lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Sat, 21 Jul 2018 14:44:15 +0000
From:   Udit Agarwal <udit.agarwal@....com>
To:     Jan Lübbe <jlu@...gutronix.de>,
        "dhowells@...hat.com" <dhowells@...hat.com>,
        "zohar@...ux.vnet.ibm.com" <zohar@...ux.vnet.ibm.com>,
        "jmorris@...ei.org" <jmorris@...ei.org>,
        "serge@...lyn.com" <serge@...lyn.com>,
        "linux-integrity@...r.kernel.org" <linux-integrity@...r.kernel.org>,
        "keyrings@...r.kernel.org" <keyrings@...r.kernel.org>,
        "linux-security-module@...r.kernel.org" 
        <linux-security-module@...r.kernel.org>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
CC:     Sahil Malhotra <sahil.malhotra@....com>,
        Ruchika Gupta <ruchika.gupta@....com>,
        Horia Geanta <horia.geanta@....com>,
        Aymen Sghaier <aymen.sghaier@....com>
Subject: RE: [PATCH 1/2] security/keys/secure_key: Adds the secure key support
 based on CAAM.

Hi,

Thanks for sharing the documentation changes and feedback.

Below are the answers to the questions:

1. Currently the secure key patch series has been added  to support only data blobs.
It is not supporting key blobs as of now, we have thought of adding that support in future.

2. Yes secure keys could also be implemented using OPTEE. I will change the 
documentation in next patch version.

Best regards,
Udit Agarwal


> -----Original Message-----
> From: Jan Lübbe [mailto:jlu@...gutronix.de]
> Sent: Friday, July 20, 2018 2:11 PM
> To: Udit Agarwal <udit.agarwal@....com>; dhowells@...hat.com;
> zohar@...ux.vnet.ibm.com; jmorris@...ei.org; serge@...lyn.com; linux-
> integrity@...r.kernel.org; keyrings@...r.kernel.org; linux-security-
> module@...r.kernel.org; linux-kernel@...r.kernel.org
> Cc: Sahil Malhotra <sahil.malhotra@....com>
> Subject: Re: [PATCH 1/2] security/keys/secure_key: Adds the secure key support based on
> CAAM.
> 
> On Fri, 2018-07-20 at 11:16 +0530, Udit Agarwal wrote:
> > +==========
> > +Secure Key
> > +==========
> > +
> > +Secure key is the new type added to kernel key ring service.
> > +Secure key is a symmetric type key of minimum length 32 bytes and
> > +with maximum possible length to be 128 bytes. It is produced in
> > +kernel using the CAAM crypto engine. Userspace can only see the blob
> > +for the corresponding key. All the blobs are displayed or loaded in
> > +hex ascii.
> > +
> > +Secure key can only be created on platforms which supports CAAM
> > +hardware block. Secure key can also be used as a master key to create
> > +the encrypted keys along with the existing key types in kernel.
> > +
> > +Secure key uses CAAM hardware to generate the key and blobify its
> > +content for userspace. Generated blobs are tied up with the hardware
> > +secret key stored in CAAM, hence the same blob will not be able to
> > +de-blobify with the different secret key on another machine.
> 
> Thanks for working on this, so far we've been using this functionality via a custom sysfs
> interface. Proper integration into the keyring framework would be very nice!
> 
> Some questions which might influence the userspace api design:
> 
> - If I remember correctly, CAAM key blobs contain flags which specify if the key can be
> exported from the CAAM after unwrapping or not (then it stays in one of the internal key
> registers). Which mode do you use?
> 
> - If that's not already supported by this series, do you intend to make secure keys (in the
> non-exportable-mode) usable for encryption/ decryption, so they could be used for dm-
> crypt? If so, you'd probably need some resource management in the CAAM driver, as the
> number of key registers is limited.
> 
> - Secure keys could also be implemented using OP-TEE for example, so the
> documentation shouldn't be CAAM-specific and only use it as an example.
> 
> Are there corresponding changes to the CAAM driver needed to test this?
> 
> Best regards,
> Jan
> --
> Pengutronix e.K.                           |                             |
> Industrial Linux Solutions                 |
> https://emea01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.pengutronix
> .de%2F&amp;data=02%7C01%7Cudit.agarwal%40nxp.com%7C01d1208748da4a2ae32308
> d5ee1c8189%7C686ea1d3bc2b4c6fa92cd99c5c301635%7C0%7C1%7C6366767285677184
> 93&amp;sdata=rRxZTlc%2BbrvD9VGL6fWlxS%2BcLWIt0RqEv1VT0zCLEs4%3D&amp;
> reserved=0  |
> Peiner Str. 6-8, 31137 Hildesheim, Germany | Phone: +49-5121-206917-0    |
> Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ