| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 03 Aug 2019 21:46:00 -0400
From: Mimi Zohar <zohar@...nel.org>
To: Jarkko Sakkinen <jarkko.sakkinen@...ux.intel.com>,
Tyler Hicks <tyhicks@...onical.com>
Cc: Roberto Sassu <roberto.sassu@...wei.com>, jejb@...ux.ibm.com,
jgg@...pe.ca, linux-integrity@...r.kernel.org,
linux-security-module@...r.kernel.org, keyrings@...r.kernel.org,
linux-kernel@...r.kernel.org, crazyt2019+lml@...il.com,
nayna@...ux.vnet.ibm.com, silviu.vlasceanu@...wei.com
Subject: Re: [PATCH] KEYS: trusted: allow module init if TPM is inactive or
deactivated
On Sat, 2019-08-03 at 17:44 +0300, Jarkko Sakkinen wrote:
> On Fri, 2019-08-02 at 15:23 -0500, Tyler Hicks wrote:
> > That wasn't the conclusion that I came to. I prefer Robert's proposed
> > change to trusted.ko.
> >
> > How do you propose that this be fixed in eCryptfs?
> >
> > Removing encrypted_key support from eCryptfs is the only way that I can
> > see to fix the bug in eCryptfs. That support has been there since 2011.
> > I'm not sure of the number of users that would be broken by removing
> > encrypted_key support. I don't think the number is high but I can't say
> > that confidently.
>
> Looking at the documentation [1] it is stated that
>
> "Encrypted keys do not depend on a TPM, and are faster, as they use AES
> for encryption/decryption."
>
> Why would you need to remove support for encrypted keys? Isn't it a
> regression in encrypted keys to hard depend on trusted keys given
> what the documentation says?
"Encrypted" key are symmetric keys, which are encrypted/decrypted
either by a "trusted" key or, for development purposes only, a "user"
key.
Mimi
Powered by blists - more mailing lists