[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20241017155516.2582369-10-eric.snowberg@oracle.com>
Date: Thu, 17 Oct 2024 09:55:12 -0600
From: Eric Snowberg <eric.snowberg@...cle.com>
To: linux-security-module@...r.kernel.org
Cc: dhowells@...hat.com, dwmw2@...radead.org, herbert@...dor.apana.org.au,
davem@...emloft.net, ardb@...nel.org, jarkko@...nel.org,
paul@...l-moore.com, jmorris@...ei.org, serge@...lyn.com,
zohar@...ux.ibm.com, roberto.sassu@...wei.com,
dmitry.kasatkin@...il.com, mic@...ikod.net, casey@...aufler-ca.com,
stefanb@...ux.ibm.com, eric.snowberg@...cle.com, ebiggers@...nel.org,
rdunlap@...radead.org, linux-kernel@...r.kernel.org,
keyrings@...r.kernel.org, linux-crypto@...r.kernel.org,
linux-efi@...r.kernel.org, linux-integrity@...r.kernel.org
Subject: [RFC PATCH v3 09/13] clavis: Allow user to define acl at build time
Add a new Kconfig called Security_CLAVIS_ACL_LIST. If set, this option
should be the file name of a list of clavis ACL entries. This will be
included into a C wrapper to incorporate the acl list into the kernel.
The file contents must be in the following format: <two digit key usage
number>:<subject key id>. If more than one entry is added, add a carriage
return after each entry.
Signed-off-by: Eric Snowberg <eric.snowberg@...cle.com>
---
security/clavis/.gitignore | 1 +
security/clavis/Kconfig | 10 ++++++++++
security/clavis/Makefile | 16 ++++++++++++++++
security/clavis/clavis.h | 2 ++
security/clavis/clavis_builtin_acl.c | 7 +++++++
security/clavis/clavis_keyring.c | 1 +
6 files changed, 37 insertions(+)
create mode 100644 security/clavis/.gitignore
create mode 100644 security/clavis/clavis_builtin_acl.c
diff --git a/security/clavis/.gitignore b/security/clavis/.gitignore
new file mode 100644
index 000000000000..c1b60bee049e
--- /dev/null
+++ b/security/clavis/.gitignore
@@ -0,0 +1 @@
+/builtin_acl
diff --git a/security/clavis/Kconfig b/security/clavis/Kconfig
index 04f7565f2e2b..b702311ec905 100644
--- a/security/clavis/Kconfig
+++ b/security/clavis/Kconfig
@@ -9,3 +9,13 @@ config SECURITY_CLAVIS
keyrings (builtin, secondary, or platform). One way to add this key
is during boot by passing in the asymmetric key id within the "clavis=" boot
param. This keyring is required by the Clavis LSM.
+
+config SECURITY_CLAVIS_ACL_LIST
+ string "Clavis ACL list to preload into the clavis keyring"
+ depends on SECURITY_CLAVIS
+ help
+ If set, this option should be the file name of a list of clavis ACL
+ entries. This will be included into a C wrapper to incorporate the
+ acl list into the kernel. The file contents must be in the following
+ format: <two digit key usage number>:<subject key id>. If more than
+ one entry is added, add a carriage return after each entry.
diff --git a/security/clavis/Makefile b/security/clavis/Makefile
index a3430dd6bdf9..082e6d3c0934 100644
--- a/security/clavis/Makefile
+++ b/security/clavis/Makefile
@@ -2,3 +2,19 @@
obj-$(CONFIG_SECURITY_CLAVIS) += clavis_keyring.o
obj-$(CONFIG_SECURITY_CLAVIS) += clavis.o
+obj-$(CONFIG_SECURITY_CLAVIS) += clavis_builtin_acl.o
+
+ifeq ($(CONFIG_SECURITY_CLAVIS_ACL_LIST),)
+quiet_cmd_make_builtin_acl = GEN $@
+ cmd_make_builtin_acl = \
+ echo > $@
+else
+quiet_cmd_make_builtin_acl = GEN $@
+ cmd_make_builtin_acl = \
+ sed 's/^[ \t]*//; s/.*/"&",/' $< | tr '[:upper:]' '[:lower:]' > $@
+endif
+
+$(obj)/builtin_acl: $(CONFIG_SECURITY_CLAVIS_ACL_LIST) FORCE
+ $(call if_changed,make_builtin_acl)
+
+$(obj)/clavis_builtin_acl.o: $(obj)/builtin_acl
diff --git a/security/clavis/clavis.h b/security/clavis/clavis.h
index b77e4ec8edbe..7099a517b111 100644
--- a/security/clavis/clavis.h
+++ b/security/clavis/clavis.h
@@ -14,6 +14,8 @@ struct asymmetric_setup_kid {
unsigned char data[CLAVIS_BIN_KID_MAX];
};
+extern const char __initconst *const clavis_builtin_acl_list[];
+
#ifndef CONFIG_SYSTEM_TRUSTED_KEYRING
const char __initconst *const clavis_module_acl[] = {
NULL
diff --git a/security/clavis/clavis_builtin_acl.c b/security/clavis/clavis_builtin_acl.c
new file mode 100644
index 000000000000..c98b6df05413
--- /dev/null
+++ b/security/clavis/clavis_builtin_acl.c
@@ -0,0 +1,7 @@
+// SPDX-License-Identifier: GPL-2.0
+#include "clavis.h"
+
+const char __initconst *const clavis_builtin_acl_list[] = {
+#include "builtin_acl"
+ NULL
+};
diff --git a/security/clavis/clavis_keyring.c b/security/clavis/clavis_keyring.c
index 1e1fbb54f6be..a4a95a931b50 100644
--- a/security/clavis/clavis_keyring.c
+++ b/security/clavis/clavis_keyring.c
@@ -300,6 +300,7 @@ int __init clavis_keyring_init(void)
panic("Can't allocate clavis keyring\n");
clavis_add_acl(clavis_module_acl, clavis_keyring);
+ clavis_add_acl(clavis_builtin_acl_list, clavis_keyring);
return 0;
}
--
2.45.0
Powered by blists - more mailing lists