LKML Archive on lore.kernel.org
help / color / mirror / Atom feed
From: Ahmad Fatoum <a.fatoum@pengutronix.de>
To: Jarkko Sakkinen <jarkko@kernel.org>
Cc: "Theodore Y. Ts'o" <tytso@mit.edu>,
Jaegeuk Kim <jaegeuk@kernel.org>,
Eric Biggers <ebiggers@kernel.org>,
kernel@pengutronix.de, James Morris <jmorris@namei.org>,
"Serge E. Hallyn" <serge@hallyn.com>,
James Bottomley <jejb@linux.ibm.com>,
Mimi Zohar <zohar@linux.ibm.com>,
Sumit Garg <sumit.garg@linaro.org>,
David Howells <dhowells@redhat.com>,
linux-fscrypt@vger.kernel.org, linux-crypto@vger.kernel.org,
linux-integrity@vger.kernel.org,
linux-security-module@vger.kernel.org, keyrings@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH v2] fscrypt: support trusted keys
Date: Mon, 9 Aug 2021 12:00:40 +0200 [thread overview]
Message-ID: <10dac5c6-4530-217c-e1ea-a7e2e3572f43@pengutronix.de> (raw)
In-Reply-To: <20210809094408.4iqwsx77u64usfx6@kernel.org>
Hello Jarkko,
On 09.08.21 11:44, Jarkko Sakkinen wrote:
> On Fri, Aug 06, 2021 at 05:09:28PM +0200, Ahmad Fatoum wrote:
>> Kernel trusted keys don't require userspace knowledge of the raw key
>> material and instead export a sealed blob, which can be persisted to
>> unencrypted storage. Userspace can then load this blob into the kernel,
>> where it's unsealed and from there on usable for kernel crypto.
>>
>> This is incompatible with fscrypt, where userspace is supposed to supply
>> the raw key material. For TPMs, a work around is to do key unsealing in
>> userspace, but this may not be feasible for other trusted key backends.
>>
>> Make it possible to benefit from both fscrypt and trusted key sealing
>> by extending fscrypt_add_key_arg::key_id to hold either the ID of a
>> fscrypt-provisioning or a trusted key.
>>
>> A non fscrypt-provisioning key_id was so far prohibited, so additionally
>> allowing trusted keys won't break backwards compatibility.
>>
>> Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
>> ---
>> Tested with:
>> https://github.com/google/fscryptctl/pull/23
>> - if (key->type != &key_type_fscrypt_provisioning)
>> - goto bad_key;
>> - payload = key->payload.data[0];
>> + if (key->type == &key_type_fscrypt_provisioning) {
>
> Why does fscrypt have own key type, and does not extend 'encrypted' with a
> new format [*]?
See the commit[1] adding it for more information. TL;DR:
fscrypt maintainers would've preferred keys to be associated with
a "domain". So an encrypted key generated for fscrypt use couldn't be reused
for e.g. dm-crypt. They are wary of fscrypt users being more exposed if their
keys can be used with weaker ciphers via other kernel functionality that could
be used to extract information about the raw key material.
Eric also mentioned dislike of the possibility of rooting encrypted keys to
user keys. v2 is only restricted to v2, so we didn't discuss this further.
Restricting the key to fscrypt-only precludes this reuse.
My commit makes no attempts in changing that. It just adds a new way to pass
raw key material into fscrypt. For more information, see the commit[1] adding
that key type.
> [*] https://www.kernel.org/doc/html/v5.13/security/keys/trusted-encrypted.html
[1]: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=93edd392ca
Cheers,
Ahmad
--
Pengutronix e.K. | |
Steuerwalder Str. 21 | http://www.pengutronix.de/ |
31137 Hildesheim, Germany | Phone: +49-5121-206917-0 |
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
next prev parent reply other threads:[~2021-08-09 10:01 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-08-06 15:09 [PATCH v2] fscrypt: support trusted keys Ahmad Fatoum
2021-08-09 9:44 ` Jarkko Sakkinen
2021-08-09 10:00 ` Ahmad Fatoum [this message]
2021-08-09 10:02 ` Ahmad Fatoum
2021-08-10 18:02 ` Jarkko Sakkinen
2021-08-09 20:52 ` Eric Biggers
2021-08-10 18:06 ` Jarkko Sakkinen
2021-08-10 18:46 ` Eric Biggers
2021-08-10 21:21 ` Jarkko Sakkinen
2021-08-10 21:27 ` Eric Biggers
2021-08-11 0:17 ` Jarkko Sakkinen
2021-08-11 11:34 ` Mimi Zohar
2021-08-11 17:16 ` Eric Biggers
2021-08-12 0:54 ` Mimi Zohar
2021-08-17 13:04 ` Ahmad Fatoum
2021-08-17 13:55 ` Mimi Zohar
2021-08-17 14:13 ` Ahmad Fatoum
2021-08-17 14:24 ` Mimi Zohar
2021-08-18 2:09 ` Jarkko Sakkinen
2021-08-18 4:53 ` Sumit Garg
2021-08-09 21:24 ` Eric Biggers
2021-08-10 7:41 ` Ahmad Fatoum
2021-08-10 17:35 ` Eric Biggers
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=10dac5c6-4530-217c-e1ea-a7e2e3572f43@pengutronix.de \
--to=a.fatoum@pengutronix.de \
--cc=dhowells@redhat.com \
--cc=ebiggers@kernel.org \
--cc=jaegeuk@kernel.org \
--cc=jarkko@kernel.org \
--cc=jejb@linux.ibm.com \
--cc=jmorris@namei.org \
--cc=kernel@pengutronix.de \
--cc=keyrings@vger.kernel.org \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-fscrypt@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=serge@hallyn.com \
--cc=sumit.garg@linaro.org \
--cc=tytso@mit.edu \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).