From: Dave Jiang <dave.jiang@intel.com>
To: dan.j.williams@intel.com
Cc: linux-nvdimm@lists.01.org
Subject: [PATCH v15 04/16] keys-encrypted: add nvdimm key format type to encrypted keys
Date: Thu, 13 Dec 2018 16:48:18 -0700 [thread overview]
Message-ID: <154474489873.64529.17488192789733888751.stgit@djiang5-desk3.ch.intel.com> (raw)
In-Reply-To: <154474458351.64529.4227918957466268448.stgit@djiang5-desk3.ch.intel.com>
Adding nvdimm key format type to encrypted keys in order to limit the size
of the key to 32bytes.
Signed-off-by: Dave Jiang <dave.jiang@intel.com>
Acked-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
---
Documentation/security/keys/trusted-encrypted.rst | 6 ++++
security/keys/encrypted-keys/encrypted.c | 29 ++++++++++++++-------
2 files changed, 25 insertions(+), 10 deletions(-)
diff --git a/Documentation/security/keys/trusted-encrypted.rst b/Documentation/security/keys/trusted-encrypted.rst
index 3bb24e09a332..e8a1c35cd277 100644
--- a/Documentation/security/keys/trusted-encrypted.rst
+++ b/Documentation/security/keys/trusted-encrypted.rst
@@ -76,7 +76,7 @@ Usage::
Where::
- format:= 'default | ecryptfs'
+ format:= 'default | ecryptfs | enc32'
key-type:= 'trusted' | 'user'
@@ -173,3 +173,7 @@ are anticipated. In particular the new format 'ecryptfs' has been defined in
in order to use encrypted keys to mount an eCryptfs filesystem. More details
about the usage can be found in the file
``Documentation/security/keys/ecryptfs.rst``.
+
+Another new format 'enc32' has been defined in order to support encrypted keys
+with payload size of 32 bytes. This will initially be used for nvdimm security
+but may expand to other usages that require 32 bytes payload.
diff --git a/security/keys/encrypted-keys/encrypted.c b/security/keys/encrypted-keys/encrypted.c
index d92cbf9687c3..fe0aefd06f83 100644
--- a/security/keys/encrypted-keys/encrypted.c
+++ b/security/keys/encrypted-keys/encrypted.c
@@ -45,6 +45,7 @@ static const char hmac_alg[] = "hmac(sha256)";
static const char blkcipher_alg[] = "cbc(aes)";
static const char key_format_default[] = "default";
static const char key_format_ecryptfs[] = "ecryptfs";
+static const char key_format_enc32[] = "enc32";
static unsigned int ivsize;
static int blksize;
@@ -54,6 +55,7 @@ static int blksize;
#define HASH_SIZE SHA256_DIGEST_SIZE
#define MAX_DATA_SIZE 4096
#define MIN_DATA_SIZE 20
+#define KEY_ENC32_PAYLOAD_LEN 32
static struct crypto_shash *hash_tfm;
@@ -62,12 +64,13 @@ enum {
};
enum {
- Opt_error = -1, Opt_default, Opt_ecryptfs
+ Opt_error = -1, Opt_default, Opt_ecryptfs, Opt_enc32
};
static const match_table_t key_format_tokens = {
{Opt_default, "default"},
{Opt_ecryptfs, "ecryptfs"},
+ {Opt_enc32, "enc32"},
{Opt_error, NULL}
};
@@ -195,6 +198,7 @@ static int datablob_parse(char *datablob, const char **format,
key_format = match_token(p, key_format_tokens, args);
switch (key_format) {
case Opt_ecryptfs:
+ case Opt_enc32:
case Opt_default:
*format = p;
*master_desc = strsep(&datablob, " \t");
@@ -625,15 +629,22 @@ static struct encrypted_key_payload *encrypted_key_alloc(struct key *key,
format_len = (!format) ? strlen(key_format_default) : strlen(format);
decrypted_datalen = dlen;
payload_datalen = decrypted_datalen;
- if (format && !strcmp(format, key_format_ecryptfs)) {
- if (dlen != ECRYPTFS_MAX_KEY_BYTES) {
- pr_err("encrypted_key: keylen for the ecryptfs format "
- "must be equal to %d bytes\n",
- ECRYPTFS_MAX_KEY_BYTES);
- return ERR_PTR(-EINVAL);
+ if (format) {
+ if (!strcmp(format, key_format_ecryptfs)) {
+ if (dlen != ECRYPTFS_MAX_KEY_BYTES) {
+ pr_err("encrypted_key: keylen for the ecryptfs format must be equal to %d bytes\n",
+ ECRYPTFS_MAX_KEY_BYTES);
+ return ERR_PTR(-EINVAL);
+ }
+ decrypted_datalen = ECRYPTFS_MAX_KEY_BYTES;
+ payload_datalen = sizeof(struct ecryptfs_auth_tok);
+ } else if (!strcmp(format, key_format_enc32)) {
+ if (decrypted_datalen != KEY_ENC32_PAYLOAD_LEN) {
+ pr_err("encrypted_key: enc32 key payload incorrect length: %d\n",
+ decrypted_datalen);
+ return ERR_PTR(-EINVAL);
+ }
}
- decrypted_datalen = ECRYPTFS_MAX_KEY_BYTES;
- payload_datalen = sizeof(struct ecryptfs_auth_tok);
}
encrypted_datalen = roundup(decrypted_datalen, blksize);
_______________________________________________
Linux-nvdimm mailing list
Linux-nvdimm@lists.01.org
https://lists.01.org/mailman/listinfo/linux-nvdimm
next prev parent reply other threads:[~2018-12-13 23:48 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-12-13 23:47 [PATCH v15 00/16] Adding security support for nvdimm Dave Jiang
2018-12-13 23:48 ` [PATCH v15 01/16] acpi/nfit: Add support for Intel DSM 1.8 commands Dave Jiang
2018-12-14 1:57 ` Dan Williams
2018-12-13 23:48 ` [PATCH v15 02/16] acpi/nfit, libnvdimm: Store dimm id as a member to struct nvdimm Dave Jiang
2018-12-13 23:48 ` [PATCH v15 03/16] keys: Export lookup_user_key to external users Dave Jiang
2018-12-13 23:48 ` Dave Jiang [this message]
2018-12-13 23:48 ` [PATCH v15 05/16] acpi/nfit, libnvdimm: Introduce nvdimm_security_ops Dave Jiang
2018-12-13 23:48 ` [PATCH v15 06/16] acpi/nfit, libnvdimm: Add freeze security support to Intel nvdimm Dave Jiang
2018-12-13 23:48 ` [PATCH v15 07/16] acpi/nfit, libnvdimm: Add unlock of nvdimm support for Intel DIMMs Dave Jiang
2019-01-15 21:56 ` Elliott, Robert (Persistent Memory)
2019-01-15 22:35 ` Dave Jiang
2018-12-13 23:48 ` [PATCH v15 08/16] acpi/nfit, libnvdimm: Add disable passphrase support to Intel nvdimm Dave Jiang
2018-12-13 23:48 ` [PATCH v15 09/16] acpi/nfit, libnvdimm: Add enable/update passphrase support for Intel nvdimms Dave Jiang
2018-12-13 23:48 ` [PATCH v15 10/16] acpi/nfit, libnvdimm: Add support for issue secure erase DSM to Intel nvdimm Dave Jiang
2018-12-13 23:48 ` [PATCH v15 11/16] acpi/nfit, libnvdimm/security: Add security DSM overwrite support Dave Jiang
2018-12-13 23:49 ` [PATCH v15 12/16] acpi/nfit, libnvdimm/security: add Intel DSM 1.8 master passphrase support Dave Jiang
2018-12-13 23:49 ` [PATCH v15 13/16] tools/testing/nvdimm: Add test support for Intel nvdimm security DSMs Dave Jiang
2018-12-13 23:49 ` [PATCH v15 14/16] tools/testing/nvdimm: Add overwrite support for nfit_test Dave Jiang
2018-12-13 23:49 ` [PATCH v15 15/16] tools/testing/nvdimm: add Intel DSM 1.8 " Dave Jiang
2018-12-13 23:49 ` [PATCH v15 16/16] libnvdimm/security: Add documentation for nvdimm security support Dave Jiang
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=154474489873.64529.17488192789733888751.stgit@djiang5-desk3.ch.intel.com \
--to=dave.jiang@intel.com \
--cc=dan.j.williams@intel.com \
--cc=linux-nvdimm@lists.01.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.