RE: [RFC PATCH 0/2] Create CAAM HW key in linux keyring and use in dmcrypt

From: Franck Lenormand
Date: Thu Mar 07 2019 - 08:18:56 EST


> -----Original Message-----
> From: David Howells <dhowells@xxxxxxxxxx>
> Sent: Wednesday, March 6, 2019 6:30 PM
> To: Franck Lenormand <franck.lenormand@xxxxxxx>
> Cc: dhowells@xxxxxxxxxx; linux-kernel@xxxxxxxxxxxxxxx; linux-security-
> module@xxxxxxxxxxxxxxx; keyrings@xxxxxxxxxxxxxxx; Horia Geanta
> <horia.geanta@xxxxxxx>; Silvano Di Ninno <silvano.dininno@xxxxxxx>;
> agk@xxxxxxxxxx; snitzer@xxxxxxxxxx; dm-devel@xxxxxxxxxx;
> jmorris@xxxxxxxxx; serge@xxxxxxxxxx
> Subject: Re: [RFC PATCH 0/2] Create CAAM HW key in linux keyring and use in
> dmcrypt
>
> Franck LENORMAND <franck.lenormand@xxxxxxx> wrote:
>
> > The capacity to generate or load keys already available in the Linux
> > key retention service does not allow exploiting CAAM capabilities,
> > hence we need to create a new key_type. The new key type "caam_tk"
> > allows to:
> > - Create a black key from random
> > - Create a black key from a red key
> > - Load a black blob to retrieve the black key
>
> Is it possible that this could be done through an existing key type, such as the
> asymmetric, trusted or encrypted key types?
>
> David

Hello David,

I didn't know about the asymmetric key type, so I looked it up. From my
observation, it would not be possible to use it for caam_tk, as
we must perform operations on the data provided.
The name "asymmetric" is also misleading for the use we would have.

The trusted and encrypted key types do not provide the necessary
callbacks to do what we would need, or would require huge modifications.

I would like this series to focus on the change related to
dm-crypt. In effect, it is currently not possible to pass a key
from the asymmetric key type to it.

Franck