version 1.1, 2009/12/29 09:17:38
|
version 1.6, 2009/12/29 09:31:15
|
Line 1
|
Line 1
|
# A Keylock Security Model for kauth(9) |
[[!meta title="A Keylock Security Model for kauth(9)"]] |
|
|
Recently, generic support for electro-mechanical multi-position keylocks |
Recently, generic support for electro-mechanical multi-position keylocks |
in the kernel has been added to NetBSD. Such locks can be turned into |
in the kernel has been added to NetBSD. Such locks can be turned into |
Line 11 securelevel variable...
|
Line 11 securelevel variable...
|
|
|
The number of keylock positions, the current keylock position, and the |
The number of keylock positions, the current keylock position, and the |
overall keylock state can be read within the kernel using a set of |
overall keylock state can be read within the kernel using a set of |
functions defined in {{src|keylock.h|sys/dev/keylock.h|}} and userland |
functions defined in |
can access them through the '''hw.keylock''' sysctl hierarchy. |
[keylock.h](http://cvsweb.de.netbsd.org/cgi-bin/cvsweb.cgi/src/sys/dev/keylock.h?rev=HEAD) |
|
and userland |
|
can access them through the <b>hw.keylock</b> sysctl hierarchy. |
|
|
The following components have been added: |
The following components have been added: |
|
|
* '''{{manual page|gpiolock|4|}}''' a driver for GPIO attached keylocks. |
* <b>[gpiolock(4)](http://netbsd.gw.com/cgi-bin/man-cgi?gpiolock+4+NetBSD-current)</b> |
|
a driver for GPIO attached keylocks. |
The driver registers with the in-kernel keylock "subsystem". See |
The driver registers with the in-kernel keylock "subsystem". See |
{{src|gpiolock.c|sys/dev/gpio/gpiolock.c}}. |
[gpiolock.c](http://cvsweb.de.netbsd.org/cgi-bin/cvsweb.cgi/src/sys/dev/gpio/gpiolock.c?rev=HEAD). |
|
|
* '''secmodel_keylock''', a {{manual page|kauth|9}} security model that |
* <b>secmodel_keylock</b>, a |
|
[kauth(9)](http://netbsd.gw.com/cgi-bin/man-cgi?kauth+9+NetBSD-current) |
|
security model that |
authorizes based on the keylock "closedness". Wheter the rightmost |
authorizes based on the keylock "closedness". Wheter the rightmost |
(default) or leftmost position of the keylock means open can be |
(default) or leftmost position of the keylock means open can be |
controlled using the '''hw.keylock.order''' sysctl variable. This |
controlled using the <b>hw.keylock.order</b> sysctl variable. This |
variable can only be changed if the keylock state is OPEN. See |
variable can only be changed if the keylock state is OPEN. See |
{{src|secmodel_keylock.c|sys/secmodel/keylock/secmodel_keylock.c}}. |
[secmodel_keylock.c](http://cvsweb.de.netbsd.org/cgi-bin/cvsweb.cgi/src/sys/secmodel/keylock/secmodel_keylock.c?rev=HEAD). |
|
|
The security model is started when a keylock driver registers and |
The security model is started when a keylock driver registers and |
stopped when there is no more keylock driver. The keylock security |
stopped when there is no more keylock driver. The keylock security |
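Review bot: "Wheter" in the secmodel_keylock list item is carried into the new revision unchanged; since that item is being rewritten anyway, correct it to "Whether". The {{src|...}} and {{manual page|...}} templates are also replaced by full URLs that name cvsweb.de.netbsd.org and netbsd.gw.com in every link, so a host change now means editing each occurrence. If the wiki has a shortcut for source and manual page links, prefer it.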
Line 34 model as well (e.g. to provide keylock s
|
Line 39 model as well (e.g. to provide keylock s
|
Useful e.g. for POS applications). |
Useful e.g. for POS applications). |
|
|
The keylock state interpretation is done in |
The keylock state interpretation is done in |
{{src|keylock.c|sys/dev/keylock.c}} and not in the driver itself. This |
[keylock.c](http://cvsweb.de.netbsd.org/cgi-bin/cvsweb.cgi/src/sys/dev/keylock.c?rev=HEAD) |
|
and not in the driver itself. This |
allows for adding support for multiple keylocks in the future. The |
allows for adding support for multiple keylocks in the future. The |
hw.keylock.pos and hw.keylock.npos sysctl variable have debugging |
hw.keylock.pos and hw.keylock.npos sysctl variable have debugging |
character, the hw.keylock.state variable reflects the state and should |
character, the hw.keylock.state variable reflects the state and should |
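Review bot: The sentence "hw.keylock.pos and hw.keylock.npos sysctl variable have debugging character" is left as it was on both sides and should read "sysctl variables". The new keylock.c link points at rev=HEAD, so the statement that state interpretation is done in keylock.c and not in the driver will follow whatever the file becomes; consider linking the revision the text was written against.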
Line 46 that means leaves room for interpretatio
|
Line 52 that means leaves room for interpretatio
|
show what makes sense in the end). |
show what makes sense in the end). |
|
|
To enable the keylock support, the keylock security model, and the |
To enable the keylock support, the keylock security model, and the |
{{manual page|gpiolock|4|}} driver, add the following lines to your |
[gpiolock(4)](http://netbsd.gw.com/cgi-bin/man-cgi?gpiolock+4+NetBSD-current) |
|
driver, add the following lines to your |
kernel configuration file: |
kernel configuration file: |
|
|
options KEYLOCK |
options KEYLOCK |
Line 54 kernel configuration file:
|
Line 61 kernel configuration file:
|
gpiolock* at gpio? |
gpiolock* at gpio? |
|
|
Of course you must have at least one GPIO device in your system for the |
Of course you must have at least one GPIO device in your system for the |
{{manual page|gpiolock|4|}} driver to work and the lock must be |
[gpiolock(4)](http://netbsd.gw.com/cgi-bin/man-cgi?gpiolock+4+NetBSD-current) |
|
driver to work and the lock must be |
connected properly. |
connected properly. |
|
|
Please keep in mind that this is an experimental feature... |
<b>Please keep in mind that this is an experimental feature...</b> |
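Review bot: The closing notice gets its emphasis from a raw <b> element while the links in the same revision use Markdown syntax. Use **...** here, and for hw.keylock, hw.keylock.order and secmodel_keylock in the earlier hunks, so the page sticks to one markup.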