On 09.08.21 12:00, Ahmad Fatoum wrote: > Hello Jarkko, > > On 09.08.21 11:44, Jarkko Sakkinen wrote: >> On Fri, Aug 06, 2021 at 05:09:28PM +0200, Ahmad Fatoum wrote: >>> Kernel trusted keys don't require userspace knowledge of the raw key >>> material and instead export a sealed blob, which can be persisted to >>> unencrypted storage. Userspace can then load this blob into the kernel, >>> where it's unsealed and from there on usable for kernel crypto. >>> >>> This is incompatible with fscrypt, where userspace is supposed to supply >>> the raw key material. For TPMs, a work around is to do key unsealing in >>> userspace, but this may not be feasible for other trusted key backends. >>> >>> Make it possible to benefit from both fscrypt and trusted key sealing >>> by extending fscrypt_add_key_arg::key_id to hold either the ID of a >>> fscrypt-provisioning or a trusted key. >>> >>> A non fscrypt-provisioning key_id was so far prohibited, so additionally >>> allowing trusted keys won't break backwards compatibility. >>> >>> Signed-off-by: Ahmad Fatoum <a.fatoum@xxxxxxxxxxxxxx> >>> --- >>> Tested with: >>> https://github.com/google/fscryptctl/pull/23 >>> - if (key->type != &key_type_fscrypt_provisioning) >>> - goto bad_key; >>> - payload = key->payload.data[0]; >>> + if (key->type == &key_type_fscrypt_provisioning) { >> >> Why does fscrypt have own key type, and does not extend 'encrypted' with a >> new format [*]? > > See the commit[1] adding it for more information. TL;DR: > > fscrypt maintainers would've preferred keys to be associated with > a "domain". So an encrypted key generated for fscrypt use couldn't be reused > for e.g. dm-crypt. They are wary of fscrypt users being more exposed if their > keys can be used with weaker ciphers via other kernel functionality that could > be used to extract information about the raw key material. > > Eric also mentioned dislike of the possibility of rooting encrypted keys to > user keys. v2 is only restricted to v2, so we didn't discuss this further. Typo: v2 (of my series) is only restricted to s/v2/trusted keys/ > > Restricting the key to fscrypt-only precludes this reuse. > > My commit makes no attempts in changing that. It just adds a new way to pass > raw key material into fscrypt. For more information, see the commit[1] adding > that key type. > >> [*] https://www.kernel.org/doc/html/v5.13/security/keys/trusted-encrypted.html > > [1]: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=93edd392ca > > Cheers, > Ahmad > -- Pengutronix e.K. | | Steuerwalder Str. 21 | http://www.pengutronix.de/ | 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 | Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
