-
Anastasia Eskova authored
Enable receiving the user-defined certificates from the s390x hypervisor via new diagnose 0x320 calls, and make them available to the Linux root user as 'cert_store_key' type keys in a so-called 'cert_store' keyring. New user-space interfaces: /sys/firmware/cert_store/refresh Writing to this attribute re-fetches certificates via DIAG 0x320 /sys/firmware/cert_store/cs_status Reading from this attribute returns either of: "uninitialized" If no certificate has been retrieved yet "ok" If certificates have been successfully retrieved "failed (<number>)" If certificate retrieval failed with reason code <number> New debug trace areas: /sys/kernel/debug/s390dbf/cert_store_msg /sys/kernel/debug/s390dbf/cert_store_hexdump Usage example: To initiate request for certificates available to the system as root: $ echo 1 > /sys/firmware/cert_store/refresh Upon success the '/sys/firmware/cert_store/cs_status' contains the value 'ok'. $ cat /sys/firmware/cert_store/cs_status ok Get the ID of the keyring 'cert_store': $ keyctl search @us keyring cert_store OR $ keyctl link @us @s; keyctl request keyring cert_store Obtain list of IDs of certificates: $ keyctl rlist <cert_store keyring ID> Display certificate content as hex-dump: $ keyctl read <certificate ID> Read certificate contents as binary data: $ keyctl pipe <certificate ID> >cert_data Display certificate description: $ keyctl describe <certificate ID> The certificate description has the following format: <64 bytes certificate name in EBCDIC> ':' <certificate index as obtained from hypervisor> ':' <certificate store token obtained from hypervisor> The certificate description in /proc/keys has certificate name represented in ASCII. Users can read but cannot update the content of the certificate. Signed-off-by:Anastasia Eskova <anastasia.eskova@ibm.com> Reviewed-by:
Peter Oberparleiter <oberpar@linux.ibm.com> Acked-by:
Heiko Carstens <hca@linux.ibm.com> Signed-off-by:
8cf57d72
