dm crypt: support using trusted keys
Commit 27f5411a71
("dm crypt: support using encrypted keys") extended
dm-crypt to allow use of "encrypted" keys along with "user" and "logon".
Along the same lines, teach dm-crypt to support "trusted" keys as well.
Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
This commit is contained in:
parent
831475cc0b
commit
363880c4eb
@ -67,7 +67,7 @@ Parameters::
|
||||
the value passed in <key_size>.
|
||||
|
||||
<key_type>
|
||||
Either 'logon', 'user' or 'encrypted' kernel key type.
|
||||
Either 'logon', 'user', 'encrypted' or 'trusted' kernel key type.
|
||||
|
||||
<key_description>
|
||||
The kernel keyring key description crypt target should look for
|
||||
|
@ -270,6 +270,7 @@ config DM_CRYPT
|
||||
tristate "Crypt target support"
|
||||
depends on BLK_DEV_DM
|
||||
depends on (ENCRYPTED_KEYS || ENCRYPTED_KEYS=n)
|
||||
depends on (TRUSTED_KEYS || TRUSTED_KEYS=n)
|
||||
select CRYPTO
|
||||
select CRYPTO_CBC
|
||||
select CRYPTO_ESSIV
|
||||
|
@ -37,6 +37,7 @@
|
||||
#include <linux/key-type.h>
|
||||
#include <keys/user-type.h>
|
||||
#include <keys/encrypted-type.h>
|
||||
#include <keys/trusted-type.h>
|
||||
|
||||
#include <linux/device-mapper.h>
|
||||
|
||||
@ -2452,6 +2453,22 @@ static int set_key_encrypted(struct crypt_config *cc, struct key *key)
|
||||
return 0;
|
||||
}
|
||||
|
||||
static int set_key_trusted(struct crypt_config *cc, struct key *key)
|
||||
{
|
||||
const struct trusted_key_payload *tkp;
|
||||
|
||||
tkp = key->payload.data[0];
|
||||
if (!tkp)
|
||||
return -EKEYREVOKED;
|
||||
|
||||
if (cc->key_size != tkp->key_len)
|
||||
return -EINVAL;
|
||||
|
||||
memcpy(cc->key, tkp->key, cc->key_size);
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
static int crypt_set_keyring_key(struct crypt_config *cc, const char *key_string)
|
||||
{
|
||||
char *new_key_string, *key_desc;
|
||||
@ -2484,6 +2501,10 @@ static int crypt_set_keyring_key(struct crypt_config *cc, const char *key_string
|
||||
!strncmp(key_string, "encrypted:", key_desc - key_string + 1)) {
|
||||
type = &key_type_encrypted;
|
||||
set_key = set_key_encrypted;
|
||||
} else if (IS_ENABLED(CONFIG_TRUSTED_KEYS) &&
|
||||
!strncmp(key_string, "trusted:", key_desc - key_string + 1)) {
|
||||
type = &key_type_trusted;
|
||||
set_key = set_key_trusted;
|
||||
} else {
|
||||
return -EINVAL;
|
||||
}
|
||||
@ -3555,7 +3576,7 @@ static void crypt_io_hints(struct dm_target *ti, struct queue_limits *limits)
|
||||
|
||||
static struct target_type crypt_target = {
|
||||
.name = "crypt",
|
||||
.version = {1, 22, 0},
|
||||
.version = {1, 23, 0},
|
||||
.module = THIS_MODULE,
|
||||
.ctr = crypt_ctr,
|
||||
.dtr = crypt_dtr,
|
||||
|
Loading…
Reference in New Issue
Block a user