leandrof/linux
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

dm crypt: support using trusted keys

Browse Source 
Commit 27f5411a71 ("dm crypt: support using encrypted keys") extended
dm-crypt to allow use of "encrypted" keys along with "user" and "logon".

Along the same lines, teach dm-crypt to support "trusted" keys as well.

Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
This commit is contained in:
Ahmad Fatoum 2021-01-22 09:43:21 +01:00 committed by Mike Snitzer
parent 831475cc0b
commit 363880c4eb
3 changed files with 24 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
Documentation/admin-guide/device-mapper/dm-crypt.rst
View File

@ -67,7 +67,7 @@ Parameters::
the value passed in <key_size>. the value passed in <key_size>.
<key_type> <key_type>
Either 'logon', 'user' or 'encrypted' kernel key type. Either 'logon', 'user', 'encrypted' or 'trusted' kernel key type.
<key_description> <key_description>
The kernel keyring key description crypt target should look for The kernel keyring key description crypt target should look for

1
drivers/md/Kconfig
View File

@ -270,6 +270,7 @@ config DM_CRYPT
tristate "Crypt target support" tristate "Crypt target support"
depends on BLK_DEV_DM depends on BLK_DEV_DM
depends on (ENCRYPTED_KEYS || ENCRYPTED_KEYS=n) depends on (ENCRYPTED_KEYS || ENCRYPTED_KEYS=n)
depends on (TRUSTED_KEYS || TRUSTED_KEYS=n)
select CRYPTO select CRYPTO
select CRYPTO_CBC select CRYPTO_CBC
select CRYPTO_ESSIV select CRYPTO_ESSIV

23
drivers/md/dm-crypt.c
View File

@ -37,6 +37,7 @@
#include <linux/key-type.h> #include <linux/key-type.h>
#include <keys/user-type.h> #include <keys/user-type.h>
#include <keys/encrypted-type.h> #include <keys/encrypted-type.h>
#include <keys/trusted-type.h>
#include <linux/device-mapper.h> #include <linux/device-mapper.h>
@ -2452,6 +2453,22 @@ static int set_key_encrypted(struct crypt_config *cc, struct key *key)
return 0; return 0;
} }
static int set_key_trusted(struct crypt_config *cc, struct key *key)
{
const struct trusted_key_payload *tkp;
tkp = key->payload.data[0];
if (!tkp)
return -EKEYREVOKED;
if (cc->key_size != tkp->key_len)
return -EINVAL;
memcpy(cc->key, tkp->key, cc->key_size);
return 0;
}
static int crypt_set_keyring_key(struct crypt_config *cc, const char *key_string) static int crypt_set_keyring_key(struct crypt_config *cc, const char *key_string)
{ {
char *new_key_string, *key_desc; char *new_key_string, *key_desc;
@ -2484,6 +2501,10 @@ static int crypt_set_keyring_key(struct crypt_config *cc, const char *key_string
!strncmp(key_string, "encrypted:", key_desc - key_string + 1)) { !strncmp(key_string, "encrypted:", key_desc - key_string + 1)) {
type = &key_type_encrypted; type = &key_type_encrypted;
set_key = set_key_encrypted; set_key = set_key_encrypted;
} else if (IS_ENABLED(CONFIG_TRUSTED_KEYS) &&
!strncmp(key_string, "trusted:", key_desc - key_string + 1)) {
type = &key_type_trusted;
set_key = set_key_trusted;
} else { } else {
return -EINVAL; return -EINVAL;
} }
@ -3555,7 +3576,7 @@ static void crypt_io_hints(struct dm_target *ti, struct queue_limits *limits)
static struct target_type crypt_target = { static struct target_type crypt_target = {
.name = "crypt", .name = "crypt",
.version = {1, 22, 0}, .version = {1, 23, 0},
.module = THIS_MODULE, .module = THIS_MODULE,
.ctr = crypt_ctr, .ctr = crypt_ctr,
.dtr = crypt_dtr, .dtr = crypt_dtr,