[RFC PATCH v2 0/8] Clavis LSM

Eric Snowberg eric.snowberg at oracle.com
Thu Jun 20 20:18:26 UTC 2024 


> On Jun 19, 2024, at 9:22 AM, Mimi Zohar <zohar at linux.ibm.com> wrote:
> 
> On Thu, 2024-05-30 at 18:39 -0600, Eric Snowberg wrote:
>> Introduce a new LSM called Clavis (Latin word meaning key).  The motivation
>> behind this LSM is to provide access control for system keys.  Before spending
>> more time on this LSM, I am sending this as an RFC to start a discussion to see
>> if the current direction taken has a possibility of being accepted in the
>> future.
>> 
>> Today the kernel has the following system keyrings: .builtin_trusted_keyring,
>> .secondary_trusted_keyring, and the .machine.  It also has the .platform
>> keyring which has limited capabilities; it can only be used to verify a kernel
>> for kexec.
> 
> Please start the cover letter with the problem description/motivation, not the
> solution.
> 
> From https://docs.kernel.org/process/submitting-patches.html:
> 
> "Describe your problem. Whether your patch is a one-line bug fix or 5000 lines
> of a new feature, there must be an underlying problem that motivated you to do
> this work. Convince the reviewer that there is a problem worth fixing and that
> it makes sense for them to read past the first paragraph."
> 
> For example,
> 
> Additional keys not built into the kernel could originally be loaded onto the
> .secondary_trusted_keyring *only* if they were signed by a key built into the
> kernel or by a key already on the .secondary_trusted_keyring.  The concern for
> using the wrong key for signature verification was minimal.  With the ability of
> loading Machine Owner Keys(MOK) keys onto the .machine keyring, which is linked
> to the .secondary_trusted_keys keyring, key usage is a real concern.
> 
> To limit key usage ...

I'll change this in the next version.

>> 
>> Today the kernel also tracks key usage for verification done with any of these
>> keys. Current verification usage includes: VERIFYING_MODULE_SIGNATURE,
>> VERIFYING_FIRMWARE_SIGNATURE, VERIFYING_KEXEC_PE_SIGNATURE,
>> VERIFYING_KEY_SIGNATURE, VERIFYING_KEY_SELF_SIGNATURE, and
>> VERIFYING_UNSPECIFIED_SIGNATURE. After these usage types were originally
>> introduced, most additions have typically used the
>> VERIFYING_UNSPECIFIED_SIGNATURE.
>> 
>> At the moment, besides the usage enforcement for .platform keys, any key
>> contained within the system keyrings can be used for any verification
>> purpose.  For example, a key that was originally created to sign kernel
>> modules could be used for BPF verification.
>> 
>> This new LSM adds the ability to do access control for all system keys. When
>> enabled, only the .builtin_trusted_keys are available for loading kernel
>> modules and doing a kexec.  Until an ACL entry is added for a specific key, no
>> other system key may be used for any other purpose.
> 
> Keys stored on the .builtin_trusted_keys keyring seem to always be permitted,
> independent of a Clavis rule, which is fine, but the above paragraph needs to be
> re-worded

And this too.

>> 
>> Enabling the LSM is done during initial boot by passing in a single asymmetric
>> key id within a new "clavis=" boot param. The asymmetric key id must match one
>> already contained within any of the system keyrings.  If a match is found, a
>> link is created into the new .clavis keyring.  This key shall be used as the
>> root of trust for any keyring ACL updates afterwards.
>> 
>> On UEFI systems the "clavis" boot param is mirrored into a new UEFI variable
>> within the EFI stub code. This variable will persist until the next power on
>> reset.  This same type of functionality is done within shim. Since this
>> variable is created before ExitBootServices (EBS) it will not have the NVRAM
>> bit set, signifying it was created during the Boot Services phase. This is
>> being used so the "clavis" boot param can not be changed via kexec, thereby
>> preventing a pivot of the root of trust.
> 
> Move this paragraph (and patch) to later.  Defining a new UEFI variable makes it
> more difficult to test.  Consider defering introducing the new UEFI variable
> patch to the end.

I'll move it to the end to help with testing.

>> 
>> As mentioned earlier, this LSM introduces a new .clavis keyring.  Following
>> boot, no new asymmetric keys can be added to this keyring and only the key
>> designated via the initial boot param may be used. This LSM can not be started
>> at any other point in time.  The .clavis keyring also holds the access control
>> list for system keys. A new key type called clavis_key_acl is being introduced.
>> This contains the usage followed by the asymmetric key id. To be added to the
>> clavis keyring, the clavis_key_acl must be S/MIME signed by the sole asymmetric
>> key contained within it. New ACL additions to the .clavis keyring may be added
>> at any time.
> 
> Ok. To summarize, the Clavis policy rules are loaded at runtime onto the .clavis
> keyring.  The Clavis rules must be signed by the key specified on the "clavis="
> boot command line.  The only key on the .clavis keyring is the one specified on
> the boot command line.
> 
> As far as I'm aware, this would be the first time policy rules are stored in a
> keyring.

I believe that is the case, and would like to hear if this could be a potentially 
acceptable solution.  It simplifies things in many aspects. It has fewer dependancies,
current user-space tools work with it already, everything is self contained within this 
keyring, etc.

Thanks for your feedback.

More information about the Linux-security-module-archive mailing list