[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <1384660289.5181.8.camel@dhcp-9-2-203-236.watson.ibm.com>
Date: Sat, 16 Nov 2013 22:51:29 -0500
From: Mimi Zohar <zohar@...ux.vnet.ibm.com>
To: David Howells <dhowells@...hat.com>
Cc: d.kasatkin@...sung.com, zohar@...ibm.com, keyrings@...ux-nfs.org,
linux-security-module@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH 9/9] KEYS: Fix encrypted key type update method
On Thu, 2013-11-14 at 17:59 +0000, David Howells wrote:
> Mimi Zohar <zohar@...ux.vnet.ibm.com> wrote:
>
> > Is there a keyutils git repo with a version of keyctl that supports the
> > control option?
>
> http://git.kernel.org/cgit/linux/kernel/git/dhowells/keyutils.git/log/?h=development
Thanks!
> > - type size_t is unsigned, no need to verify that it is negative.
>
> It doesn't hurt either...
>
> > - missing Documentation/security/keys-trusted-encrypted.txt updates
>
> Fixed (see diff below), but I suspect trusted_update() also needs scrutiny.
>
> > - the encrypted_preparse() comment still says 'encrypted_instantiate'
>
> Fixed.
>
> David
> ---
> diff --git a/Documentation/security/keys-trusted-encrypted.txt b/Documentation/security/keys-trusted-encrypted.txt
> index e105ae97a4f5..78794adf445d 100644
> --- a/Documentation/security/keys-trusted-encrypted.txt
> +++ b/Documentation/security/keys-trusted-encrypted.txt
> @@ -61,7 +61,7 @@ Usage:
> keyctl add encrypted name "new [format] key-type:master-key-name keylen"
> ring
> keyctl add encrypted name "load hex_blob" ring
> - keyctl update keyid "update key-type:master-key-name"
> + keyctl control keyid encrypted change-master-key "key-type:master-key-name"
>
> format:= 'default | ecryptfs'
> key-type:= 'trusted' | 'user'
The command has remained the same as before: "update key-type:master-key-name".
diff --git a/Documentation/security/keys-trusted-encrypted.txt b/Documentation/security/keys-trusted-encrypted.txt
index e105ae9..6610be4 100644
--- a/Documentation/security/keys-trusted-encrypted.txt
+++ b/Documentation/security/keys-trusted-encrypted.txt
@@ -61,12 +61,12 @@ Usage:
keyctl add encrypted name "new [format] key-type:master-key-name keylen"
ring
keyctl add encrypted name "load hex_blob" ring
- keyctl update keyid "update key-type:master-key-name"
+ keyctl control <keyid> encrypted change-master-key \
+ "update key-type:master-key-name"
format:= 'default | ecryptfs'
key-type:= 'trusted' | 'user'
-
Examples of trusted and encrypted key usage:
Create and save a trusted key named "kmk" of length 32 bytes:
@@ -153,6 +153,12 @@ Load an encrypted key "evm" from saved blob:
82dbbc55be2a44616e4959430436dc4f2a7a9659aa60bb4652aeb2120f149ed197c564e0
24717c64 5972dcb82ab2dde83376d82b2e3c09ffc
+Encrypt the "evm" key with a new master key kmk-new:
+
+ $ keyctl add trusted kmk-new "new 32" @u
+ $ keyctl control 831684262 encrypted change-master-key \
+ "update trusted:kmk-new"
+
Other uses for trusted and encrypted keys, such as for disk and file encryption
are anticipated. In particular the new format 'ecryptfs' has been defined in
in order to use encrypted keys to mount an eCryptfs filesystem. More details
thanks,
Mimi
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists