Re: Migration to trusted keys: sealing user-provided key?

On Sun, 2021-01-31 at 15:14 +0100, Jan Lübbe wrote:
> On Sun, 2021-01-31 at 07:09 -0500, Mimi Zohar wrote:

<snip>

> > 
> > [1] The ima-evm-utils README contains EVM examples of "trusted" and
> > "user" based "encrypted" keys.
> 
> I assume you refer to
> https://sourceforge.net/p/linux-ima/ima-evm-utils/ci/master/tree/README#l143
> "Generate EVM encrypted keys" and "Generate EVM trusted keys (TPM based)"?
> 
> In both cases, the key used by EVM is a *newly generated* random key. The only
> difference is whether it's encrypted to a user key or a (random) trusted key.
 
The "encrypted" asymmetric key data doesn't change, "update" just
changes the key under which it is encrypted/decrypted.

Usage::

    keyctl add encrypted name "new [format] key-type:master-key-name keylen"
        ring
    keyctl add encrypted name "load hex_blob" ring
    keyctl update keyid "update key-type:master-key-name"

Mimi



