Hi all i think we should have two separate dracut modules: one for the loading of a trusted or an user key and another for the initialization of EVM, so that other modules which need to load an encrypted key will depend only on the former. Roberto Sassu On Tuesday, May 24, 2011 03:18:22 PM Mimi Zohar wrote: > EVM verifies file metadata integrity based on a keyed HMAC. The key > should be loaded in the initramfs before pivoting root. This patch > loads the trusted and encrypted EVM keys onto root's keyring before > enabling EVM. >
> --- /dev/null 2011-05-24 06:19:53.737797039 -0400
> +++ modules.d/98evm/install 2011-05-23 08:47:39.859250064 -0400
> @@ -0,0 +1,4 @@
> +#!/bin/bash
> +
> +dracut_install keyctl
> +inst_hook pre-pivot 60 "$moddir/evm-enable.sh"
> --- /dev/null 2011-05-24 06:19:53.737797039 -0400
> +++ modules.d/98evm/check 2011-05-23 07:49:31.839983246 -0400
> @@ -0,0 +1,9 @@
> +#!/bin/bash
> +
> +[[ $1 = '-h' ]] && {
> + [ -x "/bin/keyctl" ] || exit 1
> + exit 0
> +}
> +
> +exit 0
> +
> --- /dev/null 2011-05-24 06:19:53.737797039 -0400
> +++ modules.d/98evm/evm-enable.sh 2011-05-23 06:59:27.786421196 -0400
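Review bot: The hostonly test in check, `[ -x "/bin/keyctl" ] || exit 1`, hard-codes a path, while install resolves the binary through `dracut_install keyctl`, so the two can disagree on a host that ships keyutils under a different prefix. Testing the same thing in both places, `type -P keyctl >/dev/null || exit 1`, keeps check and install in step. Without `-h` the check always exits 0, so the module is also pulled into a generic image on a build host without keyctl and `dracut_install keyctl` then fails late in the build instead of the module being skipped up front; that may be intended for non-hostonly images, so treat this as a question rather than a defect.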
> @@ -0,0 +1,65 @@
> +#!/bin/sh
> +
> +security_evm_exists()
> +{
> + RC=0
> +
> + if [ ! -d "/security" ]; then
> + mkdir /security
> + fi
> + mount -t securityfs /security /security >/dev/null 2>&1
> + if [ ! -e "/security/evm" ]; then
> + RC=1
> + fi
> + umount /security
> + return $RC
> +}
> +
> +enable_evm()
> +{
> + if [ ! -d "/security" ]; then
> + mkdir /security
> + fi
> + mount -t securityfs /security /security >/dev/null 2>&1
> + if [ -e "/security/evm" ]; then
> + echo 1 > /security/evm
> + fi
> + umount /security
> +}
> +
> +load_keys()
> +{
> + RC=0
> +
> + MASTERKEY=$(getarg masterkey=)
> + if [ $? -ne 0 ]; then
> + MASTERKEY='kmk-trusted.blob'
> + fi
> +
> + EVMKEY=$(getarg evmkey=)
> + if [ $? -ne 0 ]; then
> + EVMKEY='evm-trusted.blob'
> + fi
> +
> + if [ ! -f "$NEWROOT/etc/keys/$MASTERKEY" ]; then
> + info "EVM: missing master key"
> + RC=1
> + elif [ ! -f "$NEWROOT/etc/keys/$EVMKEY" ]; then
> + info "EVM: missing EVM key"
> + RC=1
> + else
> + keyctl add trusted kmk-trusted "load `cat $NEWROOT/etc/keys/$MASTERKEY`" @u
> + keyctl add encrypted evm-key "load `cat $NEWROOT/etc/keys/$EVMKEY`" @u
> + fi
> + return $RC
> +}
> +
> +security_evm_exists
> +RC=$?
> +if [ $RC -eq 0 ]; then
> + load_keys
> + RC=$?
> +fi
> +if [ $RC -eq 0 ]; then
> + enable_evm
> +fi
> --- /dev/null 2011-05-24 06:19:53.737797039 -0400
> +++ modules.d/98evm/README 2011-05-24 07:37:43.467948636 -0400
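Review bot: `load_keys` fails only when a blob file is absent; the two `keyctl add` calls in its `else` branch are not checked, so when the kernel cannot unseal the master key (or the blob is corrupt) the function still returns 0 and the top-level code goes on to `enable_evm`, writing 1 to /security/evm with no HMAC key in the keyring. The file-existence checks show the intent is to gate enabling on the keys being available, so the keyctl results should feed `RC` the same way, with the encrypted key only attempted once the trusted key it is wrapped by has loaded. While touching those lines, the backtick command substitutions leave `$NEWROOT/etc/keys/$MASTERKEY` unquoted; `$(cat "…")` avoids the word-splitting and is easier to read. The rewritten `else` branch follows; the rest of the function is unchanged.
```shell
 else
  if keyctl add trusted kmk-trusted "load $(cat "$NEWROOT/etc/keys/$MASTERKEY")" @u; then
   keyctl add encrypted evm-key "load $(cat "$NEWROOT/etc/keys/$EVMKEY")" @u || RC=1
  else
   RC=1
  fi
 fi
 # … unchanged: return $RC …
```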
> @@ -0,0 +1,47 @@
> +# Directions for creating an EVM key, encrypted/decrypted using a trusted key.
> +
> +# Create the kernel master key (trusted key type) for encrypting/decrypting
> +# other keys, including the EVM key.
> +
> +# A trusted key is a TPM random number, which is only ever exposed to
> +# userspace as an encrypted datablob. A trusted key can be sealed to a
> +# set of PCR values. For more details on trusted keys, refer to the
> +# kernel keys-trusted-encrypted.txt documentation.
> +$ keyctl add trusted kmk-trusted "new 32" @u
> +801713097
> +
> +# Save the kernel master key
> +$ su -c 'keyctl pipe 801713097 > /etc/keys/kmk-trusted.blob'
> +
> +# Create the EVM key (encrypted key type)
> +#
> +# The encrypted key is a random number encrypted/decrypted using the
> +# kernel master key. The encrypted key is only exposed to userspace
> +# as an encrypted datablob.
> +$ keyctl add encrypted evm-key "new trusted:kmk-trusted 32" @u
> +782117972
> +
> +# Save the encrypted key
> +$ su -c 'keyctl pipe 782117972 > /etc/keys/evm-trusted.blob'
> +
> +------------------------------------------------------------------
> +# Directions for creating an EVM key, encrypted/decrypted using a user key.
> +# (Dracut support for encrypting/decrypting the EVM key using a user key is
> +# not provided.)
> +
> +# For those systems which don't have a TPM, create a user key of 32
> +# random bytes. Unlike trusted/encrypted keys, user type key data is
> +# visible to userspace.
> +$ keyctl add user kmk-user "`dd if=/dev/urandom bs=1 count=32 2>/dev/null`" @u
> +144468621
> +
> +# Save the user key
> +$ su -c 'keyctl pipe 144468621 > /etc/keys/kmk-user.blob'
> +
> +# Create the EVM key (encrypted key type), using the user key to
> +# encrypt/decrypt it.
> +$ keyctl add encrypted evm-key "new user:kmk-user 32" @u
> +432095285
> +
> +# Save the encrypted key
> +$ su -c 'keyctl pipe 432095285 > /etc/keys/evm-user.blob'
> > > -- > To unsubscribe from this list: send the line "unsubscribe initramfs" in > the body of a message to majordomo@xxxxxxxxxxxxxxx > More majordomo info at http://vger.kernel.org/majordomo-info.html > -- To unsubscribe from this list: send the line "unsubscribe initramfs" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html