projects / platform / kernel / linux-starfive.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 6eaae19) | patch
s390: add support for user-defined certificates
authorAnastasia Eskova <anastasia.eskova@ibm.com>
Fri, 28 Apr 2023 10:42:42 +0000 (06:42 -0400)
committerHeiko Carstens <hca@linux.ibm.com>
Mon, 24 Jul 2023 10:12:21 +0000 (12:12 +0200)
commit8cf57d7217c32133d25615324c0ab4aaacf4d9c4
tree7625a540aaf7d1e854a09fca5d528f867c51a961tree | snapshot
parent6eaae198076080886b9e7d57f4ae06fa782f90efcommit | diff
s390: add support for user-defined certificates

Enable receiving the user-defined certificates from the s390x
hypervisor via new diagnose 0x320 calls, and make them available to the
Linux root user as 'cert_store_key' type keys in a so-called
'cert_store' keyring.

New user-space interfaces:

  /sys/firmware/cert_store/refresh

    Writing to this attribute re-fetches certificates via DIAG 0x320

  /sys/firmware/cert_store/cs_status

    Reading from this attribute returns either of:

  "uninitialized"
    If no certificate has been retrieved yet
  "ok"
    If certificates have been successfully retrieved
  "failed (<number>)"
    If certificate retrieval failed with reason code <number>

New debug trace areas:

  /sys/kernel/debug/s390dbf/cert_store_msg

  /sys/kernel/debug/s390dbf/cert_store_hexdump

Usage example:

To initiate request for certificates available to the system as root:

  $ echo 1 > /sys/firmware/cert_store/refresh

Upon success the '/sys/firmware/cert_store/cs_status' contains
the value 'ok'.

  $ cat /sys/firmware/cert_store/cs_status
  ok

Get the ID of the keyring 'cert_store':

  $ keyctl search @us keyring cert_store
OR
  $ keyctl link @us @s; keyctl request keyring cert_store

Obtain list of IDs of certificates:

  $ keyctl rlist <cert_store keyring ID>

Display certificate content as hex-dump:

  $ keyctl read <certificate ID>

Read certificate contents as binary data:

  $ keyctl pipe <certificate ID> >cert_data

Display certificate description:

  $ keyctl describe <certificate ID>

The certificate description has the following format:

  <64 bytes certificate name in EBCDIC> ':'
  <certificate index as obtained from hypervisor> ':'
  <certificate store token obtained from hypervisor>

The certificate description in /proc/keys has certificate name
represented in ASCII.

Users can read but cannot update the content of the certificate.

Signed-off-by: Anastasia Eskova <anastasia.eskova@ibm.com>
Reviewed-by: Peter Oberparleiter <oberpar@linux.ibm.com>
Acked-by: Heiko Carstens <hca@linux.ibm.com>
Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
arch/s390/Kconfig diff | blob | history
arch/s390/include/asm/diag.h diff | blob | history
arch/s390/include/asm/sclp.h diff | blob | history
arch/s390/kernel/Makefile diff | blob | history
arch/s390/kernel/cert_store.c [new file with mode: 0644] blob
arch/s390/kernel/diag.c diff | blob | history
drivers/s390/char/sclp_early.c diff | blob | history
Domain: System / Kernel;