[RFC PATCH v3 08/13] clavis: Introduce new LSM called clavis

sergeh at kernel.org sergeh at kernel.org
Wed Oct 23 02:25:56 UTC 2024


On Thu, Oct 17, 2024 at 09:55:11AM -0600, Eric Snowberg wrote:
> Introduce a new LSM called clavis.  The motivation behind this LSM is to
> provide access control for system keys.  The access control list is
> contained within a keyring call .clavis.  During boot if the clavis= boot
> arg is supplied with a key id contained within any of the current system
> keyrings (builtin, secondary, machine, or platform) it shall be used as
> the root of trust for validating anything that is added to the ACL list.
> 
> The first restriction introduced with this LSM is the ability to enforce
> key usage.  The kernel already has a notion of tracking key usage.  This
> LSM adds the ability to enforce this usage based on the system owners
> configuration.
> 
> Each system key may have one or more uses defined within the ACL list.
> Until an entry is added to the .clavis keyring, no other system key may
> be used for any other purpose.
> 
> Signed-off-by: Eric Snowberg <eric.snowberg at oracle.com>
> ---
>  Documentation/admin-guide/LSM/clavis.rst      | 191 ++++++++++++++++++
>  MAINTAINERS                                   |   7 +
>  crypto/asymmetric_keys/signature.c            |   4 +
>  include/linux/lsm_count.h                     |   8 +-
>  include/linux/lsm_hook_defs.h                 |   2 +
>  include/linux/security.h                      |   7 +
>  include/uapi/linux/lsm.h                      |   1 +
>  security/Kconfig                              |  10 +-
>  security/clavis/Makefile                      |   1 +
>  security/clavis/clavis.c                      |  26 +++
>  security/clavis/clavis.h                      |   4 +
>  security/clavis/clavis_keyring.c              |  78 ++++++-
>  security/security.c                           |  13 ++
>  .../selftests/lsm/lsm_list_modules_test.c     |   3 +
>  14 files changed, 346 insertions(+), 9 deletions(-)
>  create mode 100644 Documentation/admin-guide/LSM/clavis.rst
>  create mode 100644 security/clavis/clavis.c
> 
> diff --git a/Documentation/admin-guide/LSM/clavis.rst b/Documentation/admin-guide/LSM/clavis.rst
> new file mode 100644
> index 000000000000..0e924f638a86
> --- /dev/null
> +++ b/Documentation/admin-guide/LSM/clavis.rst
> @@ -0,0 +1,191 @@
> +.. SPDX-License-Identifier: GPL-2.0
> +
> +======
> +Clavis
> +======
> +
> +Clavis is a Linux Security Module that provides mandatory access control to
> +system kernel keys (i.e. builtin, secondary, machine and platform). These
> +restrictions will prohibit keys from being used for validation. Upon boot, the
> +Clavis LSM is provided a key id as a boot parameter.  This single key is then
> +used as the root of trust for any access control modifications made going
> +forward. Access control updates must be signed and validated by this key.
> +
> +Clavis has its own keyring.  All ACL updates are applied through this keyring.
> +The update must be signed by the single root of trust key.
> +
> +When enabled, all system keys are prohibited from being used until an ACL is
> +added for them.
> +
> +On UEFI platforms, the root of trust key shall survive a kexec. Trying to
> +defeat or change it from the command line is not allowed.  The original boot
> +parameter is stored in UEFI and will always be referenced following a kexec.

Does this mean someone can reboot the host, boot another OS, store a key
id in UEFI, and force the root of trust key to be one other than what
the user lists in clavis= boot argument?

Never mind!  Saw the answer in patches 10 and 11, thanks.

> +The Clavis LSM contains a system keyring call .clavis.  It contains a single

s/call/called/

> +asymmetric key that is used to validate anything added to it.  This key can
> +be added during boot and must be a preexisting system kernel key.  If the
> +``clavis=`` boot parameter is not used, any asymmetric key the user owns

Who is "the user", and precisely what does "owns' mean here?  Is it just
restating that it must be a key already in one of the builtin or secondary
or platform keyrings?

And this is done by simply loading it into the clavis keyring, right?

-serge



More information about the Linux-security-module-archive mailing list