| Message ID | 20210122084321.24012-2-a.fatoum@pengutronix.de (mailing list archive) |
|---|---|
| State | New |
| Headers | show |
| Series | None | expand |
On Fri, Jan 22, 2021 at 09:43:21AM +0100, Ahmad Fatoum wrote: > Commit 27f5411a718c ("dm crypt: support using encrypted keys") extended > dm-crypt to allow use of "encrypted" keys along with "user" and "logon". > > Along the same lines, teach dm-crypt to support "trusted" keys as well. > > Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de> > --- Is it possible to test run this with tmpfs? Would be a good test target for Sumit's ARM-TEE trusted keys patches. https://lore.kernel.org/linux-integrity/1604419306-26105-1-git-send-email-sumit.garg@linaro.org/ /Jarkko > Unsure on whether target_type::version is something authors increment or > maintainers fix up. I can respin if needed. > > Cc: Jan Lübbe <jlu@pengutronix.de> > Cc: linux-integrity@vger.kernel.org > Cc: keyrings@vger.kernel.org > Cc: Dmitry Baryshkov <dbaryshkov@gmail.com> > --- > .../admin-guide/device-mapper/dm-crypt.rst | 2 +- > drivers/md/Kconfig | 1 + > drivers/md/dm-crypt.c | 23 ++++++++++++++++++- > 3 files changed, 24 insertions(+), 2 deletions(-) > > diff --git a/Documentation/admin-guide/device-mapper/dm-crypt.rst b/Documentation/admin-guide/device-mapper/dm-crypt.rst > index 1a6753b76dbb..aa2d04d95df6 100644 > --- a/Documentation/admin-guide/device-mapper/dm-crypt.rst > +++ b/Documentation/admin-guide/device-mapper/dm-crypt.rst > @@ -67,7 +67,7 @@ Parameters:: > the value passed in <key_size>. > > <key_type> > - Either 'logon', 'user' or 'encrypted' kernel key type. > + Either 'logon', 'user', 'encrypted' or 'trusted' kernel key type. > > <key_description> > The kernel keyring key description crypt target should look for > diff --git a/drivers/md/Kconfig b/drivers/md/Kconfig > index 9e44c09f6410..f2014385d48b 100644 > --- a/drivers/md/Kconfig > +++ b/drivers/md/Kconfig > @@ -270,6 +270,7 @@ config DM_CRYPT > tristate "Crypt target support" > depends on BLK_DEV_DM > depends on (ENCRYPTED_KEYS || ENCRYPTED_KEYS=n) > + depends on (TRUSTED_KEYS || TRUSTED_KEYS=n) > select CRYPTO > select CRYPTO_CBC > select CRYPTO_ESSIV > diff --git a/drivers/md/dm-crypt.c b/drivers/md/dm-crypt.c > index 7eeb9248eda5..6c7c687e546c 100644 > --- a/drivers/md/dm-crypt.c > +++ b/drivers/md/dm-crypt.c > @@ -37,6 +37,7 @@ > #include <linux/key-type.h> > #include <keys/user-type.h> > #include <keys/encrypted-type.h> > +#include <keys/trusted-type.h> > > #include <linux/device-mapper.h> > > @@ -2452,6 +2453,22 @@ static int set_key_encrypted(struct crypt_config *cc, struct key *key) > return 0; > } > > +static int set_key_trusted(struct crypt_config *cc, struct key *key) > +{ > + const struct trusted_key_payload *tkp; > + > + tkp = key->payload.data[0]; > + if (!tkp) > + return -EKEYREVOKED; > + > + if (cc->key_size != tkp->key_len) > + return -EINVAL; > + > + memcpy(cc->key, tkp->key, cc->key_size); > + > + return 0; > +} > + > static int crypt_set_keyring_key(struct crypt_config *cc, const char *key_string) > { > char *new_key_string, *key_desc; > @@ -2484,6 +2501,10 @@ static int crypt_set_keyring_key(struct crypt_config *cc, const char *key_string > !strncmp(key_string, "encrypted:", key_desc - key_string + 1)) { > type = &key_type_encrypted; > set_key = set_key_encrypted; > + } else if (IS_ENABLED(CONFIG_TRUSTED_KEYS) && > + !strncmp(key_string, "trusted:", key_desc - key_string + 1)) { > + type = &key_type_trusted; > + set_key = set_key_trusted; > } else { > return -EINVAL; > } > @@ -3555,7 +3576,7 @@ static void crypt_io_hints(struct dm_target *ti, struct queue_limits *limits) > > static struct target_type crypt_target = { > .name = "crypt", > - .version = {1, 22, 0}, > + .version = {1, 23, 0}, > .module = THIS_MODULE, > .ctr = crypt_ctr, > .dtr = crypt_dtr, > -- > 2.30.0 > >
On Fri, Jan 22, 2021 at 08:05:51PM +0200, Jarkko Sakkinen wrote: > On Fri, Jan 22, 2021 at 09:43:21AM +0100, Ahmad Fatoum wrote: > > Commit 27f5411a718c ("dm crypt: support using encrypted keys") extended > > dm-crypt to allow use of "encrypted" keys along with "user" and "logon". > > > > Along the same lines, teach dm-crypt to support "trusted" keys as well. > > > > Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de> > > --- > > Is it possible to test run this with tmpfs? Would be a good test > target for Sumit's ARM-TEE trusted keys patches. > > https://lore.kernel.org/linux-integrity/1604419306-26105-1-git-send-email-sumit.garg@linaro.org/ Also, I would hold merging *this* patch up until we are able to test TEE trusted keys with TEE trusted keys. /Jarkko
Hello Jarkko, On 22.01.21 19:18, Jarkko Sakkinen wrote: > On Fri, Jan 22, 2021 at 08:05:51PM +0200, Jarkko Sakkinen wrote: >> On Fri, Jan 22, 2021 at 09:43:21AM +0100, Ahmad Fatoum wrote: >>> Commit 27f5411a718c ("dm crypt: support using encrypted keys") extended >>> dm-crypt to allow use of "encrypted" keys along with "user" and "logon". >>> >>> Along the same lines, teach dm-crypt to support "trusted" keys as well. >>> >>> Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de> >>> --- >> >> Is it possible to test run this with tmpfs? Would be a good test >> target for Sumit's ARM-TEE trusted keys patches. I tested these on top of Sumit's patches with TPM and a CAAM blobifier backend, I am preparing. The system I am developing these patches against doesn't have a TEE. Steps to test these changes: #!/bin/sh DEV=/dev/loop0 ALGO=aes-cbc-essiv:sha256 KEYNAME=kmk BLOCKS=20 fallocate -l $((BLOCKS*512)) /tmp/loop0.img losetup -P $DEV /tmp/loop0.img mount -o remount,rw / KEY="$(keyctl add trusted $KEYNAME 'new 32' @s)" keyctl pipe $KEY >$HOME/kmk.blob TABLE="0 $BLOCKS crypt $ALGO :32:trusted:$KEYNAME 0 $DEV 0 1 allow_discards" echo $TABLE | dmsetup create mydev echo $TABLE | dmsetup load mydev dd if=/dev/zero of=/dev/mapper/mydev echo "It works!" 1<> /dev/mapper/mydev cryptsetup close mydev reboot DEV=/dev/loop0 ALGO=aes-cbc-essiv:sha256 KEYNAME=kmk BLOCKS=20 losetup -P $DEV $HOME/loop0.img keyctl add trusted $KEYNAME "load $(cat $HOME/kmk.blob)" @s TABLE="0 $BLOCKS crypt $ALGO :32:trusted:$KEYNAME 0 $DEV 0 1 allow_discards" echo $TABLE | dmsetup create mydev echo $TABLE | dmsetup load mydev # should print that It works! hexdump -C /dev/mapper/mydev >> https://lore.kernel.org/linux-integrity/1604419306-26105-1-git-send-email-sumit.garg@linaro.org/ > > Also, I would hold merging *this* patch up until we are able to > test TEE trusted keys with TEE trusted keys. Which blocks which? I tested this with TPM-Trusted keys, so it's usable as is. For convenient usage, it would be nice to have cryptsetup support for trusted and encrypted keys. I intended to look at this next week. Cheers, Ahmad > > /Jarkko >
On 22.01.21 20:04, Ahmad Fatoum wrote: > On 22.01.21 19:18, Jarkko Sakkinen wrote: >> On Fri, Jan 22, 2021 at 08:05:51PM +0200, Jarkko Sakkinen wrote: >>> On Fri, Jan 22, 2021 at 09:43:21AM +0100, Ahmad Fatoum wrote: >>>> Commit 27f5411a718c ("dm crypt: support using encrypted keys") extended >>>> dm-crypt to allow use of "encrypted" keys along with "user" and "logon". >>>> >>>> Along the same lines, teach dm-crypt to support "trusted" keys as well. Gentle ping. Is there anything further you require from me regarding these two patches? >>>> >>>> Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de> >>>> --- >>> >>> Is it possible to test run this with tmpfs? Would be a good test >>> target for Sumit's ARM-TEE trusted keys patches. > > I tested these on top of Sumit's patches with TPM and a CAAM blobifier > backend, I am preparing. The system I am developing these patches against > doesn't have a TEE. Steps to test these changes: > > #!/bin/sh > > DEV=/dev/loop0 > ALGO=aes-cbc-essiv:sha256 > KEYNAME=kmk > BLOCKS=20 > > fallocate -l $((BLOCKS*512)) /tmp/loop0.img > losetup -P $DEV /tmp/loop0.img > mount -o remount,rw / > KEY="$(keyctl add trusted $KEYNAME 'new 32' @s)" > keyctl pipe $KEY >$HOME/kmk.blob > > TABLE="0 $BLOCKS crypt $ALGO :32:trusted:$KEYNAME 0 $DEV 0 1 allow_discards" > echo $TABLE | dmsetup create mydev > echo $TABLE | dmsetup load mydev > dd if=/dev/zero of=/dev/mapper/mydev > echo "It works!" 1<> /dev/mapper/mydev > cryptsetup close mydev > > reboot > > DEV=/dev/loop0 > ALGO=aes-cbc-essiv:sha256 > KEYNAME=kmk > BLOCKS=20 > > losetup -P $DEV $HOME/loop0.img > keyctl add trusted $KEYNAME "load $(cat $HOME/kmk.blob)" @s > TABLE="0 $BLOCKS crypt $ALGO :32:trusted:$KEYNAME 0 $DEV 0 1 allow_discards" > echo $TABLE | dmsetup create mydev > echo $TABLE | dmsetup load mydev > > # should print that It works! > hexdump -C /dev/mapper/mydev > >>> https://lore.kernel.org/linux-integrity/1604419306-26105-1-git-send-email-sumit.garg@linaro.org/ >> >> Also, I would hold merging *this* patch up until we are able to >> test TEE trusted keys with TEE trusted keys. > > Which blocks which? I tested this with TPM-Trusted keys, so it's usable > as is. For convenient usage, it would be nice to have cryptsetup > support for trusted and encrypted keys. I intended to look at this next week. > > Cheers, > Ahmad > >> >> /Jarkko >> >
diff --git a/Documentation/admin-guide/device-mapper/dm-crypt.rst b/Documentation/admin-guide/device-mapper/dm-crypt.rst index 1a6753b76dbb..aa2d04d95df6 100644 --- a/Documentation/admin-guide/device-mapper/dm-crypt.rst +++ b/Documentation/admin-guide/device-mapper/dm-crypt.rst @@ -67,7 +67,7 @@ Parameters:: the value passed in <key_size>. <key_type> - Either 'logon', 'user' or 'encrypted' kernel key type. + Either 'logon', 'user', 'encrypted' or 'trusted' kernel key type. <key_description> The kernel keyring key description crypt target should look for diff --git a/drivers/md/Kconfig b/drivers/md/Kconfig index 9e44c09f6410..f2014385d48b 100644 --- a/drivers/md/Kconfig +++ b/drivers/md/Kconfig @@ -270,6 +270,7 @@ config DM_CRYPT tristate "Crypt target support" depends on BLK_DEV_DM depends on (ENCRYPTED_KEYS || ENCRYPTED_KEYS=n) + depends on (TRUSTED_KEYS || TRUSTED_KEYS=n) select CRYPTO select CRYPTO_CBC select CRYPTO_ESSIV diff --git a/drivers/md/dm-crypt.c b/drivers/md/dm-crypt.c index 7eeb9248eda5..6c7c687e546c 100644 --- a/drivers/md/dm-crypt.c +++ b/drivers/md/dm-crypt.c @@ -37,6 +37,7 @@ #include <linux/key-type.h> #include <keys/user-type.h> #include <keys/encrypted-type.h> +#include <keys/trusted-type.h> #include <linux/device-mapper.h> @@ -2452,6 +2453,22 @@ static int set_key_encrypted(struct crypt_config *cc, struct key *key) return 0; } +static int set_key_trusted(struct crypt_config *cc, struct key *key) +{ + const struct trusted_key_payload *tkp; + + tkp = key->payload.data[0]; + if (!tkp) + return -EKEYREVOKED; + + if (cc->key_size != tkp->key_len) + return -EINVAL; + + memcpy(cc->key, tkp->key, cc->key_size); + + return 0; +} + static int crypt_set_keyring_key(struct crypt_config *cc, const char *key_string) { char *new_key_string, *key_desc; @@ -2484,6 +2501,10 @@ static int crypt_set_keyring_key(struct crypt_config *cc, const char *key_string !strncmp(key_string, "encrypted:", key_desc - key_string + 1)) { type = &key_type_encrypted; set_key = set_key_encrypted; + } else if (IS_ENABLED(CONFIG_TRUSTED_KEYS) && + !strncmp(key_string, "trusted:", key_desc - key_string + 1)) { + type = &key_type_trusted; + set_key = set_key_trusted; } else { return -EINVAL; } @@ -3555,7 +3576,7 @@ static void crypt_io_hints(struct dm_target *ti, struct queue_limits *limits) static struct target_type crypt_target = { .name = "crypt", - .version = {1, 22, 0}, + .version = {1, 23, 0}, .module = THIS_MODULE, .ctr = crypt_ctr, .dtr = crypt_dtr,
Commit 27f5411a718c ("dm crypt: support using encrypted keys") extended dm-crypt to allow use of "encrypted" keys along with "user" and "logon". Along the same lines, teach dm-crypt to support "trusted" keys as well. Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de> --- Unsure on whether target_type::version is something authors increment or maintainers fix up. I can respin if needed. Cc: Jan Lübbe <jlu@pengutronix.de> Cc: linux-integrity@vger.kernel.org Cc: keyrings@vger.kernel.org Cc: Dmitry Baryshkov <dbaryshkov@gmail.com> --- .../admin-guide/device-mapper/dm-crypt.rst | 2 +- drivers/md/Kconfig | 1 + drivers/md/dm-crypt.c | 23 ++++++++++++++++++- 3 files changed, 24 insertions(+), 2 deletions(-)