From: Mimi Zohar <zohar@linux.vnet.ibm.com>
To: David Howells <dhowells@redhat.com>
Cc: d.kasatkin@samsung.com, zohar@us.ibm.com, keyrings@linux-nfs.org,
linux-security-module@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH 9/9] KEYS: Fix encrypted key type update method
Date: Sat, 16 Nov 2013 22:51:29 -0500 [thread overview]
Message-ID: <1384660289.5181.8.camel@dhcp-9-2-203-236.watson.ibm.com> (raw)
In-Reply-To: <29885.1384451991@warthog.procyon.org.uk>
On Thu, 2013-11-14 at 17:59 +0000, David Howells wrote:
> Mimi Zohar <zohar@linux.vnet.ibm.com> wrote:
>
> > Is there a keyutils git repo with a version of keyctl that supports the
> > control option?
>
> http://git.kernel.org/cgit/linux/kernel/git/dhowells/keyutils.git/log/?h=development
Thanks!
> > - type size_t is unsigned, no need to verify that it is negative.
>
> It doesn't hurt either...
>
> > - missing Documentation/security/keys-trusted-encrypted.txt updates
>
> Fixed (see diff below), but I suspect trusted_update() also needs scrutiny.
>
> > - the encrypted_preparse() comment still says 'encrypted_instantiate'
>
> Fixed.
>
> David
> ---
> diff --git a/Documentation/security/keys-trusted-encrypted.txt b/Documentation/security/keys-trusted-encrypted.txt
> index e105ae97a4f5..78794adf445d 100644
> --- a/Documentation/security/keys-trusted-encrypted.txt
> +++ b/Documentation/security/keys-trusted-encrypted.txt
> @@ -61,7 +61,7 @@ Usage:
> keyctl add encrypted name "new [format] key-type:master-key-name keylen"
> ring
> keyctl add encrypted name "load hex_blob" ring
> - keyctl update keyid "update key-type:master-key-name"
> + keyctl control keyid encrypted change-master-key "key-type:master-key-name"
>
> format:= 'default | ecryptfs'
> key-type:= 'trusted' | 'user'
The command has remained the same as before: "update key-type:master-key-name".
diff --git a/Documentation/security/keys-trusted-encrypted.txt b/Documentation/security/keys-trusted-encrypted.txt
index e105ae9..6610be4 100644
--- a/Documentation/security/keys-trusted-encrypted.txt
+++ b/Documentation/security/keys-trusted-encrypted.txt
@@ -61,12 +61,12 @@ Usage:
keyctl add encrypted name "new [format] key-type:master-key-name keylen"
ring
keyctl add encrypted name "load hex_blob" ring
- keyctl update keyid "update key-type:master-key-name"
+ keyctl control <keyid> encrypted change-master-key \
+ "update key-type:master-key-name"
format:= 'default | ecryptfs'
key-type:= 'trusted' | 'user'
-
Examples of trusted and encrypted key usage:
Create and save a trusted key named "kmk" of length 32 bytes:
@@ -153,6 +153,12 @@ Load an encrypted key "evm" from saved blob:
82dbbc55be2a44616e4959430436dc4f2a7a9659aa60bb4652aeb2120f149ed197c564e0
24717c64 5972dcb82ab2dde83376d82b2e3c09ffc
+Encrypt the "evm" key with a new master key kmk-new:
+
+ $ keyctl add trusted kmk-new "new 32" @u
+ $ keyctl control 831684262 encrypted change-master-key \
+ "update trusted:kmk-new"
+
Other uses for trusted and encrypted keys, such as for disk and file encryption
are anticipated. In particular the new format 'ecryptfs' has been defined in
in order to use encrypted keys to mount an eCryptfs filesystem. More details
thanks,
Mimi
next prev parent reply other threads:[~2013-11-17 3:51 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-11-04 16:22 [RFC][PATCH 0/9] encrypted keys & key control op David Howells
2013-11-04 16:22 ` [PATCH 1/9] KEYS: The RSA public key algorithm needs to select MPILIB David Howells
2013-11-04 16:22 ` [PATCH 2/9] KEYS: Provide a generic instantiation function David Howells
2013-11-04 16:22 ` [PATCH 3/9] KEYS: struct key_preparsed_payload should have two payload pointers David Howells
2013-11-04 16:22 ` [PATCH 4/9] KEYS: Allow expiry time to be set when preparsing a key David Howells
2013-11-04 16:22 ` [PATCH 5/9] KEYS: Call ->free_preparse() even after ->preparse() returns an error David Howells
2013-11-04 16:23 ` [PATCH 6/9] KEYS: Trusted: Use key preparsing David Howells
2013-11-13 16:49 ` Mimi Zohar
2013-11-14 15:50 ` David Howells
2013-11-04 16:23 ` [PATCH 7/9] KEYS: Add a keyctl function to alter/control a key in type-dependent way David Howells
2013-11-04 16:23 ` [PATCH 8/9] KEYS: Implement keyctl control for encrypted keys David Howells
2013-11-04 16:23 ` [PATCH 9/9] KEYS: Fix encrypted key type update method David Howells
2013-11-13 18:45 ` Mimi Zohar
2013-11-14 17:59 ` David Howells
2013-11-17 3:51 ` Mimi Zohar [this message]
2013-11-17 9:17 ` David Howells
2013-11-17 13:43 ` Mimi Zohar
2013-11-06 17:20 ` [RFC][PATCH 0/9] encrypted keys & key control op Dmitry Kasatkin
2013-11-06 17:42 ` David Howells
2013-11-11 12:14 ` Mimi Zohar
2013-11-11 16:32 ` Mimi Zohar
2013-11-11 22:34 ` David Howells
2013-11-12 0:26 ` Mimi Zohar
2013-11-12 16:19 ` David Howells
2013-11-11 22:35 ` David Howells
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1384660289.5181.8.camel@dhcp-9-2-203-236.watson.ibm.com \
--to=zohar@linux.vnet.ibm.com \
--cc=d.kasatkin@samsung.com \
--cc=dhowells@redhat.com \
--cc=keyrings@linux-nfs.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=zohar@us.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.