iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
linux/arch/s390
History
Anastasia Eskova 8cf57d7217 s390: add support for user-defined certificates 
Enable receiving the user-defined certificates from the s390x
hypervisor via new diagnose 0x320 calls, and make them available to the
Linux root user as 'cert_store_key' type keys in a so-called
'cert_store' keyring.

New user-space interfaces:

  /sys/firmware/cert_store/refresh

    Writing to this attribute re-fetches certificates via DIAG 0x320

  /sys/firmware/cert_store/cs_status

    Reading from this attribute returns either of:

	  "uninitialized"
	    If no certificate has been retrieved yet
	  "ok"
	    If certificates have been successfully retrieved
	  "failed (<number>)"
	    If certificate retrieval failed with reason code <number>

New debug trace areas:

  /sys/kernel/debug/s390dbf/cert_store_msg

  /sys/kernel/debug/s390dbf/cert_store_hexdump

Usage example:

To initiate request for certificates available to the system as root:

  $ echo 1 > /sys/firmware/cert_store/refresh

Upon success the '/sys/firmware/cert_store/cs_status' contains
the value 'ok'.

  $ cat /sys/firmware/cert_store/cs_status
  ok

Get the ID of the keyring 'cert_store':

  $ keyctl search @us keyring cert_store
OR
  $ keyctl link @us @s; keyctl request keyring cert_store

Obtain list of IDs of certificates:

  $ keyctl rlist <cert_store keyring ID>

Display certificate content as hex-dump:

  $ keyctl read <certificate ID>

Read certificate contents as binary data:

  $ keyctl pipe <certificate ID> >cert_data

Display certificate description:

  $ keyctl describe <certificate ID>

The certificate description has the following format:

  <64 bytes certificate name in EBCDIC> ':'
  <certificate index as obtained from hypervisor> ':'
  <certificate store token obtained from hypervisor>

The certificate description in /proc/keys has certificate name
represented in ASCII.

Users can read but cannot update the content of the certificate.

Signed-off-by: Anastasia Eskova <anastasia.eskova@ibm.com>
Reviewed-by: Peter Oberparleiter <oberpar@linux.ibm.com>
Acked-by: Heiko Carstens <hca@linux.ibm.com>
Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
2023-07-24 12:12:21 +02:00
..
appldata
s390: include linux/io.h instead of asm/io.h
2023-07-03 11:19:40 +02:00
boot
s390 updates for 6.5 merge window part 2
2023-07-06 13:18:30 -07:00
configs
s390/defconfigs: set CONFIG_NET_TC_SKB_EXT=y
2023-06-22 15:02:01 +02:00
crypto
s390/crypto: use kfree_sensitive() instead of kfree()
2023-07-20 16:48:56 +02:00
hypfs
s390/hypfs: remove unused info_blk_hdr__pcpus() function
2022-11-23 16:24:07 +01:00
include
s390: add support for user-defined certificates
2023-07-24 12:12:21 +02:00
kernel
s390: add support for user-defined certificates
2023-07-24 12:12:21 +02:00
kvm
KVM: s390: pv: simplify shutdown and fix race
2023-07-18 11:21:51 +02:00
lib
s390: include linux/io.h instead of asm/io.h
2023-07-03 11:19:40 +02:00
mm
ARM:
2023-07-23 10:44:38 -07:00
net
s390: consistently use .balign instead of .align
2023-06-28 13:57:09 +02:00
pci
s390: fix various typos
2023-07-03 11:19:42 +02:00
purgatory
s390 updates for 6.5 merge window part 2
2023-07-06 13:18:30 -07:00
tools
KVM: s390: Add facility 197 to the allow list
2022-07-13 15:25:25 +02:00
Kbuild
kbuild: use more subdir- for visiting subdirectories while cleaning
2021-10-24 13:49:46 +09:00
Kconfig
s390: add support for user-defined certificates
2023-07-24 12:12:21 +02:00
Kconfig.debug
s390/Kconfig.debug: fix indentation
2022-06-01 12:03:15 +02:00
Makefile
s390/decompressor: fix misaligned symbol build error
2023-06-28 13:57:09 +02:00