From: Mimi Zohar <zohar@linux.vnet.ibm.com>
To: Steffen Trumtrar <s.trumtrar@pengutronix.de>
Cc: linux-crypto@vger.kernel.org, keyrings@linux-nfs.org,
linux-ima-user@lists.sourceforge.net,
David Howells <dhowells@redhat.com>,
kernel@pengutronix.de, linux-ima-devel@lists.sourceforge.net,
Dmitry Kasatkin <dmitry.kasatkin@gmail.com>
Subject: Re: [Linux-ima-user] [RFC] i.MX6 CAAM blob generator for IMA/EVM initialization
Date: Mon, 09 Nov 2015 15:29:41 -0500 [thread overview]
Message-ID: <1447100981.2728.23.camel@linux.vnet.ibm.com> (raw)
In-Reply-To: <1447082306-19946-1-git-send-email-s.trumtrar@pengutronix.de>
On Mon, 2015-11-09 at 16:18 +0100, Steffen Trumtrar wrote:
> Hi!
>
> The RFC Patch attached after this cover letter is mostly for illustration
> purposes, so please don't waste too much time reviewing the code ;-)
>
> For context I'll try to describe the problem that this patch tries to solve.
>
> I need to be able to boot an EVM signed (and dongled) rootfs. The CAAM on
> the i.MX6 has support for an OTP key and can en/decrypt data.
> It also has a feature for generating red blobs: basically a chunk of data,
> that is encrypted with the OTP key, which can be saved on some medium as a
> secret to decrypt the EVM HMAC secret for one specific device.
>
> To open the rootfs, the secret is handed from the bootloader to the kernel
> as a base64 encoded string via the cmdline to an initramfs.
> In the initramfs the sysfs file "modifier" is set to something starting with
> "kernel:evm" and the base64 string is written to the sysfs file "blob".
> The CAAM than decodes the red blob and, in case of "kernel:evm", initializes
> the EVM or otherwise writes the result to "payload" if the modifier starts
> with "user:". Therefore a blob that was generated for EVM never leaves the
> kernel on decryption.
> Generation of blobs goes like: echoing "modifier" to something and echoing
> the payload to "payload". The red blob can than be read from "blob".
>
>
> So, the sysfs interface is not the best option, I guess. The question is:
> What is the right approach for a setup like this?
> I need to:
> - be able to encrypt the secret and store it somewhere
> - to load the stored secret and decrypt it later
> - initialize IMA/EVM with the secret
>
> Would something like
> - security/keys/encrypted-keys/encrypted.c
> be the correct approach?
Instead of using the CAAM for OTP encrypting/decrypting, can it be used
to load the EVM key directly? Dmitry's patches, which will be
upstreamed in 4.5
https://git.kernel.org/cgit/linux/kernel/git/zohar/linux-integrity.git/log/?h=for-next-4.5? adds support for a crypto device to directly load the EVM key.
FYI, the EVM key is an encrypted key, which encrypts/decrypts either a
trusted or user type key.
Mimi
next prev parent reply other threads:[~2015-11-09 20:29 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-11-09 15:18 [RFC] i.MX6 CAAM blob generator for IMA/EVM initialization Steffen Trumtrar
2015-11-09 15:18 ` [RFC] crypto: caam - add red blobifier Steffen Trumtrar
2015-11-09 20:29 ` Mimi Zohar [this message]
2016-01-27 10:04 ` [Linux-ima-user] [RFC] i.MX6 CAAM blob generator for IMA/EVM initialization Steffen Trumtrar
2016-01-28 15:41 ` Mimi Zohar
2016-01-28 16:27 ` Jan Lübbe
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1447100981.2728.23.camel@linux.vnet.ibm.com \
--to=zohar@linux.vnet.ibm.com \
--cc=dhowells@redhat.com \
--cc=dmitry.kasatkin@gmail.com \
--cc=kernel@pengutronix.de \
--cc=keyrings@linux-nfs.org \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-ima-devel@lists.sourceforge.net \
--cc=linux-ima-user@lists.sourceforge.net \
--cc=s.trumtrar@pengutronix.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).