Re: Migration to trusted keys: sealing user-provided key?

From: Mimi Zohar
Date: Sun Jan 31 2021 - 09:32:33 EST


On Sun, 2021-01-31 at 15:14 +0100, Jan Lübbe wrote:
> On Sun, 2021-01-31 at 07:09 -0500, Mimi Zohar wrote:

<snip>

> >
> > [1] The ima-evm-utils README contains EVM examples of "trusted" and
> > "user" based "encrypted" keys.
>
> I assume you refer to
> https://sourceforge.net/p/linux-ima/ima-evm-utils/ci/master/tree/README#l143
> "Generate EVM encrypted keys" and "Generate EVM trusted keys (TPM based)"?
>
> In both cases, the key used by EVM is a *newly generated* random key. The only
> difference is whether it's encrypted to a user key or a (random) trusted key.

The "encrypted" asymmetric key data doesn't change, "update" just
changes the key under which it is encrypted/decrypted.

Usage::

keyctl add encrypted name "new [format] key-type:master-key-name keylen" ring
keyctl add encrypted name "load hex_blob" ring
keyctl update keyid "update key-type:master-key-name"

Mimi
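Added example, not from this thread or from the kernel: a minimal Python model of the three keyctl operations above (new, load, update), showing that "update" rewraps the same random payload under a different master key. The blob layout and the HMAC-based toy keystream are assumptions for illustration only, not the kernel's encrypted-key format or cipher; the master key names are constructed.

```python
# Model of the encrypted-key lifecycle from the thread. The cipher is a toy
# HMAC-SHA256 keystream and the blob layout is assumed; neither is the
# kernel's real encrypted-keys implementation.
import hashlib
import hmac
import os


def _keystream(master_key: bytes, iv: bytes, n: int) -> bytes:
    """Toy counter-mode keystream derived from the master key (model only)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(master_key, iv + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def wrap(masters: dict, master_name: str, payload: bytes) -> bytes:
    """Encrypt and authenticate the payload under the named master key."""
    mk = masters[master_name]
    iv = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(payload, _keystream(mk, iv, len(payload))))
    tag = hmac.new(mk, master_name.encode() + iv + ct, hashlib.sha256).digest()
    # assumed blob layout: master-key-name iv ciphertext hmac (hex, space separated)
    return b" ".join([master_name.encode(), iv.hex().encode(), ct.hex().encode(), tag.hex().encode()])


def new_encrypted_key(masters: dict, master_name: str, keylen: int) -> bytes:
    """'add encrypted ... "new key-type:master-key-name keylen"': the payload
    is a freshly generated random key, which the user never supplies."""
    return wrap(masters, master_name, os.urandom(keylen))


def unwrap(masters: dict, blob: bytes) -> bytes:
    """'add encrypted ... "load hex_blob"': check the HMAC under the master
    key named in the blob, then decrypt the payload."""
    master_name, iv_hex, ct_hex, tag_hex = blob.split(b" ")
    mk = masters[master_name.decode()]
    iv, ct = bytes.fromhex(iv_hex.decode()), bytes.fromhex(ct_hex.decode())
    expected = hmac.new(mk, master_name + iv + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, bytes.fromhex(tag_hex.decode())):
        raise ValueError("encrypted key blob failed integrity check")
    return bytes(a ^ b for a, b in zip(ct, _keystream(mk, iv, len(ct))))


def update(masters: dict, blob: bytes, new_master: str) -> bytes:
    """'update key-type:master-key-name': the decrypted key material is
    unchanged; only the master key it is wrapped under changes."""
    return wrap(masters, new_master, unwrap(masters, blob))
```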