[PATCH v2 2/4] dracut: added new module masterkey


 



This module initializes a trusted/user kernel master key that will be used
to decrypt other encrypted keys.

Signed-off-by: Roberto Sassu <roberto.sassu@xxxxxxxxx>
Acked-by: Gianluca Ramunno <ramunno@xxxxxxxxx>
---
 dracut.kernel.7.xml                   |   17 ++++++++
 modules.d/97masterkey/README          |   59 +++++++++++++++++++++++++++++
 modules.d/97masterkey/masterkey.sh    |   67 +++++++++++++++++++++++++++++++++
 modules.d/97masterkey/module-setup.sh |   25 ++++++++++++
 4 files changed, 168 insertions(+), 0 deletions(-)
 create mode 100644 modules.d/97masterkey/README
 create mode 100755 modules.d/97masterkey/masterkey.sh
 create mode 100755 modules.d/97masterkey/module-setup.sh

diff --git a/dracut.kernel.7.xml b/dracut.kernel.7.xml
index a277c74..3fac18b 100644
--- a/dracut.kernel.7.xml
+++ b/dracut.kernel.7.xml
@@ -703,6 +703,23 @@ rd.znet=ctc,0.0.0600,0.0.0601,0.0.0602,protocol=bar</programlisting></para>
         </varlistentry>
       </variablelist>
     </refsect2>
+   <refsect2>
+      <title>Kernel keys</title>
+      <variablelist>
+        <varlistentry>
+          <term><envar>masterkey=</envar><replaceable>&lt;kernel master key path name&gt;</replaceable></term>
+          <listitem>
+            <para>Set the path name of the kernel master key. e.g.: <programlisting>masterkey=/etc/keys/kmk-trusted.blob</programlisting></para>
+          </listitem>
+        </varlistentry>
+        <varlistentry>
+          <term><envar>masterkeytype=</envar><replaceable>&lt;kernel master key type&gt;</replaceable></term>
+          <listitem>
+            <para>Set the type of the kernel master key. e.g.: <programlisting>masterkeytype=trusted</programlisting></para>
+          </listitem>
+        </varlistentry>
+      </variablelist>
+    </refsect2>
     <refsect2>
       <title>Deprecated, renamed Options</title>
       <para>Here is a list of options, which were used in dracut prior to version 008, and their new replacement.</para>
diff --git a/modules.d/97masterkey/README b/modules.d/97masterkey/README
new file mode 100644
index 0000000..c4e0fbd
--- /dev/null
+++ b/modules.d/97masterkey/README
@@ -0,0 +1,59 @@
+# Directions for creating the kernel master key that will be used for
+# encrypting/decrypting other keys.
+
+# A trusted key is a TPM random number, which is only ever exposed to
+# userspace as an encrypted datablob. A trusted key can be sealed to a
+# set of PCR values. For more details on trusted keys, refer to the
+# kernel keys-trusted-encrypted.txt documentation.
+$ keyctl add trusted kmk-trusted "new 32" @u
+801713097
+
+# For those systems which don't have a TPM, but want to experiment with
+# encrypted keys, create a user key of 32 random bytes. Unlike
+# trusted/encrypted keys, user type key data is visible to userspace.
+$ keyctl add user kmk-user "`dd if=/dev/urandom bs=1 count=32 2>/dev/null`" @u
+144468621
+
+# Save the kernel master key (trusted type):
+$ su -c 'keyctl pipe `keyctl search @u trusted kmk-trusted` > /etc/keys/kmk-trusted.blob'
+
+# or (user type):
+$ su -c 'keyctl pipe `keyctl search @u user kmk-user` > /etc/keys/kmk-user.blob'
+
+# A useful feature of trusted keys is that it is possible to prevent their
+# unsealing at later time by providing the parameter 'pcrlock=<pcrnum>' when
+# loading it, which causes the PCR #<pcrnum> to be extended with a random value.
+# Actually, the <pcrnum> variable is set to '11' to let users experiment with
+# this feature by using a register that is never extended during the boot,
+# making the re-sealing not necessary. In the future, the kernel master key will
+# be sealed to the PCR #14 which is extended, according to the TrustedGRUB
+# documentation[1], to the measure of the kernel and the initial ramdisk.
+
+# The kernel master key path name and type can be set in one of the following
+# ways (specified in the order in which variables are overwritten):
+
+1) use default values:
+--------------------------------------------------------------------------
+MASTERKEYTYPE=trusted
+MASTERKEY=/etc/keys/kmk-trusted-$(uname -r).blob
+--------------------------------------------------------------------------
+
+2) create the configuration file '/etc/sysconfig/masterkey' to override the
+value of one or both variables;
+
+3) specify these parameters in the kernel command line:
+- masterkey=</kernel/master/key/path>, to override the MASTERKEY variable;
+- masterkeytype=<kernel-master-key-type>, to override the MASTERKEYTYPE variable.
+
+# If only the MASTERKEYTYPE variable is overridden with the value 'user',
+# the default value of MASTERKEY will be:
+--------------------------------------------------------------------------
+MASTERKEY=/etc/keys/kmk-user-$(uname -r).blob
+--------------------------------------------------------------------------
+
+# If the system is configured to boot multiple kernels and a trusted/user key is
+# tied to each one, the MASTERKEY variable should be not modified to avoid
+# setting the path name each time a different kernel is chosen.
+
+
+[1] https://projects.sirrix.com/trac/trustedgrub/
diff --git a/modules.d/97masterkey/masterkey.sh b/modules.d/97masterkey/masterkey.sh
new file mode 100755
index 0000000..af042a9
--- /dev/null
+++ b/modules.d/97masterkey/masterkey.sh
@@ -0,0 +1,67 @@
+#!/bin/sh
+# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
+# ex: ts=8 sw=4 sts=4 et filetype=sh
+
+# Licensed under the GPLv2
+#
+# Copyright (C) 2011 Politecnico di Torino, Italy
+#                    TORSEC group -- http://security.polito.it
+# Roberto Sassu <roberto.sassu@xxxxxxxxx>
+
+MASTERKEYSCONFIG="${NEWROOT}/etc/sysconfig/masterkey"
+PCRLOCKNUM=11
+
+load_masterkey()
+{
+    # read the configuration from the config file
+    [ -f "${MASTERKEYSCONFIG}" ] && \
+        . ${MASTERKEYSCONFIG}
+
+    # override the kernel master key path name from the 'masterkey=' parameter
+    # in the kernel command line
+    MASTERKEYARG=$(getarg masterkey=)
+    [ $? -eq 0 ] && \
+        MASTERKEY=$MASTERKEYARG
+
+    # override the kernel master key type from the 'masterkeytype=' parameter
+    # in the kernel command line
+    MASTERKEYTYPEARG=$(getarg masterkeytype=)
+    [ $? -eq 0 ] && \
+        MASTERKEYTYPE=$MASTERKEYTYPEARG
+
+    # set default values
+    [ -z "$MASTERKEYTYPE" ] && \
+        MASTERKEYTYPE="trusted"
+
+    [ -z "$MASTERKEY" ] && \
+        MASTERKEY="/etc/keys/kmk-${MASTERKEYTYPE}-$(uname -r).blob"
+
+    # set the kernel master key path name
+    MASTERKEYPATH="${NEWROOT}${MASTERKEY}"
+
+    # check for kernel master key's existence
+    if [ ! -f "${MASTERKEYPATH}" ]; then
+        if [ "${RD_DEBUG}" = "yes" ]; then
+            info "masterkey: missing the kernel master key: kmk-${MASTERKEYTYPE}"
+        fi
+        return 1
+    fi
+
+    # read the kernel master key blob
+    KEYBLOB=$(cat ${MASTERKEYPATH})
+
+    # add the 'load' prefix if the key type is 'trusted'
+    [ "${MASTERKEYTYPE}" = "trusted" ] && \
+        KEYBLOB="load ${KEYBLOB} pcrlock=${PCRLOCKNUM}"
+
+    # load the kernel master key
+    info "Loading the kernel master key"
+    keyctl add "${MASTERKEYTYPE}" "kmk-${MASTERKEYTYPE}" "${KEYBLOB}" @u >/dev/null || {
+        info "masterkey: failed to load the kernel master key: kmk-${MASTERKEYTYPE}";
+        return 1;
+    }
+
+    return 0
+}
+
+load_masterkey
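Review bot: In `load_masterkey`, `MASTERKEYTYPE` and `MASTERKEY` come from `/etc/sysconfig/masterkey` or the kernel command line and are used unchecked and partly unquoted. `. ${MASTERKEYSCONFIG}` and `KEYBLOB=$(cat ${MASTERKEYPATH})` word-split on a path containing whitespace, and any type string is handed to `keyctl add`. Quote both expansions (`. "${MASTERKEYSCONFIG}"`, `KEYBLOB=$(cat "${MASTERKEYPATH}")`) and reject types other than the two the README documents before the default path is built, e.g. `case "${MASTERKEYTYPE}" in trusted|user) ;; *) info "masterkey: unsupported key type"; return 1 ;; esac`. For the `user` type the raw key also passes through a shell variable and the `keyctl add` argument list, where it is visible in the process arguments and where command substitution drops NUL bytes and trailing newlines. Feeding the blob on stdin with `keyctl padd user kmk-user @u < "${MASTERKEYPATH}"` would avoid both.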
diff --git a/modules.d/97masterkey/module-setup.sh b/modules.d/97masterkey/module-setup.sh
new file mode 100755
index 0000000..64f164b
--- /dev/null
+++ b/modules.d/97masterkey/module-setup.sh
@@ -0,0 +1,25 @@
+#!/bin/bash
+# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
+# ex: ts=8 sw=4 sts=4 et filetype=sh
+
+check() {
+    [ "$1" = "-h" ] && {
+        [ -x "/bin/keyctl" ] || return 1
+    }
+
+    return 0
+}
+
+depends() {
+    return 0
+}
+
+installkernel() {
+    instmods trusted encrypted
+}
+
+install() {
+    inst keyctl
+    inst uname
+    inst_hook pre-pivot 60 "$moddir/masterkey.sh"
+}
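Review bot: `check()` tests only the hard-coded path `/bin/keyctl`, and only when called with `-h`, while `install()` pulls in `keyctl` by name. On a host where keyctl is installed elsewhere (for example under /usr/bin) the `-h` check would reject the module even though `inst keyctl` might have succeeded, and outside `-h` a missing keyctl is not detected until `install()` runs. Since the file is already `#!/bin/bash`, a PATH lookup such as `type -P keyctl >/dev/null || return 1` would keep the two functions consistent. A one-line comment above `install()` noting that `uname` is needed for the default `kmk-<type>-$(uname -r).blob` path would also help.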
-- 
1.7.4.4

Attachment: smime.p7s
Description: S/MIME cryptographic signature

