From: Jarkko Sakkinen <jarkko@kernel.org> To: Ahmad Fatoum <a.fatoum@pengutronix.de> Cc: "Alasdair Kergon" <agk@redhat.com>, "Mike Snitzer" <snitzer@redhat.com>, dm-devel@redhat.com, "Song Liu" <song@kernel.org>, kernel@pengutronix.de, "Jan Lübbe" <jlu@pengutronix.de>, linux-integrity@vger.kernel.org, keyrings@vger.kernel.org, "Dmitry Baryshkov" <dbaryshkov@gmail.com>, "Jonathan Corbet" <corbet@lwn.net>, linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org, linux-raid@vger.kernel.org, "Sumit Garg" <sumit.garg@linaro.org> Subject: Re: [PATCH 2/2] dm crypt: support using trusted keys Date: Fri, 22 Jan 2021 20:05:48 +0200 [thread overview] Message-ID: <YAsT/N8CHHNTZcj3@kernel.org> (raw) In-Reply-To: <20210122084321.24012-2-a.fatoum@pengutronix.de> On Fri, Jan 22, 2021 at 09:43:21AM +0100, Ahmad Fatoum wrote: > Commit 27f5411a718c ("dm crypt: support using encrypted keys") extended > dm-crypt to allow use of "encrypted" keys along with "user" and "logon". > > Along the same lines, teach dm-crypt to support "trusted" keys as well. > > Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de> > --- Is it possible to test run this with tmpfs? Would be a good test target for Sumit's ARM-TEE trusted keys patches. https://lore.kernel.org/linux-integrity/1604419306-26105-1-git-send-email-sumit.garg@linaro.org/ /Jarkko > Unsure on whether target_type::version is something authors increment or > maintainers fix up. I can respin if needed. > > Cc: Jan Lübbe <jlu@pengutronix.de> > Cc: linux-integrity@vger.kernel.org > Cc: keyrings@vger.kernel.org > Cc: Dmitry Baryshkov <dbaryshkov@gmail.com> > --- > .../admin-guide/device-mapper/dm-crypt.rst | 2 +- > drivers/md/Kconfig | 1 + > drivers/md/dm-crypt.c | 23 ++++++++++++++++++- > 3 files changed, 24 insertions(+), 2 deletions(-) > > diff --git a/Documentation/admin-guide/device-mapper/dm-crypt.rst b/Documentation/admin-guide/device-mapper/dm-crypt.rst > index 1a6753b76dbb..aa2d04d95df6 100644 
> --- a/Documentation/admin-guide/device-mapper/dm-crypt.rst > +++ b/Documentation/admin-guide/device-mapper/dm-crypt.rst > @@ -67,7 +67,7 @@ Parameters:: > the value passed in <key_size>. > > <key_type> > - Either 'logon', 'user' or 'encrypted' kernel key type. > + Either 'logon', 'user', 'encrypted' or 'trusted' kernel key type. > > <key_description> > The kernel keyring key description crypt target should look for > diff --git a/drivers/md/Kconfig b/drivers/md/Kconfig > index 9e44c09f6410..f2014385d48b 100644 > --- a/drivers/md/Kconfig > +++ b/drivers/md/Kconfig > @@ -270,6 +270,7 @@ config DM_CRYPT > tristate "Crypt target support" > depends on BLK_DEV_DM > depends on (ENCRYPTED_KEYS || ENCRYPTED_KEYS=n) > + depends on (TRUSTED_KEYS || TRUSTED_KEYS=n) > select CRYPTO > select CRYPTO_CBC > select CRYPTO_ESSIV > diff --git a/drivers/md/dm-crypt.c b/drivers/md/dm-crypt.c > index 7eeb9248eda5..6c7c687e546c 100644 > --- a/drivers/md/dm-crypt.c > +++ b/drivers/md/dm-crypt.c > @@ -37,6 +37,7 @@ > #include <linux/key-type.h> > #include <keys/user-type.h> > #include <keys/encrypted-type.h> > +#include <keys/trusted-type.h> > > #include <linux/device-mapper.h> > > @@ -2452,6 +2453,22 @@ static int set_key_encrypted(struct crypt_config *cc, struct key *key) > return 0; > } > > +static int set_key_trusted(struct crypt_config *cc, struct key *key) > +{ > + const struct trusted_key_payload *tkp; > + > + tkp = key->payload.data[0]; > + if (!tkp) > + return -EKEYREVOKED; > + > + if (cc->key_size != tkp->key_len) > + return -EINVAL; > + > + memcpy(cc->key, tkp->key, cc->key_size); > + > + return 0; > +} > + > static int crypt_set_keyring_key(struct crypt_config *cc, const char *key_string) > { > char *new_key_string, *key_desc; 
> @@ -2484,6 +2501,10 @@ static int crypt_set_keyring_key(struct crypt_config *cc, const char *key_string > !strncmp(key_string, "encrypted:", key_desc - key_string + 1)) { > type = &key_type_encrypted; > set_key = set_key_encrypted; > + } else if (IS_ENABLED(CONFIG_TRUSTED_KEYS) && > + !strncmp(key_string, "trusted:", key_desc - key_string + 1)) { > + type = &key_type_trusted; > + set_key = set_key_trusted; > } else { > return -EINVAL; > } > @@ -3555,7 +3576,7 @@ static void crypt_io_hints(struct dm_target *ti, struct queue_limits *limits) > > static struct target_type crypt_target = { > .name = "crypt", > - .version = {1, 22, 0}, > + .version = {1, 23, 0}, > .module = THIS_MODULE, > .ctr = crypt_ctr, > .dtr = crypt_dtr, > -- > 2.30.0 > >
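Review bot: the dm-crypt.rst hunk lists 'trusted' beside the other key types but does not say that the type is only accepted on a kernel built with TRUSTED_KEYS (the code gates the branch on IS_ENABLED(CONFIG_TRUSTED_KEYS)), nor that the trusted key's payload length must equal the value passed in <key_size>. A sentence stating both would save users from an unexplained -EINVAL at table load.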
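Review bot: in set_key_trusted, both failure paths are silent: a NULL payload returns -EKEYREVOKED and `if (cc->key_size != tkp->key_len) return -EINVAL;` rejects a length mismatch without saying which length was expected. Since the copy `memcpy(cc->key, tkp->key, cc->key_size);` places the unsealed key bytes into dm-crypt's own config, a short comment noting that this mirrors set_key_encrypted, plus a DMERR on the length mismatch, would make the path easier to review and debug.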
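Review bot: in the new `else if (IS_ENABLED(CONFIG_TRUSTED_KEYS) && !strncmp(key_string, "trusted:", ...))` branch, a kernel built without TRUSTED_KEYS drops a well-formed "trusted:" key string into the existing `return -EINVAL;`, so an unsupported key type is indistinguishable from a typo in the key string. Consider logging that the prefix was recognised but not compiled in, or documenting that -EINVAL covers this case. The strncmp length `key_desc - key_string + 1` matches the idiom of the encrypted branch, so the prefix match itself is consistent.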