Message-ID: <897df7dd-83a1-3e3e-1d9f-5a1adfd5b2fb@pengutronix.de>
Date: Thu, 1 Apr 2021 12:04:31 +0200
From: Ahmad Fatoum <a.fatoum@...gutronix.de>
To: Richard Weinberger <richard.weinberger@...il.com>
Cc: Jarkko Sakkinen <jarkko@...nel.org>,
Horia Geantă <horia.geanta@....com>,
Mimi Zohar <zohar@...ux.ibm.com>,
Aymen Sghaier <aymen.sghaier@....com>,
Herbert Xu <herbert@...dor.apana.org.au>,
"David S. Miller" <davem@...emloft.net>,
James Bottomley <jejb@...ux.ibm.com>, kernel@...gutronix.de,
David Howells <dhowells@...hat.com>,
James Morris <jmorris@...ei.org>,
"Serge E. Hallyn" <serge@...lyn.com>,
Steffen Trumtrar <s.trumtrar@...gutronix.de>,
Udit Agarwal <udit.agarwal@....com>,
Jan Luebbe <j.luebbe@...gutronix.de>,
David Gstir <david@...ma-star.at>,
Franck LENORMAND <franck.lenormand@....com>,
Sumit Garg <sumit.garg@...aro.org>,
linux-integrity@...r.kernel.org, keyrings@...r.kernel.org,
Linux Crypto Mailing List <linux-crypto@...r.kernel.org>,
LKML <linux-kernel@...r.kernel.org>,
LSM <linux-security-module@...r.kernel.org>
Subject: Re: [PATCH v1 0/3] KEYS: trusted: Introduce support for NXP
CAAM-based trusted keys

Hello Richard,

On 30.03.21 23:50, Richard Weinberger wrote:
> Ahmad,
>
> On Wed, Mar 17, 2021 at 3:08 PM Ahmad Fatoum <a.fatoum@...gutronix.de> wrote:
>
>> TABLE="0 $BLOCKS crypt $ALGO :32:trusted:$KEYNAME 0 $DEV 0 1 allow_discards"
>> echo $TABLE | dmsetup create mydev
>> echo $TABLE | dmsetup load mydev
>
> Do you also plan to add support for this to cryptsetup?
>
> David and I have added (rough) support for our CAAM/DCP based keyrings
> to cryptsetup:
> https://github.com/sigma-star/cryptsetup/tree/rw/plain
>
> I'm pretty sure with minimal changes it will work with your recent approach too.

I am using dmsetup directly in my project. I am not familiar with cryptsetup
plain. What benefits do you see with this over direct dmsetup?

What I'd like to see eventually is support for this with LUKS.
There is an RFE on trusted keys and cryptsetup on the project's repository[1].

The behavior I'd want is that the LUKS header would point at the trusted key
blob to use and load it into the kernel. This of course means that
you won't be able to have multiple keys for the encrypted partition.

[1]: https://gitlab.com/cryptsetup/cryptsetup/-/issues/443

Cheers,
Ahmad

--
Pengutronix e.K. | |
Steuerwalder Str. 21 | http://www.pengutronix.de/ |
31137 Hildesheim, Germany | Phone: +49-5121-206917-0 |
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |