Diff for /wikisrc/users/mbalmer/keylock.mdwn between versions 1.1 and 1.7

version 1.1, 2009/12/29 09:17:38 version 1.7, 2020/09/09 15:47:01
Line 1 Line 1
 # A Keylock Security Model for kauth(9)  [[!meta title="A Keylock Security Model for kauth(9)"]]
   
 Recently, generic support for electro-mechanical multi-position keylocks  Recently, generic support for electro-mechanical multi-position keylocks
 in the kernel has been added to NetBSD.  Such locks can be turned into  in the kernel has been added to NetBSD.  Such locks can be turned into
Line 11  securelevel variable... Line 11  securelevel variable...
   
 The number of keylock positions, the current keylock position, and the  The number of keylock positions, the current keylock position, and the
 overall keylock state can be read within the kernel using a set of  overall keylock state can be read within the kernel using a set of
 functions defined in {{src|keylock.h|sys/dev/keylock.h|}} and userland  functions defined in
 can access them through the '''hw.keylock''' sysctl hierarchy.  [keylock.h](http://cvsweb.de.netbsd.org/cgi-bin/cvsweb.cgi/src/sys/dev/keylock.h?rev=HEAD)
   and userland
   can access them through the <b>hw.keylock</b> sysctl hierarchy.
   
 The following components have been added:  The following components have been added:
   
 * '''{{manual page|gpiolock|4|}}''' a driver for GPIO attached keylocks.  * <b>[[!template id=man name="gpiolock" section="4"]]</b>
   a driver for GPIO attached keylocks.
  The driver registers with the in-kernel keylock "subsystem". See   The driver registers with the in-kernel keylock "subsystem". See
 {{src|gpiolock.c|sys/dev/gpio/gpiolock.c}}.  [gpiolock.c](http://cvsweb.de.netbsd.org/cgi-bin/cvsweb.cgi/src/sys/dev/gpio/gpiolock.c?rev=HEAD).
   
 * '''secmodel_keylock''', a {{manual page|kauth|9}} security model that  * <b>secmodel_keylock</b>, a
   [[!template id=man name="kauth" section="9"]]
   security model that
 authorizes based on the keylock "closedness".  Wheter the rightmost  authorizes based on the keylock "closedness".  Wheter the rightmost
 (default) or leftmost position of the keylock means open can be  (default) or leftmost position of the keylock means open can be
 controlled using the '''hw.keylock.order''' sysctl variable. This  controlled using the <b>hw.keylock.order</b> sysctl variable. This
 variable can only be changed if the keylock state is OPEN. See  variable can only be changed if the keylock state is OPEN. See
 {{src|secmodel_keylock.c|sys/secmodel/keylock/secmodel_keylock.c}}.  [secmodel_keylock.c](http://cvsweb.de.netbsd.org/cgi-bin/cvsweb.cgi/src/sys/secmodel/keylock/secmodel_keylock.c?rev=HEAD).
   
 The security model is started when a keylock driver registers and  The security model is started when a keylock driver registers and
 stopped when there is no more keylock driver.  The keylock security  stopped when there is no more keylock driver.  The keylock security
Line 34  model as well (e.g. to provide keylock s Line 39  model as well (e.g. to provide keylock s
 Useful e.g. for POS applications).  Useful e.g. for POS applications).
   
 The keylock state interpretation is done in  The keylock state interpretation is done in
 {{src|keylock.c|sys/dev/keylock.c}} and not in the driver itself.  This  [keylock.c](http://cvsweb.de.netbsd.org/cgi-bin/cvsweb.cgi/src/sys/dev/keylock.c?rev=HEAD)
   and not in the driver itself.  This
 allows for adding support for multiple keylocks in the future.  The  allows for adding support for multiple keylocks in the future.  The
 hw.keylock.pos and hw.keylock.npos sysctl variable have debugging  hw.keylock.pos and hw.keylock.npos sysctl variable have debugging
 character, the hw.keylock.state variable reflects the state and should  character, the hw.keylock.state variable reflects the state and should
Line 46  that means leaves room for interpretatio Line 52  that means leaves room for interpretatio
 show what makes sense in the end).  show what makes sense in the end).
   
 To enable the keylock support, the keylock security model, and the  To enable the keylock support, the keylock security model, and the
 {{manual page|gpiolock|4|}} driver, add the following lines to your  [[!template id=man name="gpiolock" section="4"]]
   driver, add the following lines to your
 kernel configuration file:  kernel configuration file:
   
         options KEYLOCK          options KEYLOCK
Line 54  kernel configuration file: Line 61  kernel configuration file:
         gpiolock* at gpio?          gpiolock* at gpio?
   
 Of course you must have at least one GPIO device in your system for the  Of course you must have at least one GPIO device in your system for the
 {{manual page|gpiolock|4|}} driver to work and the lock must be  [[!template id=man name="gpiolock" section="4"]]
   driver to work and the lock must be
 connected properly.  connected properly.
   
 Please keep in mind that this is an experimental feature...  <b>Please keep in mind that this is an experimental feature...</b>

Removed from v.1.1  
changed lines
  Added in v.1.7


CVSweb for NetBSD wikisrc <wikimaster@NetBSD.org> software: FreeBSD-CVSweb