linux-kernel.vger.kernel.org archive mirror
* Cannot read payload of an encrypted key rooted in a trusted key
@ 2019-02-11  4:45 Salah Coronya
  0 siblings, 0 replies; only message in thread
From: Salah Coronya @ 2019-02-11  4:45 UTC (permalink / raw)
  To: linux-kernel

In the file Documentation/security/keys-trusted-encrypted, an example is 
shown of how to create an encrypted key rooted in a trusted key. Basically, 
the following should work:

KMK_KEY=$(keyctl add trusted kmk "new 32" @u)
keyctl pipe $KMK_KEY > ~/kmk-trusted.blob
EVM_KEY=$(keyctl add encrypted evm "new default trusted:kmk 32" @u)
keyctl pipe $EVM_KEY > ~/evm-trusted.blob

But the last command does not work. It reports "keyctl_read_alloc: 
Operation not supported"

strace shows this:

keyctl(KEYCTL_READ, 404204492, NULL, 0) = 185
keyctl(KEYCTL_READ, 404204492, 0x557a43f66260, 185) = -1 EOPNOTSUPP 
(Operation not supported)

I've tried this on kernels 4.4.163, 4.14.83, and 4.20.6, on a machine 
with a real TPM and with a virtual TPM in a VM, both TPM 1.2 and 2.0, and 
none of the cases work.

However, an encrypted key rooted in a (random) user key DOES work:

KMK_USER=$(dd if=/dev/urandom bs=1 count=32 2>/dev/null | keyctl padd user kmk-user @u)
keyctl pipe $KMK_USER > ~/kmk-user.blob
EVM_USER=$(keyctl add encrypted evm-user "new default user:kmk-user 32" @u)
keyctl pipe $EVM_USER > ~/evm-user.blob

I'm not sure if there is a missing step in the examples, if I have hit a 
kernel bug, or if I'm doing something wrong.


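Added example, not from the post above and not code from the kernel tree: a POSIX shell script that runs the documented trusted -> encrypted sequence and, independently of any TPM, inspects a kernel .config for the build combination that, as I read security/keys/encrypted-keys/encrypted.h of this era, turns request_trusted_key() into a stub returning -EOPNOTSUPP. The real function is only linked in when CONFIG_TRUSTED_KEYS=y, or when both CONFIG_TRUSTED_KEYS and CONFIG_ENCRYPTED_KEYS are =m; with ENCRYPTED_KEYS=y and TRUSTED_KEYS=m the stub is used. encrypted_read() reaches that stub only after it has answered the size probe, which is consistent with the strace in the post (first KEYCTL_READ with a NULL buffer returns 185, the second fails). The keyctl commands are the ones from the post; the /proc/config.gz and /boot/config-$(uname -r) locations, the verdict words, and the sample .config fragment are my assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post or of the kernel's own
# documentation. Reproduces the trusted -> encrypted key chain from
# Documentation/security/keys-trusted-encrypted and, when the encrypted key
# cannot be read back, checks the kernel configuration for the combination
# that makes the read fail.
#
# Background (my reading of security/keys/encrypted-keys/encrypted.h):
# the real request_trusted_key() is compiled only when CONFIG_TRUSTED_KEYS=y,
# or when both CONFIG_TRUSTED_KEYS and CONFIG_ENCRYPTED_KEYS are =m.
# Otherwise a stub returns -EOPNOTSUPP, which encrypted_read() hits after
# it has already answered the size-probing KEYCTL_READ with a NULL buffer.

# key_chain_verdict: reads a kernel .config on stdin and prints one word
# describing what KEYCTL_READ on an encrypted key rooted in "trusted:" does.
# (Kconfig derives CONFIG_FOO_MODULE from FOO=m, so only =y / =m appear in
# the .config text; the verdict words are my own naming.)
key_chain_verdict() {
    cfg=$(cat)
    trusted=$(printf '%s\n' "$cfg" | sed -n 's/^CONFIG_TRUSTED_KEYS=//p')
    encrypted=$(printf '%s\n' "$cfg" | sed -n 's/^CONFIG_ENCRYPTED_KEYS=//p')
    if [ "$encrypted" != y ] && [ "$encrypted" != m ]; then
        echo no-encrypted-keys   # the encrypted key type itself is absent
    elif [ "$trusted" = y ] || { [ "$trusted" = m ] && [ "$encrypted" = m ]; }; then
        echo ok                  # real request_trusted_key() is linked in
    elif [ "$trusted" = m ]; then
        echo eopnotsupp          # built-in ENCRYPTED_KEYS cannot call into a module
    else
        echo no-trusted-keys     # "keyctl add trusted" would already fail
    fi
}

# running_kernel_config: prints the running kernel's .config, or fails.
running_kernel_config() {
    if [ -r /proc/config.gz ]; then
        zcat /proc/config.gz
    elif [ -r "/boot/config-$(uname -r)" ]; then
        cat "/boot/config-$(uname -r)"
    else
        return 1
    fi
}

# reproduce_chain: the exact sequence from the documentation. Needs keyutils,
# a TPM and permission to add to the user keyring. Returns 0 if the encrypted
# key's payload reads back, 1 if "keyctl pipe" fails, 2 if the keys could
# not even be created.
reproduce_chain() {
    keyctl add trusted kmk "new 32" @u >/dev/null || return 2
    evm=$(keyctl add encrypted evm "new default trusted:kmk 32" @u) || return 2
    keyctl pipe "$evm" >/dev/null 2>&1 || return 1
    return 0
}

# Constructed sample .config fragment (not taken from any real machine):
# the combination I would expect to produce exactly the post's symptom.
SAMPLE_CFG='CONFIG_KEYS=y
CONFIG_TRUSTED_KEYS=m
CONFIG_ENCRYPTED_KEYS=y'

# sample_verdict: runs the check on the constructed fragment.
sample_verdict() {
    printf '%s\n' "$SAMPLE_CFG" | key_chain_verdict
}

main() {
    echo "constructed sample config -> $(sample_verdict)"
    if ! command -v keyctl >/dev/null 2>&1; then
        echo "keyctl not installed; skipping live reproduction" >&2
    else
        rc=0
        reproduce_chain || rc=$?
        if [ "$rc" -eq 0 ]; then
            echo "live: encrypted key rooted in trusted key reads back fine"
            return 0
        fi
        echo "live: reproduce_chain failed with status $rc" >&2
    fi
    if cfg=$(running_kernel_config); then
        echo "running kernel config -> $(printf '%s\n' "$cfg" | key_chain_verdict)"
    else
        echo "running kernel config not readable (CONFIG_IKCONFIG_PROC or /boot)" >&2
    fi
    return 0
}

main "$@"
```

On a machine showing the post's symptom, the expected output of the config check is "eopnotsupp"; if it prints "ok" instead, the build gating is not the cause and the kernel-bug hypothesis in the post is back on the table. Note that CONFIG_IKCONFIG_PROC must be enabled for /proc/config.gz to exist; distribution kernels usually ship the same information under /boot.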