aboutsummaryrefslogtreecommitdiff
path: root/crypto
diff options
context:
space:
mode:
authorAlexey Krasikov <alex-krasikov@yandex-team.ru>2020-05-25 14:19:12 +0300
committerDaniel P. Berrangé <berrange@redhat.com>2020-06-15 11:33:51 +0100
commit54e7aac0562452e4fcab65ca5001d030eef2de15 (patch)
treeb348bbbee075fad62aaf161e7d32096610d18d4c /crypto
parent4862bd3cd2052f1b48e4d08b1820e70a255c4859 (diff)
crypto/linux_keyring: add 'secret_keyring' secret object.
Add the ability for the secret object to obtain secret data from the Linux in-kernel key managment and retention facility, as an extra option to the existing ones: reading from a file or passing directly as a string. The secret is identified by the key serial number. The upper layers need to instantiate the key and make sure the QEMU process has access permissions to read it. Signed-off-by: Alexey Krasikov <alex-krasikov@yandex-team.ru> - Fixed up detection logic default behaviour in configure Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Diffstat (limited to 'crypto')
-rw-r--r--crypto/Makefile.objs1
-rw-r--r--crypto/secret_keyring.c148
2 files changed, 149 insertions, 0 deletions
diff --git a/crypto/Makefile.objs b/crypto/Makefile.objs
index 110dec1b87..707c02ad37 100644
--- a/crypto/Makefile.objs
+++ b/crypto/Makefile.objs
@@ -20,6 +20,7 @@ crypto-obj-y += tlscredsx509.o
crypto-obj-y += tlssession.o
crypto-obj-y += secret_common.o
crypto-obj-y += secret.o
+crypto-obj-$(CONFIG_SECRET_KEYRING) += secret_keyring.o
crypto-obj-y += pbkdf.o
crypto-obj-$(CONFIG_NETTLE) += pbkdf-nettle.o
crypto-obj-$(if $(CONFIG_NETTLE),n,$(CONFIG_GCRYPT)) += pbkdf-gcrypt.o
diff --git a/crypto/secret_keyring.c b/crypto/secret_keyring.c
new file mode 100644
index 0000000000..4f132d6370
--- /dev/null
+++ b/crypto/secret_keyring.c
@@ -0,0 +1,148 @@
+/*
+ * QEMU crypto secret support
+ *
+ * Copyright 2020 Yandex N.V.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+#include "qemu/osdep.h"
+#include <asm/unistd.h>
+#include <linux/keyctl.h>
+#include "qapi/error.h"
+#include "qom/object_interfaces.h"
+#include "trace.h"
+#include "crypto/secret_keyring.h"
+
+
+static inline
+long keyctl_read(int32_t key, uint8_t *buffer, size_t buflen)
+{
+ return syscall(__NR_keyctl, KEYCTL_READ, key, buffer, buflen, 0);
+}
+
+
+static void
+qcrypto_secret_keyring_load_data(QCryptoSecretCommon *sec_common,
+ uint8_t **output,
+ size_t *outputlen,
+ Error **errp)
+{
+ QCryptoSecretKeyring *secret = QCRYPTO_SECRET_KEYRING(sec_common);
+ uint8_t *buffer = NULL;
+ long retcode;
+
+ *output = NULL;
+ *outputlen = 0;
+
+ if (!secret->serial) {
+ error_setg(errp, "'serial' parameter must be provided");
+ return;
+ }
+
+ retcode = keyctl_read(secret->serial, NULL, 0);
+ if (retcode <= 0) {
+ goto keyctl_error;
+ }
+
+ buffer = g_new0(uint8_t, retcode);
+
+ retcode = keyctl_read(secret->serial, buffer, retcode);
+ if (retcode < 0) {
+ g_free(buffer);
+ goto keyctl_error;
+ }
+
+ *outputlen = retcode;
+ *output = buffer;
+ return;
+
+keyctl_error:
+ error_setg_errno(errp, errno,
+ "Unable to read serial key %08x",
+ secret->serial);
+}
+
+
+static void
+qcrypto_secret_prop_set_key(Object *obj, Visitor *v,
+ const char *name, void *opaque,
+ Error **errp)
+{
+ QCryptoSecretKeyring *secret = QCRYPTO_SECRET_KEYRING(obj);
+ int32_t value;
+ visit_type_int32(v, name, &value, errp);
+ if (!value) {
+ error_setg(errp, "'serial' should not be equal to 0");
+ }
+ secret->serial = value;
+}
+
+
+static void
+qcrypto_secret_prop_get_key(Object *obj, Visitor *v,
+ const char *name, void *opaque,
+ Error **errp)
+{
+ QCryptoSecretKeyring *secret = QCRYPTO_SECRET_KEYRING(obj);
+ int32_t value = secret->serial;
+ visit_type_int32(v, name, &value, errp);
+}
+
+
+static void
+qcrypto_secret_keyring_complete(UserCreatable *uc, Error **errp)
+{
+ object_property_set_bool(OBJECT(uc), true, "loaded", errp);
+}
+
+
+static void
+qcrypto_secret_keyring_class_init(ObjectClass *oc, void *data)
+{
+ QCryptoSecretCommonClass *sic = QCRYPTO_SECRET_COMMON_CLASS(oc);
+ sic->load_data = qcrypto_secret_keyring_load_data;
+
+ UserCreatableClass *ucc = USER_CREATABLE_CLASS(oc);
+ ucc->complete = qcrypto_secret_keyring_complete;
+
+ object_class_property_add(oc, "serial", "int32_t",
+ qcrypto_secret_prop_get_key,
+ qcrypto_secret_prop_set_key,
+ NULL, NULL);
+}
+
+
+static const TypeInfo qcrypto_secret_info = {
+ .parent = TYPE_QCRYPTO_SECRET_COMMON,
+ .name = TYPE_QCRYPTO_SECRET_KEYRING,
+ .instance_size = sizeof(QCryptoSecretKeyring),
+ .class_size = sizeof(QCryptoSecretKeyringClass),
+ .class_init = qcrypto_secret_keyring_class_init,
+ .interfaces = (InterfaceInfo[]) {
+ { TYPE_USER_CREATABLE },
+ { }
+ }
+};
+
+
+static void
+qcrypto_secret_register_types(void)
+{
+ type_register_static(&qcrypto_secret_info);
+}
+
+
+type_init(qcrypto_secret_register_types);