~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

TOMOYO Linux Cross Reference
Linux/Documentation/security/keys/core.rst

Version: ~ [ linux-6.12-rc7 ] ~ [ linux-6.11.7 ] ~ [ linux-6.10.14 ] ~ [ linux-6.9.12 ] ~ [ linux-6.8.12 ] ~ [ linux-6.7.12 ] ~ [ linux-6.6.60 ] ~ [ linux-6.5.13 ] ~ [ linux-6.4.16 ] ~ [ linux-6.3.13 ] ~ [ linux-6.2.16 ] ~ [ linux-6.1.116 ] ~ [ linux-6.0.19 ] ~ [ linux-5.19.17 ] ~ [ linux-5.18.19 ] ~ [ linux-5.17.15 ] ~ [ linux-5.16.20 ] ~ [ linux-5.15.171 ] ~ [ linux-5.14.21 ] ~ [ linux-5.13.19 ] ~ [ linux-5.12.19 ] ~ [ linux-5.11.22 ] ~ [ linux-5.10.229 ] ~ [ linux-5.9.16 ] ~ [ linux-5.8.18 ] ~ [ linux-5.7.19 ] ~ [ linux-5.6.19 ] ~ [ linux-5.5.19 ] ~ [ linux-5.4.285 ] ~ [ linux-5.3.18 ] ~ [ linux-5.2.21 ] ~ [ linux-5.1.21 ] ~ [ linux-5.0.21 ] ~ [ linux-4.20.17 ] ~ [ linux-4.19.323 ] ~ [ linux-4.18.20 ] ~ [ linux-4.17.19 ] ~ [ linux-4.16.18 ] ~ [ linux-4.15.18 ] ~ [ linux-4.14.336 ] ~ [ linux-4.13.16 ] ~ [ linux-4.12.14 ] ~ [ linux-4.11.12 ] ~ [ linux-4.10.17 ] ~ [ linux-4.9.337 ] ~ [ linux-4.4.302 ] ~ [ linux-3.10.108 ] ~ [ linux-2.6.32.71 ] ~ [ linux-2.6.0 ] ~ [ linux-2.4.37.11 ] ~ [ unix-v6-master ] ~ [ ccs-tools-1.8.12 ] ~ [ policy-sample ] ~
Architecture: ~ [ i386 ] ~ [ alpha ] ~ [ m68k ] ~ [ mips ] ~ [ ppc ] ~ [ sparc ] ~ [ sparc64 ] ~

  1 ============================
  2 Kernel Key Retention Service
  3 ============================
  4 
  5 This service allows cryptographic keys, authentication tokens, cross-domain
  6 user mappings, and similar to be cached in the kernel for the use of
  7 filesystems and other kernel services.
  8 
  9 Keyrings are permitted; these are a special type of key that can hold links to
 10 other keys. Processes each have three standard keyring subscriptions that a
 11 kernel service can search for relevant keys.
 12 
 13 The key service can be configured on by enabling:
 14 
 15         "Security options"/"Enable access key retention support" (CONFIG_KEYS)
 16 
 17 This document has the following sections:
 18 
 19 .. contents:: :local:
 20 
 21 
 22 Key Overview
 23 ============
 24 
 25 In this context, keys represent units of cryptographic data, authentication
 26 tokens, keyrings, etc.. These are represented in the kernel by struct key.
 27 
 28 Each key has a number of attributes:
 29 
 30         - A serial number.
 31         - A type.
 32         - A description (for matching a key in a search).
 33         - Access control information.
 34         - An expiry time.
 35         - A payload.
 36         - State.
 37 
 38 
 39   *  Each key is issued a serial number of type key_serial_t that is unique for
 40      the lifetime of that key. All serial numbers are positive non-zero 32-bit
 41      integers.
 42 
 43      Userspace programs can use a key's serial numbers as a way to gain access
 44      to it, subject to permission checking.
 45 
 46   *  Each key is of a defined "type". Types must be registered inside the
 47      kernel by a kernel service (such as a filesystem) before keys of that type
 48      can be added or used. Userspace programs cannot define new types directly.
 49 
 50      Key types are represented in the kernel by struct key_type. This defines a
 51      number of operations that can be performed on a key of that type.
 52 
 53      Should a type be removed from the system, all the keys of that type will
 54      be invalidated.
 55 
 56   *  Each key has a description. This should be a printable string. The key
 57      type provides an operation to perform a match between the description on a
 58      key and a criterion string.
 59 
 60   *  Each key has an owner user ID, a group ID and a permissions mask. These
 61      are used to control what a process may do to a key from userspace, and
 62      whether a kernel service will be able to find the key.
 63 
 64   *  Each key can be set to expire at a specific time by the key type's
 65      instantiation function. Keys can also be immortal.
 66 
 67   *  Each key can have a payload. This is a quantity of data that represent the
 68      actual "key". In the case of a keyring, this is a list of keys to which
 69      the keyring links; in the case of a user-defined key, it's an arbitrary
 70      blob of data.
 71 
 72      Having a payload is not required; and the payload can, in fact, just be a
 73      value stored in the struct key itself.
 74 
 75      When a key is instantiated, the key type's instantiation function is
 76      called with a blob of data, and that then creates the key's payload in
 77      some way.
 78 
 79      Similarly, when userspace wants to read back the contents of the key, if
 80      permitted, another key type operation will be called to convert the key's
 81      attached payload back into a blob of data.
 82 
 83   *  Each key can be in one of a number of basic states:
 84 
 85       *  Uninstantiated. The key exists, but does not have any data attached.
 86          Keys being requested from userspace will be in this state.
 87 
 88       *  Instantiated. This is the normal state. The key is fully formed, and
 89          has data attached.
 90 
 91       *  Negative. This is a relatively short-lived state. The key acts as a
 92          note saying that a previous call out to userspace failed, and acts as
 93          a throttle on key lookups. A negative key can be updated to a normal
 94          state.
 95 
 96       *  Expired. Keys can have lifetimes set. If their lifetime is exceeded,
 97          they traverse to this state. An expired key can be updated back to a
 98          normal state.
 99 
100       *  Revoked. A key is put in this state by userspace action. It can't be
101          found or operated upon (apart from by unlinking it).
102 
103       *  Dead. The key's type was unregistered, and so the key is now useless.
104 
105 Keys in the last three states are subject to garbage collection.  See the
106 section on "Garbage collection".
107 
108 
109 Key Service Overview
110 ====================
111 
112 The key service provides a number of features besides keys:
113 
114   *  The key service defines three special key types:
115 
116      (+) "keyring"
117 
118          Keyrings are special keys that contain a list of other keys. Keyring
119          lists can be modified using various system calls. Keyrings should not
120          be given a payload when created.
121 
122      (+) "user"
123 
124          A key of this type has a description and a payload that are arbitrary
125          blobs of data. These can be created, updated and read by userspace,
126          and aren't intended for use by kernel services.
127 
128      (+) "logon"
129 
130          Like a "user" key, a "logon" key has a payload that is an arbitrary
131          blob of data. It is intended as a place to store secrets which are
132          accessible to the kernel but not to userspace programs.
133 
134          The description can be arbitrary, but must be prefixed with a non-zero
135          length string that describes the key "subclass". The subclass is
136          separated from the rest of the description by a ':'. "logon" keys can
137          be created and updated from userspace, but the payload is only
138          readable from kernel space.
139 
140   *  Each process subscribes to three keyrings: a thread-specific keyring, a
141      process-specific keyring, and a session-specific keyring.
142 
143      The thread-specific keyring is discarded from the child when any sort of
144      clone, fork, vfork or execve occurs. A new keyring is created only when
145      required.
146 
147      The process-specific keyring is replaced with an empty one in the child on
148      clone, fork, vfork unless CLONE_THREAD is supplied, in which case it is
149      shared. execve also discards the process's process keyring and creates a
150      new one.
151 
152      The session-specific keyring is persistent across clone, fork, vfork and
153      execve, even when the latter executes a set-UID or set-GID binary. A
154      process can, however, replace its current session keyring with a new one
155      by using PR_JOIN_SESSION_KEYRING. It is permitted to request an anonymous
156      new one, or to attempt to create or join one of a specific name.
157 
158      The ownership of the thread keyring changes when the real UID and GID of
159      the thread changes.
160 
161   *  Each user ID resident in the system holds two special keyrings: a user
162      specific keyring and a default user session keyring. The default session
163      keyring is initialised with a link to the user-specific keyring.
164 
165      When a process changes its real UID, if it used to have no session key, it
166      will be subscribed to the default session key for the new UID.
167 
168      If a process attempts to access its session key when it doesn't have one,
169      it will be subscribed to the default for its current UID.
170 
171   *  Each user has two quotas against which the keys they own are tracked. One
172      limits the total number of keys and keyrings, the other limits the total
173      amount of description and payload space that can be consumed.
174 
175      The user can view information on this and other statistics through procfs
176      files.  The root user may also alter the quota limits through sysctl files
177      (see the section "New procfs files").
178 
179      Process-specific and thread-specific keyrings are not counted towards a
180      user's quota.
181 
182      If a system call that modifies a key or keyring in some way would put the
183      user over quota, the operation is refused and error EDQUOT is returned.
184 
185   *  There's a system call interface by which userspace programs can create and
186      manipulate keys and keyrings.
187 
188   *  There's a kernel interface by which services can register types and search
189      for keys.
190 
191   *  There's a way for the a search done from the kernel to call back to
192      userspace to request a key that can't be found in a process's keyrings.
193 
194   *  An optional filesystem is available through which the key database can be
195      viewed and manipulated.
196 
197 
198 Key Access Permissions
199 ======================
200 
201 Keys have an owner user ID, a group access ID, and a permissions mask. The mask
202 has up to eight bits each for possessor, user, group and other access. Only
203 six of each set of eight bits are defined. These permissions granted are:
204 
205   *  View
206 
207      This permits a key or keyring's attributes to be viewed - including key
208      type and description.
209 
210   *  Read
211 
212      This permits a key's payload to be viewed or a keyring's list of linked
213      keys.
214 
215   *  Write
216 
217      This permits a key's payload to be instantiated or updated, or it allows a
218      link to be added to or removed from a keyring.
219 
220   *  Search
221 
222      This permits keyrings to be searched and keys to be found. Searches can
223      only recurse into nested keyrings that have search permission set.
224 
225   *  Link
226 
227      This permits a key or keyring to be linked to. To create a link from a
228      keyring to a key, a process must have Write permission on the keyring and
229      Link permission on the key.
230 
231   *  Set Attribute
232 
233      This permits a key's UID, GID and permissions mask to be changed.
234 
235 For changing the ownership, group ID or permissions mask, being the owner of
236 the key or having the sysadmin capability is sufficient.
237 
238 
239 SELinux Support
240 ===============
241 
242 The security class "key" has been added to SELinux so that mandatory access
243 controls can be applied to keys created within various contexts.  This support
244 is preliminary, and is likely to change quite significantly in the near future.
245 Currently, all of the basic permissions explained above are provided in SELinux
246 as well; SELinux is simply invoked after all basic permission checks have been
247 performed.
248 
249 The value of the file /proc/self/attr/keycreate influences the labeling of
250 newly-created keys.  If the contents of that file correspond to an SELinux
251 security context, then the key will be assigned that context.  Otherwise, the
252 key will be assigned the current context of the task that invoked the key
253 creation request.  Tasks must be granted explicit permission to assign a
254 particular context to newly-created keys, using the "create" permission in the
255 key security class.
256 
257 The default keyrings associated with users will be labeled with the default
258 context of the user if and only if the login programs have been instrumented to
259 properly initialize keycreate during the login process.  Otherwise, they will
260 be labeled with the context of the login program itself.
261 
262 Note, however, that the default keyrings associated with the root user are
263 labeled with the default kernel context, since they are created early in the
264 boot process, before root has a chance to log in.
265 
266 The keyrings associated with new threads are each labeled with the context of
267 their associated thread, and both session and process keyrings are handled
268 similarly.
269 
270 
271 New ProcFS Files
272 ================
273 
274 Two files have been added to procfs by which an administrator can find out
275 about the status of the key service:
276 
277   *  /proc/keys
278 
279      This lists the keys that are currently viewable by the task reading the
280      file, giving information about their type, description and permissions.
281      It is not possible to view the payload of the key this way, though some
282      information about it may be given.
283 
284      The only keys included in the list are those that grant View permission to
285      the reading process whether or not it possesses them.  Note that LSM
286      security checks are still performed, and may further filter out keys that
287      the current process is not authorised to view.
288 
289      The contents of the file look like this::
290 
291         SERIAL   FLAGS  USAGE EXPY PERM     UID   GID   TYPE      DESCRIPTION: SUMMARY
292         00000001 I-----    39 perm 1f3f0000     0     0 keyring   _uid_ses.0: 1/4
293         00000002 I-----     2 perm 1f3f0000     0     0 keyring   _uid.0: empty
294         00000007 I-----     1 perm 1f3f0000     0     0 keyring   _pid.1: empty
295         0000018d I-----     1 perm 1f3f0000     0     0 keyring   _pid.412: empty
296         000004d2 I--Q--     1 perm 1f3f0000    32    -1 keyring   _uid.32: 1/4
297         000004d3 I--Q--     3 perm 1f3f0000    32    -1 keyring   _uid_ses.32: empty
298         00000892 I--QU-     1 perm 1f000000     0     0 user      metal:copper: 0
299         00000893 I--Q-N     1  35s 1f3f0000     0     0 user      metal:silver: 0
300         00000894 I--Q--     1  10h 003f0000     0     0 user      metal:gold: 0
301 
302      The flags are::
303 
304         I       Instantiated
305         R       Revoked
306         D       Dead
307         Q       Contributes to user's quota
308         U       Under construction by callback to userspace
309         N       Negative key
310 
311 
312   *  /proc/key-users
313 
314      This file lists the tracking data for each user that has at least one key
315      on the system.  Such data includes quota information and statistics::
316 
317         [root@andromeda root]# cat /proc/key-users
318         0:     46 45/45 1/100 13/10000
319         29:     2 2/2 2/100 40/10000
320         32:     2 2/2 2/100 40/10000
321         38:     2 2/2 2/100 40/10000
322 
323      The format of each line is::
324 
325         <UID>:                  User ID to which this applies
326         <usage>                 Structure refcount
327         <inst>/<keys>           Total number of keys and number instantiated
328         <keys>/<max>            Key count quota
329         <bytes>/<max>           Key size quota
330 
331 
332 Four new sysctl files have been added also for the purpose of controlling the
333 quota limits on keys:
334 
335   *  /proc/sys/kernel/keys/root_maxkeys
336      /proc/sys/kernel/keys/root_maxbytes
337 
338      These files hold the maximum number of keys that root may have and the
339      maximum total number of bytes of data that root may have stored in those
340      keys.
341 
342   *  /proc/sys/kernel/keys/maxkeys
343      /proc/sys/kernel/keys/maxbytes
344 
345      These files hold the maximum number of keys that each non-root user may
346      have and the maximum total number of bytes of data that each of those
347      users may have stored in their keys.
348 
349 Root may alter these by writing each new limit as a decimal number string to
350 the appropriate file.
351 
352 
353 Userspace System Call Interface
354 ===============================
355 
356 Userspace can manipulate keys directly through three new syscalls: add_key,
357 request_key and keyctl. The latter provides a number of functions for
358 manipulating keys.
359 
360 When referring to a key directly, userspace programs should use the key's
361 serial number (a positive 32-bit integer). However, there are some special
362 values available for referring to special keys and keyrings that relate to the
363 process making the call::
364 
365         CONSTANT                        VALUE   KEY REFERENCED
366         ==============================  ======  ===========================
367         KEY_SPEC_THREAD_KEYRING         -1      thread-specific keyring
368         KEY_SPEC_PROCESS_KEYRING        -2      process-specific keyring
369         KEY_SPEC_SESSION_KEYRING        -3      session-specific keyring
370         KEY_SPEC_USER_KEYRING           -4      UID-specific keyring
371         KEY_SPEC_USER_SESSION_KEYRING   -5      UID-session keyring
372         KEY_SPEC_GROUP_KEYRING          -6      GID-specific keyring
373         KEY_SPEC_REQKEY_AUTH_KEY        -7      assumed request_key()
374                                                   authorisation key
375 
376 
377 The main syscalls are:
378 
379   *  Create a new key of given type, description and payload and add it to the
380      nominated keyring::
381 
382         key_serial_t add_key(const char *type, const char *desc,
383                              const void *payload, size_t plen,
384                              key_serial_t keyring);
385 
386      If a key of the same type and description as that proposed already exists
387      in the keyring, this will try to update it with the given payload, or it
388      will return error EEXIST if that function is not supported by the key
389      type. The process must also have permission to write to the key to be able
390      to update it. The new key will have all user permissions granted and no
391      group or third party permissions.
392 
393      Otherwise, this will attempt to create a new key of the specified type and
394      description, and to instantiate it with the supplied payload and attach it
395      to the keyring. In this case, an error will be generated if the process
396      does not have permission to write to the keyring.
397 
398      If the key type supports it, if the description is NULL or an empty
399      string, the key type will try and generate a description from the content
400      of the payload.
401 
402      The payload is optional, and the pointer can be NULL if not required by
403      the type. The payload is plen in size, and plen can be zero for an empty
404      payload.
405 
406      A new keyring can be generated by setting type "keyring", the keyring name
407      as the description (or NULL) and setting the payload to NULL.
408 
409      User defined keys can be created by specifying type "user". It is
410      recommended that a user defined key's description by prefixed with a type
411      ID and a colon, such as "krb5tgt:" for a Kerberos 5 ticket granting
412      ticket.
413 
414      Any other type must have been registered with the kernel in advance by a
415      kernel service such as a filesystem.
416 
417      The ID of the new or updated key is returned if successful.
418 
419 
420   *  Search the process's keyrings for a key, potentially calling out to
421      userspace to create it::
422 
423         key_serial_t request_key(const char *type, const char *description,
424                                  const char *callout_info,
425                                  key_serial_t dest_keyring);
426 
427      This function searches all the process's keyrings in the order thread,
428      process, session for a matching key. This works very much like
429      KEYCTL_SEARCH, including the optional attachment of the discovered key to
430      a keyring.
431 
432      If a key cannot be found, and if callout_info is not NULL, then
433      /sbin/request-key will be invoked in an attempt to obtain a key. The
434      callout_info string will be passed as an argument to the program.
435 
436      To link a key into the destination keyring the key must grant link
437      permission on the key to the caller and the keyring must grant write
438      permission.
439 
440      See also Documentation/security/keys/request-key.rst.
441 
442 
443 The keyctl syscall functions are:
444 
445   *  Map a special key ID to a real key ID for this process::
446 
447         key_serial_t keyctl(KEYCTL_GET_KEYRING_ID, key_serial_t id,
448                             int create);
449 
450      The special key specified by "id" is looked up (with the key being created
451      if necessary) and the ID of the key or keyring thus found is returned if
452      it exists.
453 
454      If the key does not yet exist, the key will be created if "create" is
455      non-zero; and the error ENOKEY will be returned if "create" is zero.
456 
457 
458   *  Replace the session keyring this process subscribes to with a new one::
459 
460         key_serial_t keyctl(KEYCTL_JOIN_SESSION_KEYRING, const char *name);
461 
462      If name is NULL, an anonymous keyring is created attached to the process
463      as its session keyring, displacing the old session keyring.
464 
465      If name is not NULL, if a keyring of that name exists, the process
466      attempts to attach it as the session keyring, returning an error if that
467      is not permitted; otherwise a new keyring of that name is created and
468      attached as the session keyring.
469 
470      To attach to a named keyring, the keyring must have search permission for
471      the process's ownership.
472 
473      The ID of the new session keyring is returned if successful.
474 
475 
476   *  Update the specified key::
477 
478         long keyctl(KEYCTL_UPDATE, key_serial_t key, const void *payload,
479                     size_t plen);
480 
481      This will try to update the specified key with the given payload, or it
482      will return error EOPNOTSUPP if that function is not supported by the key
483      type. The process must also have permission to write to the key to be able
484      to update it.
485 
486      The payload is of length plen, and may be absent or empty as for
487      add_key().
488 
489 
490   *  Revoke a key::
491 
492         long keyctl(KEYCTL_REVOKE, key_serial_t key);
493 
494      This makes a key unavailable for further operations. Further attempts to
495      use the key will be met with error EKEYREVOKED, and the key will no longer
496      be findable.
497 
498 
499   *  Change the ownership of a key::
500 
501         long keyctl(KEYCTL_CHOWN, key_serial_t key, uid_t uid, gid_t gid);
502 
503      This function permits a key's owner and group ID to be changed. Either one
504      of uid or gid can be set to -1 to suppress that change.
505 
506      Only the superuser can change a key's owner to something other than the
507      key's current owner. Similarly, only the superuser can change a key's
508      group ID to something other than the calling process's group ID or one of
509      its group list members.
510 
511 
512   *  Change the permissions mask on a key::
513 
514         long keyctl(KEYCTL_SETPERM, key_serial_t key, key_perm_t perm);
515 
516      This function permits the owner of a key or the superuser to change the
517      permissions mask on a key.
518 
519      Only bits the available bits are permitted; if any other bits are set,
520      error EINVAL will be returned.
521 
522 
523   *  Describe a key::
524 
525         long keyctl(KEYCTL_DESCRIBE, key_serial_t key, char *buffer,
526                     size_t buflen);
527 
528      This function returns a summary of the key's attributes (but not its
529      payload data) as a string in the buffer provided.
530 
531      Unless there's an error, it always returns the amount of data it could
532      produce, even if that's too big for the buffer, but it won't copy more
533      than requested to userspace. If the buffer pointer is NULL then no copy
534      will take place.
535 
536      A process must have view permission on the key for this function to be
537      successful.
538 
539      If successful, a string is placed in the buffer in the following format::
540 
541         <type>;<uid>;<gid>;<perm>;<description>
542 
543      Where type and description are strings, uid and gid are decimal, and perm
544      is hexadecimal. A NUL character is included at the end of the string if
545      the buffer is sufficiently big.
546 
547      This can be parsed with::
548 
549         sscanf(buffer, "%[^;];%d;%d;%o;%s", type, &uid, &gid, &mode, desc);
550 
551 
552   *  Clear out a keyring::
553 
554         long keyctl(KEYCTL_CLEAR, key_serial_t keyring);
555 
556      This function clears the list of keys attached to a keyring. The calling
557      process must have write permission on the keyring, and it must be a
558      keyring (or else error ENOTDIR will result).
559 
560      This function can also be used to clear special kernel keyrings if they
561      are appropriately marked if the user has CAP_SYS_ADMIN capability.  The
562      DNS resolver cache keyring is an example of this.
563 
564 
565   *  Link a key into a keyring::
566 
567         long keyctl(KEYCTL_LINK, key_serial_t keyring, key_serial_t key);
568 
569      This function creates a link from the keyring to the key. The process must
570      have write permission on the keyring and must have link permission on the
571      key.
572 
573      Should the keyring not be a keyring, error ENOTDIR will result; and if the
574      keyring is full, error ENFILE will result.
575 
576      The link procedure checks the nesting of the keyrings, returning ELOOP if
577      it appears too deep or EDEADLK if the link would introduce a cycle.
578 
579      Any links within the keyring to keys that match the new key in terms of
580      type and description will be discarded from the keyring as the new one is
581      added.
582 
583 
584   *  Move a key from one keyring to another::
585 
586         long keyctl(KEYCTL_MOVE,
587                     key_serial_t id,
588                     key_serial_t from_ring_id,
589                     key_serial_t to_ring_id,
590                     unsigned int flags);
591 
592      Move the key specified by "id" from the keyring specified by
593      "from_ring_id" to the keyring specified by "to_ring_id".  If the two
594      keyrings are the same, nothing is done.
595 
596      "flags" can have KEYCTL_MOVE_EXCL set in it to cause the operation to fail
597      with EEXIST if a matching key exists in the destination keyring, otherwise
598      such a key will be replaced.
599 
600      A process must have link permission on the key for this function to be
601      successful and write permission on both keyrings.  Any errors that can
602      occur from KEYCTL_LINK also apply on the destination keyring here.
603 
604 
605   *  Unlink a key or keyring from another keyring::
606 
607         long keyctl(KEYCTL_UNLINK, key_serial_t keyring, key_serial_t key);
608 
609      This function looks through the keyring for the first link to the
610      specified key, and removes it if found. Subsequent links to that key are
611      ignored. The process must have write permission on the keyring.
612 
613      If the keyring is not a keyring, error ENOTDIR will result; and if the key
614      is not present, error ENOENT will be the result.
615 
616 
617   *  Search a keyring tree for a key::
618 
619         key_serial_t keyctl(KEYCTL_SEARCH, key_serial_t keyring,
620                             const char *type, const char *description,
621                             key_serial_t dest_keyring);
622 
623      This searches the keyring tree headed by the specified keyring until a key
624      is found that matches the type and description criteria. Each keyring is
625      checked for keys before recursion into its children occurs.
626 
627      The process must have search permission on the top level keyring, or else
628      error EACCES will result. Only keyrings that the process has search
629      permission on will be recursed into, and only keys and keyrings for which
630      a process has search permission can be matched. If the specified keyring
631      is not a keyring, ENOTDIR will result.
632 
633      If the search succeeds, the function will attempt to link the found key
634      into the destination keyring if one is supplied (non-zero ID). All the
635      constraints applicable to KEYCTL_LINK apply in this case too.
636 
637      Error ENOKEY, EKEYREVOKED or EKEYEXPIRED will be returned if the search
638      fails. On success, the resulting key ID will be returned.
639 
640 
641   *  Read the payload data from a key::
642 
643         long keyctl(KEYCTL_READ, key_serial_t keyring, char *buffer,
644                     size_t buflen);
645 
646      This function attempts to read the payload data from the specified key
647      into the buffer. The process must have read permission on the key to
648      succeed.
649 
650      The returned data will be processed for presentation by the key type. For
651      instance, a keyring will return an array of key_serial_t entries
652      representing the IDs of all the keys to which it is subscribed. The user
653      defined key type will return its data as is. If a key type does not
654      implement this function, error EOPNOTSUPP will result.
655 
656      If the specified buffer is too small, then the size of the buffer required
657      will be returned.  Note that in this case, the contents of the buffer may
658      have been overwritten in some undefined way.
659 
660      Otherwise, on success, the function will return the amount of data copied
661      into the buffer.
662 
663   *  Instantiate a partially constructed key::
664 
665         long keyctl(KEYCTL_INSTANTIATE, key_serial_t key,
666                     const void *payload, size_t plen,
667                     key_serial_t keyring);
668         long keyctl(KEYCTL_INSTANTIATE_IOV, key_serial_t key,
669                     const struct iovec *payload_iov, unsigned ioc,
670                     key_serial_t keyring);
671 
672      If the kernel calls back to userspace to complete the instantiation of a
673      key, userspace should use this call to supply data for the key before the
674      invoked process returns, or else the key will be marked negative
675      automatically.
676 
677      The process must have write access on the key to be able to instantiate
678      it, and the key must be uninstantiated.
679 
680      If a keyring is specified (non-zero), the key will also be linked into
681      that keyring, however all the constraints applying in KEYCTL_LINK apply in
682      this case too.
683 
684      The payload and plen arguments describe the payload data as for add_key().
685 
686      The payload_iov and ioc arguments describe the payload data in an iovec
687      array instead of a single buffer.
688 
689 
690   *  Negatively instantiate a partially constructed key::
691 
692         long keyctl(KEYCTL_NEGATE, key_serial_t key,
693                     unsigned timeout, key_serial_t keyring);
694         long keyctl(KEYCTL_REJECT, key_serial_t key,
695                     unsigned timeout, unsigned error, key_serial_t keyring);
696 
697      If the kernel calls back to userspace to complete the instantiation of a
698      key, userspace should use this call mark the key as negative before the
699      invoked process returns if it is unable to fulfill the request.
700 
701      The process must have write access on the key to be able to instantiate
702      it, and the key must be uninstantiated.
703 
704      If a keyring is specified (non-zero), the key will also be linked into
705      that keyring, however all the constraints applying in KEYCTL_LINK apply in
706      this case too.
707 
708      If the key is rejected, future searches for it will return the specified
709      error code until the rejected key expires.  Negating the key is the same
710      as rejecting the key with ENOKEY as the error code.
711 
712 
713   *  Set the default request-key destination keyring::
714 
715         long keyctl(KEYCTL_SET_REQKEY_KEYRING, int reqkey_defl);
716 
717      This sets the default keyring to which implicitly requested keys will be
718      attached for this thread. reqkey_defl should be one of these constants::
719 
720         CONSTANT                                VALUE   NEW DEFAULT KEYRING
721         ======================================  ======  =======================
722         KEY_REQKEY_DEFL_NO_CHANGE               -1      No change
723         KEY_REQKEY_DEFL_DEFAULT                 0       Default[1]
724         KEY_REQKEY_DEFL_THREAD_KEYRING          1       Thread keyring
725         KEY_REQKEY_DEFL_PROCESS_KEYRING         2       Process keyring
726         KEY_REQKEY_DEFL_SESSION_KEYRING         3       Session keyring
727         KEY_REQKEY_DEFL_USER_KEYRING            4       User keyring
728         KEY_REQKEY_DEFL_USER_SESSION_KEYRING    5       User session keyring
729         KEY_REQKEY_DEFL_GROUP_KEYRING           6       Group keyring
730 
731      The old default will be returned if successful and error EINVAL will be
732      returned if reqkey_defl is not one of the above values.
733 
734      The default keyring can be overridden by the keyring indicated to the
735      request_key() system call.
736 
737      Note that this setting is inherited across fork/exec.
738 
739      [1] The default is: the thread keyring if there is one, otherwise
740      the process keyring if there is one, otherwise the session keyring if
741      there is one, otherwise the user default session keyring.
742 
743 
744   *  Set the timeout on a key::
745 
746         long keyctl(KEYCTL_SET_TIMEOUT, key_serial_t key, unsigned timeout);
747 
748      This sets or clears the timeout on a key. The timeout can be 0 to clear
749      the timeout or a number of seconds to set the expiry time that far into
750      the future.
751 
752      The process must have attribute modification access on a key to set its
753      timeout. Timeouts may not be set with this function on negative, revoked
754      or expired keys.
755 
756 
757   *  Assume the authority granted to instantiate a key::
758 
759         long keyctl(KEYCTL_ASSUME_AUTHORITY, key_serial_t key);
760 
761      This assumes or divests the authority required to instantiate the
762      specified key. Authority can only be assumed if the thread has the
763      authorisation key associated with the specified key in its keyrings
764      somewhere.
765 
766      Once authority is assumed, searches for keys will also search the
767      requester's keyrings using the requester's security label, UID, GID and
768      groups.
769 
770      If the requested authority is unavailable, error EPERM will be returned,
771      likewise if the authority has been revoked because the target key is
772      already instantiated.
773 
774      If the specified key is 0, then any assumed authority will be divested.
775 
776      The assumed authoritative key is inherited across fork and exec.
777 
778 
779   *  Get the LSM security context attached to a key::
780 
781         long keyctl(KEYCTL_GET_SECURITY, key_serial_t key, char *buffer,
782                     size_t buflen)
783 
784      This function returns a string that represents the LSM security context
785      attached to a key in the buffer provided.
786 
787      Unless there's an error, it always returns the amount of data it could
788      produce, even if that's too big for the buffer, but it won't copy more
789      than requested to userspace. If the buffer pointer is NULL then no copy
790      will take place.
791 
792      A NUL character is included at the end of the string if the buffer is
793      sufficiently big.  This is included in the returned count.  If no LSM is
794      in force then an empty string will be returned.
795 
796      A process must have view permission on the key for this function to be
797      successful.
798 
799 
800   *  Install the calling process's session keyring on its parent::
801 
802         long keyctl(KEYCTL_SESSION_TO_PARENT);
803 
804      This functions attempts to install the calling process's session keyring
805      on to the calling process's parent, replacing the parent's current session
806      keyring.
807 
808      The calling process must have the same ownership as its parent, the
809      keyring must have the same ownership as the calling process, the calling
810      process must have LINK permission on the keyring and the active LSM module
811      mustn't deny permission, otherwise error EPERM will be returned.
812 
813      Error ENOMEM will be returned if there was insufficient memory to complete
814      the operation, otherwise 0 will be returned to indicate success.
815 
816      The keyring will be replaced next time the parent process leaves the
817      kernel and resumes executing userspace.
818 
819 
820   *  Invalidate a key::
821 
822         long keyctl(KEYCTL_INVALIDATE, key_serial_t key);
823 
824      This function marks a key as being invalidated and then wakes up the
825      garbage collector.  The garbage collector immediately removes invalidated
826      keys from all keyrings and deletes the key when its reference count
827      reaches zero.
828 
829      Keys that are marked invalidated become invisible to normal key operations
830      immediately, though they are still visible in /proc/keys until deleted
831      (they're marked with an 'i' flag).
832 
833      A process must have search permission on the key for this function to be
834      successful.
835 
836   *  Compute a Diffie-Hellman shared secret or public key::
837 
838         long keyctl(KEYCTL_DH_COMPUTE, struct keyctl_dh_params *params,
839                     char *buffer, size_t buflen, struct keyctl_kdf_params *kdf);
840 
841      The params struct contains serial numbers for three keys::
842 
843          - The prime, p, known to both parties
844          - The local private key
845          - The base integer, which is either a shared generator or the
846            remote public key
847 
848      The value computed is::
849 
850         result = base ^ private (mod prime)
851 
852      If the base is the shared generator, the result is the local
853      public key.  If the base is the remote public key, the result is
854      the shared secret.
855 
856      If the parameter kdf is NULL, the following applies:
857 
858          - The buffer length must be at least the length of the prime, or zero.
859 
860          - If the buffer length is nonzero, the length of the result is
861            returned when it is successfully calculated and copied in to the
862            buffer. When the buffer length is zero, the minimum required
863            buffer length is returned.
864 
865      The kdf parameter allows the caller to apply a key derivation function
866      (KDF) on the Diffie-Hellman computation where only the result
867      of the KDF is returned to the caller. The KDF is characterized with
868      struct keyctl_kdf_params as follows:
869 
870          - ``char *hashname`` specifies the NUL terminated string identifying
871            the hash used from the kernel crypto API and applied for the KDF
872            operation. The KDF implementation complies with SP800-56A as well
873            as with SP800-108 (the counter KDF).
874 
875          - ``char *otherinfo`` specifies the OtherInfo data as documented in
876            SP800-56A section 5.8.1.2. The length of the buffer is given with
877            otherinfolen. The format of OtherInfo is defined by the caller.
878            The otherinfo pointer may be NULL if no OtherInfo shall be used.
879 
880      This function will return error EOPNOTSUPP if the key type is not
881      supported, error ENOKEY if the key could not be found, or error
882      EACCES if the key is not readable by the caller. In addition, the
883      function will return EMSGSIZE when the parameter kdf is non-NULL
884      and either the buffer length or the OtherInfo length exceeds the
885      allowed length.
886 
887 
888   *  Restrict keyring linkage::
889 
890         long keyctl(KEYCTL_RESTRICT_KEYRING, key_serial_t keyring,
891                     const char *type, const char *restriction);
892 
893      An existing keyring can restrict linkage of additional keys by evaluating
894      the contents of the key according to a restriction scheme.
895 
896      "keyring" is the key ID for an existing keyring to apply a restriction
897      to. It may be empty or may already have keys linked. Existing linked keys
898      will remain in the keyring even if the new restriction would reject them.
899 
900      "type" is a registered key type.
901 
902      "restriction" is a string describing how key linkage is to be restricted.
903      The format varies depending on the key type, and the string is passed to
904      the lookup_restriction() function for the requested type.  It may specify
905      a method and relevant data for the restriction such as signature
906      verification or constraints on key payload. If the requested key type is
907      later unregistered, no keys may be added to the keyring after the key type
908      is removed.
909 
910      To apply a keyring restriction the process must have Set Attribute
911      permission and the keyring must not be previously restricted.
912 
913      One application of restricted keyrings is to verify X.509 certificate
914      chains or individual certificate signatures using the asymmetric key type.
915      See Documentation/crypto/asymmetric-keys.rst for specific restrictions
916      applicable to the asymmetric key type.
917 
918 
919   *  Query an asymmetric key::
920 
921         long keyctl(KEYCTL_PKEY_QUERY,
922                     key_serial_t key_id, unsigned long reserved,
923                     const char *params,
924                     struct keyctl_pkey_query *info);
925 
926      Get information about an asymmetric key.  Specific algorithms and
927      encodings may be queried by using the ``params`` argument.  This is a
928      string containing a space- or tab-separated string of key-value pairs.
929      Currently supported keys include ``enc`` and ``hash``.  The information
930      is returned in the keyctl_pkey_query struct::
931 
932         __u32   supported_ops;
933         __u32   key_size;
934         __u16   max_data_size;
935         __u16   max_sig_size;
936         __u16   max_enc_size;
937         __u16   max_dec_size;
938         __u32   __spare[10];
939 
940      ``supported_ops`` contains a bit mask of flags indicating which ops are
941      supported.  This is constructed from a bitwise-OR of::
942 
943         KEYCTL_SUPPORTS_{ENCRYPT,DECRYPT,SIGN,VERIFY}
944 
945      ``key_size`` indicated the size of the key in bits.
946 
947      ``max_*_size`` indicate the maximum sizes in bytes of a blob of data to be
948      signed, a signature blob, a blob to be encrypted and a blob to be
949      decrypted.
950 
951      ``__spare[]`` must be set to 0.  This is intended for future use to hand
952      over one or more passphrases needed unlock a key.
953 
954      If successful, 0 is returned.  If the key is not an asymmetric key,
955      EOPNOTSUPP is returned.
956 
957 
958   *  Encrypt, decrypt, sign or verify a blob using an asymmetric key::
959 
960         long keyctl(KEYCTL_PKEY_ENCRYPT,
961                     const struct keyctl_pkey_params *params,
962                     const char *info,
963                     const void *in,
964                     void *out);
965 
966         long keyctl(KEYCTL_PKEY_DECRYPT,
967                     const struct keyctl_pkey_params *params,
968                     const char *info,
969                     const void *in,
970                     void *out);
971 
972         long keyctl(KEYCTL_PKEY_SIGN,
973                     const struct keyctl_pkey_params *params,
974                     const char *info,
975                     const void *in,
976                     void *out);
977 
978         long keyctl(KEYCTL_PKEY_VERIFY,
979                     const struct keyctl_pkey_params *params,
980                     const char *info,
981                     const void *in,
982                     const void *in2);
983 
984      Use an asymmetric key to perform a public-key cryptographic operation a
985      blob of data.  For encryption and verification, the asymmetric key may
986      only need the public parts to be available, but for decryption and signing
987      the private parts are required also.
988 
989      The parameter block pointed to by params contains a number of integer
990      values::
991 
992         __s32           key_id;
993         __u32           in_len;
994         __u32           out_len;
995         __u32           in2_len;
996 
997      ``key_id`` is the ID of the asymmetric key to be used.  ``in_len`` and
998      ``in2_len`` indicate the amount of data in the in and in2 buffers and
999      ``out_len`` indicates the size of the out buffer as appropriate for the
1000      above operations.
1001 
1002      For a given operation, the in and out buffers are used as follows::
1003 
1004         Operation ID            in,in_len       out,out_len     in2,in2_len
1005         ======================= =============== =============== ===============
1006         KEYCTL_PKEY_ENCRYPT     Raw data        Encrypted data  -
1007         KEYCTL_PKEY_DECRYPT     Encrypted data  Raw data        -
1008         KEYCTL_PKEY_SIGN        Raw data        Signature       -
1009         KEYCTL_PKEY_VERIFY      Raw data        -               Signature
1010 
1011      ``info`` is a string of key=value pairs that supply supplementary
1012      information.  These include:
1013 
1014         ``enc=<encoding>`` The encoding of the encrypted/signature blob.  This
1015                         can be "pkcs1" for RSASSA-PKCS1-v1.5 or
1016                         RSAES-PKCS1-v1.5; "pss" for "RSASSA-PSS"; "oaep" for
1017                         "RSAES-OAEP".  If omitted or is "raw", the raw output
1018                         of the encryption function is specified.
1019 
1020         ``hash=<algo>`` If the data buffer contains the output of a hash
1021                         function and the encoding includes some indication of
1022                         which hash function was used, the hash function can be
1023                         specified with this, eg. "hash=sha256".
1024 
1025      The ``__spare[]`` space in the parameter block must be set to 0.  This is
1026      intended, amongst other things, to allow the passing of passphrases
1027      required to unlock a key.
1028 
1029      If successful, encrypt, decrypt and sign all return the amount of data
1030      written into the output buffer.  Verification returns 0 on success.
1031 
1032 
1033   *  Watch a key or keyring for changes::
1034 
1035         long keyctl(KEYCTL_WATCH_KEY, key_serial_t key, int queue_fd,
1036                     const struct watch_notification_filter *filter);
1037 
1038      This will set or remove a watch for changes on the specified key or
1039      keyring.
1040 
1041      "key" is the ID of the key to be watched.
1042 
1043      "queue_fd" is a file descriptor referring to an open pipe which
1044      manages the buffer into which notifications will be delivered.
1045 
1046      "filter" is either NULL to remove a watch or a filter specification to
1047      indicate what events are required from the key.
1048 
1049      See Documentation/core-api/watch_queue.rst for more information.
1050 
1051      Note that only one watch may be emplaced for any particular { key,
1052      queue_fd } combination.
1053 
1054      Notification records look like::
1055 
1056         struct key_notification {
1057                 struct watch_notification watch;
1058                 __u32   key_id;
1059                 __u32   aux;
1060         };
1061 
1062      In this, watch::type will be "WATCH_TYPE_KEY_NOTIFY" and subtype will be
1063      one of::
1064 
1065         NOTIFY_KEY_INSTANTIATED
1066         NOTIFY_KEY_UPDATED
1067         NOTIFY_KEY_LINKED
1068         NOTIFY_KEY_UNLINKED
1069         NOTIFY_KEY_CLEARED
1070         NOTIFY_KEY_REVOKED
1071         NOTIFY_KEY_INVALIDATED
1072         NOTIFY_KEY_SETATTR
1073 
1074      Where these indicate a key being instantiated/rejected, updated, a link
1075      being made in a keyring, a link being removed from a keyring, a keyring
1076      being cleared, a key being revoked, a key being invalidated or a key
1077      having one of its attributes changed (user, group, perm, timeout,
1078      restriction).
1079 
1080      If a watched key is deleted, a basic watch_notification will be issued
1081      with "type" set to WATCH_TYPE_META and "subtype" set to
1082      watch_meta_removal_notification.  The watchpoint ID will be set in the
1083      "info" field.
1084 
1085      This needs to be configured by enabling:
1086 
1087         "Provide key/keyring change notifications" (KEY_NOTIFICATIONS)
1088 
1089 
1090 Kernel Services
1091 ===============
1092 
1093 The kernel services for key management are fairly simple to deal with. They can
1094 be broken down into two areas: keys and key types.
1095 
1096 Dealing with keys is fairly straightforward. Firstly, the kernel service
1097 registers its type, then it searches for a key of that type. It should retain
1098 the key as long as it has need of it, and then it should release it. For a
1099 filesystem or device file, a search would probably be performed during the open
1100 call, and the key released upon close. How to deal with conflicting keys due to
1101 two different users opening the same file is left to the filesystem author to
1102 solve.
1103 
1104 To access the key manager, the following header must be #included::
1105 
1106         <linux/key.h>
1107 
1108 Specific key types should have a header file under include/keys/ that should be
1109 used to access that type.  For keys of type "user", for example, that would be::
1110 
1111         <keys/user-type.h>
1112 
1113 Note that there are two different types of pointers to keys that may be
1114 encountered:
1115 
1116   *  struct key *
1117 
1118      This simply points to the key structure itself. Key structures will be at
1119      least four-byte aligned.
1120 
1121   *  key_ref_t
1122 
1123      This is equivalent to a ``struct key *``, but the least significant bit is set
1124      if the caller "possesses" the key. By "possession" it is meant that the
1125      calling processes has a searchable link to the key from one of its
1126      keyrings. There are three functions for dealing with these::
1127 
1128         key_ref_t make_key_ref(const struct key *key, bool possession);
1129 
1130         struct key *key_ref_to_ptr(const key_ref_t key_ref);
1131 
1132         bool is_key_possessed(const key_ref_t key_ref);
1133 
1134      The first function constructs a key reference from a key pointer and
1135      possession information (which must be true or false).
1136 
1137      The second function retrieves the key pointer from a reference and the
1138      third retrieves the possession flag.
1139 
1140 When accessing a key's payload contents, certain precautions must be taken to
1141 prevent access vs modification races. See the section "Notes on accessing
1142 payload contents" for more information.
1143 
1144  *  To search for a key, call::
1145 
1146         struct key *request_key(const struct key_type *type,
1147                                 const char *description,
1148                                 const char *callout_info);
1149 
1150     This is used to request a key or keyring with a description that matches
1151     the description specified according to the key type's match_preparse()
1152     method. This permits approximate matching to occur. If callout_string is
1153     not NULL, then /sbin/request-key will be invoked in an attempt to obtain
1154     the key from userspace. In that case, callout_string will be passed as an
1155     argument to the program.
1156 
1157     Should the function fail error ENOKEY, EKEYEXPIRED or EKEYREVOKED will be
1158     returned.
1159 
1160     If successful, the key will have been attached to the default keyring for
1161     implicitly obtained request-key keys, as set by KEYCTL_SET_REQKEY_KEYRING.
1162 
1163     See also Documentation/security/keys/request-key.rst.
1164 
1165 
1166  *  To search for a key in a specific domain, call::
1167 
1168         struct key *request_key_tag(const struct key_type *type,
1169                                     const char *description,
1170                                     struct key_tag *domain_tag,
1171                                     const char *callout_info);
1172 
1173     This is identical to request_key(), except that a domain tag may be
1174     specifies that causes search algorithm to only match keys matching that
1175     tag.  The domain_tag may be NULL, specifying a global domain that is
1176     separate from any nominated domain.
1177 
1178 
1179  *  To search for a key, passing auxiliary data to the upcaller, call::
1180 
1181         struct key *request_key_with_auxdata(const struct key_type *type,
1182                                              const char *description,
1183                                              struct key_tag *domain_tag,
1184                                              const void *callout_info,
1185                                              size_t callout_len,
1186                                              void *aux);
1187 
1188     This is identical to request_key_tag(), except that the auxiliary data is
1189     passed to the key_type->request_key() op if it exists, and the
1190     callout_info is a blob of length callout_len, if given (the length may be
1191     0).
1192 
1193 
1194  *  To search for a key under RCU conditions, call::
1195 
1196         struct key *request_key_rcu(const struct key_type *type,
1197                                     const char *description,
1198                                     struct key_tag *domain_tag);
1199 
1200     which is similar to request_key_tag() except that it does not check for
1201     keys that are under construction and it will not call out to userspace to
1202     construct a key if it can't find a match.
1203 
1204 
1205  *  When it is no longer required, the key should be released using::
1206 
1207         void key_put(struct key *key);
1208 
1209     Or::
1210 
1211         void key_ref_put(key_ref_t key_ref);
1212 
1213     These can be called from interrupt context. If CONFIG_KEYS is not set then
1214     the argument will not be parsed.
1215 
1216 
1217  *  Extra references can be made to a key by calling one of the following
1218     functions::
1219 
1220         struct key *__key_get(struct key *key);
1221         struct key *key_get(struct key *key);
1222 
1223     Keys so references will need to be disposed of by calling key_put() when
1224     they've been finished with.  The key pointer passed in will be returned.
1225 
1226     In the case of key_get(), if the pointer is NULL or CONFIG_KEYS is not set
1227     then the key will not be dereferenced and no increment will take place.
1228 
1229 
1230  *  A key's serial number can be obtained by calling::
1231 
1232         key_serial_t key_serial(struct key *key);
1233 
1234     If key is NULL or if CONFIG_KEYS is not set then 0 will be returned (in the
1235     latter case without parsing the argument).
1236 
1237 
1238  *  If a keyring was found in the search, this can be further searched by::
1239 
1240         key_ref_t keyring_search(key_ref_t keyring_ref,
1241                                  const struct key_type *type,
1242                                  const char *description,
1243                                  bool recurse)
1244 
1245     This searches the specified keyring only (recurse == false) or keyring tree
1246     (recurse == true) specified for a matching key. Error ENOKEY is returned
1247     upon failure (use IS_ERR/PTR_ERR to determine). If successful, the returned
1248     key will need to be released.
1249 
1250     The possession attribute from the keyring reference is used to control
1251     access through the permissions mask and is propagated to the returned key
1252     reference pointer if successful.
1253 
1254 
1255  *  A keyring can be created by::
1256 
1257         struct key *keyring_alloc(const char *description, uid_t uid, gid_t gid,
1258                                   const struct cred *cred,
1259                                   key_perm_t perm,
1260                                   struct key_restriction *restrict_link,
1261                                   unsigned long flags,
1262                                   struct key *dest);
1263 
1264     This creates a keyring with the given attributes and returns it.  If dest
1265     is not NULL, the new keyring will be linked into the keyring to which it
1266     points.  No permission checks are made upon the destination keyring.
1267 
1268     Error EDQUOT can be returned if the keyring would overload the quota (pass
1269     KEY_ALLOC_NOT_IN_QUOTA in flags if the keyring shouldn't be accounted
1270     towards the user's quota).  Error ENOMEM can also be returned.
1271 
1272     If restrict_link is not NULL, it should point to a structure that contains
1273     the function that will be called each time an attempt is made to link a
1274     key into the new keyring.  The structure may also contain a key pointer
1275     and an associated key type.  The function is called to check whether a key
1276     may be added into the keyring or not.  The key type is used by the garbage
1277     collector to clean up function or data pointers in this structure if the
1278     given key type is unregistered.  Callers of key_create_or_update() within
1279     the kernel can pass KEY_ALLOC_BYPASS_RESTRICTION to suppress the check.
1280     An example of using this is to manage rings of cryptographic keys that are
1281     set up when the kernel boots where userspace is also permitted to add keys
1282     - provided they can be verified by a key the kernel already has.
1283 
1284     When called, the restriction function will be passed the keyring being
1285     added to, the key type, the payload of the key being added, and data to be
1286     used in the restriction check.  Note that when a new key is being created,
1287     this is called between payload preparsing and actual key creation.  The
1288     function should return 0 to allow the link or an error to reject it.
1289 
1290     A convenience function, restrict_link_reject, exists to always return
1291     -EPERM to in this case.
1292 
1293 
1294  *  To check the validity of a key, this function can be called::
1295 
1296         int validate_key(struct key *key);
1297 
1298     This checks that the key in question hasn't expired or and hasn't been
1299     revoked. Should the key be invalid, error EKEYEXPIRED or EKEYREVOKED will
1300     be returned. If the key is NULL or if CONFIG_KEYS is not set then 0 will be
1301     returned (in the latter case without parsing the argument).
1302 
1303 
1304  *  To register a key type, the following function should be called::
1305 
1306         int register_key_type(struct key_type *type);
1307 
1308     This will return error EEXIST if a type of the same name is already
1309     present.
1310 
1311 
1312  *  To unregister a key type, call::
1313 
1314         void unregister_key_type(struct key_type *type);
1315 
1316 
1317 Under some circumstances, it may be desirable to deal with a bundle of keys.
1318 The facility provides access to the keyring type for managing such a bundle::
1319 
1320         struct key_type key_type_keyring;
1321 
1322 This can be used with a function such as request_key() to find a specific
1323 keyring in a process's keyrings.  A keyring thus found can then be searched
1324 with keyring_search().  Note that it is not possible to use request_key() to
1325 search a specific keyring, so using keyrings in this way is of limited utility.
1326 
1327 
1328 Notes On Accessing Payload Contents
1329 ===================================
1330 
1331 The simplest payload is just data stored in key->payload directly.  In this
1332 case, there's no need to indulge in RCU or locking when accessing the payload.
1333 
1334 More complex payload contents must be allocated and pointers to them set in the
1335 key->payload.data[] array.  One of the following ways must be selected to
1336 access the data:
1337 
1338   1) Unmodifiable key type.
1339 
1340      If the key type does not have a modify method, then the key's payload can
1341      be accessed without any form of locking, provided that it's known to be
1342      instantiated (uninstantiated keys cannot be "found").
1343 
1344   2) The key's semaphore.
1345 
1346      The semaphore could be used to govern access to the payload and to control
1347      the payload pointer. It must be write-locked for modifications and would
1348      have to be read-locked for general access. The disadvantage of doing this
1349      is that the accessor may be required to sleep.
1350 
1351   3) RCU.
1352 
1353      RCU must be used when the semaphore isn't already held; if the semaphore
1354      is held then the contents can't change under you unexpectedly as the
1355      semaphore must still be used to serialise modifications to the key. The
1356      key management code takes care of this for the key type.
1357 
1358      However, this means using::
1359 
1360         rcu_read_lock() ... rcu_dereference() ... rcu_read_unlock()
1361 
1362      to read the pointer, and::
1363 
1364         rcu_dereference() ... rcu_assign_pointer() ... call_rcu()
1365 
1366      to set the pointer and dispose of the old contents after a grace period.
1367      Note that only the key type should ever modify a key's payload.
1368 
1369      Furthermore, an RCU controlled payload must hold a struct rcu_head for the
1370      use of call_rcu() and, if the payload is of variable size, the length of
1371      the payload. key->datalen cannot be relied upon to be consistent with the
1372      payload just dereferenced if the key's semaphore is not held.
1373 
1374      Note that key->payload.data[0] has a shadow that is marked for __rcu
1375      usage.  This is called key->payload.rcu_data0.  The following accessors
1376      wrap the RCU calls to this element:
1377 
1378      a) Set or change the first payload pointer::
1379 
1380                 rcu_assign_keypointer(struct key *key, void *data);
1381 
1382      b) Read the first payload pointer with the key semaphore held::
1383 
1384                 [const] void *dereference_key_locked([const] struct key *key);
1385 
1386          Note that the return value will inherit its constness from the key
1387          parameter.  Static analysis will give an error if it things the lock
1388          isn't held.
1389 
1390      c) Read the first payload pointer with the RCU read lock held::
1391 
1392                 const void *dereference_key_rcu(const struct key *key);
1393 
1394 
1395 Defining a Key Type
1396 ===================
1397 
1398 A kernel service may want to define its own key type. For instance, an AFS
1399 filesystem might want to define a Kerberos 5 ticket key type. To do this, it
1400 author fills in a key_type struct and registers it with the system.
1401 
1402 Source files that implement key types should include the following header file::
1403 
1404         <linux/key-type.h>
1405 
1406 The structure has a number of fields, some of which are mandatory:
1407 
1408   *  ``const char *name``
1409 
1410      The name of the key type. This is used to translate a key type name
1411      supplied by userspace into a pointer to the structure.
1412 
1413 
1414   *  ``size_t def_datalen``
1415 
1416      This is optional - it supplies the default payload data length as
1417      contributed to the quota. If the key type's payload is always or almost
1418      always the same size, then this is a more efficient way to do things.
1419 
1420      The data length (and quota) on a particular key can always be changed
1421      during instantiation or update by calling::
1422 
1423         int key_payload_reserve(struct key *key, size_t datalen);
1424 
1425      With the revised data length. Error EDQUOT will be returned if this is not
1426      viable.
1427 
1428 
1429   *  ``int (*vet_description)(const char *description);``
1430 
1431      This optional method is called to vet a key description.  If the key type
1432      doesn't approve of the key description, it may return an error, otherwise
1433      it should return 0.
1434 
1435 
1436   *  ``int (*preparse)(struct key_preparsed_payload *prep);``
1437 
1438      This optional method permits the key type to attempt to parse payload
1439      before a key is created (add key) or the key semaphore is taken (update or
1440      instantiate key).  The structure pointed to by prep looks like::
1441 
1442         struct key_preparsed_payload {
1443                 char            *description;
1444                 union key_payload payload;
1445                 const void      *data;
1446                 size_t          datalen;
1447                 size_t          quotalen;
1448                 time_t          expiry;
1449         };
1450 
1451      Before calling the method, the caller will fill in data and datalen with
1452      the payload blob parameters; quotalen will be filled in with the default
1453      quota size from the key type; expiry will be set to TIME_T_MAX and the
1454      rest will be cleared.
1455 
1456      If a description can be proposed from the payload contents, that should be
1457      attached as a string to the description field.  This will be used for the
1458      key description if the caller of add_key() passes NULL or "".
1459 
1460      The method can attach anything it likes to payload.  This is merely passed
1461      along to the instantiate() or update() operations.  If set, the expiry
1462      time will be applied to the key if it is instantiated from this data.
1463 
1464      The method should return 0 if successful or a negative error code
1465      otherwise.
1466 
1467 
1468   *  ``void (*free_preparse)(struct key_preparsed_payload *prep);``
1469 
1470      This method is only required if the preparse() method is provided,
1471      otherwise it is unused.  It cleans up anything attached to the description
1472      and payload fields of the key_preparsed_payload struct as filled in by the
1473      preparse() method.  It will always be called after preparse() returns
1474      successfully, even if instantiate() or update() succeed.
1475 
1476 
1477   *  ``int (*instantiate)(struct key *key, struct key_preparsed_payload *prep);``
1478 
1479      This method is called to attach a payload to a key during construction.
1480      The payload attached need not bear any relation to the data passed to this
1481      function.
1482 
1483      The prep->data and prep->datalen fields will define the original payload
1484      blob.  If preparse() was supplied then other fields may be filled in also.
1485 
1486      If the amount of data attached to the key differs from the size in
1487      keytype->def_datalen, then key_payload_reserve() should be called.
1488 
1489      This method does not have to lock the key in order to attach a payload.
1490      The fact that KEY_FLAG_INSTANTIATED is not set in key->flags prevents
1491      anything else from gaining access to the key.
1492 
1493      It is safe to sleep in this method.
1494 
1495      generic_key_instantiate() is provided to simply copy the data from
1496      prep->payload.data[] to key->payload.data[], with RCU-safe assignment on
1497      the first element.  It will then clear prep->payload.data[] so that the
1498      free_preparse method doesn't release the data.
1499 
1500 
1501   *  ``int (*update)(struct key *key, const void *data, size_t datalen);``
1502 
1503      If this type of key can be updated, then this method should be provided.
1504      It is called to update a key's payload from the blob of data provided.
1505 
1506      The prep->data and prep->datalen fields will define the original payload
1507      blob.  If preparse() was supplied then other fields may be filled in also.
1508 
1509      key_payload_reserve() should be called if the data length might change
1510      before any changes are actually made. Note that if this succeeds, the type
1511      is committed to changing the key because it's already been altered, so all
1512      memory allocation must be done first.
1513 
1514      The key will have its semaphore write-locked before this method is called,
1515      but this only deters other writers; any changes to the key's payload must
1516      be made under RCU conditions, and call_rcu() must be used to dispose of
1517      the old payload.
1518 
1519      key_payload_reserve() should be called before the changes are made, but
1520      after all allocations and other potentially failing function calls are
1521      made.
1522 
1523      It is safe to sleep in this method.
1524 
1525 
1526   *  ``int (*match_preparse)(struct key_match_data *match_data);``
1527 
1528      This method is optional.  It is called when a key search is about to be
1529      performed.  It is given the following structure::
1530 
1531         struct key_match_data {
1532                 bool (*cmp)(const struct key *key,
1533                             const struct key_match_data *match_data);
1534                 const void      *raw_data;
1535                 void            *preparsed;
1536                 unsigned        lookup_type;
1537         };
1538 
1539      On entry, raw_data will be pointing to the criteria to be used in matching
1540      a key by the caller and should not be modified.  ``(*cmp)()`` will be pointing
1541      to the default matcher function (which does an exact description match
1542      against raw_data) and lookup_type will be set to indicate a direct lookup.
1543 
1544      The following lookup_type values are available:
1545 
1546        *  KEYRING_SEARCH_LOOKUP_DIRECT - A direct lookup hashes the type and
1547           description to narrow down the search to a small number of keys.
1548 
1549        *  KEYRING_SEARCH_LOOKUP_ITERATE - An iterative lookup walks all the
1550           keys in the keyring until one is matched.  This must be used for any
1551           search that's not doing a simple direct match on the key description.
1552 
1553      The method may set cmp to point to a function of its choice that does some
1554      other form of match, may set lookup_type to KEYRING_SEARCH_LOOKUP_ITERATE
1555      and may attach something to the preparsed pointer for use by ``(*cmp)()``.
1556      ``(*cmp)()`` should return true if a key matches and false otherwise.
1557 
1558      If preparsed is set, it may be necessary to use the match_free() method to
1559      clean it up.
1560 
1561      The method should return 0 if successful or a negative error code
1562      otherwise.
1563 
1564      It is permitted to sleep in this method, but ``(*cmp)()`` may not sleep as
1565      locks will be held over it.
1566 
1567      If match_preparse() is not provided, keys of this type will be matched
1568      exactly by their description.
1569 
1570 
1571   *  ``void (*match_free)(struct key_match_data *match_data);``
1572 
1573      This method is optional.  If given, it called to clean up
1574      match_data->preparsed after a successful call to match_preparse().
1575 
1576 
1577   *  ``void (*revoke)(struct key *key);``
1578 
1579      This method is optional.  It is called to discard part of the payload
1580      data upon a key being revoked.  The caller will have the key semaphore
1581      write-locked.
1582 
1583      It is safe to sleep in this method, though care should be taken to avoid
1584      a deadlock against the key semaphore.
1585 
1586 
1587   *  ``void (*destroy)(struct key *key);``
1588 
1589      This method is optional. It is called to discard the payload data on a key
1590      when it is being destroyed.
1591 
1592      This method does not need to lock the key to access the payload; it can
1593      consider the key as being inaccessible at this time. Note that the key's
1594      type may have been changed before this function is called.
1595 
1596      It is not safe to sleep in this method; the caller may hold spinlocks.
1597 
1598 
1599   *  ``void (*describe)(const struct key *key, struct seq_file *p);``
1600 
1601      This method is optional. It is called during /proc/keys reading to
1602      summarise a key's description and payload in text form.
1603 
1604      This method will be called with the RCU read lock held. rcu_dereference()
1605      should be used to read the payload pointer if the payload is to be
1606      accessed. key->datalen cannot be trusted to stay consistent with the
1607      contents of the payload.
1608 
1609      The description will not change, though the key's state may.
1610 
1611      It is not safe to sleep in this method; the RCU read lock is held by the
1612      caller.
1613 
1614 
1615   *  ``long (*read)(const struct key *key, char __user *buffer, size_t buflen);``
1616 
1617      This method is optional. It is called by KEYCTL_READ to translate the
1618      key's payload into something a blob of data for userspace to deal with.
1619      Ideally, the blob should be in the same format as that passed in to the
1620      instantiate and update methods.
1621 
1622      If successful, the blob size that could be produced should be returned
1623      rather than the size copied.
1624 
1625      This method will be called with the key's semaphore read-locked. This will
1626      prevent the key's payload changing. It is not necessary to use RCU locking
1627      when accessing the key's payload. It is safe to sleep in this method, such
1628      as might happen when the userspace buffer is accessed.
1629 
1630 
1631   *  ``int (*request_key)(struct key_construction *cons, const char *op, void *aux);``
1632 
1633      This method is optional.  If provided, request_key() and friends will
1634      invoke this function rather than upcalling to /sbin/request-key to operate
1635      upon a key of this type.
1636 
1637      The aux parameter is as passed to request_key_async_with_auxdata() and
1638      similar or is NULL otherwise.  Also passed are the construction record for
1639      the key to be operated upon and the operation type (currently only
1640      "create").
1641 
1642      This method is permitted to return before the upcall is complete, but the
1643      following function must be called under all circumstances to complete the
1644      instantiation process, whether or not it succeeds, whether or not there's
1645      an error::
1646 
1647         void complete_request_key(struct key_construction *cons, int error);
1648 
1649      The error parameter should be 0 on success, -ve on error.  The
1650      construction record is destroyed by this action and the authorisation key
1651      will be revoked.  If an error is indicated, the key under construction
1652      will be negatively instantiated if it wasn't already instantiated.
1653 
1654      If this method returns an error, that error will be returned to the
1655      caller of request_key*().  complete_request_key() must be called prior to
1656      returning.
1657 
1658      The key under construction and the authorisation key can be found in the
1659      key_construction struct pointed to by cons:
1660 
1661       *  ``struct key *key;``
1662 
1663          The key under construction.
1664 
1665       *  ``struct key *authkey;``
1666 
1667          The authorisation key.
1668 
1669 
1670   *  ``struct key_restriction *(*lookup_restriction)(const char *params);``
1671 
1672      This optional method is used to enable userspace configuration of keyring
1673      restrictions. The restriction parameter string (not including the key type
1674      name) is passed in, and this method returns a pointer to a key_restriction
1675      structure containing the relevant functions and data to evaluate each
1676      attempted key link operation. If there is no match, -EINVAL is returned.
1677 
1678 
1679   *  ``asym_eds_op`` and ``asym_verify_signature``::
1680 
1681        int (*asym_eds_op)(struct kernel_pkey_params *params,
1682                           const void *in, void *out);
1683        int (*asym_verify_signature)(struct kernel_pkey_params *params,
1684                                     const void *in, const void *in2);
1685 
1686      These methods are optional.  If provided the first allows a key to be
1687      used to encrypt, decrypt or sign a blob of data, and the second allows a
1688      key to verify a signature.
1689 
1690      In all cases, the following information is provided in the params block::
1691 
1692         struct kernel_pkey_params {
1693                 struct key      *key;
1694                 const char      *encoding;
1695                 const char      *hash_algo;
1696                 char            *info;
1697                 __u32           in_len;
1698                 union {
1699                         __u32   out_len;
1700                         __u32   in2_len;
1701                 };
1702                 enum kernel_pkey_operation op : 8;
1703         };
1704 
1705      This includes the key to be used; a string indicating the encoding to use
1706      (for instance, "pkcs1" may be used with an RSA key to indicate
1707      RSASSA-PKCS1-v1.5 or RSAES-PKCS1-v1.5 encoding or "raw" if no encoding);
1708      the name of the hash algorithm used to generate the data for a signature
1709      (if appropriate); the sizes of the input and output (or second input)
1710      buffers; and the ID of the operation to be performed.
1711 
1712      For a given operation ID, the input and output buffers are used as
1713      follows::
1714 
1715         Operation ID            in,in_len       out,out_len     in2,in2_len
1716         ======================= =============== =============== ===============
1717         kernel_pkey_encrypt     Raw data        Encrypted data  -
1718         kernel_pkey_decrypt     Encrypted data  Raw data        -
1719         kernel_pkey_sign        Raw data        Signature       -
1720         kernel_pkey_verify      Raw data        -               Signature
1721 
1722      asym_eds_op() deals with encryption, decryption and signature creation as
1723      specified by params->op.  Note that params->op is also set for
1724      asym_verify_signature().
1725 
1726      Encrypting and signature creation both take raw data in the input buffer
1727      and return the encrypted result in the output buffer.  Padding may have
1728      been added if an encoding was set.  In the case of signature creation,
1729      depending on the encoding, the padding created may need to indicate the
1730      digest algorithm - the name of which should be supplied in hash_algo.
1731 
1732      Decryption takes encrypted data in the input buffer and returns the raw
1733      data in the output buffer.  Padding will get checked and stripped off if
1734      an encoding was set.
1735 
1736      Verification takes raw data in the input buffer and the signature in the
1737      second input buffer and checks that the one matches the other.  Padding
1738      will be validated.  Depending on the encoding, the digest algorithm used
1739      to generate the raw data may need to be indicated in hash_algo.
1740 
1741      If successful, asym_eds_op() should return the number of bytes written
1742      into the output buffer.  asym_verify_signature() should return 0.
1743 
1744      A variety of errors may be returned, including EOPNOTSUPP if the operation
1745      is not supported; EKEYREJECTED if verification fails; ENOPKG if the
1746      required crypto isn't available.
1747 
1748 
1749   *  ``asym_query``::
1750 
1751        int (*asym_query)(const struct kernel_pkey_params *params,
1752                          struct kernel_pkey_query *info);
1753 
1754      This method is optional.  If provided it allows information about the
1755      public or asymmetric key held in the key to be determined.
1756 
1757      The parameter block is as for asym_eds_op() and co. but in_len and out_len
1758      are unused.  The encoding and hash_algo fields should be used to reduce
1759      the returned buffer/data sizes as appropriate.
1760 
1761      If successful, the following information is filled in::
1762 
1763         struct kernel_pkey_query {
1764                 __u32           supported_ops;
1765                 __u32           key_size;
1766                 __u16           max_data_size;
1767                 __u16           max_sig_size;
1768                 __u16           max_enc_size;
1769                 __u16           max_dec_size;
1770         };
1771 
1772      The supported_ops field will contain a bitmask indicating what operations
1773      are supported by the key, including encryption of a blob, decryption of a
1774      blob, signing a blob and verifying the signature on a blob.  The following
1775      constants are defined for this::
1776 
1777         KEYCTL_SUPPORTS_{ENCRYPT,DECRYPT,SIGN,VERIFY}
1778 
1779      The key_size field is the size of the key in bits.  max_data_size and
1780      max_sig_size are the maximum raw data and signature sizes for creation and
1781      verification of a signature; max_enc_size and max_dec_size are the maximum
1782      raw data and signature sizes for encryption and decryption.  The
1783      max_*_size fields are measured in bytes.
1784 
1785      If successful, 0 will be returned.  If the key doesn't support this,
1786      EOPNOTSUPP will be returned.
1787 
1788 
1789 Request-Key Callback Service
1790 ============================
1791 
1792 To create a new key, the kernel will attempt to execute the following command
1793 line::
1794 
1795         /sbin/request-key create <key> <uid> <gid> \
1796                 <threadring> <processring> <sessionring> <callout_info>
1797 
1798 <key> is the key being constructed, and the three keyrings are the process
1799 keyrings from the process that caused the search to be issued. These are
1800 included for two reasons:
1801 
1802    1  There may be an authentication token in one of the keyrings that is
1803       required to obtain the key, eg: a Kerberos Ticket-Granting Ticket.
1804 
1805    2  The new key should probably be cached in one of these rings.
1806 
1807 This program should set it UID and GID to those specified before attempting to
1808 access any more keys. It may then look around for a user specific process to
1809 hand the request off to (perhaps a path held in placed in another key by, for
1810 example, the KDE desktop manager).
1811 
1812 The program (or whatever it calls) should finish construction of the key by
1813 calling KEYCTL_INSTANTIATE or KEYCTL_INSTANTIATE_IOV, which also permits it to
1814 cache the key in one of the keyrings (probably the session ring) before
1815 returning.  Alternatively, the key can be marked as negative with KEYCTL_NEGATE
1816 or KEYCTL_REJECT; this also permits the key to be cached in one of the
1817 keyrings.
1818 
1819 If it returns with the key remaining in the unconstructed state, the key will
1820 be marked as being negative, it will be added to the session keyring, and an
1821 error will be returned to the key requestor.
1822 
1823 Supplementary information may be provided from whoever or whatever invoked this
1824 service. This will be passed as the <callout_info> parameter. If no such
1825 information was made available, then "-" will be passed as this parameter
1826 instead.
1827 
1828 
1829 Similarly, the kernel may attempt to update an expired or a soon to expire key
1830 by executing::
1831 
1832         /sbin/request-key update <key> <uid> <gid> \
1833                 <threadring> <processring> <sessionring>
1834 
1835 In this case, the program isn't required to actually attach the key to a ring;
1836 the rings are provided for reference.
1837 
1838 
1839 Garbage Collection
1840 ==================
1841 
1842 Dead keys (for which the type has been removed) will be automatically unlinked
1843 from those keyrings that point to them and deleted as soon as possible by a
1844 background garbage collector.
1845 
1846 Similarly, revoked and expired keys will be garbage collected, but only after a
1847 certain amount of time has passed.  This time is set as a number of seconds in::
1848 
1849         /proc/sys/kernel/keys/gc_delay

~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

kernel.org | git.kernel.org | LWN.net | Project Home | SVN repository | Mail admin

Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.

sflogo.php