new file mode 100644
@@ -0,0 +1 @@
+/builtin_acl
@@ -9,3 +9,13 @@ config SECURITY_CLAVIS
keyrings (builtin, secondary, or platform). One way to add this key
is during boot by passing in the asymmetric key id within the "clavis=" boot
param. This keyring is required by the Clavis LSM.
+
+config SECURITY_CLAVIS_ACL_LIST
+ string "Clavis ACL list to preload into the clavis keyring"
+ depends on SECURITY_CLAVIS
+ help
+ If set, this option should be the file name of a list of clavis ACL
+ entries. This will be included into a C wrapper to incorporate the
+ acl list into the kernel. The file contents must be in the following
+ format: <two digit key usage number>:<subject key id>. If more than
+ one entry is added, add a carriage return after each entry.
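Review bot: The last two lines of the help text tell the user to "add a carriage return after each entry", but the generator in security/clavis/Makefile splits the file on newlines, and a literal CR would be kept inside the generated string (sed's `.` matches it), so an entry from a CRLF file would end in `\r`. I would word it `If more than one entry is added, put each entry on its own line (newline-terminated).` The text also does not say what a blank line does; since the generator turns it into an empty `"",` entry, adding `Leave no blank lines; every line becomes one ACL string compiled into the kernel.` would save a surprise at boot.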
@@ -2,3 +2,19 @@
obj-$(CONFIG_SECURITY_CLAVIS) += clavis_keyring.o
obj-$(CONFIG_SECURITY_CLAVIS) += clavis.o
+obj-$(CONFIG_SECURITY_CLAVIS) += clavis_builtin_acl.o
+
+ifeq ($(CONFIG_SECURITY_CLAVIS_ACL_LIST),)
+quiet_cmd_make_builtin_acl = GEN $@
+ cmd_make_builtin_acl = \
+ echo > $@
+else
+quiet_cmd_make_builtin_acl = GEN $@
+ cmd_make_builtin_acl = \
+ sed 's/^[ \t]*//; s/.*/"&",/' $< | tr '[:upper:]' '[:lower:]' > $@
+endif
+
+$(obj)/builtin_acl: $(CONFIG_SECURITY_CLAVIS_ACL_LIST) FORCE
+ $(call if_changed,make_builtin_acl)
+
+$(obj)/clavis_builtin_acl.o: $(obj)/builtin_acl
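Review bot: The `ifeq ($(CONFIG_SECURITY_CLAVIS_ACL_LIST),)` test on the third added line does not look like it matches an unset option: Kconfig exports string symbols to auto.conf with their quotes, so the value Kbuild sees is `""` rather than empty, and the else branch would then run sed with `$<` being the literal `""`. The kernel's certs/Makefile handles the same situation with `ifneq ($(CONFIG_SYSTEM_TRUSTED_KEYS),"")` and strips the quotes on the prerequisite with `$(CONFIG_SYSTEM_TRUSTED_KEYS:"%"=%)`; the equivalent here would be `ifeq ($(CONFIG_SECURITY_CLAVIS_ACL_LIST),"")` and `$(obj)/builtin_acl: $(CONFIG_SECURITY_CLAVIS_ACL_LIST:"%"=%) FORCE`. Because `builtin_acl` is produced through `if_changed`, it should also be listed in `targets += builtin_acl` so the saved command line is actually compared, and in `clean-files` so `make clean` removes it. Note that input lines are pasted into the C string literal verbatim, so a `"` or `\` in the list breaks the build and a blank line becomes an empty entry; the documented `nn:<skid>` format is only checked, if at all, by clavis_add_acl at boot.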
@@ -14,6 +14,8 @@ struct asymmetric_setup_kid {
unsigned char data[CLAVIS_BIN_KID_MAX];
};
+extern const char __initconst *const clavis_builtin_acl_list[];
+
#ifndef CONFIG_SYSTEM_TRUSTED_KEYRING
const char __initconst *const clavis_module_acl[] = {
NULL
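Review bot: The new extern declaration of `clavis_builtin_acl_list` carries no comment, so nothing in the header says where its entries come from or that it may be empty. I would add above it: `/* ACL entries compiled in from CONFIG_SECURITY_CLAVIS_ACL_LIST (see clavis_builtin_acl.c); NULL-terminated, contains only NULL when the option is unset. */`. Since the array is `__initconst`, only `__init` code may reference it; the one caller in this series, clavis_keyring_init, is `__init`, so a short `/* __initconst: only usable from __init code */` next to the declaration would keep later callers from introducing a section mismatch.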
new file mode 100644
@@ -0,0 +1,7 @@
+// SPDX-License-Identifier: GPL-2.0
+#include "clavis.h"
+
+const char __initconst *const clavis_builtin_acl_list[] = {
+#include "builtin_acl"
+ NULL
+};
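Review bot: The array definition gives no hint that `builtin_acl` is a build product rather than a checked-in file, which is the first thing a reader grepping for it needs to know. I would add a comment above the `#include "builtin_acl"` line: `/* Generated by security/clavis/Makefile from CONFIG_SECURITY_CLAVIS_ACL_LIST: one lower-cased, double-quoted string per input line; empty when the option is unset. */`. The trailing `NULL` mirrors the terminator of `clavis_module_acl` in clavis.h and is presumably what clavis_add_acl stops on, so a `/* terminator */` on that line would make the contract explicit.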
@@ -300,6 +300,7 @@ int __init clavis_keyring_init(void)
panic("Can't allocate clavis keyring\n");
clavis_add_acl(clavis_module_acl, clavis_keyring);
+ clavis_add_acl(clavis_builtin_acl_list, clavis_keyring);
return 0;
}
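Review bot: The added `clavis_add_acl(clavis_builtin_acl_list, clavis_keyring);` discards the return value, as the existing call above it does; if clavis_add_acl can fail on a malformed entry (its prototype is not in this hunk), an error in a list that was compiled into the kernel at build time goes unreported at boot. The surrounding code already panics when the keyring cannot be allocated, so either surface the failure the same way, log it with pr_err, or add a comment stating that clavis_add_acl reports per-entry errors itself. The body of clavis_keyring_init starts before this hunk.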
Add a new Kconfig called SECURITY_CLAVIS_ACL_LIST. If set, this option should be the file name of a list of clavis ACL entries. This will be included into a C wrapper to incorporate the ACL list into the kernel. The file contents must be in the following format: <two digit key usage number>:<subject key id>. If more than one entry is added, add a carriage return after each entry. Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com> --- security/clavis/.gitignore | 1 + security/clavis/Kconfig | 10 ++++++++++ security/clavis/Makefile | 16 ++++++++++++++++ security/clavis/clavis.h | 2 ++ security/clavis/clavis_builtin_acl.c | 7 +++++++ security/clavis/clavis_keyring.c | 1 + 6 files changed, 37 insertions(+) create mode 100644 security/clavis/.gitignore create mode 100644 security/clavis/clavis_builtin_acl.c