Re: [PATCH v1 0/3] KEYS: trusted: Introduce support for NXP CAAM-based trusted keys

From: Richard Weinberger
Date: Thu Apr 01 2021 - 14:02:19 EST

Next message: Johannes Weiner: "Re: [PATCH v5 00/27] Memory Folios"
Previous message: Boris Brezillon: "Re: [PATCH v10 3/4] mtd: rawnand: Add support for secure regions in NAND memory"
In reply to: Ahmad Fatoum: "Re: [PATCH v1 0/3] KEYS: trusted: Introduce support for NXP CAAM-based trusted keys"
Next in thread: Ahmad Fatoum: "Re: [PATCH v1 0/3] KEYS: trusted: Introduce support for NXP CAAM-based trusted keys"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Ahmad,

----- Ursprüngliche Mail -----
> Von: "Ahmad Fatoum" <a.fatoum@xxxxxxxxxxxxxx>
>> But using LUKS would mean that cryptsetup has access to the plain disc
>> encryption key material?
>> This would be a no-go for many systems out there, key material must not
>> accessible to userspace.
>> I know, distrusting userspace root is not easy, but doable. :)
>
> The LUKS2 format supports tokens. I see no reason why the encrypted blob
> couldn't be stored there along with the usual metadata. cryptsetup would
> then load it as kernel trusted key and use it for dmcrypt decryption.
>
> This will mean we have to part ways with features such as having multiple
> keys, but I think it's worth it to have a plug and play solution for
> trusted keys.

Ah, now I can follow your thoughts!
Yes, that would be nice to have. :)

I kind of assumed you want to use LUKS with passphrases and CAAM blobs.

Thanks,
//richard

Next message: Johannes Weiner: "Re: [PATCH v5 00/27] Memory Folios"
Previous message: Boris Brezillon: "Re: [PATCH v10 3/4] mtd: rawnand: Add support for secure regions in NAND memory"
In reply to: Ahmad Fatoum: "Re: [PATCH v1 0/3] KEYS: trusted: Introduce support for NXP CAAM-based trusted keys"
Next in thread: Ahmad Fatoum: "Re: [PATCH v1 0/3] KEYS: trusted: Introduce support for NXP CAAM-based trusted keys"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]