| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 31 Jan 2021 09:29:29 -0500
From: Mimi Zohar <zohar@...ux.ibm.com>
To: Jan Lübbe <jlu@...gutronix.de>,
Jarkko Sakkinen <jarkko@...nel.org>,
Ahmad Fatoum <a.fatoum@...gutronix.de>,
James Bottomley <jejb@...ux.ibm.com>,
David Howells <dhowells@...hat.com>, keyrings@...r.kernel.org,
Sumit Garg <sumit.garg@...aro.org>
Cc: linux-integrity@...r.kernel.org, linux-kernel@...r.kernel.org,
linux-security-module@...r.kernel.org, kernel@...gutronix.de
Subject: Re: Migration to trusted keys: sealing user-provided key?
On Sun, 2021-01-31 at 15:14 +0100, Jan Lübbe wrote:
> On Sun, 2021-01-31 at 07:09 -0500, Mimi Zohar wrote:
<snip>
> >
> > [1] The ima-evm-utils README contains EVM examples of "trusted" and
> > "user" based "encrypted" keys.
>
> I assume you refer to
> https://sourceforge.net/p/linux-ima/ima-evm-utils/ci/master/tree/README#l143
> "Generate EVM encrypted keys" and "Generate EVM trusted keys (TPM based)"?
>
> In both cases, the key used by EVM is a *newly generated* random key. The only
> difference is whether it's encrypted to a user key or a (random) trusted key.
The "encrypted" asymmetric key data doesn't change, "update" just
changes the key under which it is encrypted/decrypted.
Usage::
keyctl add encrypted name "new [format] key-type:master-key-name
keylen"
ring
keyctl add encrypted name "load hex_blob" ring
keyctl update keyid "update key-type:master-key-name"
Mimi
Powered by blists - more mailing lists