August 21, 2009 posted by Marc Balmer
Recently, generic support for electro-mechanical multi-position keylocks in the kernel has been added to NetBSD. Such locks can be turned into various positions, usually up to three or four. They come with a set of keys that differ in that not all positions can be reached with all keys (which key can go up to which position is called the "locking program"). With the new keylock support, such locks can be used to tinker with the kernel security, much like the traditional securelevel variable...
The number of keylock positions, the current keylock position, and the overall keylock state can be read within the kernel using a set of functions defined in sys/dev/keylock.h, and userland can access them through the hw.keylock sysctl hierarchy.
The following components have been added:
- gpiolock(4), a driver for GPIO-attached keylocks. The driver registers with the in-kernel keylock "subsystem".
- secmodel_keylock, a kauth(9) security model that authorizes based on the keylock "closedness". Whether the rightmost (default) or leftmost position of the keylock means open can be controlled using the hw.keylock.order sysctl variable. This variable can only be changed if the keylock state is OPEN.
The security model is started when a keylock driver registers and stopped when there is no more keylock driver. The keylock security model is optional; keylock support can be used without the security model as well (e.g. to provide the keylock state to userland applications, which is useful for POS applications, for example).
The keylock state interpretation is done in sys/dev/keylock.c and not in the driver itself. This allows for adding support for multiple keylocks in the future. The hw.keylock.pos and hw.keylock.npos sysctl variables are of a debugging nature; the hw.keylock.state variable reflects the state and should be used.
Currently, the keylock positions are interpreted as follows: there are at most four positions, OPEN, SEMIOPEN, SEMICLOSE, CLOSE. What exactly that means leaves room for interpretation right now... (experience will show what makes sense in the end).
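The following model is an added example, not code from sys/dev/keylock.c: it shows how a position could be mapped to one of the four states under either hw.keylock.order setting, and why the order may only change while the state is OPEN. All identifiers (kl_get_state, kl_set_order, the enums) and the treatment of intermediate positions are assumptions made for illustration.

```c
#include <errno.h>

/* Hypothetical names: this models the behaviour described above and is
 * not copied from sys/dev/keylock.c. */
enum kl_state { KL_OPEN, KL_SEMIOPEN, KL_SEMICLOSE, KL_CLOSE, KL_INVALID };
enum kl_order { KL_RIGHT_IS_OPEN, KL_LEFT_IS_OPEN };  /* rightmost = default */

struct keylock {
	int npos;             /* number of positions, 2..4 */
	int pos;              /* current position, 1 = leftmost */
	enum kl_order order;  /* which end of the lock means OPEN */
};

/* Map the physical position to a state, counting steps from the open end. */
enum kl_state kl_get_state(const struct keylock *kl)
{
	int d;

	if (kl->npos < 2 || kl->npos > 4 || kl->pos < 1 || kl->pos > kl->npos)
		return KL_INVALID;
	d = (kl->order == KL_RIGHT_IS_OPEN) ? kl->npos - kl->pos : kl->pos - 1;
	if (d == 0)
		return KL_OPEN;
	if (d == kl->npos - 1)
		return KL_CLOSE;
	/* Assumption: the step next to the open end is SEMIOPEN. */
	return (d == 1) ? KL_SEMIOPEN : KL_SEMICLOSE;
}

/* Change the order only while OPEN; otherwise a flip would turn CLOSE into OPEN. */
int kl_set_order(struct keylock *kl, enum kl_order order)
{
	if (kl_get_state(kl) != KL_OPEN)
		return EPERM;
	kl->order = order;
	return 0;
}

int main(void)
{
	struct keylock kl = { 4, 1, KL_RIGHT_IS_OPEN };  /* leftmost: CLOSE */
	int refused = kl_set_order(&kl, KL_LEFT_IS_OPEN) == EPERM;
	kl.pos = 4;  /* key turned fully right: OPEN */
	int allowed = kl_set_order(&kl, KL_LEFT_IS_OPEN) == 0;
	return (refused && allowed && kl_get_state(&kl) == KL_CLOSE) ? 0 : 1;
}
```

Note that after a permitted flip the same physical position reads as CLOSE, so the key has to be turned to the other end to reach OPEN again.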
To enable the keylock support, the keylock security model, and the gpiolock(4) driver, add the following lines to your kernel configuration file:
gpiolock* at gpio?
Of course, you must have at least one GPIO device in your system for the gpiolock(4) driver to work, and the lock must be connected properly.
Please keep in mind that this is an experimental feature...
(There is also a wiki page available to discuss keylock support at http://wiki.netbsd.se/Keylock_Support.)