.org, corbet@....net
Cc: keyrings@...r.kernel.org, linux-doc@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: Documentation/admin-guide/module-signing.rst: Does the function of adding a key to ‘Builtin_trusted_key’ work?

Recently, I have been learning how to use module signatures.
But I got 'Permission denied' when I was trying to add a
public key to the 'builtin_trusted_keys' keyring.

    root@:~# cat /proc/keys
    3471e123 I------ 1 perm 1f030000 0 0 asymmetri Build time autogenerated kernel key: xxxx: X509.rsa xxxx []
    37e8db03 I------ 1 perm 1f0b0000 0 0 keyring .builtin_trusted_keys: 1

    root@:~# keyctl padd asymmetric "" 0x37e8db03 < ./signing_key_test_sign.x509
    add_key: Permission denied

The reason is that the 'builtin_trusted_keys' keyring's perm was set
to '1f0b0000' by the operation below when the kernel starts.

    builtin_trusted_keys =
            keyring_alloc(".builtin_trusted_keys",
                          KUIDT_INIT(0), KGIDT_INIT(0), current_cred(),
                          ((KEY_POS_ALL & ~KEY_POS_SETATTR) |
                           KEY_USR_VIEW | KEY_USR_READ | KEY_USR_SEARCH),
                          KEY_ALLOC_NOT_IN_QUOTA,
                          NULL, NULL);

And the 'add_key' interface passes the KEY_NEED_WRITE
perm to lookup_user_key.
So -EACCES is returned by the key_task_permission check.

Is there something wrong in module-signing.rst?
Or did I miss some information about it?

Best wishes
Chunxin
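
Added example (not part of the original message and not kernel code): a userspace C model of the permission check the message describes, which parses the perm column of the quoted .builtin_trusted_keys line and tests a write request against it. The function names, the enum names and the simplified group handling are assumptions made for illustration; the sample line is copied from the /proc/keys output above.

```c
#include <errno.h>
#include <stdio.h>

/* Permission bits inside one 8-bit class (possessor, user, group, other). */
enum { P_VIEW = 0x01, P_READ = 0x02, P_WRITE = 0x04,
       P_SEARCH = 0x08, P_LINK = 0x10, P_SETATTR = 0x20, P_ALL = 0x3f };

struct key_line { unsigned serial, perm, uid, gid; };

/* Parse serial, perm, uid and gid from one /proc/keys line; 0 on success. */
int parse_key_line(const char *line, struct key_line *k)
{
    /* columns: serial flags usage timeout perm uid gid type description */
    int n = sscanf(line, "%x %*s %*s %*s %x %u %u",
                   &k->serial, &k->perm, &k->uid, &k->gid);
    return n == 4 ? 0 : -EINVAL;
}

/* Simplified model of the class selection in key_task_permission():
 * owner, else group, else other; possessor bits are added on top.
 * Assumption: supplementary groups and LSM hooks are not modelled. */
unsigned effective_perm(const struct key_line *k, unsigned fsuid,
                        unsigned fsgid, int possessed)
{
    unsigned e;
    if (k->uid == fsuid)      e = k->perm >> 16;
    else if (k->gid == fsgid) e = k->perm >> 8;
    else                      e = k->perm;
    if (possessed)            e |= k->perm >> 24;
    return e & P_ALL;
}

/* 0 if every bit in need is granted, -EACCES otherwise. */
int check_access(const struct key_line *k, unsigned fsuid, unsigned fsgid,
                 int possessed, unsigned need)
{
    return (effective_perm(k, fsuid, fsgid, possessed) & need) == need
           ? 0 : -EACCES;
}

/* The keyring line quoted in the message above. */
const char *SAMPLE =
    "37e8db03 I------ 1 perm 1f0b0000 0 0 keyring .builtin_trusted_keys: 1";

int main(void)
{
    struct key_line k;
    if (parse_key_line(SAMPLE, &k)) return 1;
    printf("user class bits: %#x\n", effective_perm(&k, 0, 0, 0));
    printf("write, not possessed: %d\n", check_access(&k, 0, 0, 0, P_WRITE));
    return 0;
}
```

With possessed set to 0, the write request against perm 1f0b0000 is refused even for uid 0, because only the possessor class carries the write bit.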