From: Ondrej Kozina <okozina@redhat.com>
To: Andrey Ryabinin <aryabinin@virtuozzo.com>, dm-devel@redhat.com
Cc: mpatocka@redhat.com, snitzer@redhat.com, agk@redhat.com,
mbroz@redhat.com
Subject: Re: [PATCH v2] dm-crypt: add ability to use keys from the kernel key retention service
Date: Mon, 21 Nov 2016 13:23:03 +0100 [thread overview]
Message-ID: <bb229097-56f7-0ef8-88f0-db2246a2c0c9@redhat.com> (raw)
In-Reply-To: <ff5e69b1-f43c-35c8-6a32-4d7732919075@redhat.com>
On 11/17/2016 09:06 PM, Ondrej Kozina wrote:
> On 11/17/2016 05:35 PM, Andrey Ryabinin wrote:
>> On 11/16/2016 11:47 PM, Ondrej Kozina wrote:
>>> (Please still consider it to be RFC only, I need to modify the uspace teststuite
>>> again due to changes in key_string format. Also the changes to dm-crypt documentation
>>> will follow before final submit. Feature wide I'd consider the patch being complete
>>> unless any bugs would emerge)
>>>
>>> The kernel key service is a generic way to store keys for the use of
>>> other subsystems. Currently there is no way to use kernel keys in dm-crypt.
>>> This patch aims to fix that. Instead of key userspace may pass a key
>>> description with preceding ':'. So message that constructs encryption
>>> mapping now looks like this:
>>>
>>> <cipher> [<key>|:<key_string>] <iv_offset> <dev_path> <start> [<#opt_params> <opt_params>]
>>>
>>> where <key_string> is in format: <key_size>:<key_type>:<key_description>
>>>
>>> Currently we only support two elementary key types: 'user' and 'logon'.
>>> Keys may be loaded in dm-crypt either via <key_string> or using
>>> classical method and pass the key in hex representation directly.
>>>
>>
>> I think we need to hexify key description too, because it can contain spaces.
>
> I see. You're right the kernel key description may really contain
> whitespace chars, bummer. Well what I'm thinking atm is rejecting any
> keys with descriptions containing whitespaces. But let me ask Mike or
> Alasdair what do they think about it.
Answering myself:
so I looked at it once again in detail and I'm now convinced we actually
don't have to do anything about it (provided we'd agree on rejecting any
key_description containing whitespace):
every table is first processed by dm_split_args() before it's passed to
any target driver for further processing. That's true also for message
ioctls. In case you pass table (or message) with whitespace in
key_description it'll fail to construct such dm-crypt target because
number of arguments passed will not match the dm-crypt template.
key_string in format: ':32:logon:some:user key' is considered to be 2
arguments and not single one due to the whitespace.
next prev parent reply other threads:[~2016-11-21 12:23 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-08-09 13:56 [RFC] dm-crypt: add ability to use keys from the kernel key retention service Andrey Ryabinin
2016-08-10 11:16 ` Ondrej Kozina
2016-08-11 15:01 ` [dm-devel] " Andrey Ryabinin
2016-11-07 9:38 ` [PATCH 0/3] Modified kernel keyring support patch Ondrej Kozina
2016-11-07 9:38 ` [PATCH 1/3] dm-crypt: mark key as invalid until properly loaded Ondrej Kozina
2016-11-07 9:38 ` [PATCH 2/3] dm-crypt: add ability to use keys from the kernel key retention service Ondrej Kozina
2016-11-07 9:38 ` [PATCH 3/3] dm-crypt: modifications to previous patch Ondrej Kozina
2016-11-13 17:22 ` Milan Broz
2016-11-16 20:47 ` [PATCH v2] dm-crypt: add ability to use keys from the kernel key retention service Ondrej Kozina
2016-11-17 16:35 ` Andrey Ryabinin
2016-11-17 19:31 ` Milan Broz
2016-11-17 20:06 ` Ondrej Kozina
2016-11-18 16:55 ` Andrey Ryabinin
2016-11-21 12:23 ` Ondrej Kozina [this message]
2016-12-01 17:20 ` [PATCH] dm-crypt: reject key strings containing whitespace chars Ondrej Kozina
2016-11-21 14:58 ` [PATCH v3] dm-crypt: add ability to use keys from the kernel key retention service Ondrej Kozina
2016-11-21 15:40 ` Mike Snitzer
2016-11-23 20:51 ` [PATCH] dm-crypt: check key payload pointer not null Ondrej Kozina
2016-11-24 9:28 ` David Howells
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=bb229097-56f7-0ef8-88f0-db2246a2c0c9@redhat.com \
--to=okozina@redhat.com \
--cc=agk@redhat.com \
--cc=aryabinin@virtuozzo.com \
--cc=dm-devel@redhat.com \
--cc=mbroz@redhat.com \
--cc=mpatocka@redhat.com \
--cc=snitzer@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).