Re: [PATCH 3/5] kernel/printk: allow kmsg to be encrypted using public key encryption
From: Randy Dunlap
Date: Sat Dec 30 2017 - 15:39:23 EST
On 12/30/2017 09:58 AM, Dan Aloni wrote:
> From: Dan Aloni <dan@xxxxxxxxxxxx>
>
> This commit enables the kernel to encrypt the free-form text that
> is generated by printk() before it is brought up to `dmesg` in
> userspace.
>
> The encryption is made using one of the trusted public keys which
> are kept built-in inside the kernel. These keys are presently
> also used for verifying kernel modules and userspace-supplied
> firmwares.
>
> Signed-off-by: Dan Aloni <dan@xxxxxxxxxxxx>
> ---
> include/uapi/linux/kmsg.h | 18 ++
> init/Kconfig | 10 ++
> kernel/printk/printk.c | 422 ++++++++++++++++++++++++++++++++++++++++++++++
> 3 files changed, 450 insertions(+)
> create mode 100644 include/uapi/linux/kmsg.h
>
> diff --git a/include/uapi/linux/kmsg.h b/include/uapi/linux/kmsg.h
> new file mode 100644
> index 000000000000..ae74f026d727
> --- /dev/null
> +++ b/include/uapi/linux/kmsg.h
> @@ -0,0 +1,18 @@
> +#ifndef _LINUX_UAPI_KMSG_H
> +#define _LINUX_UAPI_KMSG_H
> +
> +#include <linux/ioctl.h>
> +#include <linux/types.h>
> +
> +struct kmsg_ioctl_get_encrypted_key {
> + void __user *output_buffer;
> + __u64 buffer_size;
> + __u64 key_size;
> +};
> +
> +#define KMSG_IOCTL_BASE 0x42
> +
> +#define KMSG_IOCTL__GET_ENCRYPTED_KEY _IOWR(KMSG_IOCTL_BASE, 0xe1, \
> + struct kmsg_ioctl_get_encrypted_key)
> +
The ioctl info needs to be added to Documentation/ioctl/ioctl-number.txt.
BTW, 0x42 == 'B', with number 0xe1, conflicts with advanced bbus, whatever
that is. But at least it should be added to the doc file.
> +#endif /* _LINUX_DN_H */
> diff --git a/kernel/printk/printk.c b/kernel/printk/printk.c
> index b9006617710f..c50b9cb60b82 100644
> --- a/kernel/printk/printk.c
> +++ b/kernel/printk/printk.c
> @@ -744,12 +755,33 @@ static ssize_t msg_print_ext_body(char *buf, size_t size,
> return p - buf;
> }
>
> +#ifdef CONFIG_KMSG_ENCRYPTION
> +static int __ro_after_init kmsg_encrypt = 1;
> +static int __init control_kmsg_encrypt(char *str)
> +{
> + get_option(&str, &kmsg_encrypt);
> + return 0;
> +}
> +__setup("kmsg.encrypt=", control_kmsg_encrypt);
See comment in the documentation patch: please change the parameter name (no dot).
--
~Randy