From: Udit Agarwal <udit.agarwal@nxp.com>
To: dhowells@redhat.com, zohar@linux.vnet.ibm.com, jmorris@namei.org,
serge@hallyn.com, linux-integrity@vger.kernel.org,
keyrings@vger.kernel.org, linux-security-module@vger.kernel.org,
linux-kernel@vger.kernel.org
Cc: sahil.malhotra@nxp.com, Udit Agarwal <udit.agarwal@nxp.com>
Subject: [PATCH 2/2] encrypted_keys: Adds support for secure key-type as master key.
Date: Fri, 20 Jul 2018 05:58:56 +0000 [thread overview]
Message-ID: <20180720054656.29143-2-udit.agarwal@nxp.com> (raw)
In-Reply-To: <20180720054656.29143-1-udit.agarwal@nxp.com>
Encrypted keys can use secure key-type as master key along with
trusted/user keys.
Secure key as master key uses, secure key type payload derieved
using CAAM hardware.
Signed-off-by: Udit Agarwal <udit.agarwal@nxp.com>
Reviewed-by: Sahil Malhotra <sahil.malhotra@nxp.com>
---
MAINTAINERS | 1 +
security/keys/encrypted-keys/Makefile | 2 +
security/keys/encrypted-keys/encrypted.c | 13 ++++++-
security/keys/encrypted-keys/encrypted.h | 13 +++++++
.../keys/encrypted-keys/masterkey_secure.c | 37 +++++++++++++++++++
5 files changed, 64 insertions(+), 2 deletions(-)
create mode 100644 security/keys/encrypted-keys/masterkey_secure.c
diff --git a/MAINTAINERS b/MAINTAINERS
index 654be2ee4b0a..847254eec22a 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -7949,6 +7949,7 @@ F: include/keys/secure-type.h
F: security/keys/secure_key.c
F: security/keys/securekey_desc.c
F: security/keys/securekey_desc.h
+F: security/keys/encrypted-keys/masterkey_secure.c
KEYS/KEYRINGS:
M: David Howells <dhowells@redhat.com>
diff --git a/security/keys/encrypted-keys/Makefile b/security/keys/encrypted-keys/Makefile
index 7a44dce6f69d..df2b906b7d24 100644
--- a/security/keys/encrypted-keys/Makefile
+++ b/security/keys/encrypted-keys/Makefile
@@ -7,5 +7,7 @@ obj-$(CONFIG_ENCRYPTED_KEYS) += encrypted-keys.o
encrypted-keys-y := encrypted.o ecryptfs_format.o
masterkey-$(CONFIG_TRUSTED_KEYS) := masterkey_trusted.o
+masterkey-$(CONFIG_SECURE_KEYS) := masterkey_secure.o
masterkey-$(CONFIG_TRUSTED_KEYS)-$(CONFIG_ENCRYPTED_KEYS) := masterkey_trusted.o
+masterkey-$(CONFIG_SECURE_KEYS)-$(CONFIG_ENCRYPTED_KEYS) := masterkey_secure.o
encrypted-keys-y += $(masterkey-y) $(masterkey-m-m)
diff --git a/security/keys/encrypted-keys/encrypted.c b/security/keys/encrypted-keys/encrypted.c
index d92cbf9687c3..258b38094705 100644
--- a/security/keys/encrypted-keys/encrypted.c
+++ b/security/keys/encrypted-keys/encrypted.c
@@ -39,6 +39,7 @@
#include "ecryptfs_format.h"
static const char KEY_TRUSTED_PREFIX[] = "trusted:";
+static const char KEY_SECURE_PREFIX[] = "secure:";
static const char KEY_USER_PREFIX[] = "user:";
static const char hash_alg[] = "sha256";
static const char hmac_alg[] = "hmac(sha256)";
@@ -49,6 +50,7 @@ static unsigned int ivsize;
static int blksize;
#define KEY_TRUSTED_PREFIX_LEN (sizeof (KEY_TRUSTED_PREFIX) - 1)
+#define KEY_SECURE_PREFIX_LEN (sizeof(KEY_SECURE_PREFIX) - 1)
#define KEY_USER_PREFIX_LEN (sizeof (KEY_USER_PREFIX) - 1)
#define KEY_ECRYPTFS_DESC_LEN 16
#define HASH_SIZE SHA256_DIGEST_SIZE
@@ -125,7 +127,7 @@ static int valid_ecryptfs_desc(const char *ecryptfs_desc)
/*
* valid_master_desc - verify the 'key-type:desc' of a new/updated master-key
*
- * key-type:= "trusted:" | "user:"
+ * key-type:= "trusted:" | "user:" | "secure:"
* desc:= master-key description
*
* Verify that 'key-type' is valid and that 'desc' exists. On key update,
@@ -140,6 +142,8 @@ static int valid_master_desc(const char *new_desc, const char *orig_desc)
if (!strncmp(new_desc, KEY_TRUSTED_PREFIX, KEY_TRUSTED_PREFIX_LEN))
prefix_len = KEY_TRUSTED_PREFIX_LEN;
+ else if (!strncmp(new_desc, KEY_SECURE_PREFIX, KEY_SECURE_PREFIX_LEN))
+ prefix_len = KEY_SECURE_PREFIX_LEN;
else if (!strncmp(new_desc, KEY_USER_PREFIX, KEY_USER_PREFIX_LEN))
prefix_len = KEY_USER_PREFIX_LEN;
else
@@ -358,7 +362,7 @@ static int calc_hmac(u8 *digest, const u8 *key, unsigned int keylen,
enum derived_key_type { ENC_KEY, AUTH_KEY };
-/* Derive authentication/encryption key from trusted key */
+/* Derive authentication/encryption key from trusted/secure key */
static int get_derived_key(u8 *derived_key, enum derived_key_type key_type,
const u8 *master_key, size_t master_keylen)
{
@@ -429,6 +433,11 @@ static struct key *request_master_key(struct encrypted_key_payload *epayload,
mkey = request_trusted_key(epayload->master_desc +
KEY_TRUSTED_PREFIX_LEN,
master_key, master_keylen);
+ } else if (!strncmp(epayload->master_desc, KEY_SECURE_PREFIX,
+ KEY_SECURE_PREFIX_LEN)) {
+ mkey = request_secure_key(epayload->master_desc +
+ KEY_SECURE_PREFIX_LEN,
+ master_key, master_keylen);
} else if (!strncmp(epayload->master_desc, KEY_USER_PREFIX,
KEY_USER_PREFIX_LEN)) {
mkey = request_user_key(epayload->master_desc +
diff --git a/security/keys/encrypted-keys/encrypted.h b/security/keys/encrypted-keys/encrypted.h
index 1809995db452..f1cb73611e77 100644
--- a/security/keys/encrypted-keys/encrypted.h
+++ b/security/keys/encrypted-keys/encrypted.h
@@ -16,6 +16,19 @@ static inline struct key *request_trusted_key(const char *trusted_desc,
}
#endif
+#if defined(CONFIG_SECURE_KEYS)
+extern struct key *request_secure_key(const char *secure_desc,
+ const u8 **master_key,
+ size_t *master_keylen);
+#else
+static inline struct key *request_secure_key(const char *secure_desc,
+ const u8 **master_key,
+ size_t *master_keylen)
+{
+ return ERR_PTR(-EOPNOTSUPP);
+}
+#endif
+
#if ENCRYPTED_DEBUG
static inline void dump_master_key(const u8 *master_key, size_t master_keylen)
{
diff --git a/security/keys/encrypted-keys/masterkey_secure.c b/security/keys/encrypted-keys/masterkey_secure.c
new file mode 100644
index 000000000000..87068c966111
--- /dev/null
+++ b/security/keys/encrypted-keys/masterkey_secure.c
@@ -0,0 +1,37 @@
+// SPDX-License-Identifier: GPL-2.0
+/*
+ * Copyright (C) 2018 NXP.
+ *
+ */
+
+#include <linux/uaccess.h>
+#include <linux/module.h>
+#include <linux/err.h>
+#include <keys/secure-type.h>
+#include <keys/encrypted-type.h>
+#include "encrypted.h"
+
+/*
+ * request_secure_key - request the secure key
+ *
+ * Secure keys and their blobs are derived from CAAM hardware.
+ * Userspace manages secure key-type data, but key data is not
+ * visible in plain form. It is presented as blobs.
+ */
+struct key *request_secure_key(const char *secure_desc,
+ const u8 **master_key, size_t *master_keylen)
+{
+ struct secure_key_payload *spayload;
+ struct key *skey;
+
+ skey = request_key(&key_type_secure, secure_desc, NULL);
+ if (IS_ERR(skey))
+ goto error;
+
+ down_read(&skey->sem);
+ spayload = skey->payload.data[0];
+ *master_key = spayload->key;
+ *master_keylen = spayload->key_len;
+error:
+ return skey;
+}
--
2.17.1
WARNING: multiple messages have this Message-ID (diff)
From: Udit Agarwal <udit.agarwal@nxp.com>
To: dhowells@redhat.com, zohar@linux.vnet.ibm.com, jmorris@namei.org,
serge@hallyn.com, linux-integrity@vger.kernel.org,
keyrings@vger.kernel.org, linux-security-module@vger.kernel.org,
linux-kernel@vger.kernel.org
Cc: sahil.malhotra@nxp.com, Udit Agarwal <udit.agarwal@nxp.com>
Subject: [PATCH 2/2] encrypted_keys: Adds support for secure key-type as master key.
Date: Fri, 20 Jul 2018 11:16:56 +0530 [thread overview]
Message-ID: <20180720054656.29143-2-udit.agarwal@nxp.com> (raw)
In-Reply-To: <20180720054656.29143-1-udit.agarwal@nxp.com>
Encrypted keys can use secure key-type as master key along with
trusted/user keys.
Secure key as master key uses, secure key type payload derieved
using CAAM hardware.
Signed-off-by: Udit Agarwal <udit.agarwal@nxp.com>
Reviewed-by: Sahil Malhotra <sahil.malhotra@nxp.com>
---
MAINTAINERS | 1 +
security/keys/encrypted-keys/Makefile | 2 +
security/keys/encrypted-keys/encrypted.c | 13 ++++++-
security/keys/encrypted-keys/encrypted.h | 13 +++++++
.../keys/encrypted-keys/masterkey_secure.c | 37 +++++++++++++++++++
5 files changed, 64 insertions(+), 2 deletions(-)
create mode 100644 security/keys/encrypted-keys/masterkey_secure.c
diff --git a/MAINTAINERS b/MAINTAINERS
index 654be2ee4b0a..847254eec22a 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -7949,6 +7949,7 @@ F: include/keys/secure-type.h
F: security/keys/secure_key.c
F: security/keys/securekey_desc.c
F: security/keys/securekey_desc.h
+F: security/keys/encrypted-keys/masterkey_secure.c
KEYS/KEYRINGS:
M: David Howells <dhowells@redhat.com>
diff --git a/security/keys/encrypted-keys/Makefile b/security/keys/encrypted-keys/Makefile
index 7a44dce6f69d..df2b906b7d24 100644
--- a/security/keys/encrypted-keys/Makefile
+++ b/security/keys/encrypted-keys/Makefile
@@ -7,5 +7,7 @@ obj-$(CONFIG_ENCRYPTED_KEYS) += encrypted-keys.o
encrypted-keys-y := encrypted.o ecryptfs_format.o
masterkey-$(CONFIG_TRUSTED_KEYS) := masterkey_trusted.o
+masterkey-$(CONFIG_SECURE_KEYS) := masterkey_secure.o
masterkey-$(CONFIG_TRUSTED_KEYS)-$(CONFIG_ENCRYPTED_KEYS) := masterkey_trusted.o
+masterkey-$(CONFIG_SECURE_KEYS)-$(CONFIG_ENCRYPTED_KEYS) := masterkey_secure.o
encrypted-keys-y += $(masterkey-y) $(masterkey-m-m)
diff --git a/security/keys/encrypted-keys/encrypted.c b/security/keys/encrypted-keys/encrypted.c
index d92cbf9687c3..258b38094705 100644
--- a/security/keys/encrypted-keys/encrypted.c
+++ b/security/keys/encrypted-keys/encrypted.c
@@ -39,6 +39,7 @@
#include "ecryptfs_format.h"
static const char KEY_TRUSTED_PREFIX[] = "trusted:";
+static const char KEY_SECURE_PREFIX[] = "secure:";
static const char KEY_USER_PREFIX[] = "user:";
static const char hash_alg[] = "sha256";
static const char hmac_alg[] = "hmac(sha256)";
@@ -49,6 +50,7 @@ static unsigned int ivsize;
static int blksize;
#define KEY_TRUSTED_PREFIX_LEN (sizeof (KEY_TRUSTED_PREFIX) - 1)
+#define KEY_SECURE_PREFIX_LEN (sizeof(KEY_SECURE_PREFIX) - 1)
#define KEY_USER_PREFIX_LEN (sizeof (KEY_USER_PREFIX) - 1)
#define KEY_ECRYPTFS_DESC_LEN 16
#define HASH_SIZE SHA256_DIGEST_SIZE
@@ -125,7 +127,7 @@ static int valid_ecryptfs_desc(const char *ecryptfs_desc)
/*
* valid_master_desc - verify the 'key-type:desc' of a new/updated master-key
*
- * key-type:= "trusted:" | "user:"
+ * key-type:= "trusted:" | "user:" | "secure:"
* desc:= master-key description
*
* Verify that 'key-type' is valid and that 'desc' exists. On key update,
@@ -140,6 +142,8 @@ static int valid_master_desc(const char *new_desc, const char *orig_desc)
if (!strncmp(new_desc, KEY_TRUSTED_PREFIX, KEY_TRUSTED_PREFIX_LEN))
prefix_len = KEY_TRUSTED_PREFIX_LEN;
+ else if (!strncmp(new_desc, KEY_SECURE_PREFIX, KEY_SECURE_PREFIX_LEN))
+ prefix_len = KEY_SECURE_PREFIX_LEN;
else if (!strncmp(new_desc, KEY_USER_PREFIX, KEY_USER_PREFIX_LEN))
prefix_len = KEY_USER_PREFIX_LEN;
else
@@ -358,7 +362,7 @@ static int calc_hmac(u8 *digest, const u8 *key, unsigned int keylen,
enum derived_key_type { ENC_KEY, AUTH_KEY };
-/* Derive authentication/encryption key from trusted key */
+/* Derive authentication/encryption key from trusted/secure key */
static int get_derived_key(u8 *derived_key, enum derived_key_type key_type,
const u8 *master_key, size_t master_keylen)
{
@@ -429,6 +433,11 @@ static struct key *request_master_key(struct encrypted_key_payload *epayload,
mkey = request_trusted_key(epayload->master_desc +
KEY_TRUSTED_PREFIX_LEN,
master_key, master_keylen);
+ } else if (!strncmp(epayload->master_desc, KEY_SECURE_PREFIX,
+ KEY_SECURE_PREFIX_LEN)) {
+ mkey = request_secure_key(epayload->master_desc +
+ KEY_SECURE_PREFIX_LEN,
+ master_key, master_keylen);
} else if (!strncmp(epayload->master_desc, KEY_USER_PREFIX,
KEY_USER_PREFIX_LEN)) {
mkey = request_user_key(epayload->master_desc +
diff --git a/security/keys/encrypted-keys/encrypted.h b/security/keys/encrypted-keys/encrypted.h
index 1809995db452..f1cb73611e77 100644
--- a/security/keys/encrypted-keys/encrypted.h
+++ b/security/keys/encrypted-keys/encrypted.h
@@ -16,6 +16,19 @@ static inline struct key *request_trusted_key(const char *trusted_desc,
}
#endif
+#if defined(CONFIG_SECURE_KEYS)
+extern struct key *request_secure_key(const char *secure_desc,
+ const u8 **master_key,
+ size_t *master_keylen);
+#else
+static inline struct key *request_secure_key(const char *secure_desc,
+ const u8 **master_key,
+ size_t *master_keylen)
+{
+ return ERR_PTR(-EOPNOTSUPP);
+}
+#endif
+
#if ENCRYPTED_DEBUG
static inline void dump_master_key(const u8 *master_key, size_t master_keylen)
{
diff --git a/security/keys/encrypted-keys/masterkey_secure.c b/security/keys/encrypted-keys/masterkey_secure.c
new file mode 100644
index 000000000000..87068c966111
--- /dev/null
+++ b/security/keys/encrypted-keys/masterkey_secure.c
@@ -0,0 +1,37 @@
+// SPDX-License-Identifier: GPL-2.0
+/*
+ * Copyright (C) 2018 NXP.
+ *
+ */
+
+#include <linux/uaccess.h>
+#include <linux/module.h>
+#include <linux/err.h>
+#include <keys/secure-type.h>
+#include <keys/encrypted-type.h>
+#include "encrypted.h"
+
+/*
+ * request_secure_key - request the secure key
+ *
+ * Secure keys and their blobs are derived from CAAM hardware.
+ * Userspace manages secure key-type data, but key data is not
+ * visible in plain form. It is presented as blobs.
+ */
+struct key *request_secure_key(const char *secure_desc,
+ const u8 **master_key, size_t *master_keylen)
+{
+ struct secure_key_payload *spayload;
+ struct key *skey;
+
+ skey = request_key(&key_type_secure, secure_desc, NULL);
+ if (IS_ERR(skey))
+ goto error;
+
+ down_read(&skey->sem);
+ spayload = skey->payload.data[0];
+ *master_key = spayload->key;
+ *master_keylen = spayload->key_len;
+error:
+ return skey;
+}
--
2.17.1
WARNING: multiple messages have this Message-ID (diff)
From: udit.agarwal@nxp.com (Udit Agarwal)
To: linux-security-module@vger.kernel.org
Subject: [PATCH 2/2] encrypted_keys: Adds support for secure key-type as master key.
Date: Fri, 20 Jul 2018 11:16:56 +0530 [thread overview]
Message-ID: <20180720054656.29143-2-udit.agarwal@nxp.com> (raw)
In-Reply-To: <20180720054656.29143-1-udit.agarwal@nxp.com>
Encrypted keys can use secure key-type as master key along with
trusted/user keys.
Secure key as master key uses, secure key type payload derieved
using CAAM hardware.
Signed-off-by: Udit Agarwal <udit.agarwal@nxp.com>
Reviewed-by: Sahil Malhotra <sahil.malhotra@nxp.com>
---
MAINTAINERS | 1 +
security/keys/encrypted-keys/Makefile | 2 +
security/keys/encrypted-keys/encrypted.c | 13 ++++++-
security/keys/encrypted-keys/encrypted.h | 13 +++++++
.../keys/encrypted-keys/masterkey_secure.c | 37 +++++++++++++++++++
5 files changed, 64 insertions(+), 2 deletions(-)
create mode 100644 security/keys/encrypted-keys/masterkey_secure.c
diff --git a/MAINTAINERS b/MAINTAINERS
index 654be2ee4b0a..847254eec22a 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -7949,6 +7949,7 @@ F: include/keys/secure-type.h
F: security/keys/secure_key.c
F: security/keys/securekey_desc.c
F: security/keys/securekey_desc.h
+F: security/keys/encrypted-keys/masterkey_secure.c
KEYS/KEYRINGS:
M: David Howells <dhowells@redhat.com>
diff --git a/security/keys/encrypted-keys/Makefile b/security/keys/encrypted-keys/Makefile
index 7a44dce6f69d..df2b906b7d24 100644
--- a/security/keys/encrypted-keys/Makefile
+++ b/security/keys/encrypted-keys/Makefile
@@ -7,5 +7,7 @@ obj-$(CONFIG_ENCRYPTED_KEYS) += encrypted-keys.o
encrypted-keys-y := encrypted.o ecryptfs_format.o
masterkey-$(CONFIG_TRUSTED_KEYS) := masterkey_trusted.o
+masterkey-$(CONFIG_SECURE_KEYS) := masterkey_secure.o
masterkey-$(CONFIG_TRUSTED_KEYS)-$(CONFIG_ENCRYPTED_KEYS) := masterkey_trusted.o
+masterkey-$(CONFIG_SECURE_KEYS)-$(CONFIG_ENCRYPTED_KEYS) := masterkey_secure.o
encrypted-keys-y += $(masterkey-y) $(masterkey-m-m)
diff --git a/security/keys/encrypted-keys/encrypted.c b/security/keys/encrypted-keys/encrypted.c
index d92cbf9687c3..258b38094705 100644
--- a/security/keys/encrypted-keys/encrypted.c
+++ b/security/keys/encrypted-keys/encrypted.c
@@ -39,6 +39,7 @@
#include "ecryptfs_format.h"
static const char KEY_TRUSTED_PREFIX[] = "trusted:";
+static const char KEY_SECURE_PREFIX[] = "secure:";
static const char KEY_USER_PREFIX[] = "user:";
static const char hash_alg[] = "sha256";
static const char hmac_alg[] = "hmac(sha256)";
@@ -49,6 +50,7 @@ static unsigned int ivsize;
static int blksize;
#define KEY_TRUSTED_PREFIX_LEN (sizeof (KEY_TRUSTED_PREFIX) - 1)
+#define KEY_SECURE_PREFIX_LEN (sizeof(KEY_SECURE_PREFIX) - 1)
#define KEY_USER_PREFIX_LEN (sizeof (KEY_USER_PREFIX) - 1)
#define KEY_ECRYPTFS_DESC_LEN 16
#define HASH_SIZE SHA256_DIGEST_SIZE
@@ -125,7 +127,7 @@ static int valid_ecryptfs_desc(const char *ecryptfs_desc)
/*
* valid_master_desc - verify the 'key-type:desc' of a new/updated master-key
*
- * key-type:= "trusted:" | "user:"
+ * key-type:= "trusted:" | "user:" | "secure:"
* desc:= master-key description
*
* Verify that 'key-type' is valid and that 'desc' exists. On key update,
@@ -140,6 +142,8 @@ static int valid_master_desc(const char *new_desc, const char *orig_desc)
if (!strncmp(new_desc, KEY_TRUSTED_PREFIX, KEY_TRUSTED_PREFIX_LEN))
prefix_len = KEY_TRUSTED_PREFIX_LEN;
+ else if (!strncmp(new_desc, KEY_SECURE_PREFIX, KEY_SECURE_PREFIX_LEN))
+ prefix_len = KEY_SECURE_PREFIX_LEN;
else if (!strncmp(new_desc, KEY_USER_PREFIX, KEY_USER_PREFIX_LEN))
prefix_len = KEY_USER_PREFIX_LEN;
else
@@ -358,7 +362,7 @@ static int calc_hmac(u8 *digest, const u8 *key, unsigned int keylen,
enum derived_key_type { ENC_KEY, AUTH_KEY };
-/* Derive authentication/encryption key from trusted key */
+/* Derive authentication/encryption key from trusted/secure key */
static int get_derived_key(u8 *derived_key, enum derived_key_type key_type,
const u8 *master_key, size_t master_keylen)
{
@@ -429,6 +433,11 @@ static struct key *request_master_key(struct encrypted_key_payload *epayload,
mkey = request_trusted_key(epayload->master_desc +
KEY_TRUSTED_PREFIX_LEN,
master_key, master_keylen);
+ } else if (!strncmp(epayload->master_desc, KEY_SECURE_PREFIX,
+ KEY_SECURE_PREFIX_LEN)) {
+ mkey = request_secure_key(epayload->master_desc +
+ KEY_SECURE_PREFIX_LEN,
+ master_key, master_keylen);
} else if (!strncmp(epayload->master_desc, KEY_USER_PREFIX,
KEY_USER_PREFIX_LEN)) {
mkey = request_user_key(epayload->master_desc +
diff --git a/security/keys/encrypted-keys/encrypted.h b/security/keys/encrypted-keys/encrypted.h
index 1809995db452..f1cb73611e77 100644
--- a/security/keys/encrypted-keys/encrypted.h
+++ b/security/keys/encrypted-keys/encrypted.h
@@ -16,6 +16,19 @@ static inline struct key *request_trusted_key(const char *trusted_desc,
}
#endif
+#if defined(CONFIG_SECURE_KEYS)
+extern struct key *request_secure_key(const char *secure_desc,
+ const u8 **master_key,
+ size_t *master_keylen);
+#else
+static inline struct key *request_secure_key(const char *secure_desc,
+ const u8 **master_key,
+ size_t *master_keylen)
+{
+ return ERR_PTR(-EOPNOTSUPP);
+}
+#endif
+
#if ENCRYPTED_DEBUG
static inline void dump_master_key(const u8 *master_key, size_t master_keylen)
{
diff --git a/security/keys/encrypted-keys/masterkey_secure.c b/security/keys/encrypted-keys/masterkey_secure.c
new file mode 100644
index 000000000000..87068c966111
--- /dev/null
+++ b/security/keys/encrypted-keys/masterkey_secure.c
@@ -0,0 +1,37 @@
+// SPDX-License-Identifier: GPL-2.0
+/*
+ * Copyright (C) 2018 NXP.
+ *
+ */
+
+#include <linux/uaccess.h>
+#include <linux/module.h>
+#include <linux/err.h>
+#include <keys/secure-type.h>
+#include <keys/encrypted-type.h>
+#include "encrypted.h"
+
+/*
+ * request_secure_key - request the secure key
+ *
+ * Secure keys and their blobs are derived from CAAM hardware.
+ * Userspace manages secure key-type data, but key data is not
+ * visible in plain form. It is presented as blobs.
+ */
+struct key *request_secure_key(const char *secure_desc,
+ const u8 **master_key, size_t *master_keylen)
+{
+ struct secure_key_payload *spayload;
+ struct key *skey;
+
+ skey = request_key(&key_type_secure, secure_desc, NULL);
+ if (IS_ERR(skey))
+ goto error;
+
+ down_read(&skey->sem);
+ spayload = skey->payload.data[0];
+ *master_key = spayload->key;
+ *master_keylen = spayload->key_len;
+error:
+ return skey;
+}
--
2.17.1
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
next prev parent reply other threads:[~2018-07-20 5:58 UTC|newest]
Thread overview: 32+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-07-20 5:46 [PATCH 1/2] security/keys/secure_key: Adds the secure key support based on CAAM Udit Agarwal
2018-07-20 5:58 ` Udit Agarwal
2018-07-20 5:46 ` Udit Agarwal
2018-07-20 5:46 ` Udit Agarwal [this message]
2018-07-20 5:58 ` [PATCH 2/2] encrypted_keys: Adds support for secure key-type as master key Udit Agarwal
2018-07-20 5:46 ` Udit Agarwal
2018-07-20 8:40 ` [PATCH 1/2] security/keys/secure_key: Adds the secure key support based on CAAM Jan Lübbe
2018-07-20 8:40 ` Jan Lübbe
2018-07-20 8:40 ` Jan Lübbe
2018-07-21 14:44 ` Udit Agarwal
2018-07-21 14:44 ` Udit Agarwal
2018-07-21 14:44 ` Udit Agarwal
2018-07-21 14:44 ` Udit Agarwal
2018-07-23 12:42 ` Jan Lübbe
2018-07-23 12:42 ` Jan Lübbe
2018-07-23 12:42 ` Jan Lübbe
2018-07-23 12:42 ` Jan Lübbe
2018-07-20 18:37 ` kbuild test robot
2018-07-20 18:37 ` kbuild test robot
2018-07-20 18:37 ` kbuild test robot
2018-07-22 23:34 ` Mimi Zohar
2018-07-22 23:34 ` Mimi Zohar
2018-07-22 23:34 ` Mimi Zohar
2018-07-22 23:34 ` Mimi Zohar
2018-07-24 12:31 ` Udit Agarwal
2018-07-24 12:31 ` Udit Agarwal
2018-07-24 12:31 ` Udit Agarwal
2018-07-24 12:31 ` Udit Agarwal
2018-07-24 13:34 ` Mimi Zohar
2018-07-24 13:34 ` Mimi Zohar
2018-07-24 13:34 ` Mimi Zohar
2018-07-24 13:34 ` Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180720054656.29143-2-udit.agarwal@nxp.com \
--to=udit.agarwal@nxp.com \
--cc=dhowells@redhat.com \
--cc=jmorris@namei.org \
--cc=keyrings@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=sahil.malhotra@nxp.com \
--cc=serge@hallyn.com \
--cc=zohar@linux.vnet.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.