On Wed, Jan 5, 2022 at 3:12 PM Jarkko Sakkinen <jarkko@xxxxxxxxxx> wrote:
>
> On Wed, 2021-12-29 at 16:53 -0500, Yael Tiomkin wrote:
> > The encrypted.c class supports instantiation of encrypted keys with
> > either an already-encrypted key material, or by generating new key
> > material based on random numbers. This patch defines a new datablob
> > format: [<format>] <master-key name> <decrypted data length>
> > <decrypted data> that allows to instantiate encrypted keys using
> > user-provided decrypted data, and therefore allows to perform key
> > encryption from userspace. The decrypted key material will be
> > inaccessible from userspace.
>
> The 2nd to last sentence is essentially a tautology but fails to
> be even that, as you can already "perform key encryption" from user
> space, just not with arbitrary key material.
>
> It does not enlighten any applications of this feature.
>
> /Jarkko

Sure. Please look at the modification below.

The encrypted.c class supports instantiation of encrypted keys with
either an already-encrypted key material, or by generating new key
material based on random numbers. This patch defines a new datablob
format: [<format>] <master-key name> <decrypted data length>
<decrypted data> that allows to inject (and encrypt) user-provided
decrypted data. The decrypted key material will be inaccessible from
userspace. This feature also acts as a building block for a userspace
envelope encryption capability.

Yael