Commit 8cf57d72 authored by Anastasia Eskova's avatar Anastasia Eskova Committed by Heiko Carstens

s390: add support for user-defined certificates



Enable receiving the user-defined certificates from the s390x
hypervisor via new diagnose 0x320 calls, and make them available to the
Linux root user as 'cert_store_key' type keys in a so-called
'cert_store' keyring.

New user-space interfaces:

  /sys/firmware/cert_store/refresh

    Writing to this attribute re-fetches certificates via DIAG 0x320

  /sys/firmware/cert_store/cs_status

    Reading from this attribute returns either of:

	  "uninitialized"
	    If no certificate has been retrieved yet
	  "ok"
	    If certificates have been successfully retrieved
	  "failed (<number>)"
	    If certificate retrieval failed with reason code <number>

New debug trace areas:

  /sys/kernel/debug/s390dbf/cert_store_msg

  /sys/kernel/debug/s390dbf/cert_store_hexdump

Usage example:

To initiate request for certificates available to the system as root:

  $ echo 1 > /sys/firmware/cert_store/refresh

Upon success the '/sys/firmware/cert_store/cs_status' contains
the value 'ok'.

  $ cat /sys/firmware/cert_store/cs_status
  ok

Get the ID of the keyring 'cert_store':

  $ keyctl search @us keyring cert_store
OR
  $ keyctl link @us @s; keyctl request keyring cert_store

Obtain list of IDs of certificates:

  $ keyctl rlist <cert_store keyring ID>

Display certificate content as hex-dump:

  $ keyctl read <certificate ID>

Read certificate contents as binary data:

  $ keyctl pipe <certificate ID> >cert_data

Display certificate description:

  $ keyctl describe <certificate ID>

The certificate description has the following format:

  <64 bytes certificate name in EBCDIC> ':'
  <certificate index as obtained from hypervisor> ':'
  <certificate store token obtained from hypervisor>

The certificate description in /proc/keys has certificate name
represented in ASCII.

Users can read but cannot update the content of the certificate.

Signed-off-by: Anastasia Eskova <anastasia.eskova@ibm.com>
Reviewed-by: Peter Oberparleiter <oberpar@linux.ibm.com>
Acked-by: Heiko Carstens <hca@linux.ibm.com>
Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
parent 6eaae198
+10 −0
@@ -512,6 +512,16 @@ config KEXEC_SIG
	  verification for the corresponding kernel image type being
	  loaded in order for this to work.

config CERT_STORE
	bool "Get user certificates via DIAG320"
	depends on KEYS
	help
	  Enable this option if you want to access user-provided secure boot
	  certificates via DIAG 0x320.

	  These certificates will be made available via the keyring named
	  'cert_store'.

config KERNEL_NOBP
	def_bool n
	prompt "Enable modified branch prediction for the kernel by default"
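Review bot: The help text of the new `config CERT_STORE` entry calls these "secure boot certificates" but does not say who supplies them or how far the kernel trusts them. According to the commit description they are fetched from the hypervisor via DIAG 0x320 and exposed to root as read-only keys in the 'cert_store' keyring. I would add a sentence to the help such as `The certificates are supplied by the hypervisor and are only made readable to root; enabling this option also adds /sys/firmware/cert_store/.` so that someone configuring a kernel can judge the trust boundary. Whether any kernel code uses this keyring for signature verification cannot be seen here, because cert_store.c is collapsed on this page; the help should state that once it is confirmed.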
+1 −0
@@ -36,6 +36,7 @@ enum diag_stat_enum {
	DIAG_STAT_X304,
	DIAG_STAT_X308,
	DIAG_STAT_X318,
	DIAG_STAT_X320,
	DIAG_STAT_X500,
	NR_DIAG_STAT
};
+1 −0
@@ -86,6 +86,7 @@ struct sclp_info {
	unsigned char has_kss : 1;
	unsigned char has_gisaf : 1;
	unsigned char has_diag318 : 1;
	unsigned char has_diag320 : 1;
	unsigned char has_sipl : 1;
	unsigned char has_sipl_eckd : 1;
	unsigned char has_dirq : 1;
+1 −1
@@ -68,7 +68,7 @@ obj-$(CONFIG_JUMP_LABEL) += jump_label.o

obj-$(CONFIG_KEXEC_FILE)	+= machine_kexec_file.o kexec_image.o
obj-$(CONFIG_KEXEC_FILE)	+= kexec_elf.o

obj-$(CONFIG_CERT_STORE)	+= cert_store.o
obj-$(CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT)	+= ima_arch.o

obj-$(CONFIG_PERF_EVENTS)	+= perf_event.o
+810 −0

File added.

Preview size limit exceeded, changes collapsed.
