From: Eric Biggers <ebiggers@kernel.org>
To: linux-fscrypt@vger.kernel.org
Cc: keyrings@vger.kernel.org, linux-ext4@vger.kernel.org,
linux-f2fs-devel@lists.sourceforge.net,
linux-mtd@lists.infradead.org,
"Theodore Y . Ts'o" <tytso@mit.edu>,
Jaegeuk Kim <jaegeuk@kernel.org>,
David Howells <dhowells@redhat.com>,
Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>,
Paul Crowley <paulcrowley@google.com>,
Paul Lawrence <paullawrence@google.com>,
Ondrej Mosnacek <omosnace@redhat.com>,
Ondrej Kozina <okozina@redhat.com>
Subject: Re: [PATCH v2] fscrypt: support passing a keyring key to FS_IOC_ADD_ENCRYPTION_KEY
Date: Fri, 03 Jan 2020 16:57:27 +0000 [thread overview]
Message-ID: <20200103165727.GB19521@gmail.com> (raw)
In-Reply-To: <20191119222447.226853-1-ebiggers@kernel.org>
On Tue, Nov 19, 2019 at 02:24:47PM -0800, Eric Biggers wrote:
> From: Eric Biggers <ebiggers@google.com>
>
> Extend the FS_IOC_ADD_ENCRYPTION_KEY ioctl to allow the raw key to be
> specified by a Linux keyring key, rather than specified directly.
>
> This is useful because fscrypt keys belong to a particular filesystem
> instance, so they are destroyed when that filesystem is unmounted.
> Usually this is desired. But in some cases, userspace may need to
> unmount and re-mount the filesystem while keeping the keys, e.g. during
> a system update. This requires keeping the keys somewhere else too.
>
> The keys could be kept in memory in a userspace daemon. But depending
> on the security architecture and assumptions, it can be preferable to
> keep them only in kernel memory, where they are unreadable by userspace.
>
> We also can't solve this by going back to the original fscrypt API
> (where for each file, the master key was looked up in the process's
> keyring hierarchy) because that caused lots of problems of its own.
>
> Therefore, add the ability for FS_IOC_ADD_ENCRYPTION_KEY to accept a
> Linux keyring key. This solves the problem by allowing userspace to (if
> needed) save the keys securely in a Linux keyring for re-provisioning,
> while still using the new fscrypt key management ioctls.
>
> This is analogous to how dm-crypt accepts a Linux keyring key, but the
> key is then stored internally in the dm-crypt data structures rather
> than being looked up again each time the dm-crypt device is accessed.
>
> Use a custom key type "fscrypt-provisioning" rather than one of the
> existing key types such as "logon". This is strongly desired because it
> enforces that these keys are only usable for a particular purpose: for
> fscrypt as input to a particular KDF. Otherwise, the keys could also be
> passed to any kernel API that accepts a "logon" key with any service
> prefix, e.g. dm-crypt, UBIFS, or (recently proposed) AF_ALG. This would
> risk leaking information about the raw key despite it ostensibly being
> unreadable. Of course, this mistake has already been made for multiple
> kernel APIs; but since this is a new API, let's do it right.
>
> This patch has been tested using an xfstest which I wrote to test it.
>
> Signed-off-by: Eric Biggers <ebiggers@google.com>
Applied to fscrypt.git#master for 5.6.
- Eric
WARNING: multiple messages have this Message-ID (diff)
From: Eric Biggers <ebiggers@kernel.org>
To: linux-fscrypt@vger.kernel.org
Cc: keyrings@vger.kernel.org, linux-ext4@vger.kernel.org,
linux-f2fs-devel@lists.sourceforge.net,
linux-mtd@lists.infradead.org,
"Theodore Y . Ts'o" <tytso@mit.edu>,
Jaegeuk Kim <jaegeuk@kernel.org>,
David Howells <dhowells@redhat.com>,
Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>,
Paul Crowley <paulcrowley@google.com>,
Paul Lawrence <paullawrence@google.com>,
Ondrej Mosnacek <omosnace@redhat.com>,
Ondrej Kozina <okozina@redhat.com>
Subject: Re: [PATCH v2] fscrypt: support passing a keyring key to FS_IOC_ADD_ENCRYPTION_KEY
Date: Fri, 3 Jan 2020 08:57:27 -0800 [thread overview]
Message-ID: <20200103165727.GB19521@gmail.com> (raw)
In-Reply-To: <20191119222447.226853-1-ebiggers@kernel.org>
On Tue, Nov 19, 2019 at 02:24:47PM -0800, Eric Biggers wrote:
> From: Eric Biggers <ebiggers@google.com>
>
> Extend the FS_IOC_ADD_ENCRYPTION_KEY ioctl to allow the raw key to be
> specified by a Linux keyring key, rather than specified directly.
>
> This is useful because fscrypt keys belong to a particular filesystem
> instance, so they are destroyed when that filesystem is unmounted.
> Usually this is desired. But in some cases, userspace may need to
> unmount and re-mount the filesystem while keeping the keys, e.g. during
> a system update. This requires keeping the keys somewhere else too.
>
> The keys could be kept in memory in a userspace daemon. But depending
> on the security architecture and assumptions, it can be preferable to
> keep them only in kernel memory, where they are unreadable by userspace.
>
> We also can't solve this by going back to the original fscrypt API
> (where for each file, the master key was looked up in the process's
> keyring hierarchy) because that caused lots of problems of its own.
>
> Therefore, add the ability for FS_IOC_ADD_ENCRYPTION_KEY to accept a
> Linux keyring key. This solves the problem by allowing userspace to (if
> needed) save the keys securely in a Linux keyring for re-provisioning,
> while still using the new fscrypt key management ioctls.
>
> This is analogous to how dm-crypt accepts a Linux keyring key, but the
> key is then stored internally in the dm-crypt data structures rather
> than being looked up again each time the dm-crypt device is accessed.
>
> Use a custom key type "fscrypt-provisioning" rather than one of the
> existing key types such as "logon". This is strongly desired because it
> enforces that these keys are only usable for a particular purpose: for
> fscrypt as input to a particular KDF. Otherwise, the keys could also be
> passed to any kernel API that accepts a "logon" key with any service
> prefix, e.g. dm-crypt, UBIFS, or (recently proposed) AF_ALG. This would
> risk leaking information about the raw key despite it ostensibly being
> unreadable. Of course, this mistake has already been made for multiple
> kernel APIs; but since this is a new API, let's do it right.
>
> This patch has been tested using an xfstest which I wrote to test it.
>
> Signed-off-by: Eric Biggers <ebiggers@google.com>
Applied to fscrypt.git#master for 5.6.
- Eric
WARNING: multiple messages have this Message-ID (diff)
From: Eric Biggers <ebiggers@kernel.org>
To: linux-fscrypt@vger.kernel.org
Cc: Paul Lawrence <paullawrence@google.com>,
"Theodore Y . Ts'o" <tytso@mit.edu>,
Ondrej Mosnacek <omosnace@redhat.com>,
Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>,
linux-f2fs-devel@lists.sourceforge.net,
David Howells <dhowells@redhat.com>,
keyrings@vger.kernel.org, linux-mtd@lists.infradead.org,
Ondrej Kozina <okozina@redhat.com>,
Jaegeuk Kim <jaegeuk@kernel.org>,
linux-ext4@vger.kernel.org, Paul Crowley <paulcrowley@google.com>
Subject: Re: [f2fs-dev] [PATCH v2] fscrypt: support passing a keyring key to FS_IOC_ADD_ENCRYPTION_KEY
Date: Fri, 3 Jan 2020 08:57:27 -0800 [thread overview]
Message-ID: <20200103165727.GB19521@gmail.com> (raw)
In-Reply-To: <20191119222447.226853-1-ebiggers@kernel.org>
On Tue, Nov 19, 2019 at 02:24:47PM -0800, Eric Biggers wrote:
> From: Eric Biggers <ebiggers@google.com>
>
> Extend the FS_IOC_ADD_ENCRYPTION_KEY ioctl to allow the raw key to be
> specified by a Linux keyring key, rather than specified directly.
>
> This is useful because fscrypt keys belong to a particular filesystem
> instance, so they are destroyed when that filesystem is unmounted.
> Usually this is desired. But in some cases, userspace may need to
> unmount and re-mount the filesystem while keeping the keys, e.g. during
> a system update. This requires keeping the keys somewhere else too.
>
> The keys could be kept in memory in a userspace daemon. But depending
> on the security architecture and assumptions, it can be preferable to
> keep them only in kernel memory, where they are unreadable by userspace.
>
> We also can't solve this by going back to the original fscrypt API
> (where for each file, the master key was looked up in the process's
> keyring hierarchy) because that caused lots of problems of its own.
>
> Therefore, add the ability for FS_IOC_ADD_ENCRYPTION_KEY to accept a
> Linux keyring key. This solves the problem by allowing userspace to (if
> needed) save the keys securely in a Linux keyring for re-provisioning,
> while still using the new fscrypt key management ioctls.
>
> This is analogous to how dm-crypt accepts a Linux keyring key, but the
> key is then stored internally in the dm-crypt data structures rather
> than being looked up again each time the dm-crypt device is accessed.
>
> Use a custom key type "fscrypt-provisioning" rather than one of the
> existing key types such as "logon". This is strongly desired because it
> enforces that these keys are only usable for a particular purpose: for
> fscrypt as input to a particular KDF. Otherwise, the keys could also be
> passed to any kernel API that accepts a "logon" key with any service
> prefix, e.g. dm-crypt, UBIFS, or (recently proposed) AF_ALG. This would
> risk leaking information about the raw key despite it ostensibly being
> unreadable. Of course, this mistake has already been made for multiple
> kernel APIs; but since this is a new API, let's do it right.
>
> This patch has been tested using an xfstest which I wrote to test it.
>
> Signed-off-by: Eric Biggers <ebiggers@google.com>
Applied to fscrypt.git#master for 5.6.
- Eric
_______________________________________________
Linux-f2fs-devel mailing list
Linux-f2fs-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/linux-f2fs-devel
WARNING: multiple messages have this Message-ID (diff)
From: Eric Biggers <ebiggers@kernel.org>
To: linux-fscrypt@vger.kernel.org
Cc: Paul Lawrence <paullawrence@google.com>,
"Theodore Y . Ts'o" <tytso@mit.edu>,
Ondrej Mosnacek <omosnace@redhat.com>,
Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>,
linux-f2fs-devel@lists.sourceforge.net,
David Howells <dhowells@redhat.com>,
keyrings@vger.kernel.org, linux-mtd@lists.infradead.org,
Ondrej Kozina <okozina@redhat.com>,
Jaegeuk Kim <jaegeuk@kernel.org>,
linux-ext4@vger.kernel.org, Paul Crowley <paulcrowley@google.com>
Subject: Re: [PATCH v2] fscrypt: support passing a keyring key to FS_IOC_ADD_ENCRYPTION_KEY
Date: Fri, 3 Jan 2020 08:57:27 -0800 [thread overview]
Message-ID: <20200103165727.GB19521@gmail.com> (raw)
In-Reply-To: <20191119222447.226853-1-ebiggers@kernel.org>
On Tue, Nov 19, 2019 at 02:24:47PM -0800, Eric Biggers wrote:
> From: Eric Biggers <ebiggers@google.com>
>
> Extend the FS_IOC_ADD_ENCRYPTION_KEY ioctl to allow the raw key to be
> specified by a Linux keyring key, rather than specified directly.
>
> This is useful because fscrypt keys belong to a particular filesystem
> instance, so they are destroyed when that filesystem is unmounted.
> Usually this is desired. But in some cases, userspace may need to
> unmount and re-mount the filesystem while keeping the keys, e.g. during
> a system update. This requires keeping the keys somewhere else too.
>
> The keys could be kept in memory in a userspace daemon. But depending
> on the security architecture and assumptions, it can be preferable to
> keep them only in kernel memory, where they are unreadable by userspace.
>
> We also can't solve this by going back to the original fscrypt API
> (where for each file, the master key was looked up in the process's
> keyring hierarchy) because that caused lots of problems of its own.
>
> Therefore, add the ability for FS_IOC_ADD_ENCRYPTION_KEY to accept a
> Linux keyring key. This solves the problem by allowing userspace to (if
> needed) save the keys securely in a Linux keyring for re-provisioning,
> while still using the new fscrypt key management ioctls.
>
> This is analogous to how dm-crypt accepts a Linux keyring key, but the
> key is then stored internally in the dm-crypt data structures rather
> than being looked up again each time the dm-crypt device is accessed.
>
> Use a custom key type "fscrypt-provisioning" rather than one of the
> existing key types such as "logon". This is strongly desired because it
> enforces that these keys are only usable for a particular purpose: for
> fscrypt as input to a particular KDF. Otherwise, the keys could also be
> passed to any kernel API that accepts a "logon" key with any service
> prefix, e.g. dm-crypt, UBIFS, or (recently proposed) AF_ALG. This would
> risk leaking information about the raw key despite it ostensibly being
> unreadable. Of course, this mistake has already been made for multiple
> kernel APIs; but since this is a new API, let's do it right.
>
> This patch has been tested using an xfstest which I wrote to test it.
>
> Signed-off-by: Eric Biggers <ebiggers@google.com>
Applied to fscrypt.git#master for 5.6.
- Eric
______________________________________________________
Linux MTD discussion mailing list
http://lists.infradead.org/mailman/listinfo/linux-mtd/
next prev parent reply other threads:[~2020-01-03 16:57 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-11-19 22:24 [PATCH v2] fscrypt: support passing a keyring key to FS_IOC_ADD_ENCRYPTION_KEY Eric Biggers
2019-11-19 22:24 ` Eric Biggers
2019-11-19 22:24 ` [f2fs-dev] " Eric Biggers
2019-11-19 22:24 ` Eric Biggers
2020-01-03 16:57 ` Eric Biggers [this message]
2020-01-03 16:57 ` Eric Biggers
2020-01-03 16:57 ` [f2fs-dev] " Eric Biggers
2020-01-03 16:57 ` Eric Biggers
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200103165727.GB19521@gmail.com \
--to=ebiggers@kernel.org \
--cc=dhowells@redhat.com \
--cc=jaegeuk@kernel.org \
--cc=jarkko.sakkinen@linux.intel.com \
--cc=keyrings@vger.kernel.org \
--cc=linux-ext4@vger.kernel.org \
--cc=linux-f2fs-devel@lists.sourceforge.net \
--cc=linux-fscrypt@vger.kernel.org \
--cc=linux-mtd@lists.infradead.org \
--cc=okozina@redhat.com \
--cc=omosnace@redhat.com \
--cc=paulcrowley@google.com \
--cc=paullawrence@google.com \
--cc=tytso@mit.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.