ell.lists.linux.dev archive mirror
From: James Prestwood <prestwoj@gmail.com>
To: ell@lists.linux.dev
Cc: James Prestwood <prestwoj@gmail.com>
Subject: [RFC 0/8] Crypto operations by key ID
Date: Fri, 18 Nov 2022 13:16:16 -0800	[thread overview]
Message-ID: <20221118211624.19298-1-prestwoj@gmail.com> (raw)

This adds support for several key based crypto operations but
instead of using a key directly it uses a key ID. This avoids
the need for ELL to ever hold a copy of the key assuming it
already exists in the kernel.

The motivation behind this is to enhance IWD's profile encryption.
Currently this uses a systemd feature but ultimately the secret
key is decrypted and put onto the file system for IWD to use.
This isn't desirable and it would be better if the key never hits
the FS, and even better if IWD never even sees it. This would
allow some external, trusted, entity (e.g. PAM/systemd-logind) to
set a secret key into the kernel upon user login (e.g. the user's
password). This key ID could then be used by IWD to encrypt
profiles without ever seeing the actual key.

James Prestwood (8):
  key: add l_key_search
  unit: add key search test
  checksum: commonize checksum creation
  checksum: add l_checksum_new_hmac_from_key_id
  cert-crypto: refactor l_cert_pkcs5_pbkdf2
  cert: add l_cert_pkcs5_pbkdf2_from_key_id
  cert: add explicit length to l_cert_pkcs5_pbkdf2
  unit: update test-pbkdf2 with API change

 ell/cert-crypto.c  |  97 +++++++++++++++++++++++++++-----------
 ell/cert.h         |   7 ++-
 ell/checksum.c     | 114 ++++++++++++++++++++-------------------------
 ell/checksum.h     |   2 +
 ell/ell.sym        |   3 ++
 ell/key.c          |  46 ++++++++++++++++++
 ell/key.h          |   3 ++
 unit/test-key.c    |  26 +++++++++++
 unit/test-pbkdf2.c |   1 +
 9 files changed, 208 insertions(+), 91 deletions(-)

-- 
2.34.3
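
The pattern the cover letter describes, a trusted entity putting a secret
into the kernel and a consumer doing HMAC by key serial without ever holding
the key bytes, can be shown with plain kernel interfaces. The following is
an added example and is not ELL or IWD code (the series' own
l_key_search/l_checksum_new_hmac_from_key_id implementation is not shown on
this page). It assumes Linux with a kernel of 6.3 or newer, which is when
AF_ALG gained ALG_SET_KEY_BY_KEY_SERIAL; the key description
"iwd:profile-secret" is made up, and the key/message pair is RFC 4231 test
case 2 so the result can be checked.

```c
/* Added example, not ELL or IWD code: crypto by key ID using only Linux
 * keyring syscalls and AF_ALG. Assumes kernel >= 6.3 for
 * ALG_SET_KEY_BY_KEY_SERIAL. Key description and payload are made up for
 * the demo (payload is the RFC 4231 test case 2 key). Build: cc -Wall keyid.c */
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <linux/if_alg.h>
#include <linux/keyctl.h>

#ifndef ALG_SET_KEY_BY_KEY_SERIAL
#define ALG_SET_KEY_BY_KEY_SERIAL 7	/* older uapi headers lack it */
#endif

typedef int32_t key_serial_t;

/* Trusted side (PAM/logind in the cover letter): add the secret to the
 * session keyring; only its serial number comes back to userspace. */
static key_serial_t install_secret(const char *type, const char *desc,
				   const void *secret, size_t len)
{
	long r = syscall(SYS_add_key, type, desc, secret, len,
			 KEY_SPEC_SESSION_KEYRING);
	return r < 0 ? -1 : (key_serial_t)r;
}

/* Consumer side (IWD): locate the key by description, never by value. */
static key_serial_t find_secret(const char *type, const char *desc)
{
	long r = syscall(SYS_keyctl, KEYCTL_SEARCH, KEY_SPEC_SESSION_KEYRING,
			 type, desc, 0);
	return r < 0 ? -1 : (key_serial_t)r;
}

/* 1 if userspace can read the payload back, else 0. A "logon" key has no
 * read operation (keyctl fails with EOPNOTSUPP); a "user" key does. */
static int key_readable_by_userspace(key_serial_t serial)
{
	return syscall(SYS_keyctl, KEYCTL_READ, serial, NULL, 0) >= 0;
}

/* HMAC-SHA256 over msg with the key named by serial. Returns 0 and fills
 * out[32], or -errno. The key bytes never enter this process: the kernel
 * resolves the serial and feeds the payload to the hmac transform itself. */
static int hmac_sha256_by_key_id(key_serial_t serial, const void *msg,
				 size_t len, unsigned char out[32])
{
	struct sockaddr_alg sa = {
		.salg_family = AF_ALG,
		.salg_type = "hash",
		.salg_name = "hmac(sha256)",
	};
	int tfm, op = -1, err = 0;

	tfm = socket(AF_ALG, SOCK_SEQPACKET, 0);
	if (tfm < 0)
		return -errno;
	if (bind(tfm, (struct sockaddr *)&sa, sizeof(sa)) < 0 ||
	    setsockopt(tfm, SOL_ALG, ALG_SET_KEY_BY_KEY_SERIAL,
		       &serial, sizeof(serial)) < 0 ||
	    (op = accept(tfm, NULL, 0)) < 0) {
		err = -errno;
		close(tfm);
		return err;
	}
	/* One-shot hash: send the whole message, then read the digest. */
	if (send(op, msg, len, 0) != (ssize_t)len || read(op, out, 32) != 32)
		err = -EIO;
	close(op);
	close(tfm);
	return err;
}

/* Constructed check value: RFC 4231 test case 2, key "Jefe",
 * data "what do ya want for nothing?". */
static const unsigned char rfc4231_tc2[32] = {
	0x5b, 0xdc, 0xc1, 0x46, 0xbf, 0x60, 0x75, 0x4e,
	0x6a, 0x04, 0x24, 0x26, 0x08, 0x95, 0x75, 0xc7,
	0x5a, 0x00, 0x3f, 0x08, 0x9d, 0x27, 0x39, 0x83,
	0x9d, 0xec, 0x58, 0xb9, 0x64, 0xec, 0x38, 0x43,
};

/* Whole flow. Returns 1 when the MAC computed via the key ID matches the
 * vector, 0 when this kernel or sandbox cannot do it (add_key blocked, no
 * AF_ALG, or no ALG_SET_KEY_BY_KEY_SERIAL), -1 on a real failure. */
int demo_hmac_by_key_id(void)
{
	static const char msg[] = "what do ya want for nothing?";
	unsigned char mac[32];
	key_serial_t id;

	/* "logon" keys require a "prefix:name" description (name made up). */
	if (install_secret("logon", "iwd:profile-secret", "Jefe", 4) < 0)
		return 0;
	id = find_secret("logon", "iwd:profile-secret");
	if (id < 0)
		return -1;
	/* The point of the series: the consumer cannot read the secret back. */
	if (key_readable_by_userspace(id))
		return -1;
	if (hmac_sha256_by_key_id(id, msg, sizeof(msg) - 1, mac) < 0)
		return 0;
	return memcmp(mac, rfc4231_tc2, sizeof(mac)) == 0 ? 1 : -1;
}

int main(void)
{
	int r = demo_hmac_by_key_id();

	printf("%s\n", r > 0 ? "HMAC via key ID verified" :
	       r == 0 ? "kernel support unavailable here" : "FAILED");
	return r < 0;
}
```

Two caveats a practitioner should keep in mind. The key type matters: a
"user" key can be read back by its possessor with KEYCTL_READ, so the "IWD
never even sees it" property only holds for a type without a read operation
such as "logon" (the kernel's key-by-serial path accepts user, logon,
encrypted and trusted keys). And the serial is only a handle: whoever can
search the keyring and open AF_ALG can still use the key, so the keyring
permissions, not the absence of the bytes in the process, are what limit
who can compute MACs with it.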



Thread overview: 17+ messages
2022-11-18 21:16 James Prestwood [this message]
2022-11-18 21:16 ` [RFC 1/8] key: add l_key_search James Prestwood
2022-11-22 16:43   ` Denis Kenzior
2022-11-22 17:16     ` James Prestwood
2022-11-22 17:09       ` Denis Kenzior
2022-11-22 18:34         ` James Prestwood
2022-11-18 21:16 ` [RFC 2/8] unit: add key search test James Prestwood
2022-11-18 21:16 ` [RFC 3/8] checksum: commonize checksum creation James Prestwood
2022-11-22 16:46   ` Denis Kenzior
2022-11-18 21:16 ` [RFC 4/8] checksum: add l_checksum_new_hmac_from_key_id James Prestwood
2022-11-22 16:53   ` Denis Kenzior
2022-11-18 21:16 ` [RFC 5/8] cert-crypto: refactor l_cert_pkcs5_pbkdf2 James Prestwood
2022-11-22 17:00   ` Denis Kenzior
2022-11-18 21:16 ` [RFC 6/8] cert: add l_cert_pkcs5_pbkdf2_from_key_id James Prestwood
2022-11-22 17:03   ` Denis Kenzior
2022-11-18 21:16 ` [RFC 7/8] cert: add explicit length to l_cert_pkcs5_pbkdf2 James Prestwood
2022-11-18 21:16 ` [RFC 8/8] unit: update test-pbkdf2 with API change James Prestwood
