Re: [PATCH 9/9] KEYS: Fix encrypted key type update method

From: Mimi Zohar
Date: Sat Nov 16 2013 - 22:51:50 EST

Next message: Viresh Kumar: "Re: [PATCH] cpufreq: cpufreq-cpu0: Use a sane boot frequency whenbooting with a mismatched bootloader configuration"
Previous message: Andi Kleen: "Re: [BUG] perf stat: explicit grouping yields unexpected results"
Next in thread: David Howells: "Re: [PATCH 9/9] KEYS: Fix encrypted key type update method"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, 2013-11-14 at 17:59 +0000, David Howells wrote:
> Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx> wrote:
>
> > Is there a keyutils git repo with a version of keyctl that supports the
> > control option?
>
> http://git.kernel.org/cgit/linux/kernel/git/dhowells/keyutils.git/log/?h=development

Thanks!

> > - type size_t is unsigned, no need to verify that it is negative.
>
> It doesn't hurt either...
>
> > - missing Documentation/security/keys-trusted-encrypted.txt updates
>
> Fixed (see diff below), but I suspect trusted_update() also needs scrutiny.
>
> > - the encrypted_preparse() comment still says 'encrypted_instantiate'
>
> Fixed.
>
> David
> ---
> diff --git a/Documentation/security/keys-trusted-encrypted.txt b/Documentation/security/keys-trusted-encrypted.txt
> index e105ae97a4f5..78794adf445d 100644
> --- a/Documentation/security/keys-trusted-encrypted.txt
> +++ b/Documentation/security/keys-trusted-encrypted.txt
> @@ -61,7 +61,7 @@ Usage:
> keyctl add encrypted name "new [format] key-type:master-key-name keylen"
> ring
> keyctl add encrypted name "load hex_blob" ring
> - keyctl update keyid "update key-type:master-key-name"
> + keyctl control keyid encrypted change-master-key "key-type:master-key-name"
>
> format:= 'default | ecryptfs'
> key-type:= 'trusted' | 'user'

The command has remained the same as before: "update key-type:master-key-name".

diff --git a/Documentation/security/keys-trusted-encrypted.txt b/Documentation/security/keys-trusted-encrypted.txt
index e105ae9..6610be4 100644
--- a/Documentation/security/keys-trusted-encrypted.txt
+++ b/Documentation/security/keys-trusted-encrypted.txt
@@ -61,12 +61,12 @@ Usage:
keyctl add encrypted name "new [format] key-type:master-key-name keylen"
ring
keyctl add encrypted name "load hex_blob" ring
- keyctl update keyid "update key-type:master-key-name"
+ keyctl control <keyid> encrypted change-master-key \
+ "update key-type:master-key-name"

format:= 'default | ecryptfs'
key-type:= 'trusted' | 'user'

-
Examples of trusted and encrypted key usage:

Create and save a trusted key named "kmk" of length 32 bytes:
@@ -153,6 +153,12 @@ Load an encrypted key "evm" from saved blob:
82dbbc55be2a44616e4959430436dc4f2a7a9659aa60bb4652aeb2120f149ed197c564e0
24717c64 5972dcb82ab2dde83376d82b2e3c09ffc

+Encrypt the "evm" key with a new master key kmk-new:
+
+ $ keyctl add trusted kmk-new "new 32" @u
+ $ keyctl control 831684262 encrypted change-master-key \
+ "update trusted:kmk-new"
+
Other uses for trusted and encrypted keys, such as for disk and file encryption
are anticipated. In particular the new format 'ecryptfs' has been defined in
in order to use encrypted keys to mount an eCryptfs filesystem. More details

thanks,

Mimi

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Viresh Kumar: "Re: [PATCH] cpufreq: cpufreq-cpu0: Use a sane boot frequency whenbooting with a mismatched bootloader configuration"
Previous message: Andi Kleen: "Re: [BUG] perf stat: explicit grouping yields unexpected results"
Next in thread: David Howells: "Re: [PATCH 9/9] KEYS: Fix encrypted key type update method"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]