On Fri, Jul 26, 2019 at 03:41:33PM -0700, Eric Biggers wrote: > From: Eric Biggers <ebiggers@xxxxxxxxxx> > > Add a new fscrypt ioctl, FS_IOC_GET_ENCRYPTION_KEY_STATUS. Given a key > specified by 'struct fscrypt_key_specifier' (the same way a key is > specified for the other fscrypt key management ioctls), it returns > status information in a 'struct fscrypt_get_key_status_arg'. > > The main motivation for this is that applications need to be able to > check whether an encrypted directory is "unlocked" or not, so that they > can add the key if it is not, and avoid adding the key (which may > involve prompting the user for a passphrase) if it already is. > > It's possible to use some workarounds such as checking whether opening a > regular file fails with ENOKEY, or checking whether the filenames "look > like gibberish" or not. However, no workaround is usable in all cases. > > Like the other key management ioctls, the keyrings syscalls may seem at > first to be a good fit for this. Unfortunately, they are not. Even if > we exposed the keyring ID of the ->s_master_keys keyring and gave > everyone Search permission on it (note: currently the keyrings > permission system would also allow everyone to "invalidate" the keyring > too), the fscrypt keys have an additional state that doesn't map cleanly > to the keyrings API: the secret can be removed, but we can be still > tracking the files that were using the key, and the removal can be > re-attempted or the secret added again. > > After later patches, some applications will also need a way to determine > whether a key was added by the current user vs. by some other user. > Reserved fields are included in fscrypt_get_key_status_arg for this and > other future extensions. > > Signed-off-by: Eric Biggers <ebiggers@xxxxxxxxxx> Looks good, feel free to add: Reviewed-by: Theodore Ts'o <tytso@xxxxxxx> ______________________________________________________ Linux MTD discussion mailing list http://lists.infradead.org/mailman/listinfo/linux-mtd/
Re: [PATCH v7 08/16] fscrypt: add FS_IOC_GET_ENCRYPTION_KEY_STATUS ioctl
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
- Subject: Re: [PATCH v7 08/16] fscrypt: add FS_IOC_GET_ENCRYPTION_KEY_STATUS ioctl
- From: "Theodore Y. Ts'o" <tytso@xxxxxxx>
- Date: Sun, 28 Jul 2019 15:30:12 -0400
- Cc: Satya Tangirala <satyat@xxxxxxxxxx>, linux-api@xxxxxxxxxxxxxxx, linux-f2fs-devel@xxxxxxxxxxxxxxxxxxxxx, linux-fscrypt@xxxxxxxxxxxxxxx, keyrings@xxxxxxxxxxxxxxx, linux-mtd@xxxxxxxxxxxxxxxxxxx, linux-crypto@xxxxxxxxxxxxxxx, linux-fsdevel@xxxxxxxxxxxxxxx, linux-ext4@xxxxxxxxxxxxxxx, Paul Crowley <paulcrowley@xxxxxxxxxx>
- In-reply-to: <20190726224141.14044-9-ebiggers@kernel.org>
- References: <20190726224141.14044-1-ebiggers@kernel.org> <20190726224141.14044-9-ebiggers@kernel.org>
- User-agent: Mutt/1.10.1 (2018-07-13)
- References:
- [PATCH v7 00/16] fscrypt: key management improvements
- From: Eric Biggers
- [PATCH v7 08/16] fscrypt: add FS_IOC_GET_ENCRYPTION_KEY_STATUS ioctl
- From: Eric Biggers
- [PATCH v7 00/16] fscrypt: key management improvements
- Prev by Date: Re: [PATCH v7 07/16] fscrypt: add FS_IOC_REMOVE_ENCRYPTION_KEY ioctl
- Next by Date: Re: [PATCH v7 09/16] fscrypt: add an HKDF-SHA512 implementation
- Previous by thread: [PATCH v7 08/16] fscrypt: add FS_IOC_GET_ENCRYPTION_KEY_STATUS ioctl
- Next by thread: [PATCH v7 09/16] fscrypt: add an HKDF-SHA512 implementation
- Index(es):
 |