From: Dmitry Monakhov <dmonakhov@openvz.org>
To: keyrings@linux-nfs.org
Cc: ext4 development <linux-ext4@vger.kernel.org>, dhowells@redhat.com
Subject: [RFC] keyctl {clear,revoke} serialization with key-users
Date: Mon, 15 Jun 2015 18:51:28 +0300 [thread overview]
Message-ID: <87ioapt1fj.fsf@openvz.org> (raw)
[-- Attachment #1: Type: text/plain, Size: 2025 bytes --]
Hi,
I'm not an expert in security/keyring stuff but I want to solve an
issue which originally comes from ext4 in most convenient way
Description:
ext4 now use security/key infrastructure for data encryption (keytype = 'logon')
see: https://github.com/torvalds/linux/blob/master/fs/ext4/crypto_key.c
There are use-cases where key added and removed dynamically
#################
# User login and add user's key
e4crypt add_key -S /home/$USER # analog of keyctl add $SOME_ARG
# some activity
echo test > /home/$USER/my_file
#Logout
keyctl clear @s
############
But currently there is not synchronization between 'keyctl clear' and dirty page
buffers write-back, which result in data loss(because key no longer available).
There are several ways to synchronize key-management with key-usage
1) ext4 specific way via userspace
add 'del_key' command to e4crypto which will do:
ioctl(ext4_del_key) # sync and invalidate all inodes which referees given key
keyctl(KEYCTL_INVALIDATE,..) # wipe key from kernel
2) Generic keyring way:
Add kernel API to register event listeners for a key so any subsystem
may listen for such events and performs necessary actions once it happen.
For example:
key = request_key(....)
notify_changes_key(key, event_mask, my_callback)
keyring_clear() {
for_each_listener{
notify_key(callback, KEY_CLEAR)
}
First one is easy and clean also it preserves original keyring management assumptions,
but second one is more generic (since other fs will likely to implement
encryption in near future), the only visible changes of second option
is that callbacks must be synchronous so 'keyctl clear @s' may takes
long time. IMHO such implicit synchronization is good for 99% use-cases,
the only exception is 'emergency key clear' case where we do not
care about data consistency but do care about key to be wiped ASAP.
I would like to implement second option. Please rise your objections if any.
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 472 bytes --]
next reply other threads:[~2015-06-15 15:54 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-06-15 15:51 Dmitry Monakhov [this message]
2015-06-17 16:18 ` [RFC] keyctl {clear,revoke} serialization with key-users David Howells
2015-06-18 10:43 ` Dmitry Monakhov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87ioapt1fj.fsf@openvz.org \
--to=dmonakhov@openvz.org \
--cc=dhowells@redhat.com \
--cc=keyrings@linux-nfs.org \
--cc=linux-ext4@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).