Cannot read payload of an encrypted key rooted in a trusted key

From: Salah Coronya
Date: Sun Feb 10 2019 - 23:46:21 EST


In the file Documentation/security/keys-trusted-encrypted, an example is shown of how to create an encrypted key rooted in a trusted key. Basically, the following should work:

KMK_KEY=$(keyctl add trusted kmk "new 32" @u)
keyctl pipe $KMK_KEY > ~/kmk-trusted.blob
EVM_KEY=$(keyctl add encrypted evm "new default trusted:kmk 32" @u)
keyctl pipe $EVM_KEY > ~/evm-trusted.blob

But the last command does not work. It reports "keyctl_read_alloc: Operation not supported"

strace shows this:

keyctl(KEYCTL_READ, 404204492, NULL, 0) = 185
keyctl(KEYCTL_READ, 404204492, 0x557a43f66260, 185) = -1 EOPNOTSUPP (Operation not supported)

I've tried this on kernels 4.4.163, 4.14.83, and 4.20.6, on a machine with a real TPM and with a virtual TPM in a VM, both versions 1.2 and 2.0, and none of the cases work.

However, an encrypted key rooted in a (random) user key DOES work:

KMK_USER=$(dd if=/dev/urandom bs=1 count=32 2>/dev/null | keyctl padd user kmk-user @u)
keyctl pipe $KMK_USER > ~/kmk-user.blob
EVM_USER=$(keyctl add encrypted evm-user "new default user:kmk-user 32" @u)
keyctl pipe $EVM_USER > ~/evm-user.blob

I'm not sure if there is a missing step in the examples, if I have hit a kernel bug, or if I'm doing something wrong.