lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <1384660289.5181.8.camel@dhcp-9-2-203-236.watson.ibm.com>
Date:	Sat, 16 Nov 2013 22:51:29 -0500
From:	Mimi Zohar <zohar@...ux.vnet.ibm.com>
To:	David Howells <dhowells@...hat.com>
Cc:	d.kasatkin@...sung.com, zohar@...ibm.com, keyrings@...ux-nfs.org,
	linux-security-module@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH 9/9] KEYS: Fix encrypted key type update method

On Thu, 2013-11-14 at 17:59 +0000, David Howells wrote:
> Mimi Zohar <zohar@...ux.vnet.ibm.com> wrote:
> 
> > Is there a keyutils git repo with a version of keyctl that supports the
> > control option?
> 
> http://git.kernel.org/cgit/linux/kernel/git/dhowells/keyutils.git/log/?h=development

Thanks!

> > - type size_t is unsigned, no need to verify that it is negative.
> 
> It doesn't hurt either...
> 
> > - missing Documentation/security/keys-trusted-encrypted.txt updates
> 
> Fixed (see diff below), but I suspect trusted_update() also needs scrutiny.
> 
> > - the encrypted_preparse() comment still says 'encrypted_instantiate'
> 
> Fixed.
> 
> David
> ---
> diff --git a/Documentation/security/keys-trusted-encrypted.txt b/Documentation/security/keys-trusted-encrypted.txt
> index e105ae97a4f5..78794adf445d 100644
> --- a/Documentation/security/keys-trusted-encrypted.txt
> +++ b/Documentation/security/keys-trusted-encrypted.txt
> @@ -61,7 +61,7 @@ Usage:
>      keyctl add encrypted name "new [format] key-type:master-key-name keylen"
>          ring
>      keyctl add encrypted name "load hex_blob" ring
> -    keyctl update keyid "update key-type:master-key-name"
> +    keyctl control keyid encrypted change-master-key "key-type:master-key-name"
> 
>  format:= 'default | ecryptfs'
>  key-type:= 'trusted' | 'user'

The command has remained the same as before: "update key-type:master-key-name".

diff --git a/Documentation/security/keys-trusted-encrypted.txt b/Documentation/security/keys-trusted-encrypted.txt
index e105ae9..6610be4 100644
--- a/Documentation/security/keys-trusted-encrypted.txt
+++ b/Documentation/security/keys-trusted-encrypted.txt
@@ -61,12 +61,12 @@ Usage:
     keyctl add encrypted name "new [format] key-type:master-key-name keylen"
         ring
     keyctl add encrypted name "load hex_blob" ring
-    keyctl update keyid "update key-type:master-key-name"
+    keyctl control <keyid> encrypted change-master-key \
+		"update key-type:master-key-name"
 
 format:= 'default | ecryptfs'
 key-type:= 'trusted' | 'user'
 
-
 Examples of trusted and encrypted key usage:
 
 Create and save a trusted key named "kmk" of length 32 bytes:
@@ -153,6 +153,12 @@ Load an encrypted key "evm" from saved blob:
     82dbbc55be2a44616e4959430436dc4f2a7a9659aa60bb4652aeb2120f149ed197c564e0
     24717c64 5972dcb82ab2dde83376d82b2e3c09ffc
 
+Encrypt the "evm" key with a new master key kmk-new:
+
+    $ keyctl add trusted kmk-new "new 32" @u
+    $ keyctl control 831684262 encrypted change-master-key \
+	"update trusted:kmk-new"
+
 Other uses for trusted and encrypted keys, such as for disk and file encryption
 are anticipated.  In particular the new format 'ecryptfs' has been defined in
 in order to use encrypted keys to mount an eCryptfs filesystem.  More details


thanks,

Mimi



--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ