mirror of
https://kernel.googlesource.com/pub/scm/linux/kernel/git/torvalds/linux
synced 2025-10-27 17:05:49 +10:00
Enable receiving the user-defined certificates from the s390x
hypervisor via new diagnose 0x320 calls, and make them available to the
Linux root user as 'cert_store_key' type keys in a so-called
'cert_store' keyring.
New user-space interfaces:
/sys/firmware/cert_store/refresh
Writing to this attribute re-fetches certificates via DIAG 0x320
/sys/firmware/cert_store/cs_status
Reading from this attribute returns one of:
"uninitialized"
If no certificate has been retrieved yet
"ok"
If certificates have been successfully retrieved
"failed (<number>)"
If certificate retrieval failed with reason code <number>
New debug trace areas:
/sys/kernel/debug/s390dbf/cert_store_msg
/sys/kernel/debug/s390dbf/cert_store_hexdump
Usage example:
To initiate request for certificates available to the system as root:
$ echo 1 > /sys/firmware/cert_store/refresh
Upon success the '/sys/firmware/cert_store/cs_status' contains
the value 'ok'.
$ cat /sys/firmware/cert_store/cs_status
ok
Get the ID of the keyring 'cert_store':
$ keyctl search @us keyring cert_store
OR
$ keyctl link @us @s; keyctl request keyring cert_store
Obtain list of IDs of certificates:
$ keyctl rlist <cert_store keyring ID>
Display certificate content as hex-dump:
$ keyctl read <certificate ID>
Read certificate contents as binary data:
$ keyctl pipe <certificate ID> >cert_data
Display certificate description:
$ keyctl describe <certificate ID>
The certificate description has the following format:
<64 bytes certificate name in EBCDIC> ':'
<certificate index as obtained from hypervisor> ':'
<certificate store token obtained from hypervisor>
The certificate description in /proc/keys has certificate name
represented in ASCII.
Users can read but cannot update the content of the certificate.
Signed-off-by: Anastasia Eskova <anastasia.eskova@ibm.com>
Reviewed-by: Peter Oberparleiter <oberpar@linux.ibm.com>
Acked-by: Heiko Carstens <hca@linux.ibm.com>
Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
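The usage steps above, put together as one added shell example. This is not code from the kernel commit or from the keyutils project; it assumes the keyctl binary from keyutils, a root shell on an s390x guest whose hypervisor provides certificates, and the sysfs attributes and key description format the commit message documents. CS_SYSFS is a hypothetical override variable, and SAMPLE_RDESCRIBE is a constructed sample of what 'keyctl rdescribe' prints (type;uid;gid;perm;description), not data taken from a real system.

```shell
#!/bin/sh
# Added example (not from the kernel commit): drive the s390 cert_store
# refresh from user space and pull the certificate keys apart.
# CS_SYSFS is a hypothetical override so the helpers can be exercised
# against a fake directory; on a real system leave it at the default.
CS_SYSFS=${CS_SYSFS:-/sys/firmware/cert_store}

# Constructed sample of 'keyctl rdescribe' output for one cert_store_key
# (format type;uid;gid;perm;description); the name/index/token are made up.
SAMPLE_RDESCRIBE='cert_store_key;0;0;3f010000;SAMPLECERT:1:0123456789abcdef'

# cs_status_parse STATUS: normalise the content of cs_status.
# Prints "ok", "uninitialized" or "failed <code>". Exit status: 0 for ok,
# 2 for uninitialized, 1 for failed (reason code is part of stdout),
# 3 for anything the documented interface does not describe.
cs_status_parse() {
    case "$1" in
        ok)            echo ok; return 0 ;;
        uninitialized) echo uninitialized; return 2 ;;
        "failed ("*")")
            code=${1#"failed ("}; code=${code%")"}
            echo "failed $code"; return 1 ;;
        *) echo "unexpected cs_status: $1" >&2; return 3 ;;
    esac
}

# key_raw_description RAW: strip the 'type;uid;gid;perm;' prefix that
# 'keyctl rdescribe' prints, leaving only the key description.
key_raw_description() {
    printf '%s\n' "${1#*;*;*;*;}"
}

# cert_desc_field DESC FIELD: extract name|index|token from a description
# of the form '<name>:<index>:<token>'. The name is 64 bytes of EBCDIC and
# is not guaranteed to be free of an ASCII ':' byte, so split from the right
# (token, then index) and treat whatever is left as the name.
cert_desc_field() {
    desc=$1
    token=${desc##*:}
    rest=${desc%:*}
    index=${rest##*:}
    name=${rest%:*}
    case "$2" in
        name)  printf '%s\n' "$name" ;;
        index) printf '%s\n' "$index" ;;
        token) printf '%s\n' "$token" ;;
        *)     return 1 ;;
    esac
}

# cert_store_refresh: trigger a DIAG 0x320 fetch via sysfs and report the
# resulting cs_status (exit status as in cs_status_parse). Needs root.
cert_store_refresh() {
    echo 1 > "$CS_SYSFS/refresh" || return 3
    cs_status_parse "$(cat "$CS_SYSFS/cs_status")"
}

# cert_store_list: for every key in the cert_store keyring print
# '<key id> <index> <token>' and write the raw certificate bytes to
# cert_<index>.bin. The EBCDIC name is left out; convert it with
# 'iconv -f EBCDIC-US -t ASCII' if that charset is available (assumption).
cert_store_list() {
    ring=$(keyctl search @us keyring cert_store) || return 1
    for id in $(keyctl rlist "$ring"); do
        desc=$(key_raw_description "$(keyctl rdescribe "$id")")
        idx=$(cert_desc_field "$desc" index)
        keyctl pipe "$id" > "cert_${idx}.bin"
        printf '%s %s %s\n' "$id" "$idx" "$(cert_desc_field "$desc" token)"
    done
}

# demo_parse: parse the constructed sample; returns the token field.
demo_parse() {
    cert_desc_field "$(key_raw_description "$SAMPLE_RDESCRIBE")" token
}
```

Typical use on the target system is to source the file and run `cert_store_refresh && cert_store_list`; a non-zero status from the first call carries the cs_status reason code on stdout, which is what to quote when opening a ticket with the hypervisor side. The two parsing helpers are deliberately kept free of keyctl calls so they can be tested on any machine. If the dumped cert_<index>.bin files are DER-encoded X.509 (an assumption the commit message does not state), `openssl x509 -inform DER -noout -subject -in cert_1.bin` is the natural next check.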