From: Ahmad Fatoum <a.fatoum@pengutronix.de> To: Alasdair Kergon <agk@redhat.com>, Mike Snitzer <snitzer@redhat.com>, dm-devel@redhat.com, Song Liu <song@kernel.org> Cc: kernel@pengutronix.de, "Ahmad Fatoum" <a.fatoum@pengutronix.de>, "Jan Lübbe" <jlu@pengutronix.de>, linux-integrity@vger.kernel.org, keyrings@vger.kernel.org, "Dmitry Baryshkov" <dbaryshkov@gmail.com>, "Jonathan Corbet" <corbet@lwn.net>, linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org, linux-raid@vger.kernel.org Subject: [PATCH 2/2] dm crypt: support using trusted keys Date: Fri, 22 Jan 2021 09:43:21 +0100 [thread overview] Message-ID: <20210122084321.24012-2-a.fatoum@pengutronix.de> (raw) In-Reply-To: <20210122084321.24012-1-a.fatoum@pengutronix.de> Commit 27f5411a718c ("dm crypt: support using encrypted keys") extended dm-crypt to allow use of "encrypted" keys along with "user" and "logon". Along the same lines, teach dm-crypt to support "trusted" keys as well. Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de> --- Unsure on whether target_type::version is something authors increment or maintainers fix up. I can respin if needed. Cc: Jan Lübbe <jlu@pengutronix.de> Cc: linux-integrity@vger.kernel.org Cc: keyrings@vger.kernel.org Cc: Dmitry Baryshkov <dbaryshkov@gmail.com> --- .../admin-guide/device-mapper/dm-crypt.rst | 2 +- drivers/md/Kconfig | 1 + drivers/md/dm-crypt.c | 23 ++++++++++++++++++- 3 files changed, 24 insertions(+), 2 deletions(-) diff --git a/Documentation/admin-guide/device-mapper/dm-crypt.rst b/Documentation/admin-guide/device-mapper/dm-crypt.rst index 1a6753b76dbb..aa2d04d95df6 100644 --- a/Documentation/admin-guide/device-mapper/dm-crypt.rst +++ b/Documentation/admin-guide/device-mapper/dm-crypt.rst 
@@ -67,7 +67,7 @@ Parameters:: the value passed in <key_size>. <key_type> - Either 'logon', 'user' or 'encrypted' kernel key type. + Either 'logon', 'user', 'encrypted' or 'trusted' kernel key type. <key_description> The kernel keyring key description crypt target should look for diff --git a/drivers/md/Kconfig b/drivers/md/Kconfig index 9e44c09f6410..f2014385d48b 100644 --- a/drivers/md/Kconfig +++ b/drivers/md/Kconfig @@ -270,6 +270,7 @@ config DM_CRYPT tristate "Crypt target support" depends on BLK_DEV_DM depends on (ENCRYPTED_KEYS || ENCRYPTED_KEYS=n) + depends on (TRUSTED_KEYS || TRUSTED_KEYS=n) select CRYPTO select CRYPTO_CBC select CRYPTO_ESSIV diff --git a/drivers/md/dm-crypt.c b/drivers/md/dm-crypt.c index 7eeb9248eda5..6c7c687e546c 100644 --- a/drivers/md/dm-crypt.c +++ b/drivers/md/dm-crypt.c @@ -37,6 +37,7 @@ #include <linux/key-type.h> #include <keys/user-type.h> #include <keys/encrypted-type.h> +#include <keys/trusted-type.h> #include <linux/device-mapper.h> @@ -2452,6 +2453,22 @@ static int set_key_encrypted(struct crypt_config *cc, struct key *key) return 0; } +static int set_key_trusted(struct crypt_config *cc, struct key *key) +{ + const struct trusted_key_payload *tkp; + + tkp = key->payload.data[0]; + if (!tkp) + return -EKEYREVOKED; + + if (cc->key_size != tkp->key_len) + return -EINVAL; + + memcpy(cc->key, tkp->key, cc->key_size); + + return 0; +} + static int crypt_set_keyring_key(struct crypt_config *cc, const char *key_string) { char *new_key_string, *key_desc; @@ -2484,6 +2501,10 @@ static int crypt_set_keyring_key(struct crypt_config *cc, const char *key_string !strncmp(key_string, "encrypted:", key_desc - key_string + 1)) { type = &key_type_encrypted; set_key = set_key_encrypted; + } else if (IS_ENABLED(CONFIG_TRUSTED_KEYS) && + !strncmp(key_string, "trusted:", key_desc - key_string + 1)) { + type = &key_type_trusted; + set_key = set_key_trusted; } else { return -EINVAL; } 
@@ -3555,7 +3576,7 @@ static void crypt_io_hints(struct dm_target *ti, struct queue_limits *limits) static struct target_type crypt_target = { .name = "crypt", - .version = {1, 22, 0}, + .version = {1, 23, 0}, .module = THIS_MODULE, .ctr = crypt_ctr, .dtr = crypt_dtr, -- 2.30.0
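Review bot: the dm-crypt.rst hunk adds 'trusted' to the list of accepted key types but says nothing about the constraint the code enforces: set_key_trusted rejects the key with -EINVAL unless the trusted key's payload length (tkp->key_len) equals <key_size>, so a sealed key created with the wrong length fails at table load rather than at keyctl time. A sentence next to the <key_type> entry stating that the key length of the trusted key must match <key_size> would save users a confusing table-load failure.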
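Review bot: set_key_trusted dereferences key->payload.data[0] and then copies tkp->key without any locking visible in the hunk; confirm that crypt_set_keyring_key takes the key's read lock around the set_key() call, as it must already do for set_key_encrypted, because a concurrent update of the trusted key replaces the payload pointer and the NULL check alone does not protect the memcpy. A one-line comment above the memcpy noting that tkp->key holds the already unsealed key material (the sealed blob is never touched here) would also make the intent clear to the next reader.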
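Review bot: the new "trusted:" branch references key_type_trusted and set_key_trusted even when CONFIG_TRUSTED_KEYS is off, relying on IS_ENABLED() folding to a constant so the dead reference is dropped before link time; this only works if keys/trusted-type.h (included in the earlier hunk) declares key_type_trusted unconditionally, and the Kconfig line `depends on (TRUSTED_KEYS || TRUSTED_KEYS=n)` is what keeps DM_CRYPT=y from being linked against TRUSTED_KEYS=m. Worth stating in the commit message that this mirrors the encrypted-keys handling, and doing a build test with TRUSTED_KEYS=n and TRUSTED_KEYS=m to cover both cases.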
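Review bot: the bump from {1, 22, 0} to {1, 23, 0} is appropriate and answers the question in the cover note: a new accepted <key_type> value is a userspace-visible feature, and the target version is the only way userspace can tell whether "trusted:" will be accepted before it tries, so the minor bump belongs in the patch rather than being left for the maintainer.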