keyring: new keyctl backend

Alessio Treglia · alessio · commit 99206edc50f3 · 2024-09-12T04:23:09.000+08:00
keyctl is a Linux kernel's interface to help protect cryptohtaphic data from a whole class of potential security vulnerabilities. The Keyctl backend leverages such Linux's kernel feature to store keys in memory securely. For more information, please see: https://docs.kernel.org/security/keys/core.html The keyctl backend is available on Linux platforms only.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -44,6 +44,7 @@ Every module contains its own CHANGELOG.md. Please refer to the module you are i
 
 * (baseapp) [#20291](https://github.com/cosmos/cosmos-sdk/pull/20291) Simulate nested messages.
 * (cli) [#21372](https://github.com/cosmos/cosmos-sdk/pull/21372) Add a `bulk-add-genesis-account` genesis command to add many genesis accounts at once.
+* (crypto/keyring) [#21653](https://github.com/cosmos/cosmos-sdk/pull/21653) New Linux-only backend that adds Linux kernel's `keyctl` support.
 
 ### Improvements
 
diff --git a/crypto/keyring/keyring.go b/crypto/keyring/keyring.go
@@ -180,7 +180,7 @@ func NewInMemoryWithKeyring(kr keyring.Keyring, cdc codec.Codec, opts ...Option)
 // New creates a new instance of a keyring.
 // Keyring options can be applied when generating the new instance.
 // Available backends are "os", "file", "kwallet", "memory", "pass", "test".
-func New(
+func newKeyringGeneric(
 	appName, backend, rootDir string, userInput io.Reader, cdc codec.Codec, opts ...Option,
 ) (Keyring, error) {
 	var (
diff --git a/crypto/keyring/keyring_linux.go b/crypto/keyring/keyring_linux.go
@@ -0,0 +1,42 @@
+//go:build linux
+// +build linux
+
+package keyring
+
+import (
+	"fmt"
+	"io"
+
+	"github.com/99designs/keyring"
+	"github.com/cosmos/cosmos-sdk/codec"
+)
+
+const BackendKeyctl = "keyctl"
+
+func newKeyctlBackendConfig(appName, _ string, _ io.Reader) keyring.Config {
+	return keyring.Config{
+		AllowedBackends: []keyring.BackendType{keyring.KeyCtlBackend},
+		ServiceName:     appName,
+		KeyCtlScope:     "user",
+		KeyCtlPerm:      0x3f3f0000,
+	}
+}
+
+// New creates a new instance of a keyring.
+// Keyring options can be applied when generating the new instance.
+// Available backends are "os", "file", "kwallet", "memory", "pass", "test".
+func New(
+	appName, backend, rootDir string, userInput io.Reader, cdc codec.Codec, opts ...Option,
+) (Keyring, error) {
+
+	if backend != BackendKeyctl {
+		return newKeyringGeneric(appName, backend, rootDir, userInput, cdc, opts...)
+	}
+
+	db, err := keyring.Open(newKeyctlBackendConfig(appName, "", userInput))
+	if err != nil {
+		return nil, fmt.Errorf("couldn't open keyring for %q: %w", appName, err)
+	}
+
+	return newKeystore(db, cdc, backend, opts...), nil
+}
diff --git a/crypto/keyring/keyring_other.go b/crypto/keyring/keyring_other.go
@@ -0,0 +1,16 @@
+//go:build !linux
+// +build !linux
+
+package keyring
+
+import (
+	"io"
+
+	"github.com/cosmos/cosmos-sdk/codec"
+)
+
+func New(
+	appName, backend, rootDir string, userInput io.Reader, cdc codec.Codec, opts ...Option,
+) (Keyring, error) {
+	return newKeyringGeneric(appName, backend, rootDir, userInput, cdc, opts...)
+}
