Add a new Kconfig called Security_CLAVIS_ACL_LIST. If set, this option
should be the file name of a list of clavis ACL entries. This will be
included into a C wrapper to incorporate the acl list into the kernel.
The file contents must be in the following format: <two digit key usage
number>:<subject key id>. If more than one entry is added, add a carriage
return after each entry.

Signed-off-by: Eric Snowberg <eric.snowb...@oracle.com>
---
 security/clavis/.gitignore           |  1 +
 security/clavis/Kconfig              | 10 ++++++++++
 security/clavis/Makefile             | 16 ++++++++++++++++
 security/clavis/clavis.h             |  2 ++
 security/clavis/clavis_builtin_acl.c |  7 +++++++
 security/clavis/clavis_keyring.c     |  1 +
 6 files changed, 37 insertions(+)
 create mode 100644 security/clavis/.gitignore
 create mode 100644 security/clavis/clavis_builtin_acl.c

diff --git a/security/clavis/.gitignore b/security/clavis/.gitignore
new file mode 100644
index 000000000000..c1b60bee049e
--- /dev/null
+++ b/security/clavis/.gitignore
@@ -0,0 +1 @@
+/builtin_acl
diff --git a/security/clavis/Kconfig b/security/clavis/Kconfig
index 04f7565f2e2b..b702311ec905 100644
--- a/security/clavis/Kconfig
+++ b/security/clavis/Kconfig
@@ -9,3 +9,13 @@ config SECURITY_CLAVIS
          keyrings (builtin, secondary, or platform).  One way to add this key
          is during boot by passing in the asymmetric key id within the 
"clavis=" boot
          param.  This keyring is required by the Clavis LSM.
+
+config SECURITY_CLAVIS_ACL_LIST
+       string "Clavis ACL list to preload into the clavis keyring"
+       depends on SECURITY_CLAVIS
+       help
+         If set, this option should be the file name of a list of clavis ACL
+         entries. This will be included into a C wrapper to incorporate the
+         acl list into the kernel. The file contents must be in the following
+         format: <two digit key usage number>:<subject key id>.  If more than
+         one entry is added, add a carriage return after each entry.
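Review bot: The help text does not say how the file name is resolved or what the build does to the entries, which matters because the value is consumed directly as a make prerequisite in security/clavis/Makefile and each line is lower-cased before it is compiled in. I would add after the format sentence: `The build lower-cases each entry; a relative file name appears to be resolved from the directory make runs in (the top of the build tree), so an absolute path is safest.` The second half is inferred from how Kbuild invokes make and should be confirmed against an out-of-tree build.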
diff --git a/security/clavis/Makefile b/security/clavis/Makefile
index a3430dd6bdf9..082e6d3c0934 100644
--- a/security/clavis/Makefile
+++ b/security/clavis/Makefile
@@ -2,3 +2,19 @@
 
 obj-$(CONFIG_SECURITY_CLAVIS) += clavis_keyring.o
 obj-$(CONFIG_SECURITY_CLAVIS) += clavis.o
+obj-$(CONFIG_SECURITY_CLAVIS) += clavis_builtin_acl.o
+
+ifeq ($(CONFIG_SECURITY_CLAVIS_ACL_LIST),)
+quiet_cmd_make_builtin_acl = GEN     $@
+      cmd_make_builtin_acl = \
+       echo > $@
+else
+quiet_cmd_make_builtin_acl = GEN     $@
+      cmd_make_builtin_acl = \
+       sed 's/^[ \t]*//; s/.*/"&",/' $< | tr '[:upper:]' '[:lower:]' > $@
+endif
+
+$(obj)/builtin_acl: $(CONFIG_SECURITY_CLAVIS_ACL_LIST) FORCE
+       $(call if_changed,make_builtin_acl)
+
+$(obj)/clavis_builtin_acl.o: $(obj)/builtin_acl
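Review bot: The `ifeq` test and the prerequisite on the `$(obj)/builtin_acl` rule both use `$(CONFIG_SECURITY_CLAVIS_ACL_LIST)` verbatim, but the value Kbuild exports for a string symbol keeps its surrounding double quotes, so the empty case compares `""` against an empty string and never matches, and the non-empty case names a prerequisite whose file name begins with a literal quote; certs/Makefile handles the same situation with `$(filter-out "",$(CONFIG_SYSTEM_TRUSTED_KEYS))` and `$(CONFIG_SYSTEM_TRUSTED_KEYS:"%"=%)`. The sed pipeline also wraps every input line in `"…",` without sanitising it: a blank line becomes an empty ACL entry, a trailing CR (the help text literally asks for carriage returns) is embedded in the string, and a `"` or `\` in the file produces a broken initializer at compile time, so trailing whitespace/CR should be stripped and empty lines dropped before quoting. As far as I can tell from the if_changed convention, `builtin_acl` should additionally be listed in `targets` so its saved command line is loaded for rebuild detection and `make clean` removes it. Rewritten rule block below.
```makefile
ifeq ($(filter-out "",$(CONFIG_SECURITY_CLAVIS_ACL_LIST)),)
# … unchanged: empty-list GEN rule …
else
quiet_cmd_make_builtin_acl = GEN     $@
      cmd_make_builtin_acl = \
	sed 's/[ \t\r]*$$//; s/^[ \t]*//; /^$$/d; s/.*/"&",/' $< | tr '[:upper:]' '[:lower:]' > $@
endif

$(obj)/builtin_acl: $(CONFIG_SECURITY_CLAVIS_ACL_LIST:"%"=%) FORCE
	$(call if_changed,make_builtin_acl)

targets += builtin_acl
```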
diff --git a/security/clavis/clavis.h b/security/clavis/clavis.h
index b77e4ec8edbe..7099a517b111 100644
--- a/security/clavis/clavis.h
+++ b/security/clavis/clavis.h
@@ -14,6 +14,8 @@ struct asymmetric_setup_kid {
        unsigned char data[CLAVIS_BIN_KID_MAX];
 };
 
+extern const char __initconst *const clavis_builtin_acl_list[];
+
 #ifndef CONFIG_SYSTEM_TRUSTED_KEYRING
 const char __initconst *const clavis_module_acl[] = {
         NULL
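Review bot: The new `extern` declaration of `clavis_builtin_acl_list` carries no comment, so a reader of the header cannot tell that it is a build-generated, NULL-terminated list that only exists in `.init.rodata`. I would add above it: `/* Build-generated ACL entries ("<usage>:<skid>" strings, lower-cased) from CONFIG_SECURITY_CLAVIS_ACL_LIST; NULL-terminated and __initconst, so only usable from __init code. */`. The definition of `clavis_module_acl` that follows continues outside the hunk.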
diff --git a/security/clavis/clavis_builtin_acl.c 
b/security/clavis/clavis_builtin_acl.c
new file mode 100644
index 000000000000..c98b6df05413
--- /dev/null
+++ b/security/clavis/clavis_builtin_acl.c
@@ -0,0 +1,7 @@
+// SPDX-License-Identifier: GPL-2.0
+#include "clavis.h"
+
+const char __initconst *const clavis_builtin_acl_list[] = {
+#include "builtin_acl"
+       NULL
+};
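Review bot: The `#include "builtin_acl"` sits inside an initializer with nothing explaining that the file is generated, that it must consist of `"…",` string literals, or that the empty-option case produces a file containing only a newline so the array collapses to `{ NULL }`. I would add above the include: `/* builtin_acl is generated by security/clavis/Makefile from CONFIG_SECURITY_CLAVIS_ACL_LIST: one quoted, lower-cased "<usage>:<skid>" entry per line (a bare newline when the option is unset). */`. Out-of-tree builds find the generated file only because Kbuild adds the object directory to the include path, which is worth stating in that comment as well.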
diff --git a/security/clavis/clavis_keyring.c b/security/clavis/clavis_keyring.c
index 1e1fbb54f6be..a4a95a931b50 100644
--- a/security/clavis/clavis_keyring.c
+++ b/security/clavis/clavis_keyring.c
@@ -300,6 +300,7 @@ int __init clavis_keyring_init(void)
                panic("Can't allocate clavis keyring\n");
 
        clavis_add_acl(clavis_module_acl, clavis_keyring);
+       clavis_add_acl(clavis_builtin_acl_list, clavis_keyring);
 
        return 0;
 }
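Review bot: The added `clavis_add_acl(clavis_builtin_acl_list, clavis_keyring);` is indistinguishable at the call site from the module ACL line above it, so a one-line comment would help: `/* ACL entries compiled in from CONFIG_SECURITY_CLAVIS_ACL_LIST (may be empty) */`. If `clavis_add_acl` reports per-entry parse failures through its return value, neither call checks it here, so a malformed build-time entry would be silently dropped at boot; that depends on the callee's contract, which is outside this hunk. `clavis_keyring_init` begins outside the hunk.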
-- 
2.45.0

