encrypted_keys: Adds support for secure key-type as master key.
Encrypted keys can use secure key-type as master key along with trusted/user keys. Secure key as master key uses, secure key type payload derieved using CAAM hardware. Signed-off-by: Udit Agarwal <udit.agarwal@nxp.com> Reviewed-by: Sahil Malhotra <sahil.malhotra@nxp.com>
This commit is contained in:
parent
e2173ee987
commit
bb7f2bc98a
|
@ -9071,6 +9071,7 @@ F: include/keys/secure-type.h
|
|||
F: security/keys/secure_key.c
|
||||
F: security/keys/securekey_desc.c
|
||||
F: security/keys/securekey_desc.h
|
||||
F: security/keys/encrypted-keys/masterkey_secure.c
|
||||
|
||||
KEYS/KEYRINGS:
|
||||
M: David Howells <dhowells@redhat.com>
|
||||
|
|
|
@ -7,5 +7,7 @@ obj-$(CONFIG_ENCRYPTED_KEYS) += encrypted-keys.o
|
|||
|
||||
encrypted-keys-y := encrypted.o ecryptfs_format.o
|
||||
masterkey-$(CONFIG_TRUSTED_KEYS) := masterkey_trusted.o
|
||||
masterkey-$(CONFIG_SECURE_KEYS) := masterkey_secure.o
|
||||
masterkey-$(CONFIG_TRUSTED_KEYS)-$(CONFIG_ENCRYPTED_KEYS) := masterkey_trusted.o
|
||||
masterkey-$(CONFIG_SECURE_KEYS)-$(CONFIG_ENCRYPTED_KEYS) := masterkey_secure.o
|
||||
encrypted-keys-y += $(masterkey-y) $(masterkey-m-m)
|
||||
|
|
|
@ -36,6 +36,7 @@
|
|||
#include "ecryptfs_format.h"
|
||||
|
||||
static const char KEY_TRUSTED_PREFIX[] = "trusted:";
|
||||
static const char KEY_SECURE_PREFIX[] = "secure:";
|
||||
static const char KEY_USER_PREFIX[] = "user:";
|
||||
static const char hash_alg[] = "sha256";
|
||||
static const char hmac_alg[] = "hmac(sha256)";
|
||||
|
@ -47,6 +48,7 @@ static unsigned int ivsize;
|
|||
static int blksize;
|
||||
|
||||
#define KEY_TRUSTED_PREFIX_LEN (sizeof (KEY_TRUSTED_PREFIX) - 1)
|
||||
#define KEY_SECURE_PREFIX_LEN (sizeof(KEY_SECURE_PREFIX) - 1)
|
||||
#define KEY_USER_PREFIX_LEN (sizeof (KEY_USER_PREFIX) - 1)
|
||||
#define KEY_ECRYPTFS_DESC_LEN 16
|
||||
#define HASH_SIZE SHA256_DIGEST_SIZE
|
||||
|
@ -125,7 +127,7 @@ static int valid_ecryptfs_desc(const char *ecryptfs_desc)
|
|||
/*
|
||||
* valid_master_desc - verify the 'key-type:desc' of a new/updated master-key
|
||||
*
|
||||
* key-type:= "trusted:" | "user:"
|
||||
* key-type:= "trusted:" | "user:" | "secure:"
|
||||
* desc:= master-key description
|
||||
*
|
||||
* Verify that 'key-type' is valid and that 'desc' exists. On key update,
|
||||
|
@ -140,6 +142,8 @@ static int valid_master_desc(const char *new_desc, const char *orig_desc)
|
|||
|
||||
if (!strncmp(new_desc, KEY_TRUSTED_PREFIX, KEY_TRUSTED_PREFIX_LEN))
|
||||
prefix_len = KEY_TRUSTED_PREFIX_LEN;
|
||||
else if (!strncmp(new_desc, KEY_SECURE_PREFIX, KEY_SECURE_PREFIX_LEN))
|
||||
prefix_len = KEY_SECURE_PREFIX_LEN;
|
||||
else if (!strncmp(new_desc, KEY_USER_PREFIX, KEY_USER_PREFIX_LEN))
|
||||
prefix_len = KEY_USER_PREFIX_LEN;
|
||||
else
|
||||
|
@ -358,7 +362,7 @@ static int calc_hmac(u8 *digest, const u8 *key, unsigned int keylen,
|
|||
|
||||
enum derived_key_type { ENC_KEY, AUTH_KEY };
|
||||
|
||||
/* Derive authentication/encryption key from trusted key */
|
||||
/* Derive authentication/encryption key from trusted/secure key */
|
||||
static int get_derived_key(u8 *derived_key, enum derived_key_type key_type,
|
||||
const u8 *master_key, size_t master_keylen)
|
||||
{
|
||||
|
@ -429,6 +433,11 @@ static struct key *request_master_key(struct encrypted_key_payload *epayload,
|
|||
mkey = request_trusted_key(epayload->master_desc +
|
||||
KEY_TRUSTED_PREFIX_LEN,
|
||||
master_key, master_keylen);
|
||||
} else if (!strncmp(epayload->master_desc, KEY_SECURE_PREFIX,
|
||||
KEY_SECURE_PREFIX_LEN)) {
|
||||
mkey = request_secure_key(epayload->master_desc +
|
||||
KEY_SECURE_PREFIX_LEN,
|
||||
master_key, master_keylen);
|
||||
} else if (!strncmp(epayload->master_desc, KEY_USER_PREFIX,
|
||||
KEY_USER_PREFIX_LEN)) {
|
||||
mkey = request_user_key(epayload->master_desc +
|
||||
|
|
|
@ -16,6 +16,19 @@ static inline struct key *request_trusted_key(const char *trusted_desc,
|
|||
}
|
||||
#endif
|
||||
|
||||
#if defined(CONFIG_SECURE_KEYS)
|
||||
extern struct key *request_secure_key(const char *secure_desc,
|
||||
const u8 **master_key,
|
||||
size_t *master_keylen);
|
||||
#else
|
||||
static inline struct key *request_secure_key(const char *secure_desc,
|
||||
const u8 **master_key,
|
||||
size_t *master_keylen)
|
||||
{
|
||||
return ERR_PTR(-EOPNOTSUPP);
|
||||
}
|
||||
#endif
|
||||
|
||||
#if ENCRYPTED_DEBUG
|
||||
static inline void dump_master_key(const u8 *master_key, size_t master_keylen)
|
||||
{
|
||||
|
|
|
@ -0,0 +1,37 @@
|
|||
// SPDX-License-Identifier: GPL-2.0
|
||||
/*
|
||||
* Copyright (C) 2018 NXP.
|
||||
*
|
||||
*/
|
||||
|
||||
#include <linux/uaccess.h>
|
||||
#include <linux/module.h>
|
||||
#include <linux/err.h>
|
||||
#include <keys/secure-type.h>
|
||||
#include <keys/encrypted-type.h>
|
||||
#include "encrypted.h"
|
||||
|
||||
/*
|
||||
* request_secure_key - request the secure key
|
||||
*
|
||||
* Secure keys and their blobs are derived from CAAM hardware.
|
||||
* Userspace manages secure key-type data, but key data is not
|
||||
* visible in plain form. It is presented as blobs.
|
||||
*/
|
||||
struct key *request_secure_key(const char *secure_desc,
|
||||
const u8 **master_key, size_t *master_keylen)
|
||||
{
|
||||
struct secure_key_payload *spayload;
|
||||
struct key *skey;
|
||||
|
||||
skey = request_key(&key_type_secure, secure_desc, NULL);
|
||||
if (IS_ERR(skey))
|
||||
goto error;
|
||||
|
||||
down_read(&skey->sem);
|
||||
spayload = skey->payload.data[0];
|
||||
*master_key = spayload->key;
|
||||
*master_keylen = spayload->key_len;
|
||||
error:
|
||||
return skey;
|
||||
}
|
Loading…
Reference in New Issue