1. Patchew
  2. QEMU
  3. View series

[RFC PATCH] crypto/secret: support fetching secrets from Linux keyring

Alexey Krasikov posted 1 patch 4 years ago
Test docker-mingw@fedora failed
Test docker-quick@centos7 passed
Test checkpatch passed
Test FreeBSD passed
Test asan passed
Patches applied successfully (tree, apply log)
git fetch https://github.com/patchew-project/qemu tags/patchew/20200328114014.6362-1-alex-krasikov@yandex-team.ru
Maintainers: "Daniel P. Berrangé" <berrange@redhat.com>
crypto/secret.c         | 88 +++++++++++++++++++++++++++++++++++++++--
include/crypto/secret.h |  3 ++
2 files changed, 88 insertions(+), 3 deletions(-)
[RFC PATCH] crypto/secret: support fetching secrets from Linux keyring
Posted by Alexey Krasikov 4 years ago 
Add the ability for the secret object to obtain secret data from the
Linux in-kernel key managment and retention facility, as an extra option
to the existing ones: reading from a file or passing directly as a
string.

The secret is identified by the key serial number.  The upper layers
need to instantiate the key and make sure the QEMU process has access
rights to read it.

Signed-off-by: Alexey Krasikov <alex-krasikov@yandex-team.ru>
---
 crypto/secret.c         | 88 +++++++++++++++++++++++++++++++++++++++--
 include/crypto/secret.h |  3 ++
 2 files changed, 88 insertions(+), 3 deletions(-)

diff --git a/crypto/secret.c b/crypto/secret.c
index 1cf0ad0ce8..2e8be6241c 100644
--- a/crypto/secret.c
+++ b/crypto/secret.c
@@ -19,6 +19,8 @@
  */
 
 #include "qemu/osdep.h"
+#include <asm/unistd.h>
+#include <linux/keyctl.h>
 #include "crypto/secret.h"
 #include "crypto/cipher.h"
 #include "qapi/error.h"
@@ -28,6 +30,40 @@
 #include "trace.h"
 
 
+static inline
+long keyctl_read(key_serial_t key, uint8_t *buffer, size_t buflen)
+{
+#ifdef __NR_keyctl
+    return syscall(__NR_keyctl, KEYCTL_READ, key, buffer, buflen, 0);
+#else
+    errno = ENOSYS;
+    return -1;
+#endif
+}
+
+static
+long keyctl_read_alloc(key_serial_t key, uint8_t **buffer)
+{
+    uint8_t *loc_buf;
+    long retcode = keyctl_read(key, NULL, 0);
+    if (retcode < 0) {
+        return retcode;
+    }
+    loc_buf = g_malloc(retcode + 1);
+    retcode = keyctl_read(key, loc_buf, retcode + 1);
+   /*
+    * We don't have key operations locks between syscalls.
+    * For example, the key could have been removed or expired.
+    */
+    if (retcode >= 0) {
+        loc_buf[retcode] = '\0';
+        *buffer = loc_buf;
+    } else {
+        g_free(loc_buf);
+    }
+    return retcode;
+}
+
 static void
 qcrypto_secret_load_data(QCryptoSecret *secret,
                          uint8_t **output,
@@ -41,10 +77,28 @@ qcrypto_secret_load_data(QCryptoSecret *secret,
     *output = NULL;
     *outputlen = 0;
 
-    if (secret->file) {
+    if (secret->syskey) {
+        uint8_t *buffer = NULL;
+        long retcode;
+        if (secret->data || secret->file) {
+            error_setg(errp,
+                       "'syskey', 'file' and 'data' are mutually exclusive");
+            return;
+        }
+        retcode = keyctl_read_alloc(secret->syskey, &buffer);
+        if (retcode < 0) {
+            error_setg_errno(errp, errno,
+                       "Unable to read serial key %08x",
+                       secret->syskey);
+            return;
+        } else {
+            *outputlen = retcode;
+            *output = buffer;
+        }
+    } else if (secret->file) {
         if (secret->data) {
             error_setg(errp,
-                       "'file' and 'data' are mutually exclusive");
+                       "'syskey', 'file' and 'data' are mutually exclusive");
             return;
         }
         if (!g_file_get_contents(secret->file, &data, &length, &gerr)) {
@@ -60,7 +114,8 @@ qcrypto_secret_load_data(QCryptoSecret *secret,
         *outputlen = strlen(secret->data);
         *output = (uint8_t *)g_strdup(secret->data);
     } else {
-        error_setg(errp, "Either 'file' or 'data' must be provided");
+        error_setg(errp,
+                   "Either 'syskey' or 'file' or 'data' must be provided");
     }
 }
 
@@ -298,6 +353,29 @@ qcrypto_secret_prop_get_file(Object *obj,
 }
 
 
+static void
+qcrypto_secret_prop_set_syskey(Object *obj, Visitor *v,
+                               const char *name, void *opaque,
+                               Error **errp)
+{
+    QCryptoSecret *secret = QCRYPTO_SECRET(obj);
+    int32_t value;
+    visit_type_int32(v, name, &value, errp);
+    secret->syskey = value;
+}
+
+
+static void
+qcrypto_secret_prop_get_syskey(Object *obj, Visitor *v,
+                               const char *name, void *opaque,
+                               Error **errp)
+{
+    QCryptoSecret *secret = QCRYPTO_SECRET(obj);
+    int32_t value = secret->syskey;
+    visit_type_int32(v, name, &value, errp);
+}
+
+
 static void
 qcrypto_secret_prop_set_iv(Object *obj,
                            const char *value,
@@ -384,6 +462,10 @@ qcrypto_secret_class_init(ObjectClass *oc, void *data)
                                   qcrypto_secret_prop_get_file,
                                   qcrypto_secret_prop_set_file,
                                   NULL);
+    object_class_property_add(oc, "syskey", "key_serial_t",
+                                  qcrypto_secret_prop_get_syskey,
+                                  qcrypto_secret_prop_set_syskey,
+                                  NULL, NULL, NULL);
     object_class_property_add_str(oc, "keyid",
                                   qcrypto_secret_prop_get_keyid,
                                   qcrypto_secret_prop_set_keyid,
diff --git a/include/crypto/secret.h b/include/crypto/secret.h
index 5e07e29bae..9d350e35ed 100644
--- a/include/crypto/secret.h
+++ b/include/crypto/secret.h
@@ -31,6 +31,8 @@
 typedef struct QCryptoSecret QCryptoSecret;
 typedef struct QCryptoSecretClass QCryptoSecretClass;
 
+typedef int32_t key_serial_t;
+
 /**
  * QCryptoSecret:
  *
@@ -125,6 +127,7 @@ struct QCryptoSecret {
     QCryptoSecretFormat format;
     char *data;
     char *file;
+    key_serial_t syskey;
     char *keyid;
     char *iv;
 };
-- 
2.17.1
Re: [RFC PATCH] crypto/secret: support fetching secrets from Linux keyring
Posted by no-reply@patchew.org 4 years ago 
Patchew URL: https://patchew.org/QEMU/20200328114014.6362-1-alex-krasikov@yandex-team.ru/



Hi,

This series failed the docker-mingw@fedora build test. Please find the testing commands and
their output below. If you have Docker installed, you can probably reproduce it
locally.

=== TEST SCRIPT BEGIN ===
#! /bin/bash
export ARCH=x86_64
make docker-image-fedora V=1 NETWORK=1
time make docker-test-mingw@fedora J=14 NETWORK=1
=== TEST SCRIPT END ===

  CC      chardev/char-ringbuf.o
  CC      chardev/char-serial.o
  CC      chardev/char-socket.o
/tmp/qemu-test/src/crypto/secret.c:22:10: fatal error: asm/unistd.h: No such file or directory
 #include <asm/unistd.h>
          ^~~~~~~~~~~~~~
compilation terminated.
make: *** [/tmp/qemu-test/src/rules.mak:69: crypto/secret.o] Error 1
make: *** Waiting for unfinished jobs....
Traceback (most recent call last):
  File "./tests/docker/docker.py", line 664, in <module>
---
    raise CalledProcessError(retcode, cmd)
subprocess.CalledProcessError: Command '['sudo', '-n', 'docker', 'run', '--label', 'com.qemu.instance.uuid=4961116ada114c5d93e518eb1e9d8685', '-u', '1003', '--security-opt', 'seccomp=unconfined', '--rm', '-e', 'TARGET_LIST=', '-e', 'EXTRA_CONFIGURE_OPTS=', '-e', 'V=', '-e', 'J=14', '-e', 'DEBUG=', '-e', 'SHOW_ENV=', '-e', 'CCACHE_DIR=/var/tmp/ccache', '-v', '/home/patchew2/.cache/qemu-docker-ccache:/var/tmp/ccache:z', '-v', '/var/tmp/patchew-tester-tmp-rgq6jw7h/src/docker-src.2020-03-28-11.34.05.19902:/var/tmp/qemu:z,ro', 'qemu:fedora', '/var/tmp/qemu/run', 'test-mingw']' returned non-zero exit status 2.
filter=--filter=label=com.qemu.instance.uuid=4961116ada114c5d93e518eb1e9d8685
make[1]: *** [docker-run] Error 1
make[1]: Leaving directory `/var/tmp/patchew-tester-tmp-rgq6jw7h/src'
make: *** [docker-run-test-mingw@fedora] Error 2

real    1m49.176s
user    0m7.677s


The full log is available at
http://patchew.org/logs/20200328114014.6362-1-alex-krasikov@yandex-team.ru/testing.docker-mingw@fedora/?type=message.
---
Email generated automatically by Patchew [https://patchew.org/].
Please send your feedback to patchew-devel@redhat.com
Re: [RFC PATCH] crypto/secret: support fetching secrets from Linux keyring
Posted by Daniel P. Berrangé 4 years ago 
On Sat, Mar 28, 2020 at 02:40:14PM +0300, Alexey Krasikov wrote:
> Add the ability for the secret object to obtain secret data from the
> Linux in-kernel key managment and retention facility, as an extra option
> to the existing ones: reading from a file or passing directly as a
> string.
> 
> The secret is identified by the key serial number.  The upper layers
> need to instantiate the key and make sure the QEMU process has access
> rights to read it.

This looks like a generally useful concept to me, however, I think
it highlights a mistake in the original secrets design. We should
have had TYPE_QCRYPTO_SECRET be an abstract interface, and then
had subclasses  TYPE_QCRYPTO_SECRET_FILE, TYPE_QCRYPTO_SECRET_INLINE
Then we could add TYPE_QCRYPTO_SECRET_LINUX.

We can still mostly fix that mistake now though.

We can introduce a TYPE_QCRYPTO_SECRET_INTERFACE which defines
the generic interface. This interface just needs to define one
API entry point

    "char *get_data(QCryptoSecretInterface *secret)"

The current TYPE_QCRYPTO_SECRET can be the current impl of that
interface that returns the rawdata field.

Then we can add the new TYPE_QCRYPTO_SECRET_LINUX for the keyring
implementation that does the Linux specific magic. This will let
us easily compile out the Linux impl on platforms where it is not
available too.



> 
> Signed-off-by: Alexey Krasikov <alex-krasikov@yandex-team.ru>
> ---
>  crypto/secret.c         | 88 +++++++++++++++++++++++++++++++++++++++--
>  include/crypto/secret.h |  3 ++
>  2 files changed, 88 insertions(+), 3 deletions(-)
> 
> diff --git a/crypto/secret.c b/crypto/secret.c
> index 1cf0ad0ce8..2e8be6241c 100644
> --- a/crypto/secret.c
> +++ b/crypto/secret.c
> @@ -19,6 +19,8 @@
>   */
>  
>  #include "qemu/osdep.h"
> +#include <asm/unistd.h>
> +#include <linux/keyctl.h>
>  #include "crypto/secret.h"
>  #include "crypto/cipher.h"
>  #include "qapi/error.h"
> @@ -28,6 +30,40 @@
>  #include "trace.h"
>  
>  
> +static inline
> +long keyctl_read(key_serial_t key, uint8_t *buffer, size_t buflen)
> +{
> +#ifdef __NR_keyctl
> +    return syscall(__NR_keyctl, KEYCTL_READ, key, buffer, buflen, 0);
> +#else
> +    errno = ENOSYS;
> +    return -1;
> +#endif
> +}
> +
> +static
> +long keyctl_read_alloc(key_serial_t key, uint8_t **buffer)
> +{
> +    uint8_t *loc_buf;
> +    long retcode = keyctl_read(key, NULL, 0);
> +    if (retcode < 0) {
> +        return retcode;
> +    }
> +    loc_buf = g_malloc(retcode + 1);
> +    retcode = keyctl_read(key, loc_buf, retcode + 1);
> +   /*
> +    * We don't have key operations locks between syscalls.
> +    * For example, the key could have been removed or expired.
> +    */
> +    if (retcode >= 0) {
> +        loc_buf[retcode] = '\0';
> +        *buffer = loc_buf;
> +    } else {
> +        g_free(loc_buf);
> +    }
> +    return retcode;
> +}
> +
>  static void
>  qcrypto_secret_load_data(QCryptoSecret *secret,
>                           uint8_t **output,
> @@ -41,10 +77,28 @@ qcrypto_secret_load_data(QCryptoSecret *secret,
>      *output = NULL;
>      *outputlen = 0;
>  
> -    if (secret->file) {
> +    if (secret->syskey) {
> +        uint8_t *buffer = NULL;
> +        long retcode;
> +        if (secret->data || secret->file) {
> +            error_setg(errp,
> +                       "'syskey', 'file' and 'data' are mutually exclusive");
> +            return;
> +        }
> +        retcode = keyctl_read_alloc(secret->syskey, &buffer);
> +        if (retcode < 0) {
> +            error_setg_errno(errp, errno,
> +                       "Unable to read serial key %08x",
> +                       secret->syskey);
> +            return;
> +        } else {
> +            *outputlen = retcode;
> +            *output = buffer;
> +        }
> +    } else if (secret->file) {
>          if (secret->data) {
>              error_setg(errp,
> -                       "'file' and 'data' are mutually exclusive");
> +                       "'syskey', 'file' and 'data' are mutually exclusive");
>              return;
>          }
>          if (!g_file_get_contents(secret->file, &data, &length, &gerr)) {
> @@ -60,7 +114,8 @@ qcrypto_secret_load_data(QCryptoSecret *secret,
>          *outputlen = strlen(secret->data);
>          *output = (uint8_t *)g_strdup(secret->data);
>      } else {
> -        error_setg(errp, "Either 'file' or 'data' must be provided");
> +        error_setg(errp,
> +                   "Either 'syskey' or 'file' or 'data' must be provided");
>      }
>  }
>  
> @@ -298,6 +353,29 @@ qcrypto_secret_prop_get_file(Object *obj,
>  }
>  
>  
> +static void
> +qcrypto_secret_prop_set_syskey(Object *obj, Visitor *v,
> +                               const char *name, void *opaque,
> +                               Error **errp)
> +{
> +    QCryptoSecret *secret = QCRYPTO_SECRET(obj);
> +    int32_t value;
> +    visit_type_int32(v, name, &value, errp);
> +    secret->syskey = value;
> +}
> +
> +
> +static void
> +qcrypto_secret_prop_get_syskey(Object *obj, Visitor *v,
> +                               const char *name, void *opaque,
> +                               Error **errp)
> +{
> +    QCryptoSecret *secret = QCRYPTO_SECRET(obj);
> +    int32_t value = secret->syskey;
> +    visit_type_int32(v, name, &value, errp);
> +}
> +
> +
>  static void
>  qcrypto_secret_prop_set_iv(Object *obj,
>                             const char *value,
> @@ -384,6 +462,10 @@ qcrypto_secret_class_init(ObjectClass *oc, void *data)
>                                    qcrypto_secret_prop_get_file,
>                                    qcrypto_secret_prop_set_file,
>                                    NULL);
> +    object_class_property_add(oc, "syskey", "key_serial_t",
> +                                  qcrypto_secret_prop_get_syskey,
> +                                  qcrypto_secret_prop_set_syskey,
> +                                  NULL, NULL, NULL);
>      object_class_property_add_str(oc, "keyid",
>                                    qcrypto_secret_prop_get_keyid,
>                                    qcrypto_secret_prop_set_keyid,
> diff --git a/include/crypto/secret.h b/include/crypto/secret.h
> index 5e07e29bae..9d350e35ed 100644
> --- a/include/crypto/secret.h
> +++ b/include/crypto/secret.h
> @@ -31,6 +31,8 @@
>  typedef struct QCryptoSecret QCryptoSecret;
>  typedef struct QCryptoSecretClass QCryptoSecretClass;
>  
> +typedef int32_t key_serial_t;
> +
>  /**
>   * QCryptoSecret:
>   *
> @@ -125,6 +127,7 @@ struct QCryptoSecret {
>      QCryptoSecretFormat format;
>      char *data;
>      char *file;
> +    key_serial_t syskey;
>      char *keyid;
>      char *iv;
>  };
> -- 
> 2.17.1
> 

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|

Patchew 2.1-devel-0870f84

© 2016 - 2024 Red Hat, Inc.