Bug#850339: [PATCH 1/3] initramfs-tools: add script for loading kernel masterkey
From: Stefan Berger <stefanb@us.ibm.com>
We are adding a script for loading the kernel master key,
which is a symmetric key that is used to decrypt other keys
in the system. The kernel master key can either be a trusted
or a user key.
The config file /etc/default/masterkey allows configuring
the type of key and its location. By default the key is expected
to be found under /etc/keys/kmk-trusted.blob.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
---
hooks/masterkey | 19 ++++++++
scripts/init-top/masterkey | 105 +++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 124 insertions(+)
create mode 100755 hooks/masterkey
create mode 100755 scripts/init-top/masterkey
diff --git a/hooks/masterkey b/hooks/masterkey
new file mode 100755
index 0000000..b32a936
--- /dev/null
+++ b/hooks/masterkey
@@ -0,0 +1,19 @@
+#!/bin/sh
+
+PREREQ=""
+
+prereqs()
+{
+ echo "$PREREQ"
+}
+
+case $1 in
+prereqs)
+ prereqs
+ exit 0
+ ;;
+esac
+
+. /usr/share/initramfs-tools/hook-functions
+copy_exec /bin/keyctl
+copy_exec /bin/uname
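Review bot: The hook runs without `set -e` and does not check the result of `copy_exec /bin/keyctl`, so a system without that binary would presumably still build an initramfs, and the failure would only appear at boot when `keyctl add` cannot run. Adding `set -e` after the shebang, or a guard such as `[ -x /bin/keyctl ] || exit 0` before the copy, makes the build-time outcome explicit. A short header comment stating what the hook installs and why (`# Copy keyctl and uname into the initramfs for scripts/init-top/masterkey`) would also help, since the file has no comments.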
diff --git a/scripts/init-top/masterkey b/scripts/init-top/masterkey
new file mode 100755
index 0000000..62f4cdf
--- /dev/null
+++ b/scripts/init-top/masterkey
@@ -0,0 +1,105 @@
+#!/bin/sh
+
+# Licensed under the GPLv2
+#
+# Copyright (C) 2011 Politecnico di Torino, Italy
+# TORSEC group -- http://security.polito.it
+# Roberto Sassu <roberto.sassu@polito.it>
+#
+# (c) Copyright IBM Corporation 2016,2017
+#
+# Stefan Berger <stefanb@linux.vnet.ibm.com>
+#
+# This file has been derived from Dracut's 97masterkey/masterkey.sh
+#
+PREREQ=""
+
+prereqs()
+{
+ echo "$PREREQ"
+}
+
+case $1 in
+# get pre-requisites
+prereqs)
+ prereqs
+ exit 0
+ ;;
+esac
+
+. /scripts/functions
+
+NEWROOT="${rootmnt}"
+MASTERKEYSCONFIG="${NEWROOT}/etc/default/masterkey"
+MULTIKERNELMODE="NO"
+PCRLOCKNUM=11
+
+getarg()
+{
+ att=$1
+
+ sed -n 's/.*'${att}'\([^ ]\+\).*/\1/p' /proc/cmdline
+}
+
+load_masterkey()
+{
+ # read the configuration from the config file
+ [ -f "${MASTERKEYSCONFIG}" ] && \
+ . ${MASTERKEYSCONFIG}
+
+ # override the kernel master key path name from the 'masterkey=' parameter
+ # in the kernel command line
+ MASTERKEYARG=$(getarg masterkey=)
+ [ -n "${MASTERKEYARG}" ] && \
+ MASTERKEY=${MASTERKEYARG}
+
+ # override the kernel master key type from the 'masterkeytype=' parameter
+ # in the kernel command line
+ MASTERKEYTYPEARG=$(getarg masterkeytype=)
+ [ -n "${MASTERKEYTYPEARG}" ] && \
+ MASTERKEYTYPE=${MASTERKEYTYPEARG}
+
+ # set default values
+ [ -z "${MASTERKEYTYPE}" ] && \
+ MASTERKEYTYPE="trusted"
+
+ if [ -z "${MASTERKEY}" ]; then
+ # append the kernel version to the default masterkey path name
+ # if MULTIKERNELMODE is set to YES
+ if [ "${MULTIKERNELMODE}" = "YES" ]; then
+ MASTERKEY="/etc/keys/kmk-${MASTERKEYTYPE}-$(uname -r).blob"
+ else
+ MASTERKEY="/etc/keys/kmk-${MASTERKEYTYPE}.blob"
+ fi
+ fi
+
+ # set the kernel master key path name
+ MASTERKEYPATH="${NEWROOT}${MASTERKEY}"
+
+ # check for kernel master key's existence
+ if [ ! -f "${MASTERKEYPATH}" ]; then
+ [ "$quiet" != "y" ] && _log_msg "masterkey: kernel master key file not found: ${MASTERKEYPATH}\n"
+ return 1
+ fi
+
+ # read the kernel master key blob
+ KEYBLOB=$(cat ${MASTERKEYPATH})
+
+ # add the 'load' prefix if the key type is 'trusted'
+ [ "${MASTERKEYTYPE}" = "trusted" ] && \
+ KEYBLOB="load ${KEYBLOB} pcrlock=${PCRLOCKNUM}"
+
+ # load the kernel master key
+ _log_msg "masterkey: Loading the kernel master key\n"
+ keyctl add "${MASTERKEYTYPE}" "kmk-${MASTERKEYTYPE}" "${KEYBLOB}" @u >/dev/null
+ if [ $? -ne 0 ]; then
+ _log_msg "masterkey: failed to load the kernel master key: kmk-${MASTERKEYTYPE}\n"
+ return 1
+ fi
+
+ _log_msg "masterkey: Loaded masterkey ${MASTERKEYPATH}\n"
+
+ return 0
+}
+
+load_masterkey
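Review bot: The script reads both `${rootmnt}/etc/default/masterkey` and the key blob under `${rootmnt}`, but it is installed in `scripts/init-top`, which as far as I know from initramfs-tools(7) runs before the root filesystem is mounted. If so, the `[ -f ... ]` tests would fail and no key would be loaded; a stage that runs after the root mount (for example `init-bottom` or `local-bottom`) looks like the intended place, please confirm. Separately, `. ${MASTERKEYSCONFIG}` and `cat ${MASTERKEYPATH}` expand unquoted even though the path can come from the `masterkey=` boot parameter, so they are subject to field splitting and globbing; `. "${MASTERKEYSCONFIG}"` and `KEYBLOB=$(cat "${MASTERKEYPATH}")` avoid that. `getarg` also interpolates `${att}` into the sed expression unquoted and does not anchor the name to the start of a word, so any parameter that merely ends in `masterkey=` would be accepted as the override.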
--
2.8.3