All of lore.kernel.org
 help / color / mirror / Atom feed
From: Jarkko Sakkinen <jarkko@kernel.org>
To: Martin Ross <mross@pobox.com>
Cc: corbet@lwn.net, dhowells@redhat.com, jejb@linux.ibm.com,
	jmorris@namei.org, keyrings@vger.kernel.org,
	linux-doc@vger.kernel.org, linux-integrity@vger.kernel.org,
	linux-kernel@vger.kernel.org,
	linux-security-module@vger.kernel.org, serge@hallyn.com,
	Yael Tiomkin <yaelt@google.com>, Mimi Zohar <zohar@linux.ibm.com>
Subject: Re: [PATCH v4] KEYS: encrypted: Instantiate key with user-provided decrypted data
Date: Wed, 26 Jan 2022 16:47:19 +0200	[thread overview]
Message-ID: <YfFe9+XDPDIdSqF1@iki.fi> (raw)
In-Reply-To: <CA++MVV3Jse4WZ-zr-SUWQz3Gk_dByU6JduVfUkvQNW+jgm9O4Q@mail.gmail.com>

On Tue, Jan 18, 2022 at 01:26:05PM -0500, Martin Ross wrote:
> Hi Jarkko,
> 
> I have been working with Yael on this project so I thought I might add
> a bit of background here around the use case that this series of
> patches is trying to address.
> 
> At a high level we are trying to provide users of encryption that have
> key management hierarchies a better tradeoff between security and
> availability.  For available and performance reasons master keys often
> need to be released (or derived/wrapped keys created) outside of a KMS
> to clients (which may in turn further wrap those keys in a series of
> levels).  What we are trying to do is provide a mechanism where the
> wrapping/unwrapping of these keys is not dependent on a remote call at
> runtime.  e.g.  To unwrap a key if you are using AWS KMS or Google
> Service you need to make an RPC.  In practice to defend against
> availability or performance issues, designers end up building their
> own kms and effectively encrypting everything with a DEK.  The DEK
> encrypts same set as the master key thereby eliminating the security
> benefit of keeping the master key segregated in the first place.
> 
> We are building a mechanism to  create a security boundary in the
> kernel that allows these master keys to be stored in the kernel and
> used to wrap/unwrap keys via less trusted user processes.  The other
> goal here is to eliminate the complexity and statefulness required to
> do this today which would be to create a trusted daemon or process on
> the machine.  Concretely this means that since the user process will
> not have the master key the system designer has better options.  One
> obvious advantage is that any core dumps or code injection attacks
> won't be able to trivially grab the master key from the process or the
> linux keyring.  Once in the kernel this functionality can be
> transparently integrated into user space crypto libraries that have
> existing key management functionality.
> 
> Hope this helps and happy to answer any further questions!
> 
> M

Thank you.

It indeed does. I think it is a good explanation. Maybe the way to move
forward would be bring this context at leat a bit to the documentation
update?

/Jarkko


  reply	other threads:[~2022-01-26 14:47 UTC|newest]

Thread overview: 21+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-01-18 18:26 [PATCH v4] KEYS: encrypted: Instantiate key with user-provided decrypted data Martin Ross
2022-01-26 14:47 ` Jarkko Sakkinen [this message]
2022-01-26 14:51   ` Jarkko Sakkinen
2022-01-26 20:56     ` Yael Tiomkin
2022-02-04  6:27       ` Jarkko Sakkinen
  -- strict thread matches above, loose matches on Subject: below --
2021-12-29 21:53 Yael Tiomkin
2021-12-30 10:07 ` Sumit Garg
2021-12-30 13:29   ` Mimi Zohar
2022-01-03  6:51     ` Sumit Garg
2022-01-05 20:18       ` Yael Tiomkin
2022-01-07  5:14         ` Sumit Garg
2022-01-07 12:53           ` Yael Tiomkin
2022-01-07 13:32             ` Sumit Garg
2022-01-13 19:14               ` Yael Tiomkin
2022-01-18  6:46                 ` Sumit Garg
2022-01-05 20:12 ` Jarkko Sakkinen
2022-01-06 18:30   ` Yael Tiomkin
2022-01-08 21:58 ` Jarkko Sakkinen
2022-01-10 16:04 ` Nayna
2022-01-13 19:01   ` Yael Tiomkin
2022-01-20 17:13     ` Nayna

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=YfFe9+XDPDIdSqF1@iki.fi \
    --to=jarkko@kernel.org \
    --cc=corbet@lwn.net \
    --cc=dhowells@redhat.com \
    --cc=jejb@linux.ibm.com \
    --cc=jmorris@namei.org \
    --cc=keyrings@vger.kernel.org \
    --cc=linux-doc@vger.kernel.org \
    --cc=linux-integrity@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=mross@pobox.com \
    --cc=serge@hallyn.com \
    --cc=yaelt@google.com \
    --cc=zohar@linux.ibm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.