Add a new Kconfig option called SECURITY_CLAVIS_ACL_LIST. If set, this option should be the file name of a list of clavis ACL entries. This will be included in a C wrapper to incorporate the ACL list into the kernel. The file contents must be in the following format: <two digit key usage number>:<subject key id>. If more than one entry is added, add a carriage return after each entry.
Signed-off-by: Eric Snowberg <eric.snowb...@oracle.com>
---
 security/clavis/.gitignore | 1 +
 security/clavis/Kconfig | 10 ++++++++++
 security/clavis/Makefile | 16 ++++++++++++++++
 security/clavis/clavis.h | 2 ++
 security/clavis/clavis_builtin_acl.c | 7 +++++++
 security/clavis/clavis_keyring.c | 1 +
 6 files changed, 37 insertions(+)
 create mode 100644 security/clavis/.gitignore
 create mode 100644 security/clavis/clavis_builtin_acl.c
diff --git a/security/clavis/.gitignore b/security/clavis/.gitignore
new file mode 100644
index 000000000000..c1b60bee049e
--- /dev/null
+++ b/security/clavis/.gitignore
@@ -0,0 +1 @@
+/builtin_acl
diff --git a/security/clavis/Kconfig b/security/clavis/Kconfig
index 04f7565f2e2b..b702311ec905 100644
--- a/security/clavis/Kconfig
+++ b/security/clavis/Kconfig
@@ -9,3 +9,13 @@ config SECURITY_CLAVIS
 keyrings (builtin, secondary, or platform). One way to add this key is during boot by passing in the asymmetric key id within the "clavis=" boot param. This keyring is required by the Clavis LSM.
+
+config SECURITY_CLAVIS_ACL_LIST
+ string "Clavis ACL list to preload into the clavis keyring"
+ depends on SECURITY_CLAVIS
+ help
+ If set, this option should be the file name of a list of clavis ACL
+ entries. This will be included into a C wrapper to incorporate the
+ acl list into the kernel. The file contents must be in the following
+ format: <two digit key usage number>:<subject key id>. If more than
+ one entry is added, add a carriage return after each entry.
diff --git a/security/clavis/Makefile b/security/clavis/Makefile
index a3430dd6bdf9..082e6d3c0934 100644
--- a/security/clavis/Makefile
+++ b/security/clavis/Makefile
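Review bot: The new help text (and the commit description) tells users to separate entries with a carriage return, but the Makefile recipe in this same patch (`sed 's/^[ \t]*//; s/.*/"&",/'`) splits on newlines and strips only leading whitespace, so a CR-terminated or CRLF file leaves `\r` inside each generated string literal and the entry would then fail to match whatever parses it at boot. Say newline instead, e.g. `one entry is added, put each entry on its own line.`, and state how a relative file name is resolved (source tree or build directory) so out-of-tree builds behave predictably. It would also help to note that these entries become ACL policy embedded in the kernel image, so the list file deserves the same custody as the keys it refers to.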
@@ -2,3 +2,19 @@ obj-$(CONFIG_SECURITY_CLAVIS) += clavis_keyring.o
 obj-$(CONFIG_SECURITY_CLAVIS) += clavis.o
+obj-$(CONFIG_SECURITY_CLAVIS) += clavis_builtin_acl.o
+
+ifeq ($(CONFIG_SECURITY_CLAVIS_ACL_LIST),)
+quiet_cmd_make_builtin_acl = GEN $@
+ cmd_make_builtin_acl = \
+ echo > $@
+else
+quiet_cmd_make_builtin_acl = GEN $@
+ cmd_make_builtin_acl = \
+ sed 's/^[ \t]*//; s/.*/"&",/' $< | tr '[:upper:]' '[:lower:]' > $@
+endif
+
+$(obj)/builtin_acl: $(CONFIG_SECURITY_CLAVIS_ACL_LIST) FORCE
+ $(call if_changed,make_builtin_acl)
+
+$(obj)/clavis_builtin_acl.o: $(obj)/builtin_acl
diff --git a/security/clavis/clavis.h b/security/clavis/clavis.h
index b77e4ec8edbe..7099a517b111 100644
--- a/security/clavis/clavis.h
+++ b/security/clavis/clavis.h
@@ -14,6 +14,8 @@ struct asymmetric_setup_kid {
 unsigned char data[CLAVIS_BIN_KID_MAX];
 };
+extern const char __initconst *const clavis_builtin_acl_list[];
+
 #ifndef CONFIG_SYSTEM_TRUSTED_KEYRING
 const char __initconst *const clavis_module_acl[] = {
 NULL
diff --git a/security/clavis/clavis_builtin_acl.c b/security/clavis/clavis_builtin_acl.c
new file mode 100644
index 000000000000..c98b6df05413
--- /dev/null
+++ b/security/clavis/clavis_builtin_acl.c
@@ -0,0 +1,7 @@
+// SPDX-License-Identifier: GPL-2.0
+#include "clavis.h"
+
+const char __initconst *const clavis_builtin_acl_list[] = {
+#include "builtin_acl"
+ NULL
+};
diff --git a/security/clavis/clavis_keyring.c b/security/clavis/clavis_keyring.c
index 1e1fbb54f6be..a4a95a931b50 100644
--- a/security/clavis/clavis_keyring.c
+++ b/security/clavis/clavis_keyring.c
@@ -300,6 +300,7 @@ int __init clavis_keyring_init(void)
 panic("Can't allocate clavis keyring\n");
 clavis_add_acl(clavis_module_acl, clavis_keyring);
+ clavis_add_acl(clavis_builtin_acl_list, clavis_keyring);
 return 0;
 }
-- 
2.45.0
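Review bot: The `sed | tr` pipeline in `cmd_make_builtin_acl` turns every input line into a C string literal without validating it, so a line containing `"` or `\`, or a blank line (which becomes an empty `"",` entry), silently changes the generated initializer or breaks the build with an error that points at the generated file rather than at the ACL list. A check ahead of the `sed` that fails the build on any line not in the documented `<two digit key usage number>:<subject key id>` shape would report mistakes where they are made; if the kid is hex, as the lowercasing suggests, something like `grep -qvE '^[[:space:]]*[0-9]{2}:[0-9a-fA-F]+$' $< && exit 1;` (constructed example, adjust to the real kid syntax) is enough. Note also that `s/^[ \t]*//` strips leading whitespace only, so trailing spaces or `\r` stay inside the literal.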
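Review bot: The new `extern` declaration is added to a header that, a few lines below, defines `clavis_module_acl` without `static` under `#ifndef CONFIG_SYSTEM_TRUSTED_KEYRING`, and the new clavis_builtin_acl.c includes clavis.h too; a file-scope `const` object has external linkage in C, so with that option off both clavis_keyring.o and clavis_builtin_acl.o would carry a definition of `clavis_module_acl`, which is a multiple-definition link error (unless clavis.h is already included from more than one object and this is pre-existing). Moving the definition into clavis_keyring.c and leaving `extern const char __initconst *const clavis_module_acl[];` in the header, mirroring what this patch does for `clavis_builtin_acl_list`, resolves it either way. The `#ifndef` block continues outside the hunk.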
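Review bot: `#include "builtin_acl"` in the middle of an initializer is unusual enough to need a comment in clavis_builtin_acl.c: nothing in the file says where that file comes from, what each generated line looks like, or that an empty CONFIG_SECURITY_CLAVIS_ACL_LIST still yields a valid (empty) file. A comment above the array such as `/* builtin_acl is generated by the Makefile from CONFIG_SECURITY_CLAVIS_ACL_LIST: one "<usage>:<kid>" string literal per input line, lowercased; NULL terminates the list. */` would make the coupling to the build rule visible to whoever edits either side.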
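Review bot: The added `clavis_add_acl(clavis_builtin_acl_list, clavis_keyring);` feeds the keyring a list whose contents now come from a build-time file rather than from source, but nothing in this hunk shows how a malformed or duplicate entry is reported; `clavis_add_acl()` is defined outside the hunk, so whether it skips, warns or panics on a bad entry is not visible here. A `pr_err()` naming the offending string and its index in `clavis_builtin_acl_list`, or a return value checked at this call, would make a bad CONFIG_SECURITY_CLAVIS_ACL_LIST diagnosable at boot instead of silently leaving an entry out of the ACL. `clavis_keyring_init()` starts outside the hunk.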