doc: ReSTify keys.txt · tjh.dev/kernel@b68101a

+1 -1

Documentation/crypto/asymmetric-keys.txt

··· 265 265 266 266 The caller passes a pointer to the following struct with all of the fields 267 267 cleared, except for data, datalen and quotalen [see 268 - Documentation/security/keys.txt]. 268 + Documentation/security/keys/core.rst]. 269 269 270 270 struct key_preparsed_payload { 271 271 char *description;

-2

Documentation/security/00-INDEX

··· 6 6 - description of the kernel key request service. 7 7 keys-trusted-encrypted.txt 8 8 - info on the Trusted and Encrypted keys in the kernel key ring service. 9 - keys.txt 10 - - description of the kernel key retention service.

+1

Documentation/security/index.rst

··· 7 7 8 8 credentials 9 9 IMA-templates 10 + keys/index 10 11 LSM 11 12 self-protection 12 13 tpm/index

+151 -163

Documentation/security/keys.txt Documentation/security/keys/core.rst

··· 1 - ============================ 2 - KERNEL KEY RETENTION SERVICE 3 - ============================ 1 + ============================ 2 + Kernel Key Retention Service 3 + ============================ 4 4 5 5 This service allows cryptographic keys, authentication tokens, cross-domain 6 6 user mappings, and similar to be cached in the kernel for the use of ··· 29 29 - Garbage collection 30 30 31 31 32 - ============ 33 - KEY OVERVIEW 32 + Key Overview 34 33 ============ 35 34 36 35 In this context, keys represent units of cryptographic data, authentication ··· 46 47 - State. 47 48 48 49 49 - (*) Each key is issued a serial number of type key_serial_t that is unique for 50 + * Each key is issued a serial number of type key_serial_t that is unique for 50 51 the lifetime of that key. All serial numbers are positive non-zero 32-bit 51 52 integers. 52 53 53 54 Userspace programs can use a key's serial numbers as a way to gain access 54 55 to it, subject to permission checking. 55 56 56 - (*) Each key is of a defined "type". Types must be registered inside the 57 + * Each key is of a defined "type". Types must be registered inside the 57 58 kernel by a kernel service (such as a filesystem) before keys of that type 58 59 can be added or used. Userspace programs cannot define new types directly. 59 60 ··· 63 64 Should a type be removed from the system, all the keys of that type will 64 65 be invalidated. 65 66 66 - (*) Each key has a description. This should be a printable string. The key 67 + * Each key has a description. This should be a printable string. The key 67 68 type provides an operation to perform a match between the description on a 68 69 key and a criterion string. 69 70 70 - (*) Each key has an owner user ID, a group ID and a permissions mask. These 71 + * Each key has an owner user ID, a group ID and a permissions mask. These 71 72 are used to control what a process may do to a key from userspace, and 72 73 whether a kernel service will be able to find the key. 73 74 74 - (*) Each key can be set to expire at a specific time by the key type's 75 + * Each key can be set to expire at a specific time by the key type's 75 76 instantiation function. Keys can also be immortal. 76 77 77 - (*) Each key can have a payload. This is a quantity of data that represent the 78 + * Each key can have a payload. This is a quantity of data that represent the 78 79 actual "key". In the case of a keyring, this is a list of keys to which 79 80 the keyring links; in the case of a user-defined key, it's an arbitrary 80 81 blob of data. ··· 90 91 permitted, another key type operation will be called to convert the key's 91 92 attached payload back into a blob of data. 92 93 93 - (*) Each key can be in one of a number of basic states: 94 + * Each key can be in one of a number of basic states: 94 95 95 - (*) Uninstantiated. The key exists, but does not have any data attached. 96 + * Uninstantiated. The key exists, but does not have any data attached. 96 97 Keys being requested from userspace will be in this state. 97 98 98 - (*) Instantiated. This is the normal state. The key is fully formed, and 99 + * Instantiated. This is the normal state. The key is fully formed, and 99 100 has data attached. 100 101 101 - (*) Negative. This is a relatively short-lived state. The key acts as a 102 + * Negative. This is a relatively short-lived state. The key acts as a 102 103 note saying that a previous call out to userspace failed, and acts as 103 104 a throttle on key lookups. A negative key can be updated to a normal 104 105 state. 105 106 106 - (*) Expired. Keys can have lifetimes set. If their lifetime is exceeded, 107 + * Expired. Keys can have lifetimes set. If their lifetime is exceeded, 107 108 they traverse to this state. An expired key can be updated back to a 108 109 normal state. 109 110 110 - (*) Revoked. A key is put in this state by userspace action. It can't be 111 + * Revoked. A key is put in this state by userspace action. It can't be 111 112 found or operated upon (apart from by unlinking it). 112 113 113 - (*) Dead. The key's type was unregistered, and so the key is now useless. 114 + * Dead. The key's type was unregistered, and so the key is now useless. 114 115 115 116 Keys in the last three states are subject to garbage collection. See the 116 117 section on "Garbage collection". 117 118 118 119 119 - ==================== 120 - KEY SERVICE OVERVIEW 120 + Key Service Overview 121 121 ==================== 122 122 123 123 The key service provides a number of features besides keys: 124 124 125 - (*) The key service defines three special key types: 125 + * The key service defines three special key types: 126 126 127 127 (+) "keyring" 128 128 ··· 147 149 be created and updated from userspace, but the payload is only 148 150 readable from kernel space. 149 151 150 - (*) Each process subscribes to three keyrings: a thread-specific keyring, a 152 + * Each process subscribes to three keyrings: a thread-specific keyring, a 151 153 process-specific keyring, and a session-specific keyring. 152 154 153 155 The thread-specific keyring is discarded from the child when any sort of ··· 168 170 The ownership of the thread keyring changes when the real UID and GID of 169 171 the thread changes. 170 172 171 - (*) Each user ID resident in the system holds two special keyrings: a user 173 + * Each user ID resident in the system holds two special keyrings: a user 172 174 specific keyring and a default user session keyring. The default session 173 175 keyring is initialised with a link to the user-specific keyring. 174 176 ··· 178 180 If a process attempts to access its session key when it doesn't have one, 179 181 it will be subscribed to the default for its current UID. 180 182 181 - (*) Each user has two quotas against which the keys they own are tracked. One 183 + * Each user has two quotas against which the keys they own are tracked. One 182 184 limits the total number of keys and keyrings, the other limits the total 183 185 amount of description and payload space that can be consumed. 184 186 ··· 192 194 If a system call that modifies a key or keyring in some way would put the 193 195 user over quota, the operation is refused and error EDQUOT is returned. 194 196 195 - (*) There's a system call interface by which userspace programs can create and 197 + * There's a system call interface by which userspace programs can create and 196 198 manipulate keys and keyrings. 197 199 198 - (*) There's a kernel interface by which services can register types and search 200 + * There's a kernel interface by which services can register types and search 199 201 for keys. 200 202 201 - (*) There's a way for the a search done from the kernel to call back to 203 + * There's a way for the a search done from the kernel to call back to 202 204 userspace to request a key that can't be found in a process's keyrings. 203 205 204 - (*) An optional filesystem is available through which the key database can be 206 + * An optional filesystem is available through which the key database can be 205 207 viewed and manipulated. 206 208 207 209 208 - ====================== 209 - KEY ACCESS PERMISSIONS 210 + Key Access Permissions 210 211 ====================== 211 212 212 213 Keys have an owner user ID, a group access ID, and a permissions mask. The mask 213 214 has up to eight bits each for possessor, user, group and other access. Only 214 215 six of each set of eight bits are defined. These permissions granted are: 215 216 216 - (*) View 217 + * View 217 218 218 219 This permits a key or keyring's attributes to be viewed - including key 219 220 type and description. 220 221 221 - (*) Read 222 + * Read 222 223 223 224 This permits a key's payload to be viewed or a keyring's list of linked 224 225 keys. 225 226 226 - (*) Write 227 + * Write 227 228 228 229 This permits a key's payload to be instantiated or updated, or it allows a 229 230 link to be added to or removed from a keyring. 230 231 231 - (*) Search 232 + * Search 232 233 233 234 This permits keyrings to be searched and keys to be found. Searches can 234 235 only recurse into nested keyrings that have search permission set. 235 236 236 - (*) Link 237 + * Link 237 238 238 239 This permits a key or keyring to be linked to. To create a link from a 239 240 keyring to a key, a process must have Write permission on the keyring and 240 241 Link permission on the key. 241 242 242 - (*) Set Attribute 243 + * Set Attribute 243 244 244 245 This permits a key's UID, GID and permissions mask to be changed. 245 246 ··· 246 249 the key or having the sysadmin capability is sufficient. 247 250 248 251 249 - =============== 250 - SELINUX SUPPORT 252 + SELinux Support 251 253 =============== 252 254 253 255 The security class "key" has been added to SELinux so that mandatory access ··· 278 282 similarly. 279 283 280 284 281 - ================ 282 - NEW PROCFS FILES 285 + New ProcFS Files 283 286 ================ 284 287 285 288 Two files have been added to procfs by which an administrator can find out 286 289 about the status of the key service: 287 290 288 - (*) /proc/keys 291 + * /proc/keys 289 292 290 293 This lists the keys that are currently viewable by the task reading the 291 294 file, giving information about their type, description and permissions. ··· 296 301 security checks are still performed, and may further filter out keys that 297 302 the current process is not authorised to view. 298 303 299 - The contents of the file look like this: 304 + The contents of the file look like this:: 300 305 301 306 SERIAL FLAGS USAGE EXPY PERM UID GID TYPE DESCRIPTION: SUMMARY 302 307 00000001 I----- 39 perm 1f3f0000 0 0 keyring _uid_ses.0: 1/4 ··· 309 314 00000893 I--Q-N 1 35s 1f3f0000 0 0 user metal:silver: 0 310 315 00000894 I--Q-- 1 10h 003f0000 0 0 user metal:gold: 0 311 316 312 - The flags are: 317 + The flags are:: 313 318 314 319 I Instantiated 315 320 R Revoked ··· 319 324 N Negative key 320 325 321 326 322 - (*) /proc/key-users 327 + * /proc/key-users 323 328 324 329 This file lists the tracking data for each user that has at least one key 325 - on the system. Such data includes quota information and statistics: 330 + on the system. Such data includes quota information and statistics:: 326 331 327 332 [root@andromeda root]# cat /proc/key-users 328 333 0: 46 45/45 1/100 13/10000 ··· 330 335 32: 2 2/2 2/100 40/10000 331 336 38: 2 2/2 2/100 40/10000 332 337 333 - The format of each line is 338 + The format of each line is:: 339 + 334 340 <UID>: User ID to which this applies 335 341 <usage> Structure refcount 336 342 <inst>/<keys> Total number of keys and number instantiated ··· 342 346 Four new sysctl files have been added also for the purpose of controlling the 343 347 quota limits on keys: 344 348 345 - (*) /proc/sys/kernel/keys/root_maxkeys 349 + * /proc/sys/kernel/keys/root_maxkeys 346 350 /proc/sys/kernel/keys/root_maxbytes 347 351 348 352 These files hold the maximum number of keys that root may have and the 349 353 maximum total number of bytes of data that root may have stored in those 350 354 keys. 351 355 352 - (*) /proc/sys/kernel/keys/maxkeys 356 + * /proc/sys/kernel/keys/maxkeys 353 357 /proc/sys/kernel/keys/maxbytes 354 358 355 359 These files hold the maximum number of keys that each non-root user may ··· 360 364 the appropriate file. 361 365 362 366 363 - =============================== 364 - USERSPACE SYSTEM CALL INTERFACE 367 + Userspace System Call Interface 365 368 =============================== 366 369 367 370 Userspace can manipulate keys directly through three new syscalls: add_key, ··· 370 375 When referring to a key directly, userspace programs should use the key's 371 376 serial number (a positive 32-bit integer). However, there are some special 372 377 values available for referring to special keys and keyrings that relate to the 373 - process making the call: 378 + process making the call:: 374 379 375 380 CONSTANT VALUE KEY REFERENCED 376 381 ============================== ====== =========================== ··· 386 391 387 392 The main syscalls are: 388 393 389 - (*) Create a new key of given type, description and payload and add it to the 390 - nominated keyring: 394 + * Create a new key of given type, description and payload and add it to the 395 + nominated keyring:: 391 396 392 397 key_serial_t add_key(const char *type, const char *desc, 393 398 const void *payload, size_t plen, ··· 427 432 The ID of the new or updated key is returned if successful. 428 433 429 434 430 - (*) Search the process's keyrings for a key, potentially calling out to 431 - userspace to create it. 435 + * Search the process's keyrings for a key, potentially calling out to 436 + userspace to create it:: 432 437 433 438 key_serial_t request_key(const char *type, const char *description, 434 439 const char *callout_info, ··· 448 453 449 454 The keyctl syscall functions are: 450 455 451 - (*) Map a special key ID to a real key ID for this process: 456 + * Map a special key ID to a real key ID for this process:: 452 457 453 458 key_serial_t keyctl(KEYCTL_GET_KEYRING_ID, key_serial_t id, 454 459 int create); ··· 461 466 non-zero; and the error ENOKEY will be returned if "create" is zero. 462 467 463 468 464 - (*) Replace the session keyring this process subscribes to with a new one: 469 + * Replace the session keyring this process subscribes to with a new one:: 465 470 466 471 key_serial_t keyctl(KEYCTL_JOIN_SESSION_KEYRING, const char *name); 467 472 ··· 479 484 The ID of the new session keyring is returned if successful. 480 485 481 486 482 - (*) Update the specified key: 487 + * Update the specified key:: 483 488 484 489 long keyctl(KEYCTL_UPDATE, key_serial_t key, const void *payload, 485 490 size_t plen); ··· 493 498 add_key(). 494 499 495 500 496 - (*) Revoke a key: 501 + * Revoke a key:: 497 502 498 503 long keyctl(KEYCTL_REVOKE, key_serial_t key); 499 504 ··· 502 507 be findable. 503 508 504 509 505 - (*) Change the ownership of a key: 510 + * Change the ownership of a key:: 506 511 507 512 long keyctl(KEYCTL_CHOWN, key_serial_t key, uid_t uid, gid_t gid); 508 513 ··· 515 520 its group list members. 516 521 517 522 518 - (*) Change the permissions mask on a key: 523 + * Change the permissions mask on a key:: 519 524 520 525 long keyctl(KEYCTL_SETPERM, key_serial_t key, key_perm_t perm); 521 526 ··· 526 531 error EINVAL will be returned. 527 532 528 533 529 - (*) Describe a key: 534 + * Describe a key:: 530 535 531 536 long keyctl(KEYCTL_DESCRIBE, key_serial_t key, char *buffer, 532 537 size_t buflen); ··· 542 547 A process must have view permission on the key for this function to be 543 548 successful. 544 549 545 - If successful, a string is placed in the buffer in the following format: 550 + If successful, a string is placed in the buffer in the following format:: 546 551 547 552 <type>;<uid>;<gid>;<perm>;<description> 548 553 ··· 550 555 is hexadecimal. A NUL character is included at the end of the string if 551 556 the buffer is sufficiently big. 552 557 553 - This can be parsed with 558 + This can be parsed with:: 554 559 555 560 sscanf(buffer, "%[^;];%d;%d;%o;%s", type, &uid, &gid, &mode, desc); 556 561 557 562 558 - (*) Clear out a keyring: 563 + * Clear out a keyring:: 559 564 560 565 long keyctl(KEYCTL_CLEAR, key_serial_t keyring); 561 566 ··· 568 573 DNS resolver cache keyring is an example of this. 569 574 570 575 571 - (*) Link a key into a keyring: 576 + * Link a key into a keyring:: 572 577 573 578 long keyctl(KEYCTL_LINK, key_serial_t keyring, key_serial_t key); 574 579 ··· 587 592 added. 588 593 589 594 590 - (*) Unlink a key or keyring from another keyring: 595 + * Unlink a key or keyring from another keyring:: 591 596 592 597 long keyctl(KEYCTL_UNLINK, key_serial_t keyring, key_serial_t key); 593 598 ··· 599 604 is not present, error ENOENT will be the result. 600 605 601 606 602 - (*) Search a keyring tree for a key: 607 + * Search a keyring tree for a key:: 603 608 604 609 key_serial_t keyctl(KEYCTL_SEARCH, key_serial_t keyring, 605 610 const char *type, const char *description, ··· 623 628 fails. On success, the resulting key ID will be returned. 624 629 625 630 626 - (*) Read the payload data from a key: 631 + * Read the payload data from a key:: 627 632 628 633 long keyctl(KEYCTL_READ, key_serial_t keyring, char *buffer, 629 634 size_t buflen); ··· 645 650 available rather than the amount copied. 646 651 647 652 648 - (*) Instantiate a partially constructed key. 653 + * Instantiate a partially constructed key:: 649 654 650 655 long keyctl(KEYCTL_INSTANTIATE, key_serial_t key, 651 656 const void *payload, size_t plen, ··· 672 677 array instead of a single buffer. 673 678 674 679 675 - (*) Negatively instantiate a partially constructed key. 680 + * Negatively instantiate a partially constructed key:: 676 681 677 682 long keyctl(KEYCTL_NEGATE, key_serial_t key, 678 683 unsigned timeout, key_serial_t keyring); ··· 695 700 as rejecting the key with ENOKEY as the error code. 696 701 697 702 698 - (*) Set the default request-key destination keyring. 703 + * Set the default request-key destination keyring:: 699 704 700 705 long keyctl(KEYCTL_SET_REQKEY_KEYRING, int reqkey_defl); 701 706 702 707 This sets the default keyring to which implicitly requested keys will be 703 - attached for this thread. reqkey_defl should be one of these constants: 708 + attached for this thread. reqkey_defl should be one of these constants:: 704 709 705 710 CONSTANT VALUE NEW DEFAULT KEYRING 706 711 ====================================== ====== ======================= ··· 726 731 there is one, otherwise the user default session keyring. 727 732 728 733 729 - (*) Set the timeout on a key. 734 + * Set the timeout on a key:: 730 735 731 736 long keyctl(KEYCTL_SET_TIMEOUT, key_serial_t key, unsigned timeout); 732 737 ··· 739 744 or expired keys. 740 745 741 746 742 - (*) Assume the authority granted to instantiate a key 747 + * Assume the authority granted to instantiate a key:: 743 748 744 749 long keyctl(KEYCTL_ASSUME_AUTHORITY, key_serial_t key); 745 750 ··· 761 766 The assumed authoritative key is inherited across fork and exec. 762 767 763 768 764 - (*) Get the LSM security context attached to a key. 769 + * Get the LSM security context attached to a key:: 765 770 766 771 long keyctl(KEYCTL_GET_SECURITY, key_serial_t key, char *buffer, 767 772 size_t buflen) ··· 782 787 successful. 783 788 784 789 785 - (*) Install the calling process's session keyring on its parent. 790 + * Install the calling process's session keyring on its parent:: 786 791 787 792 long keyctl(KEYCTL_SESSION_TO_PARENT); 788 793 ··· 802 807 kernel and resumes executing userspace. 803 808 804 809 805 - (*) Invalidate a key. 810 + * Invalidate a key:: 806 811 807 812 long keyctl(KEYCTL_INVALIDATE, key_serial_t key); 808 813 ··· 818 823 A process must have search permission on the key for this function to be 819 824 successful. 820 825 821 - (*) Compute a Diffie-Hellman shared secret or public key 826 + * Compute a Diffie-Hellman shared secret or public key:: 822 827 823 - long keyctl(KEYCTL_DH_COMPUTE, struct keyctl_dh_params *params, 824 - char *buffer, size_t buflen, 825 - struct keyctl_kdf_params *kdf); 828 + long keyctl(KEYCTL_DH_COMPUTE, struct keyctl_dh_params *params, 829 + char *buffer, size_t buflen, struct keyctl_kdf_params *kdf); 826 830 827 - The params struct contains serial numbers for three keys: 831 + The params struct contains serial numbers for three keys:: 828 832 829 833 - The prime, p, known to both parties 830 834 - The local private key 831 835 - The base integer, which is either a shared generator or the 832 836 remote public key 833 837 834 - The value computed is: 838 + The value computed is:: 835 839 836 840 result = base ^ private (mod prime) 837 841 ··· 852 858 of the KDF is returned to the caller. The KDF is characterized with 853 859 struct keyctl_kdf_params as follows: 854 860 855 - - char *hashname specifies the NUL terminated string identifying 861 + - ``char *hashname`` specifies the NUL terminated string identifying 856 862 the hash used from the kernel crypto API and applied for the KDF 857 863 operation. The KDF implemenation complies with SP800-56A as well 858 864 as with SP800-108 (the counter KDF). 859 865 860 - - char *otherinfo specifies the OtherInfo data as documented in 866 + - ``char *otherinfo`` specifies the OtherInfo data as documented in 861 867 SP800-56A section 5.8.1.2. The length of the buffer is given with 862 868 otherinfolen. The format of OtherInfo is defined by the caller. 863 869 The otherinfo pointer may be NULL if no OtherInfo shall be used. ··· 869 875 and either the buffer length or the OtherInfo length exceeds the 870 876 allowed length. 871 877 872 - (*) Restrict keyring linkage 878 + * Restrict keyring linkage:: 873 879 874 - long keyctl(KEYCTL_RESTRICT_KEYRING, key_serial_t keyring, 875 - const char *type, const char *restriction); 880 + long keyctl(KEYCTL_RESTRICT_KEYRING, key_serial_t keyring, 881 + const char *type, const char *restriction); 876 882 877 883 An existing keyring can restrict linkage of additional keys by evaluating 878 884 the contents of the key according to a restriction scheme. ··· 894 900 To apply a keyring restriction the process must have Set Attribute 895 901 permission and the keyring must not be previously restricted. 896 902 897 - =============== 898 - KERNEL SERVICES 903 + Kernel Services 899 904 =============== 900 905 901 906 The kernel services for key management are fairly simple to deal with. They can ··· 908 915 two different users opening the same file is left to the filesystem author to 909 916 solve. 910 917 911 - To access the key manager, the following header must be #included: 918 + To access the key manager, the following header must be #included:: 912 919 913 920 <linux/key.h> 914 921 915 922 Specific key types should have a header file under include/keys/ that should be 916 - used to access that type. For keys of type "user", for example, that would be: 923 + used to access that type. For keys of type "user", for example, that would be:: 917 924 918 925 <keys/user-type.h> 919 926 920 927 Note that there are two different types of pointers to keys that may be 921 928 encountered: 922 929 923 - (*) struct key * 930 + * struct key * 924 931 925 932 This simply points to the key structure itself. Key structures will be at 926 933 least four-byte aligned. 927 934 928 - (*) key_ref_t 935 + * key_ref_t 929 936 930 - This is equivalent to a struct key *, but the least significant bit is set 937 + This is equivalent to a ``struct key *``, but the least significant bit is set 931 938 if the caller "possesses" the key. By "possession" it is meant that the 932 939 calling processes has a searchable link to the key from one of its 933 - keyrings. There are three functions for dealing with these: 940 + keyrings. There are three functions for dealing with these:: 934 941 935 942 key_ref_t make_key_ref(const struct key *key, bool possession); 936 943 ··· 948 955 prevent access vs modification races. See the section "Notes on accessing 949 956 payload contents" for more information. 950 957 951 - (*) To search for a key, call: 958 + * To search for a key, call:: 952 959 953 960 struct key *request_key(const struct key_type *type, 954 961 const char *description, ··· 970 977 See also Documentation/security/keys-request-key.txt. 971 978 972 979 973 - (*) To search for a key, passing auxiliary data to the upcaller, call: 980 + * To search for a key, passing auxiliary data to the upcaller, call:: 974 981 975 982 struct key *request_key_with_auxdata(const struct key_type *type, 976 983 const char *description, ··· 983 990 is a blob of length callout_len, if given (the length may be 0). 984 991 985 992 986 - (*) A key can be requested asynchronously by calling one of: 993 + * A key can be requested asynchronously by calling one of:: 987 994 988 995 struct key *request_key_async(const struct key_type *type, 989 996 const char *description, 990 997 const void *callout_info, 991 998 size_t callout_len); 992 999 993 - or: 1000 + or:: 994 1001 995 1002 struct key *request_key_async_with_auxdata(const struct key_type *type, 996 1003 const char *description, ··· 1003 1010 1004 1011 These two functions return with the key potentially still under 1005 1012 construction. To wait for construction completion, the following should be 1006 - called: 1013 + called:: 1007 1014 1008 1015 int wait_for_key_construction(struct key *key, bool intr); 1009 1016 ··· 1015 1022 case error ERESTARTSYS will be returned. 1016 1023 1017 1024 1018 - (*) When it is no longer required, the key should be released using: 1025 + * When it is no longer required, the key should be released using:: 1019 1026 1020 1027 void key_put(struct key *key); 1021 1028 1022 - Or: 1029 + Or:: 1023 1030 1024 1031 void key_ref_put(key_ref_t key_ref); 1025 1032 ··· 1027 1034 the argument will not be parsed. 1028 1035 1029 1036 1030 - (*) Extra references can be made to a key by calling one of the following 1031 - functions: 1037 + * Extra references can be made to a key by calling one of the following 1038 + functions:: 1032 1039 1033 1040 struct key *__key_get(struct key *key); 1034 1041 struct key *key_get(struct key *key); ··· 1040 1047 then the key will not be dereferenced and no increment will take place. 1041 1048 1042 1049 1043 - (*) A key's serial number can be obtained by calling: 1050 + * A key's serial number can be obtained by calling:: 1044 1051 1045 1052 key_serial_t key_serial(struct key *key); 1046 1053 ··· 1048 1055 latter case without parsing the argument). 1049 1056 1050 1057 1051 - (*) If a keyring was found in the search, this can be further searched by: 1058 + * If a keyring was found in the search, this can be further searched by:: 1052 1059 1053 1060 key_ref_t keyring_search(key_ref_t keyring_ref, 1054 1061 const struct key_type *type, ··· 1063 1070 reference pointer if successful. 1064 1071 1065 1072 1066 - (*) A keyring can be created by: 1073 + * A keyring can be created by:: 1067 1074 1068 1075 struct key *keyring_alloc(const char *description, uid_t uid, gid_t gid, 1069 1076 const struct cred *cred, ··· 1102 1109 -EPERM to in this case. 1103 1110 1104 1111 1105 - (*) To check the validity of a key, this function can be called: 1112 + * To check the validity of a key, this function can be called:: 1106 1113 1107 1114 int validate_key(struct key *key); 1108 1115 ··· 1112 1119 returned (in the latter case without parsing the argument). 1113 1120 1114 1121 1115 - (*) To register a key type, the following function should be called: 1122 + * To register a key type, the following function should be called:: 1116 1123 1117 1124 int register_key_type(struct key_type *type); 1118 1125 ··· 1120 1127 present. 1121 1128 1122 1129 1123 - (*) To unregister a key type, call: 1130 + * To unregister a key type, call:: 1124 1131 1125 1132 void unregister_key_type(struct key_type *type); 1126 1133 1127 1134 1128 1135 Under some circumstances, it may be desirable to deal with a bundle of keys. 1129 - The facility provides access to the keyring type for managing such a bundle: 1136 + The facility provides access to the keyring type for managing such a bundle:: 1130 1137 1131 1138 struct key_type key_type_keyring; 1132 1139 ··· 1136 1143 search a specific keyring, so using keyrings in this way is of limited utility. 1137 1144 1138 1145 1139 - =================================== 1140 - NOTES ON ACCESSING PAYLOAD CONTENTS 1146 + Notes On Accessing Payload Contents 1141 1147 =================================== 1142 1148 1143 1149 The simplest payload is just data stored in key->payload directly. In this ··· 1146 1154 key->payload.data[] array. One of the following ways must be selected to 1147 1155 access the data: 1148 1156 1149 - (1) Unmodifiable key type. 1157 + 1) Unmodifiable key type. 1150 1158 1151 1159 If the key type does not have a modify method, then the key's payload can 1152 1160 be accessed without any form of locking, provided that it's known to be 1153 1161 instantiated (uninstantiated keys cannot be "found"). 1154 1162 1155 - (2) The key's semaphore. 1163 + 2) The key's semaphore. 1156 1164 1157 1165 The semaphore could be used to govern access to the payload and to control 1158 1166 the payload pointer. It must be write-locked for modifications and would 1159 1167 have to be read-locked for general access. The disadvantage of doing this 1160 1168 is that the accessor may be required to sleep. 1161 1169 1162 - (3) RCU. 1170 + 3) RCU. 1163 1171 1164 1172 RCU must be used when the semaphore isn't already held; if the semaphore 1165 1173 is held then the contents can't change under you unexpectedly as the 1166 1174 semaphore must still be used to serialise modifications to the key. The 1167 1175 key management code takes care of this for the key type. 1168 1176 1169 - However, this means using: 1177 + However, this means using:: 1170 1178 1171 1179 rcu_read_lock() ... rcu_dereference() ... rcu_read_unlock() 1172 1180 1173 - to read the pointer, and: 1181 + to read the pointer, and:: 1174 1182 1175 1183 rcu_dereference() ... rcu_assign_pointer() ... call_rcu() 1176 1184 ··· 1186 1194 usage. This is called key->payload.rcu_data0. The following accessors 1187 1195 wrap the RCU calls to this element: 1188 1196 1189 - (a) Set or change the first payload pointer: 1197 + a) Set or change the first payload pointer:: 1190 1198 1191 1199 rcu_assign_keypointer(struct key *key, void *data); 1192 1200 1193 - (b) Read the first payload pointer with the key semaphore held: 1201 + b) Read the first payload pointer with the key semaphore held:: 1194 1202 1195 1203 [const] void *dereference_key_locked([const] struct key *key); 1196 1204 ··· 1198 1206 parameter. Static analysis will give an error if it things the lock 1199 1207 isn't held. 1200 1208 1201 - (c) Read the first payload pointer with the RCU read lock held: 1209 + c) Read the first payload pointer with the RCU read lock held:: 1202 1210 1203 1211 const void *dereference_key_rcu(const struct key *key); 1204 1212 1205 1213 1206 - =================== 1207 - DEFINING A KEY TYPE 1214 + Defining a Key Type 1208 1215 =================== 1209 1216 1210 1217 A kernel service may want to define its own key type. For instance, an AFS 1211 1218 filesystem might want to define a Kerberos 5 ticket key type. To do this, it 1212 1219 author fills in a key_type struct and registers it with the system. 1213 1220 1214 - Source files that implement key types should include the following header file: 1221 + Source files that implement key types should include the following header file:: 1215 1222 1216 1223 <linux/key-type.h> 1217 1224 1218 1225 The structure has a number of fields, some of which are mandatory: 1219 1226 1220 - (*) const char *name 1227 + * ``const char *name`` 1221 1228 1222 1229 The name of the key type. This is used to translate a key type name 1223 1230 supplied by userspace into a pointer to the structure. 1224 1231 1225 1232 1226 - (*) size_t def_datalen 1233 + * ``size_t def_datalen`` 1227 1234 1228 1235 This is optional - it supplies the default payload data length as 1229 1236 contributed to the quota. If the key type's payload is always or almost 1230 1237 always the same size, then this is a more efficient way to do things. 1231 1238 1232 1239 The data length (and quota) on a particular key can always be changed 1233 - during instantiation or update by calling: 1240 + during instantiation or update by calling:: 1234 1241 1235 1242 int key_payload_reserve(struct key *key, size_t datalen); 1236 1243 ··· 1237 1246 viable. 1238 1247 1239 1248 1240 - (*) int (*vet_description)(const char *description); 1249 + * ``int (*vet_description)(const char *description);`` 1241 1250 1242 1251 This optional method is called to vet a key description. If the key type 1243 1252 doesn't approve of the key description, it may return an error, otherwise 1244 1253 it should return 0. 1245 1254 1246 1255 1247 - (*) int (*preparse)(struct key_preparsed_payload *prep); 1256 + * ``int (*preparse)(struct key_preparsed_payload *prep);`` 1248 1257 1249 1258 This optional method permits the key type to attempt to parse payload 1250 1259 before a key is created (add key) or the key semaphore is taken (update or 1251 - instantiate key). The structure pointed to by prep looks like: 1260 + instantiate key). The structure pointed to by prep looks like:: 1252 1261 1253 1262 struct key_preparsed_payload { 1254 1263 char *description; ··· 1276 1285 otherwise. 1277 1286 1278 1287 1279 - (*) void (*free_preparse)(struct key_preparsed_payload *prep); 1288 + * ``void (*free_preparse)(struct key_preparsed_payload *prep);`` 1280 1289 1281 1290 This method is only required if the preparse() method is provided, 1282 1291 otherwise it is unused. It cleans up anything attached to the description ··· 1285 1294 successfully, even if instantiate() or update() succeed. 1286 1295 1287 1296 1288 - (*) int (*instantiate)(struct key *key, struct key_preparsed_payload *prep); 1297 + * ``int (*instantiate)(struct key *key, struct key_preparsed_payload *prep);`` 1289 1298 1290 1299 This method is called to attach a payload to a key during construction. 1291 1300 The payload attached need not bear any relation to the data passed to this ··· 1309 1318 free_preparse method doesn't release the data. 1310 1319 1311 1320 1312 - (*) int (*update)(struct key *key, const void *data, size_t datalen); 1321 + * ``int (*update)(struct key *key, const void *data, size_t datalen);`` 1313 1322 1314 1323 If this type of key can be updated, then this method should be provided. 1315 1324 It is called to update a key's payload from the blob of data provided. ··· 1334 1343 It is safe to sleep in this method. 1335 1344 1336 1345 1337 - (*) int (*match_preparse)(struct key_match_data *match_data); 1346 + * ``int (*match_preparse)(struct key_match_data *match_data);`` 1338 1347 1339 1348 This method is optional. It is called when a key search is about to be 1340 - performed. It is given the following structure: 1349 + performed. It is given the following structure:: 1341 1350 1342 1351 struct key_match_data { 1343 1352 bool (*cmp)(const struct key *key, ··· 1348 1357 }; 1349 1358 1350 1359 On entry, raw_data will be pointing to the criteria to be used in matching 1351 - a key by the caller and should not be modified. (*cmp)() will be pointing 1360 + a key by the caller and should not be modified. ``(*cmp)()`` will be pointing 1352 1361 to the default matcher function (which does an exact description match 1353 1362 against raw_data) and lookup_type will be set to indicate a direct lookup. 1354 1363 1355 1364 The following lookup_type values are available: 1356 1365 1357 - [*] KEYRING_SEARCH_LOOKUP_DIRECT - A direct lookup hashes the type and 1366 + * KEYRING_SEARCH_LOOKUP_DIRECT - A direct lookup hashes the type and 1358 1367 description to narrow down the search to a small number of keys. 1359 1368 1360 - [*] KEYRING_SEARCH_LOOKUP_ITERATE - An iterative lookup walks all the 1369 + * KEYRING_SEARCH_LOOKUP_ITERATE - An iterative lookup walks all the 1361 1370 keys in the keyring until one is matched. This must be used for any 1362 1371 search that's not doing a simple direct match on the key description. 1363 1372 1364 1373 The method may set cmp to point to a function of its choice that does some 1365 1374 other form of match, may set lookup_type to KEYRING_SEARCH_LOOKUP_ITERATE 1366 - and may attach something to the preparsed pointer for use by (*cmp)(). 1367 - (*cmp)() should return true if a key matches and false otherwise. 1375 + and may attach something to the preparsed pointer for use by ``(*cmp)()``. 1376 + ``(*cmp)()`` should return true if a key matches and false otherwise. 1368 1377 1369 1378 If preparsed is set, it may be necessary to use the match_free() method to 1370 1379 clean it up. ··· 1372 1381 The method should return 0 if successful or a negative error code 1373 1382 otherwise. 1374 1383 1375 - It is permitted to sleep in this method, but (*cmp)() may not sleep as 1384 + It is permitted to sleep in this method, but ``(*cmp)()`` may not sleep as 1376 1385 locks will be held over it. 1377 1386 1378 1387 If match_preparse() is not provided, keys of this type will be matched 1379 1388 exactly by their description. 1380 1389 1381 1390 1382 - (*) void (*match_free)(struct key_match_data *match_data); 1391 + * ``void (*match_free)(struct key_match_data *match_data);`` 1383 1392 1384 1393 This method is optional. If given, it called to clean up 1385 1394 match_data->preparsed after a successful call to match_preparse(). 1386 1395 1387 1396 1388 - (*) void (*revoke)(struct key *key); 1397 + * ``void (*revoke)(struct key *key);`` 1389 1398 1390 1399 This method is optional. It is called to discard part of the payload 1391 1400 data upon a key being revoked. The caller will have the key semaphore ··· 1395 1404 a deadlock against the key semaphore. 1396 1405 1397 1406 1398 - (*) void (*destroy)(struct key *key); 1407 + * ``void (*destroy)(struct key *key);`` 1399 1408 1400 1409 This method is optional. It is called to discard the payload data on a key 1401 1410 when it is being destroyed. ··· 1407 1416 It is not safe to sleep in this method; the caller may hold spinlocks. 1408 1417 1409 1418 1410 - (*) void (*describe)(const struct key *key, struct seq_file *p); 1419 + * ``void (*describe)(const struct key *key, struct seq_file *p);`` 1411 1420 1412 1421 This method is optional. It is called during /proc/keys reading to 1413 1422 summarise a key's description and payload in text form. ··· 1423 1432 caller. 1424 1433 1425 1434 1426 - (*) long (*read)(const struct key *key, char __user *buffer, size_t buflen); 1435 + * ``long (*read)(const struct key *key, char __user *buffer, size_t buflen);`` 1427 1436 1428 1437 This method is optional. It is called by KEYCTL_READ to translate the 1429 1438 key's payload into something a blob of data for userspace to deal with. ··· 1439 1448 as might happen when the userspace buffer is accessed. 1440 1449 1441 1450 1442 - (*) int (*request_key)(struct key_construction *cons, const char *op, 1443 - void *aux); 1451 + * ``int (*request_key)(struct key_construction *cons, const char *op, void *aux);`` 1444 1452 1445 1453 This method is optional. If provided, request_key() and friends will 1446 1454 invoke this function rather than upcalling to /sbin/request-key to operate ··· 1453 1463 This method is permitted to return before the upcall is complete, but the 1454 1464 following function must be called under all circumstances to complete the 1455 1465 instantiation process, whether or not it succeeds, whether or not there's 1456 - an error: 1466 + an error:: 1457 1467 1458 1468 void complete_request_key(struct key_construction *cons, int error); 1459 1469 ··· 1469 1479 The key under construction and the authorisation key can be found in the 1470 1480 key_construction struct pointed to by cons: 1471 1481 1472 - (*) struct key *key; 1482 + * ``struct key *key;`` 1473 1483 1474 1484 The key under construction. 1475 1485 1476 - (*) struct key *authkey; 1486 + * ``struct key *authkey;`` 1477 1487 1478 1488 The authorisation key. 1479 1489 1480 1490 1481 - (*) struct key_restriction *(*lookup_restriction)(const char *params); 1491 + * ``struct key_restriction *(*lookup_restriction)(const char *params);`` 1482 1492 1483 1493 This optional method is used to enable userspace configuration of keyring 1484 1494 restrictions. The restriction parameter string (not including the key type ··· 1487 1497 attempted key link operation. If there is no match, -EINVAL is returned. 1488 1498 1489 1499 1490 - ============================ 1491 - REQUEST-KEY CALLBACK SERVICE 1500 + Request-Key Callback Service 1492 1501 ============================ 1493 1502 1494 1503 To create a new key, the kernel will attempt to execute the following command 1495 - line: 1504 + line:: 1496 1505 1497 1506 /sbin/request-key create <key> <uid> <gid> \ 1498 1507 <threadring> <processring> <sessionring> <callout_info> ··· 1500 1511 keyrings from the process that caused the search to be issued. These are 1501 1512 included for two reasons: 1502 1513 1503 - (1) There may be an authentication token in one of the keyrings that is 1514 + 1 There may be an authentication token in one of the keyrings that is 1504 1515 required to obtain the key, eg: a Kerberos Ticket-Granting Ticket. 1505 1516 1506 - (2) The new key should probably be cached in one of these rings. 1517 + 2 The new key should probably be cached in one of these rings. 1507 1518 1508 1519 This program should set it UID and GID to those specified before attempting to 1509 1520 access any more keys. It may then look around for a user specific process to ··· 1528 1539 1529 1540 1530 1541 Similarly, the kernel may attempt to update an expired or a soon to expire key 1531 - by executing: 1542 + by executing:: 1532 1543 1533 1544 /sbin/request-key update <key> <uid> <gid> \ 1534 1545 <threadring> <processring> <sessionring> ··· 1537 1548 the rings are provided for reference. 1538 1549 1539 1550 1540 - ================== 1541 - GARBAGE COLLECTION 1551 + Garbage Collection 1542 1552 ================== 1543 1553 1544 1554 Dead keys (for which the type has been removed) will be automatically unlinked ··· 1545 1557 background garbage collector. 1546 1558 1547 1559 Similarly, revoked and expired keys will be garbage collected, but only after a 1548 - certain amount of time has passed. This time is set as a number of seconds in: 1560 + certain amount of time has passed. This time is set as a number of seconds in:: 1549 1561 1550 1562 /proc/sys/kernel/keys/gc_delay

+8

Documentation/security/keys/index.rst

··· 1 + =========== 2 + Kernel Keys 3 + =========== 4 + 5 + .. toctree:: 6 + :maxdepth: 1 7 + 8 + core

+1 -1

MAINTAINERS

··· 7342 7342 M: David Howells <dhowells@redhat.com> 7343 7343 L: keyrings@vger.kernel.org 7344 7344 S: Maintained 7345 - F: Documentation/security/keys.txt 7345 + F: Documentation/security/keys/core.rst 7346 7346 F: include/linux/key.h 7347 7347 F: include/linux/key-type.h 7348 7348 F: include/linux/keyctl.h

+1 -1

include/linux/key.h

··· 9 9 * 2 of the License, or (at your option) any later version. 10 10 * 11 11 * 12 - * See Documentation/security/keys.txt for information on keys/keyrings. 12 + * See Documentation/security/keys/core.rst for information on keys/keyrings. 13 13 */ 14 14 15 15 #ifndef _LINUX_KEY_H