From: Mimi Zohar <zohar@linux.vnet.ibm.com>
To: Steffen Trumtrar <s.trumtrar@pengutronix.de>
Cc: linux-crypto@vger.kernel.org, keyrings@linux-nfs.org,
linux-ima-user@lists.sourceforge.net,
David Howells <dhowells@redhat.com>,
kernel@pengutronix.de, linux-ima-devel@lists.sourceforge.net,
Dmitry Kasatkin <dmitry.kasatkin@gmail.com>
Subject: Re: [Linux-ima-user] [RFC] i.MX6 CAAM blob generator for IMA/EVM initialization
Date: Mon, 09 Nov 2015 15:29:41 -0500
Message-ID: <1447100981.2728.23.camel@linux.vnet.ibm.com>
In-Reply-To: <1447082306-19946-1-git-send-email-s.trumtrar@pengutronix.de>
On Mon, 2015-11-09 at 16:18 +0100, Steffen Trumtrar wrote:
> Hi!
>
> The RFC Patch attached after this cover letter is mostly for illustration
> purposes, so please don't waste too much time reviewing the code ;-)
>
> For context I'll try to describe the problem that this patch tries to solve.
>
> I need to be able to boot an EVM signed (and dongled) rootfs. The CAAM on
> the i.MX6 has support for an OTP key and can en/decrypt data.
> It also has a feature for generating red blobs: basically a chunk of data,
> that is encrypted with the OTP key, which can be saved on some medium as a
> secret to decrypt the EVM HMAC secret for one specific device.
>
> To open the rootfs, the secret is handed from the bootloader to the kernel
> as a base64 encoded string via the cmdline to an initramfs.
> In the initramfs the sysfs file "modifier" is set to something starting with
> "kernel:evm" and the base64 string is written to the sysfs file "blob".
> The CAAM then decodes the red blob and, in case of "kernel:evm", initializes
> the EVM or otherwise writes the result to "payload" if the modifier starts
> with "user:". Therefore a blob that was generated for EVM never leaves the
> kernel on decryption.
> Generation of blobs goes like: echoing "modifier" to something and echoing
> the payload to "payload". The red blob can then be read from "blob".
>
>
> So, the sysfs interface is not the best option, I guess. The question is:
> What is the right approach for a setup like this?
> I need to:
> - be able to encrypt the secret and store it somewhere
> - to load the stored secret and decrypt it later
> - initialize IMA/EVM with the secret
>
> Would something like
> - security/keys/encrypted-keys/encrypted.c
> be the correct approach?
Instead of using the CAAM for OTP encrypting/decrypting, can it be used
to load the EVM key directly? Dmitry's patches, which will be
upstreamed in 4.5,
https://git.kernel.org/cgit/linux/kernel/git/zohar/linux-integrity.git/log/?h=for-next-4.5?
add support for a crypto device to directly load the EVM key.
FYI, the EVM key is an encrypted key, which encrypts/decrypts either a
trusted or user type key.
Mimi
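The encrypted-key approach Mimi points at stores the EVM HMAC secret on disk only as a blob sealed by a master key, the same role the CAAM red blob plays above. Before such a blob is handed to `keyctl add encrypted evm-key "load ..." @u`, it is worth checking that it is well formed and actually bound to a trusted (hardware-rooted) master key rather than a user key. The Python below is an added example, not code from this thread or from the kernel; it assumes the exported blob layout `[format] <type>:<name> <datalen> <hex>` with the hex part being IV || AES-CBC ciphertext || HMAC-SHA256, and the sample blobs are constructed placeholders.

```python
import re

# Assumed layout of the hex part printed by "keyctl print"/"keyctl pipe"
# for an encrypted key (security/keys/encrypted-keys/encrypted.c):
# AES-CBC IV || ciphertext (datalen rounded up to AES block) || HMAC-SHA256
IV_SIZE = 16
HMAC_SIZE = 32
AES_BLOCK = 16
MIN_DATA_SIZE, MAX_DATA_SIZE = 20, 4096
FORMATS = ("default", "ecryptfs", "enc32")   # optional leading format word


def parse_encrypted_key_blob(blob: str) -> dict:
    """Parse '[format] <type>:<name> <datalen> <hex>' and sanity-check it."""
    fields = blob.split()
    fmt = fields.pop(0) if fields and fields[0] in FORMATS else "default"
    if len(fields) != 3:
        raise ValueError("expected '<type>:<name> <datalen> <hexblob>'")
    master, datalen_s, hexdata = fields
    mtype, sep, mname = master.partition(":")
    if mtype not in ("trusted", "user") or not sep or not mname:
        raise ValueError(f"bad master key description {master!r}")
    if not datalen_s.isdigit():
        raise ValueError("datalen is not a number")
    datalen = int(datalen_s)
    if not MIN_DATA_SIZE <= datalen <= MAX_DATA_SIZE:
        raise ValueError(f"datalen {datalen} out of range")
    padded = -(-datalen // AES_BLOCK) * AES_BLOCK      # round up to block
    expected_hex = 2 * (IV_SIZE + padded + HMAC_SIZE)
    if len(hexdata) != expected_hex or not re.fullmatch(r"[0-9a-fA-F]+", hexdata):
        raise ValueError(f"hex blob must be {expected_hex} hex digits")
    return {"format": fmt, "master_type": mtype, "master_name": mname,
            "datalen": datalen, "hexblob": hexdata.lower()}


def evm_master_key_to_load(blob: str) -> str:
    """Policy check before loading the EVM key: it must be sealed by a
    trusted key (TPM/CAAM-rooted), not a user key that lives in software.
    Returns the name of the trusted key that has to be loaded first."""
    info = parse_encrypted_key_blob(blob)
    if info["master_type"] != "trusted":
        raise ValueError("EVM key is wrapped by a user key; refusing to load")
    return info["master_name"]


# Constructed sample blobs (hex content is a placeholder, not real output).
GOOD_BLOB = "default trusted:kmk 32 " + "ab" * (IV_SIZE + 32 + HMAC_SIZE)
USER_BLOB = "user:kmk 32 " + "ab" * (IV_SIZE + 32 + HMAC_SIZE)
SHORT_BLOB = "trusted:kmk 32 " + "ab" * 10
```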
Thread overview: 6+ messages
2015-11-09 15:18 [RFC] i.MX6 CAAM blob generator for IMA/EVM initialization Steffen Trumtrar
2015-11-09 15:18 ` [RFC] crypto: caam - add red blobifier Steffen Trumtrar
2015-11-09 20:29 ` Mimi Zohar [this message]
2016-01-27 10:04 ` [Linux-ima-user] [RFC] i.MX6 CAAM blob generator for IMA/EVM initialization Steffen Trumtrar
2016-01-28 15:41 ` Mimi Zohar
2016-01-28 16:27 ` Jan Lübbe