| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 10 Feb 2019 22:45:58 -0600 From: Salah Coronya <salahx@...oo.com> To: linux-kernel@...r.kernel.org Subject: Cannot read payload of an encrypted key rooted in a trusted key In the file Documentation/security/keys-trusted-encrypted, an example is shown for to create an encrypted key rooted in trusted key. Basically, the following should work: KMK_KEY=$(keyctl add trusted kmk "new 32" @u) keyctl pipe $KMK_KEY > ~/kmk-trusted.blob EVM_KEY=$(keyctl add encrypted evm "new default trusted:kmk 32" @u) keyctl pipe $EVM_KEY > ~/evm-trusted.blob But the last command does not work. It reports "keyctl_read_alloc: Operation not supported" strace shows this: keyctl(KEYCTL_READ, 404204492, NULL, 0) = 185 keyctl(KEYCTL_READ, 404204492, 0x557a43f66260, 185) = -1 EOPNOTSUPP (Operation not supported) I've tried this on kernel 4.4.163, 4.14.83, and 4.20.6, on a machine with real TPM, and a virtual TPM in a VM, both versions 1.2 and 2.0 and none of the cases work. However, an encrypted key rooted in a (random) user key DOES work: KMK_USER=$(dd if=/dev/urandom bs=1 count=32 2>/dev/null | keyctl padd user kmk-user @u) keyctl pipe $KMK_USER > ~/kmk-user.blob EVM_USER=$(keyctl add encrypted evm-user "new default user:kmk-user 32" @u) keyctl pipe $EVM_USER > ~/evm-user.blob I'm not sure if there is a missing step in the examples, if have I hit a kernel bug, or if I'm doing something wrong.
Powered by blists - more mailing lists