On Wed, 2010-09-29 at 14:40 +0200, Roberto Sassu wrote: > On Wednesday, September 29, 2010 01:57:36 pm Mimi Zohar wrote: > > On Wed, 2010-09-29 at 12:00 +0200, Roberto Sassu wrote: > > > When a new encrypted key is created through the keyctl utility, the master > > > key specified is not searched in the keyring and the operation is performed even > > > if it is missing. > > > > Yes, and why is this a problem? After creating a new key, the first > > thing done should be to save it. At that point, you'd find out the > > master-key doesn't exist, requiring you to either load it or change the > > master-key name using 'keyctl update'. > > > > I think the master key verification is important at least for one reason: > i suppose to have one encrypted key which depends on a trusted key unsealed > during the boot process. Yes, this would be the normal scenario - decrypting the encrypted key with a trusted key. > If the former key is present in the keyring, this does not mean > that the platform is in a good status (condition required for the unsealing), > since an attacker can generate another encryption key with the same name that > may be used by users to encrypt their personal data. True, the existence of an encrypted key with the expected name does not imply anything about the key. However, using this 'fake' key will fail to decrypt anything already encrypted with the real key. I'm not clear how requiring the existence of the master-key prevents creating a 'fake' key. > The create check is probably wrong, what i mean is that key generation is an > administrative task and trusted and encrypted keys should be usable only after > decryption with the key they depend to. I understand your concern, but checking the existence of the master-key at creation doesn't imply that it will exist later, when needed to save the new key. So immediately after creating a new key, it's important to save both the master-key and the encrypted key. Mimi -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
