Re: [0/many] Acrypto - asynchronous crypto layer for linux kernel 2.6

From: Kyle Moffett
Date: Tue Mar 08 2005 - 09:48:37 EST

Next message: Evgeniy Polyakov: "Re: [1/5] bd: Asynchronous block device"
Previous message: Stephen Smalley: "[PATCH][SELINUX] Fix selinux_setprocattr"
In reply to: Evgeniy Polyakov: "Re: [0/many] Acrypto - asynchronous crypto layer for linux kernel2.6"
Next in thread: Evgeniy Polyakov: "Re: [0/many] Acrypto - asynchronous crypto layer for linux kernel2.6"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mar 08, 2005, at 08:07, Evgeniy Polyakov wrote:

On Tue, 8 Mar 2005 07:22:01 -0500 Kyle Moffett <mrmacman_g4@xxxxxxx> wrote:
I'm not exactly familiar with asynchronous block device, but I'm
guessing that it would need to get its crypto keys from the user
somehow, no? If so, then the best way of managing them is via
the key/keyring infrastructure. From the point of view of other
kernel systems, it's basically a set of BLOB<=>task associations
that supports a reasonable inheritance and permissions model.

Above setup may be implemeted for the userspace/kernelspace application,
which requires continuous access to the key material from the both sides,
but asynchronous block device (and existing cryptoloop and dm-crypt) use
different model, when controlling userspace application only one time
provides required key material(using ioctl) and exits, but key material
remains in kernelspace in device's private area.

The above application works perfectly with the design of the keyring
system. A process (An init-script or something) creates a "key" either
with a file or through some complex method that only user-space needs to
care about, then it calls the keyctl syscall to create an in-kernel key
with the data BLOB. The kernel module that registered the key-type (IE:
symmetric128 or something like that) verifies that the data is valid and
attaches it to a key data-structure.

Later, when you want to use the key for acrypto, cryptoloop, dm-crypt, etc,
you would just pass the key-ID instead of a custom binary format, and the
acrypto layer would just add a reference to the key in its own structure
and increment the refcount.

Cheers,
Kyle Moffett

-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GCM/CS/IT/U d- s++: a18 C++++>$ UB/L/X/*++++(+)>$ P+++(++++)>$
L++++(+++) E W++(+) N+++(++) o? K? w--- O? M++ V? PS+() PE+(-) Y+
PGP+++ t+(+++) 5 X R? tv-(--) b++++(++) DI+ D+ G e->++++$ h!*()>++$ r !y?(-)
------END GEEK CODE BLOCK------

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Evgeniy Polyakov: "Re: [1/5] bd: Asynchronous block device"
Previous message: Stephen Smalley: "[PATCH][SELINUX] Fix selinux_setprocattr"
In reply to: Evgeniy Polyakov: "Re: [0/many] Acrypto - asynchronous crypto layer for linux kernel2.6"
Next in thread: Evgeniy Polyakov: "Re: [0/many] Acrypto - asynchronous crypto layer for linux kernel2.6"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]