Re: [PATCH 2/2] crypto: caam - support tagged keys for skcipher algorithms
From: Richard Weinberger
Date: Thu Jul 16 2020 - 10:13:12 EST
On Mon, Jul 13, 2020 at 12:09 AM Iuliana Prodan <iuliana.prodan@xxxxxxx> wrote:
>
> Tagged keys are keys that contain metadata indicating what
> they are and how to handle them using tag_object API.
>
> Add support, for tagged keys, to skcipher algorithms by
> adding new transformations, with _tk_ prefix to distinguish
> between plaintext and tagged keys.
>
> For job descriptors a new option (key_cmd_opt) was added for KEY command.
> Tagged keys can be loaded using only a KEY command with ENC=1
> and the proper setting of the EKT bit. The EKT bit in the
> KEY command indicates which encryption algorithm (AES-ECB or
> AES-CCM) should be used to decrypt the key. These options will be kept in
> key_cmd_opt.
>
> The tk_ transformations can be used directly by their name:
> struct sockaddr_alg sa = {
> .salg_family = AF_ALG,
> .salg_type = "skcipher", /* this selects the symmetric cipher */
> .salg_name = "tk(cbc(aes))" /* this is the cipher name */
> };
> or for dm-crypt, e.g. using dmsetup:
> dmsetup -v create encrypted --table "0 $(blockdev --getsz /dev/mmcblk2p10)
> crypt capi:tk(cbc(aes))-plain :32:logon:seckey 0 /dev/mmcblk2p10 0 1
> sector_size:512".
How to use it with cryptsetup?
I'm asking because it is not clear to me why you are not implementing
a new kernel key type (KEYS subsystem)
to utilize tagged keys.
Many tools already support the keyctl userspace interface (cryptsetup,
fscrypt, ...).
--
Thanks,
//richard