linux-fsdevel.vger.kernel.org archive mirror
From: Eric Biggers <ebiggers3@gmail.com>
To: Richard Weinberger <richard@nod.at>
Cc: Theodore Ts'o <tytso@mit.edu>, Eric Biggers <ebiggers@google.com>,
	Jaegeuk Kim <jaegeuk@kernel.org>,
	Anand Jain <anand.jain@oracle.com>,
	David Gstir <david@sigma-star.at>,
	linux-fsdevel <linux-fsdevel@vger.kernel.org>
Subject: Re: Support for other keyrings than logon in fscrypt?
Date: Tue, 14 Feb 2017 22:27:28 -0800
Message-ID: <20170215062728.GA29850@zzz>
In-Reply-To: <657b45e3-322d-44c4-1ea6-e43ff76be785@nod.at>

Hi Richard,

On Tue, Feb 14, 2017 at 11:51:31AM +0100, Richard Weinberger wrote:
> AFAICT fscrypt was designed for the Android/ChromeOS use-case to encrypt a home directory.
> For this case using keys of type logon makes perfect sense.
> But there are cases where other types would be useful.
> Please consider the case where the whole filesystem is encrypted and an initramfs loads
> the encryption master key. Here a logon key is not suitable since different users might need
> it.
> 
> I suggest adding support for different types to fscrypt_get_crypt_info().
> I.e. such that a filesystem can indicate in ->s_cop that a "global" key ring
> should be used.
> 
> What do you think?

I think you may be confusing keys and keyrings.  "logon" is a type of key, not a
type of keyring.  The semantics of a "logon" key are that it can be created and
updated by userspace, but cannot be read by userspace.  (See
Documentation/security/keys.txt.)  Despite the name it does not need to be tied
to an actual user "logging in" per se, and you can add a "logon" key to any
keyring, either one of the special ones like a session keyring, or to a manually
created one.

Also, session keyrings do not need to be tied to other concepts of a "session";
a process can simply set one up, and it gets inherited by children.  So it would
be possible for init to insert the key into its session keyring, and then all
processes would inherit it, unless they explicitly replace it.

If I'm not mistaken, Android actually uses a global keyring quite similarly to
that.  I think the only real difference is that a privileged process on Android
adds and removes keys as users log in and out, whereas you'll need to add a key
at init time only.

Eric
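
Added example, not part of the message above and not kernel or fscrypt code: a C sketch of the two behaviours described, a "logon" key placed in a session keyring is visible to a forked child through inheritance, and userspace cannot read its payload back. The description `demo:master`, the payload and the function names are assumptions made for illustration; the payload is not in fscrypt's key format.

```c
#define _GNU_SOURCE
#include <linux/keyctl.h>   /* KEYCTL_*, KEY_SPEC_SESSION_KEYRING */
#include <stdio.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#define DESC "demo:master"  /* constructed name; "logon" needs a "prefix:" */

/* Child role: look the key up via the inherited session keyring, then try
 * to read it. Returns 0 = found and unreadable, 1 = readable, 2 = not found. */
static int child_check(void)
{
    char buf[64];
    long id = syscall(SYS_keyctl, KEYCTL_SEARCH, KEY_SPEC_SESSION_KEYRING,
                      "logon", DESC, 0);
    if (id < 0)
        return 2;
    return syscall(SYS_keyctl, KEYCTL_READ, id, buf, sizeof(buf)) < 0 ? 0 : 1;
}

/* Returns 0 if a forked child found the key but could not read it, -1 if
 * keyring syscalls are unavailable here (e.g. seccomp), 1 otherwise. */
int logon_key_demo(void)
{
    static const char secret[] = "constructed-not-a-real-key";
    int status;
    pid_t pid;
    /* "init" role: fresh session keyring, then add the key to it. */
    if (syscall(SYS_keyctl, KEYCTL_JOIN_SESSION_KEYRING, NULL) < 0 ||
        syscall(SYS_add_key, "logon", DESC, secret, sizeof(secret),
                KEY_SPEC_SESSION_KEYRING) < 0)
        return -1;
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0)
        _exit(child_check());
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return 1;
    return WEXITSTATUS(status) == 0 ? 0 : 1;
}

int main(void)
{
    int r = logon_key_demo();
    printf("logon_key_demo() = %d\n", r);
    return r > 0;
}
```

A child that calls KEYCTL_JOIN_SESSION_KEYRING itself gets a fresh keyring and no longer finds the key, which is the "unless they explicitly replace it" case.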
