On Sun, 2021-01-31 at 15:14 +0100, Jan Lübbe wrote:
> On Sun, 2021-01-31 at 07:09 -0500, Mimi Zohar wrote:

<snip>

> > [1] The ima-evm-utils README contains EVM examples of "trusted" and
> > "user" based "encrypted" keys.
>
> I assume you refer to
> https://sourceforge.net/p/linux-ima/ima-evm-utils/ci/master/tree/README#l143
> "Generate EVM encrypted keys" and "Generate EVM trusted keys (TPM based)"?
>
> In both cases, the key used by EVM is a *newly generated* random key. The only
> difference is whether it's encrypted to a user key or a (random) trusted key.

The "encrypted" asymmetric key data doesn't change, "update" just changes the
key under which it is encrypted/decrypted.

Usage::

    keyctl add encrypted name "new [format] key-type:master-key-name keylen" ring
    keyctl add encrypted name "load hex_blob" ring
    keyctl update keyid "update key-type:master-key-name"

Mimi
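The three usage lines above, as an added example that is not part of the thread and is not kernel, keyctl or ima-evm-utils code: a Python model of the "encrypted" key type's new/load/update lifecycle. It keeps the master keys in a dict instead of the user keyring, uses a stand-in wrapping cipher (HMAC-SHA256 keystream plus an HMAC tag) in place of the kernel's AES-CBC/HMAC, and assumes a blob layout of "format master-desc datalen hex(iv||ciphertext||hmac)" modelled on what `keyctl print` shows; the names `MASTER_KEYS`, `EncryptedKey` and `demo` are this example's own. What it shows is the point Mimi makes: after "update" the key material decrypts to the same bytes, only the master key (and therefore the blob) changes.

```python
"""Added example: a model of the kernel "encrypted" key type (not kernel code).
Master keys live in MASTER_KEYS instead of the keyring; the wrapping cipher is
a stand-in for the kernel's AES-CBC/HMAC; the blob layout is an assumption."""
import hashlib
import hmac
import secrets

IV_LEN, TAG_LEN = 16, 32

# Constructed stand-in for "user" type master keys on the keyring, indexed by
# "key-type:master-key-name" exactly as the encrypted payload names them.
MASTER_KEYS = {}


def add_user_key(name, secret):
    """Model `keyctl add user <name> <secret> @u` for a master key."""
    MASTER_KEYS["user:" + name] = secret


def _derive(master, label):
    # Separate encryption and authentication sub-keys derived from the master.
    return hmac.new(master, label, hashlib.sha256).digest()


def _keystream(enc_key, iv, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, iv + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _wrap(master, iv, header, data):
    ct = bytes(p ^ k for p, k in zip(data, _keystream(_derive(master, b"enc"), iv, len(data))))
    tag = hmac.new(_derive(master, b"auth"), header + iv + ct, hashlib.sha256).digest()
    return ct, tag


def _unwrap(master, iv, header, ct, tag):
    expected = hmac.new(_derive(master, b"auth"), header + iv + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("HMAC mismatch: wrong master key or corrupted blob")
    return bytes(c ^ k for c, k in zip(ct, _keystream(_derive(master, b"enc"), iv, len(ct))))


class EncryptedKey:
    """Random key material that only ever leaves the model wrapped under a master key."""

    def __init__(self, fmt, master_desc, datalen, iv, ct, tag):
        self.fmt, self.master_desc, self.datalen = fmt, master_desc, datalen
        self.iv, self.ct, self.tag = iv, ct, tag

    def _header(self):
        return f"{self.fmt} {self.master_desc} {self.datalen}".encode()

    @classmethod
    def new(cls, master_desc, keylen, fmt="default"):
        """Model `keyctl add encrypted name "new [format] key-type:master-key-name keylen" ring`.
        The caller never supplies key material; it is generated here."""
        master = MASTER_KEYS[master_desc]  # KeyError stands in for ENOKEY
        key = cls(fmt, master_desc, keylen, secrets.token_bytes(IV_LEN), b"", b"")
        key.ct, key.tag = _wrap(master, key.iv, key._header(), secrets.token_bytes(keylen))
        return key

    def blob(self):
        """Model `keyctl print`/`keyctl pipe`: the hex form that "load" accepts."""
        return f"{self.fmt} {self.master_desc} {self.datalen} " + (self.iv + self.ct + self.tag).hex()

    @classmethod
    def load(cls, blob):
        """Model `keyctl add encrypted name "load hex_blob" ring`."""
        fmt, master_desc, datalen, hexdata = blob.split()
        raw, datalen = bytes.fromhex(hexdata), int(datalen)
        iv, ct, tag = raw[:IV_LEN], raw[IV_LEN:IV_LEN + datalen], raw[IV_LEN + datalen:]
        key = cls(fmt, master_desc, datalen, iv, ct, tag)
        key.decrypt()  # reject a blob whose HMAC does not verify under its master key
        return key

    def decrypt(self):
        return _unwrap(MASTER_KEYS[self.master_desc], self.iv, self._header(), self.ct, self.tag)

    def update(self, new_master_desc):
        """Model `keyctl update keyid "update key-type:master-key-name"`:
        the wrapped key material is unchanged, only the master key changes."""
        data = self.decrypt()
        self.master_desc, self.iv = new_master_desc, secrets.token_bytes(IV_LEN)
        self.ct, self.tag = _wrap(MASTER_KEYS[new_master_desc], self.iv, self._header(), data)


def demo():
    """Walk the three usage lines and report what stayed the same and what changed."""
    add_user_key("kmk", secrets.token_bytes(32))
    add_user_key("kmk-new", secrets.token_bytes(32))
    evm = EncryptedKey.new("user:kmk", 32)
    blob = evm.blob()
    reloaded = EncryptedKey.load(blob)  # e.g. at the next boot
    before = reloaded.decrypt()
    reloaded.update("user:kmk-new")
    after = reloaded.decrypt()
    return {"same_key_material": before == after, "keylen": len(after),
            "old_master": evm.master_desc, "new_master": reloaded.master_desc,
            "blob_changed": blob != reloaded.blob()}
```

`demo()` returns `same_key_material: True` with `blob_changed: True`, which is the whole point of "update": the EVM key bytes survive, the blob you must store for the next "load" does not. Loading a blob under a master key that is absent, or one whose hex has been altered, fails before any key material is exposed.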