[OpenAFS-devel] Preliminary LKI (Linux Key Infrastructure)

Kyle Moffett mrmacman_g4@mac.com
Fri, 23 Jul 2004 18:12:28 -0400


Here is my starting work on a key architecture for the kernel.  This 
hasn't even
been test compiled yet, so there are still bugs galore, but if anyone 
wants to
have a look, here it is:

Linux Key Infrastructure: <http://www.tjhsst.edu/~kmoffett/lki.tar.bz2>

Implemented:
	- lki_key_t
		A single key implemented with a generic blob

	- lki_keytype_t
		A keytype, either auto-generated by calling from user-space or
		registered by a kernel module with lki_keytype_register

	- lki_key_create, lki_key_destroy
		Kernel functions to create and destroy keys.  They allocate from
		a number pool.

	- lki_key_hash_add, lki_key_hash_remove, lki_key_hash_search
		Kernel functions to look up keys by number.

In progress:
	- lki_key_handle_t
		This will be tied to a file-descriptor for access by user processes. 
If
		a process "revokes" a given file-descriptor that it has open, then 
that
		key file-descriptor and any that it created (children) through dup() 
or
		being passed to another process will be destroyed.
	- Permissions on lki_key_t
		I'm still learning about this posix_acl_t stuff.  It would be nice if
		somebody could write a patch to seperate the POSIX ACL functions
		from inodes so they could be applied to lki_key_t objects even when
		the keyfs(TODO) isn't mounted

Not yet started:
	- key-rings
		They'll be a special case of a key where the BLOB contains a list of
		lki_key_handle_t and some extra metadata.
	- keyfs
		I'm not ready to open _that_ can of worms yet
	- syscall "keyctl"
		Once I get the kernel-side interfaces finalized, I'll build keyctl to 
match.

Cheers,
Kyle Moffett

-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GCM/CS/IT/U d- s++: a17 C++++>$ UB/L/X/*++++(+)>$ P+++(++++)>$
L++++(+++) E W++(+) N+++(++) o? K? w--- O? M++ V? PS+() PE+(-) Y+
PGP+++ t+(+++) 5 X R? tv-(--) b++++(++) DI+ D+ G e->++++$ h!*()>++$ r  
!y?(-)
------END GEEK CODE BLOCK------