
dm crypt: support using trusted keys

Commit 27f5411a718c ("dm crypt: support using encrypted keys") extended
dm-crypt to allow use of "encrypted" keys along with "user" and "logon".

Along the same lines, teach dm-crypt to support "trusted" keys as well.

Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>

authored by

Ahmad Fatoum and committed by
Mike Snitzer
363880c4 831475cc

+24 -2
+1 -1
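--- a/Documentation/admin-guide/device-mapper/dm-crypt.rst
+++ b/Documentation/admin-guide/device-mapper/dm-crypt.rst
@@ -67,7 +67,7 @@
 the value passed in <key_size>.
 
 <key_type>
-Either 'logon', 'user' or 'encrypted' kernel key type.
+Either 'logon', 'user', 'encrypted' or 'trusted' kernel key type.
 
 <key_description>
 The kernel keyring key description crypt target should look for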
+1
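--- a/drivers/md/Kconfig
+++ b/drivers/md/Kconfig
@@ -270,6 +270,7 @@
 tristate "Crypt target support"
 depends on BLK_DEV_DM
 depends on (ENCRYPTED_KEYS || ENCRYPTED_KEYS=n)
+depends on (TRUSTED_KEYS || TRUSTED_KEYS=n)
 select CRYPTO
 select CRYPTO_CBC
 select CRYPTO_ESSIV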
+22 -1
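--- a/drivers/md/dm-crypt.c
+++ b/drivers/md/dm-crypt.c
@@ -37,6 +37,7 @@
 #include <linux/key-type.h>
 #include <keys/user-type.h>
 #include <keys/encrypted-type.h>
+#include <keys/trusted-type.h>
 
 #include <linux/device-mapper.h>
 
@@ -2453,6 +2452,22 @@
 return 0;
 }
 
+static int set_key_trusted(struct crypt_config *cc, struct key *key)
+{
+const struct trusted_key_payload *tkp;
+
+tkp = key->payload.data[0];
+if (!tkp)
+return -EKEYREVOKED;
+
+if (cc->key_size != tkp->key_len)
+return -EINVAL;
+
+memcpy(cc->key, tkp->key, cc->key_size);
+
+return 0;
+}
+
 static int crypt_set_keyring_key(struct crypt_config *cc, const char *key_string)
 {
 char *new_key_string, *key_desc;
@@ -2501,6 +2484,10 @@
 !strncmp(key_string, "encrypted:", key_desc - key_string + 1)) {
 type = &key_type_encrypted;
 set_key = set_key_encrypted;
+} else if (IS_ENABLED(CONFIG_TRUSTED_KEYS) &&
+!strncmp(key_string, "trusted:", key_desc - key_string + 1)) {
+type = &key_type_trusted;
+set_key = set_key_trusted;
 } else {
 return -EINVAL;
 }
@@ -3576,7 +3555,7 @@
 
 static struct target_type crypt_target = {
 .name = "crypt",
-.version = {1, 22, 0},
+.version = {1, 23, 0},
 .module = THIS_MODULE,
 .ctr = crypt_ctr,
 .dtr = crypt_dtr,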
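Review bot: set_key_trusted dereferences key->payload.data[0] with no comment on the locking it relies on; that pointer is only stable while the caller holds key->sem for reading, which crypt_set_keyring_key presumably does around the set_key() call, but that part of the caller lies outside this hunk. A one-line contract above the assignment, `/* Caller holds key->sem for read; payload is NULL once the key is revoked, hence -EKEYREVOKED. */`, would make the dependency explicit for the next reader and for anyone adding a fourth key type. The exact-length check against tkp->key_len before the memcpy into cc->key is the right conservative choice and matches the encrypted path, so no functional change is needed there. set_key_trusted is complete within the hunk; the enclosing body of crypt_set_keyring_key in the later hunk starts and ends outside it.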