On 22.01.21 20:04, Ahmad Fatoum wrote: > On 22.01.21 19:18, Jarkko Sakkinen wrote: >> On Fri, Jan 22, 2021 at 08:05:51PM +0200, Jarkko Sakkinen wrote: >>> On Fri, Jan 22, 2021 at 09:43:21AM +0100, Ahmad Fatoum wrote: >>>> Commit 27f5411a718c ("dm crypt: support using encrypted keys") extended >>>> dm-crypt to allow use of "encrypted" keys along with "user" and "logon". >>>> >>>> Along the same lines, teach dm-crypt to support "trusted" keys as well. Gentle ping. Is there anything further you require from me regarding these two patches? >>>> >>>> Signed-off-by: Ahmad Fatoum <a.fatoum@xxxxxxxxxxxxxx> >>>> --- >>> >>> Is it possible to test run this with tmpfs? Would be a good test >>> target for Sumit's ARM-TEE trusted keys patches. > > I tested these on top of Sumit's patches with TPM and a CAAM blobifier > backend, I am preparing. The system I am developing these patches against > doesn't have a TEE. Steps to test these changes: > > #!/bin/sh > > DEV=/dev/loop0 > ALGO=aes-cbc-essiv:sha256 > KEYNAME=kmk > BLOCKS=20 > > fallocate -l $((BLOCKS*512)) /tmp/loop0.img > losetup -P $DEV /tmp/loop0.img > mount -o remount,rw / > KEY="$(keyctl add trusted $KEYNAME 'new 32' @s)" > keyctl pipe $KEY >$HOME/kmk.blob > > TABLE="0 $BLOCKS crypt $ALGO :32:trusted:$KEYNAME 0 $DEV 0 1 allow_discards" > echo $TABLE | dmsetup create mydev > echo $TABLE | dmsetup load mydev > dd if=/dev/zero of=/dev/mapper/mydev > echo "It works!" 1<> /dev/mapper/mydev > cryptsetup close mydev > > reboot > > DEV=/dev/loop0 > ALGO=aes-cbc-essiv:sha256 > KEYNAME=kmk > BLOCKS=20 > > losetup -P $DEV $HOME/loop0.img > keyctl add trusted $KEYNAME "load $(cat $HOME/kmk.blob)" @s > TABLE="0 $BLOCKS crypt $ALGO :32:trusted:$KEYNAME 0 $DEV 0 1 allow_discards" > echo $TABLE | dmsetup create mydev > echo $TABLE | dmsetup load mydev > > # should print that It works! > hexdump -C /dev/mapper/mydev > >>> https://lore.kernel.org/linux-integrity/1604419306-26105-1-git-send-email-sumit.garg@xxxxxxxxxx/ >> >> Also, I would hold merging *this* patch up until we are able to >> test TEE trusted keys with TEE trusted keys. > > Which blocks which? I tested this with TPM-Trusted keys, so it's usable > as is. For convenient usage, it would be nice to have cryptsetup > support for trusted and encrypted keys. I intended to look at this next week. > > Cheers, > Ahmad > >> >> /Jarkko >> > -- Pengutronix e.K. | | Steuerwalder Str. 21 | http://www.pengutronix.de/ | 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 | Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 | -- dm-devel mailing list dm-devel@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/dm-devel