From: David Howells <dhowells@redhat.com>
To: Mimi Zohar <zohar@linux.vnet.ibm.com>
Cc: dhowells@redhat.com, d.kasatkin@samsung.com,
Mimi Zohar <zohar@us.ibm.com>,
keyrings@linux-nfs.org, linux-security-module@vger.kernel.org,
linux-kernel <linux-kernel@vger.kernel.org>,
David Safford <safford@linux.vnet.ibm.com>
Subject: Re: [RFC][PATCH 0/9] encrypted keys & key control op
Date: Mon, 11 Nov 2013 22:34:31 +0000 [thread overview]
Message-ID: <23408.1384209271@warthog.procyon.org.uk> (raw)
In-Reply-To: <1384172064.18684.55.camel@dhcp-9-2-203-236.watson.ibm.com>
Mimi Zohar <zohar@linux.vnet.ibm.com> wrote:
> > Further, the existence of encrypted_update() means that add_key() will
> > sometimes get things wrong with encrypted keys (add_key() will call
> > ->update() if a matching key already exists rather than creating a new
> > key).
>
> I see. The key_type structure defines a number of methods,
> including .instantiate and .update. I would have thought that
> only .update would be allowed to update an existing key.
That is correct. ->instantiate() is only called for a new key and ->update()
for an existing key.
> Instantiating a new key should create a new key or fail, not update a key.
That is subjective and depends on how you want your interface to work. If you
look upon it as the "key struct" is a box with some content and the content is
switchable, then does it matter?
And, yes, ->update() should probably have been called something like replace
or reinstantiate. The benefits of hindsight...
> I'm sure there is/was a good reason for add_key() to do both.
Yes. No race.
> > But you can't pre-search for the existence of a key and mould the payload
> > accordingly because that means you can race against both add_key() and
> > keyctl_unlink().
>
> Would this still be the case, if you differentiated between
> instantiating and updating a key?
Yes. Imagine, you try to add a key and it gets rejected because the key
already exists. You then try to update the existing key, but that gets
rejected because someone unlinked the key in the meantime. So you try and add
it again, but this now fails because someone added a new key. Repeat.
Or add_key() could immediately displace a key someone else just added, leaving
them with a key ID that disappeared as soon as it was returned due to an
add/add race.
The right behaviour can be argued in different ways.
> > My solution is to add a new keyctl function that allows the caller to
> > perform a type-specific operation on a key:
> >
> > long keyctl_control(key_serial_t key_id,
> > const char *command,
> > char *reply_buffer,
> > size_t reply_size);
>
> > This would then take a NUL-terminated string indicating the command and
> > arguments and potentially return a reply up to the buffer length.
>
> What is the usecase scenario that would require a reply_buffer?
I don't want to have to add a keyctl_control2() down the line that has a
reply_buffer if this one doesn't when someone finds a use it if it's easy
enough and small enough to provide the facility here. This is aimed at being
a general interface rather than being specifically for encrypted keys.
David
next prev parent reply other threads:[~2013-11-11 22:34 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-11-04 16:22 [RFC][PATCH 0/9] encrypted keys & key control op David Howells
2013-11-04 16:22 ` [PATCH 1/9] KEYS: The RSA public key algorithm needs to select MPILIB David Howells
2013-11-04 16:22 ` [PATCH 2/9] KEYS: Provide a generic instantiation function David Howells
2013-11-04 16:22 ` [PATCH 3/9] KEYS: struct key_preparsed_payload should have two payload pointers David Howells
2013-11-04 16:22 ` [PATCH 4/9] KEYS: Allow expiry time to be set when preparsing a key David Howells
2013-11-04 16:22 ` [PATCH 5/9] KEYS: Call ->free_preparse() even after ->preparse() returns an error David Howells
2013-11-04 16:23 ` [PATCH 6/9] KEYS: Trusted: Use key preparsing David Howells
2013-11-13 16:49 ` Mimi Zohar
2013-11-14 15:50 ` David Howells
2013-11-04 16:23 ` [PATCH 7/9] KEYS: Add a keyctl function to alter/control a key in type-dependent way David Howells
2013-11-04 16:23 ` [PATCH 8/9] KEYS: Implement keyctl control for encrypted keys David Howells
2013-11-04 16:23 ` [PATCH 9/9] KEYS: Fix encrypted key type update method David Howells
2013-11-13 18:45 ` Mimi Zohar
2013-11-14 17:59 ` David Howells
2013-11-17 3:51 ` Mimi Zohar
2013-11-17 9:17 ` David Howells
2013-11-17 13:43 ` Mimi Zohar
2013-11-06 17:20 ` [RFC][PATCH 0/9] encrypted keys & key control op Dmitry Kasatkin
2013-11-06 17:42 ` David Howells
2013-11-11 12:14 ` Mimi Zohar
2013-11-11 22:34 ` David Howells [this message]
2013-11-12 0:26 ` Mimi Zohar
2013-11-12 16:19 ` David Howells
2013-11-11 16:32 ` Mimi Zohar
2013-11-11 22:35 ` David Howells
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=23408.1384209271@warthog.procyon.org.uk \
--to=dhowells@redhat.com \
--cc=d.kasatkin@samsung.com \
--cc=keyrings@linux-nfs.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=safford@linux.vnet.ibm.com \
--cc=zohar@linux.vnet.ibm.com \
--cc=zohar@us.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.