On Fri, Jan 22, 2021 at 09:43:21AM +0100, Ahmad Fatoum wrote: > Commit 27f5411a718c ("dm crypt: support using encrypted keys") extended > dm-crypt to allow use of "encrypted" keys along with "user" and "logon". > > Along the same lines, teach dm-crypt to support "trusted" keys as well. > > Signed-off-by: Ahmad Fatoum <a.fatoum@xxxxxxxxxxxxxx> > --- Is it possible to test run this with tmpfs? Would be a good test target for Sumit's ARM-TEE trusted keys patches. https://lore.kernel.org/linux-integrity/1604419306-26105-1-git-send-email-sumit.garg@xxxxxxxxxx/ /Jarkko > Unsure on whether target_type::version is something authors increment or > maintainers fix up. I can respin if needed. > > Cc: Jan Lübbe <jlu@xxxxxxxxxxxxxx> > Cc: linux-integrity@xxxxxxxxxxxxxxx > Cc: keyrings@xxxxxxxxxxxxxxx > Cc: Dmitry Baryshkov <dbaryshkov@xxxxxxxxx> > --- > .../admin-guide/device-mapper/dm-crypt.rst | 2 +- > drivers/md/Kconfig | 1 + > drivers/md/dm-crypt.c | 23 ++++++++++++++++++- > 3 files changed, 24 insertions(+), 2 deletions(-) > > diff --git a/Documentation/admin-guide/device-mapper/dm-crypt.rst b/Documentation/admin-guide/device-mapper/dm-crypt.rst > index 1a6753b76dbb..aa2d04d95df6 100644 > --- a/Documentation/admin-guide/device-mapper/dm-crypt.rst > +++ b/Documentation/admin-guide/device-mapper/dm-crypt.rst > @@ -67,7 +67,7 @@ Parameters:: > the value passed in <key_size>. > > <key_type> > - Either 'logon', 'user' or 'encrypted' kernel key type. > + Either 'logon', 'user', 'encrypted' or 'trusted' kernel key type. > > <key_description> > The kernel keyring key description crypt target should look for > diff --git a/drivers/md/Kconfig b/drivers/md/Kconfig > index 9e44c09f6410..f2014385d48b 100644 > --- a/drivers/md/Kconfig > +++ b/drivers/md/Kconfig > @@ -270,6 +270,7 @@ config DM_CRYPT > tristate "Crypt target support" > depends on BLK_DEV_DM > depends on (ENCRYPTED_KEYS || ENCRYPTED_KEYS=n) > + depends on (TRUSTED_KEYS || TRUSTED_KEYS=n) > select CRYPTO > select CRYPTO_CBC > select CRYPTO_ESSIV > diff --git a/drivers/md/dm-crypt.c b/drivers/md/dm-crypt.c > index 7eeb9248eda5..6c7c687e546c 100644 > --- a/drivers/md/dm-crypt.c > +++ b/drivers/md/dm-crypt.c > @@ -37,6 +37,7 @@ > #include <linux/key-type.h> > #include <keys/user-type.h> > #include <keys/encrypted-type.h> > +#include <keys/trusted-type.h> > > #include <linux/device-mapper.h> > > @@ -2452,6 +2453,22 @@ static int set_key_encrypted(struct crypt_config *cc, struct key *key) > return 0; > } > > +static int set_key_trusted(struct crypt_config *cc, struct key *key) > +{ > + const struct trusted_key_payload *tkp; > + > + tkp = key->payload.data[0]; > + if (!tkp) > + return -EKEYREVOKED; > + > + if (cc->key_size != tkp->key_len) > + return -EINVAL; > + > + memcpy(cc->key, tkp->key, cc->key_size); > + > + return 0; > +} > + > static int crypt_set_keyring_key(struct crypt_config *cc, const char *key_string) > { > char *new_key_string, *key_desc; > @@ -2484,6 +2501,10 @@ static int crypt_set_keyring_key(struct crypt_config *cc, const char *key_string > !strncmp(key_string, "encrypted:", key_desc - key_string + 1)) { > type = &key_type_encrypted; > set_key = set_key_encrypted; > + } else if (IS_ENABLED(CONFIG_TRUSTED_KEYS) && > + !strncmp(key_string, "trusted:", key_desc - key_string + 1)) { > + type = &key_type_trusted; > + set_key = set_key_trusted; > } else { > return -EINVAL; > } > @@ -3555,7 +3576,7 @@ static void crypt_io_hints(struct dm_target *ti, struct queue_limits *limits) > > static struct target_type crypt_target = { > .name = "crypt", > - .version = {1, 22, 0}, > + .version = {1, 23, 0}, > .module = THIS_MODULE, > .ctr = crypt_ctr, > .dtr = crypt_dtr, > -- > 2.30.0 > > -- dm-devel mailing list dm-devel@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/dm-devel