Hi,
On 21/05/2019 12:00, Ondrej Mosnacek wrote:
> This patch adds new socket options to AF_ALG that allow setting key from
> kernel keyring. For simplicity, each keyring key type (logon, user,
> trusted, encrypted) has its own socket option name and the value is just
> the key description string that identifies the key to be used. The key
> description doesn't need to be NULL-terminated, but bytes after the
> first zero byte are ignored.
There is one nasty problem with this approach (we hit the same in dmcrypt now).
These lines cause hard module dependence on trusted.ko and encrypted.ko
modules (key_type_* are exported symbols):
+static const struct alg_keyring_type alg_keyring_type_trusted = {
+ .key_type = &key_type_trusted,...
...
+ .key_type = &key_type_encrypted,
I do not think this is what we actually want - the dependence should be dynamic,
the modules should be loaded per-request...
I asked David Howells, and seems kernel keyring does not have such
interface yet. (There is an internal lookup function already though.)
So until such a lookup interface is present, and the patch is ported to it,
I think this patch adds module dependency that should not be there.
Milan
