From: Jarkko Sakkinen <jarkko@kernel.org>
To: Ahmad Fatoum <a.fatoum@pengutronix.de>
Cc: "Alasdair Kergon" <agk@redhat.com>,
	"Mike Snitzer" <snitzer@redhat.com>,
	dm-devel@redhat.com, "Song Liu" <song@kernel.org>,
	kernel@pengutronix.de, "Jan Lübbe" <jlu@pengutronix.de>,
	linux-integrity@vger.kernel.org, keyrings@vger.kernel.org,
	"Dmitry Baryshkov" <dbaryshkov@gmail.com>,
	"Jonathan Corbet" <corbet@lwn.net>,
	linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org,
	linux-raid@vger.kernel.org, "Sumit Garg" <sumit.garg@linaro.org>
Subject: Re: [PATCH 2/2] dm crypt: support using trusted keys
Date: Fri, 22 Jan 2021 20:05:48 +0200	[thread overview]
Message-ID: <YAsT/N8CHHNTZcj3@kernel.org> (raw)
In-Reply-To: <20210122084321.24012-2-a.fatoum@pengutronix.de>

On Fri, Jan 22, 2021 at 09:43:21AM +0100, Ahmad Fatoum wrote:
> Commit 27f5411a718c ("dm crypt: support using encrypted keys") extended
> dm-crypt to allow use of "encrypted" keys along with "user" and "logon".
> 
> Along the same lines, teach dm-crypt to support "trusted" keys as well.
> 
> Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
> ---

Is it possible to test run this with tmpfs? Would be a good test
target for Sumit's ARM-TEE trusted keys patches.

https://lore.kernel.org/linux-integrity/1604419306-26105-1-git-send-email-sumit.garg@linaro.org/

/Jarkko

> Unsure on whether target_type::version is something authors increment or
> maintainers fix up. I can respin if needed.
> 
> Cc: Jan Lübbe <jlu@pengutronix.de>
> Cc: linux-integrity@vger.kernel.org
> Cc: keyrings@vger.kernel.org
> Cc: Dmitry Baryshkov <dbaryshkov@gmail.com>
> ---
>  .../admin-guide/device-mapper/dm-crypt.rst    |  2 +-
>  drivers/md/Kconfig                            |  1 +
>  drivers/md/dm-crypt.c                         | 23 ++++++++++++++++++-
>  3 files changed, 24 insertions(+), 2 deletions(-)
> 
> diff --git a/Documentation/admin-guide/device-mapper/dm-crypt.rst b/Documentation/admin-guide/device-mapper/dm-crypt.rst
> index 1a6753b76dbb..aa2d04d95df6 100644
> --- a/Documentation/admin-guide/device-mapper/dm-crypt.rst
> +++ b/Documentation/admin-guide/device-mapper/dm-crypt.rst
> @@ -67,7 +67,7 @@ Parameters::
>      the value passed in <key_size>.
>  
>  <key_type>
> -    Either 'logon', 'user' or 'encrypted' kernel key type.
> +    Either 'logon', 'user', 'encrypted' or 'trusted' kernel key type.
>  
>  <key_description>
>      The kernel keyring key description crypt target should look for
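Review bot: the new 'trusted' option in this hunk should state that it is only available when CONFIG_TRUSTED_KEYS is enabled, since the dm-crypt.c change accepts the "trusted:" prefix only under IS_ENABLED(CONFIG_TRUSTED_KEYS) and otherwise the table load fails with -EINVAL, indistinguishable from a typo in the key string. Suggest something like "Either 'logon', 'user', 'encrypted' or 'trusted' (requires CONFIG_TRUSTED_KEYS) kernel key type." and a sentence noting that for trusted keys <key_size> must equal the sealed key's length, because set_key_trusted() rejects a mismatch.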
> diff --git a/drivers/md/Kconfig b/drivers/md/Kconfig
> index 9e44c09f6410..f2014385d48b 100644
> --- a/drivers/md/Kconfig
> +++ b/drivers/md/Kconfig
> @@ -270,6 +270,7 @@ config DM_CRYPT
>  	tristate "Crypt target support"
>  	depends on BLK_DEV_DM
>  	depends on (ENCRYPTED_KEYS || ENCRYPTED_KEYS=n)
> +	depends on (TRUSTED_KEYS || TRUSTED_KEYS=n)
>  	select CRYPTO
>  	select CRYPTO_CBC
>  	select CRYPTO_ESSIV
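Review bot: the added `depends on (TRUSTED_KEYS || TRUSTED_KEYS=n)` mirrors the ENCRYPTED_KEYS line directly above it and rules out the one broken combination, DM_CRYPT=y with TRUSTED_KEYS=m, where a built-in dm-crypt would reference key_type_trusted from a module; keeping the two lines adjacent and in the same form is the right choice.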
> diff --git a/drivers/md/dm-crypt.c b/drivers/md/dm-crypt.c
> index 7eeb9248eda5..6c7c687e546c 100644
> --- a/drivers/md/dm-crypt.c
> +++ b/drivers/md/dm-crypt.c
> @@ -37,6 +37,7 @@
>  #include <linux/key-type.h>
>  #include <keys/user-type.h>
>  #include <keys/encrypted-type.h>
> +#include <keys/trusted-type.h>
>  
>  #include <linux/device-mapper.h>
>  
> @@ -2452,6 +2453,22 @@ static int set_key_encrypted(struct crypt_config *cc, struct key *key)
>  	return 0;
>  }
>  
> +static int set_key_trusted(struct crypt_config *cc, struct key *key)
> +{
> +	const struct trusted_key_payload *tkp;
> +
> +	tkp = key->payload.data[0];
> +	if (!tkp)
> +		return -EKEYREVOKED;
> +
> +	if (cc->key_size != tkp->key_len)
> +		return -EINVAL;
> +
> +	memcpy(cc->key, tkp->key, cc->key_size);
> +
> +	return 0;
> +}
> +
>  static int crypt_set_keyring_key(struct crypt_config *cc, const char *key_string)
>  {
>  	char *new_key_string, *key_desc;
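Review bot: set_key_trusted() dereferences key->payload.data[0] and reads tkp->key_len and tkp->key with no locking visible in this hunk; a trusted key's payload can be replaced by a key update, so this must run with key->sem held for reading, exactly as set_key_encrypted() above requires. Please confirm crypt_set_keyring_key() takes down_read(&key->sem) around the set_key callback for all types rather than only for the existing ones. Otherwise the shape matches set_key_encrypted(): NULL payload mapped to -EKEYREVOKED, and `if (cc->key_size != tkp->key_len) return -EINVAL;` before the memcpy() keeps the copy bounded by the caller-declared key_size.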
> @@ -2484,6 +2501,10 @@ static int crypt_set_keyring_key(struct crypt_config *cc, const char *key_string
>  		   !strncmp(key_string, "encrypted:", key_desc - key_string + 1)) {
>  		type = &key_type_encrypted;
>  		set_key = set_key_encrypted;
> +	} else if (IS_ENABLED(CONFIG_TRUSTED_KEYS) &&
> +	           !strncmp(key_string, "trusted:", key_desc - key_string + 1)) {
> +		type = &key_type_trusted;
> +		set_key = set_key_trusted;
>  	} else {
>  		return -EINVAL;
>  	}
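Review bot: the continuation line `!strncmp(key_string, "trusted:", key_desc - key_string + 1)` is indented with a tab followed by spaces, whereas the "encrypted:" line above it uses tabs; checkpatch will flag this, so align it the same way as the existing branch. The length argument follows the established pattern (it covers the prefix up to and including the ':' at key_desc), so a key string whose type field is longer or shorter than "trusted" still fails the compare and falls through to the -EINVAL branch.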
> @@ -3555,7 +3576,7 @@ static void crypt_io_hints(struct dm_target *ti, struct queue_limits *limits)
>  
>  static struct target_type crypt_target = {
>  	.name   = "crypt",
> -	.version = {1, 22, 0},
> +	.version = {1, 23, 0},
>  	.module = THIS_MODULE,
>  	.ctr    = crypt_ctr,
>  	.dtr    = crypt_dtr,
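Review bot: bumping .version to {1, 23, 0} is appropriate here because the constructor now accepts a key_type string it previously rejected, which is the kind of user-visible change userspace can probe for via the target version. On the question raised in the commit message, leaving the bump in the patch is the safe default; if the dm maintainer prefers to renumber on merge that is a trivial fixup and does not need a respin.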
> -- 
> 2.30.0
> 
> 
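The patch adds a fourth accepted key_type to the dm-crypt table key string. The following is an added example, not part of the patch or of any reply in this thread, showing how an administrator would seal a key as a "trusted" keyring key and reference it from a crypt target. It assumes a TPM-backed (or, with Sumit Garg's series, TEE-backed) trusted key backend, keyctl(1) and dmsetup(8) on the host, root privileges, and a hypothetical key description `dmcrypt-root` and backing device `/dev/sdb1`; the helper functions `dmcrypt_keystring` and `dmcrypt_table` are illustrative and not part of any tool. The privileged commands only run when `DMCRYPT_APPLY=1` is set, so the script can be inspected and dry-run safely.

```shell
#!/bin/sh
# Added example (not from the patch or the dm-crypt documentation): build the
# dm-crypt table line that references a "trusted" keyring key.
# Key string syntax, per dm-crypt.rst:  :<key_size>:<key_type>:<key_description>
# Assumptions: TPM or TEE trusted-key backend available, keyctl(1) and
# dmsetup(8) installed, running as root when DMCRYPT_APPLY=1.
set -eu

# Print the dm-crypt key string for a keyring key, refusing key types the
# kernel does not accept.  key_size must equal the trusted key's payload
# length: the patch's set_key_trusted() returns -EINVAL on a mismatch.
dmcrypt_keystring() {
    size=$1; type=$2; desc=$3
    case "$type" in
        logon|user|encrypted|trusted) ;;
        *) echo "unsupported key type: $type" >&2; return 1 ;;
    esac
    case "$desc" in
        *:*) echo "key description must not contain ':'" >&2; return 1 ;;
    esac
    printf ':%s:%s:%s' "$size" "$type" "$desc"
}

# Build a crypt target line:
#   <start> <length> crypt <cipher> <key> <iv_offset> <device> <offset>
dmcrypt_table() {
    sectors=$1; cipher=$2; keystring=$3; dev=$4
    printf '0 %s crypt %s %s 0 %s 0' "$sectors" "$cipher" "$keystring" "$dev"
}

# --- usage (hypothetical names; privileged steps gated on DMCRYPT_APPLY=1) ---
KEYDESC=dmcrypt-root   # hypothetical key description
KEYSIZE=64             # 64 bytes: aes-xts needs two AES-256 keys
DEV=/dev/sdb1          # hypothetical backing device

KEYSTRING=$(dmcrypt_keystring "$KEYSIZE" trusted "$KEYDESC")
echo "dm-crypt key string: $KEYSTRING"

if [ "${DMCRYPT_APPLY:-0}" = 1 ]; then
    if [ -f "$KEYDESC.blob" ]; then
        # Later boots: re-import the sealed blob saved earlier.  The blob is
        # only useful to the TPM/TEE that sealed it; the raw key never leaves
        # the kernel.
        keyctl add trusted "$KEYDESC" "load $(cat "$KEYDESC.blob")" @u
    else
        # First boot: let the kernel generate and seal a fresh random key,
        # then save the sealed (hex) blob that 'keyctl pipe' returns.
        keyid=$(keyctl add trusted "$KEYDESC" "new $KEYSIZE" @u)
        keyctl pipe "$keyid" > "$KEYDESC.blob"
    fi
    # dm-crypt resolves the key by type and description from the keyring at
    # table load time; the key itself is never passed on the command line.
    dmsetup create cryptroot --table \
        "$(dmcrypt_table "$(blockdev --getsz "$DEV")" aes-xts-plain64 "$KEYSTRING" "$DEV")"
fi
```

The point of the "trusted" type over "user" is that the key material is generated and unsealed inside the kernel by the TPM or TEE backend and reaches dm-crypt only through set_key_trusted(); userspace handles nothing but the sealed blob, so the key never appears in the dmsetup command line or in the process's memory.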

Thread overview: 18+ messages
2021-01-22  8:43 [PATCH 1/2] dm crypt: replaced #if defined with IS_ENABLED Ahmad Fatoum
2021-01-22  8:43 ` [dm-devel] " Ahmad Fatoum
2021-01-22  8:43 ` [PATCH 2/2] dm crypt: support using trusted keys Ahmad Fatoum
2021-01-22  8:43   ` [dm-devel] " Ahmad Fatoum
2021-01-22 18:05   ` Jarkko Sakkinen [this message]
2021-01-22 18:05     ` Jarkko Sakkinen
2021-01-22 18:18     ` Jarkko Sakkinen
2021-01-22 18:18       ` [dm-devel] " Jarkko Sakkinen
2021-01-22 19:04       ` Ahmad Fatoum
2021-01-22 19:04         ` [dm-devel] " Ahmad Fatoum
2021-02-02 15:12         ` Ahmad Fatoum
2021-02-02 15:12           ` [dm-devel] " Ahmad Fatoum
2021-02-02 18:10 ` [PATCH 1/2] dm crypt: replaced #if defined with IS_ENABLED Mike Snitzer
2021-02-02 18:10   ` [dm-devel] " Mike Snitzer
2021-02-02 18:19   ` Ahmad Fatoum
2021-02-02 18:19     ` [dm-devel] " Ahmad Fatoum
2021-02-03  0:33 ` Dmitry Baryshkov
2021-02-03  0:33   ` [dm-devel] " Dmitry Baryshkov
