On Thu, May 14, 2020 at 11:24:14AM +0200, Johannes Thumshirn wrote: > From: Johannes Thumshirn <johannes.thumshirn@xxxxxxx> > Example usage: > Create a file-system with authentication key 0123456 > mkfs.btrfs --csum "hmac(sha256)" --auth-key 0123456 /dev/disk > > Add the key to the kernel's keyring as keyid 'btrfs:foo' > keyctl add logon btrfs:foo 0123456 @u > > Mount the fs using the 'btrfs:foo' key > mount -o auth_key=btrfs:foo,auth_hash_name="hmac(sha256)" /dev/disk /mnt/point I tried to follow the example but the filesystem does not mount. But what almost shocked me was the way the key is specified on the userspace side. $ mkfs.btrfs --csum "hmac(sha256)" --auth-key 0123456 /dev/disk "0123456" are the raw bytes of the key? Seriously? And how it's passed to the hmac code: gcry_mac_hd_t mac; gcry_mac_open(&mac, GCRY_MAC_HMAC_SHA256, 0, NULL); gcry_mac_setkey(mac, fs_info->auth_key, strlen(fs_info->auth_key)); gcry_mac_write(mac, buf, length); gcry_mac_read(mac, out, &length); Strlen means the key must avoid char 0 and I don't think we want do any decoding from ascii-hex format, when there's the whole keyctl infrastructure. The key for all userspace commands needs to be specified the same way as for kernel, ie. "--auth-key btrfs:foo" and use the appropriate ioctls to read the key bytes.
