Re: Support for other keyrings than logon in fscrypt?

linux-fsdevel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Eric Biggers <ebiggers3@gmail.com>
To: Richard Weinberger <richard@nod.at>
Cc: Theodore Ts'o <tytso@mit.edu>, Eric Biggers <ebiggers@google.com>,
	Jaegeuk Kim <jaegeuk@kernel.org>,
	Anand Jain <anand.jain@oracle.com>,
	David Gstir <david@sigma-star.at>,
	linux-fsdevel <linux-fsdevel@vger.kernel.org>,
	David Howells <dhowells@redhat.com>
Subject: Re: Support for other keyrings than logon in fscrypt?
Date: Thu, 16 Feb 2017 19:31:07 -0800	[thread overview]
Message-ID: <20170217033107.GA634@zzz> (raw)
In-Reply-To: <c02c9409-d72d-bc65-2ce8-4c2bfa882bc2@nod.at>

On Wed, Feb 15, 2017 at 11:33:09PM +0100, Richard Weinberger wrote:
> > 
> > I used keyrings because it seemed like it was the "right thing" to do
> > since it's the kernel abstraction.  In fact the use of keyrings has
> > been a monster headache, because their semantics are just... weird,
> > and not a good fit for things like how the VFS cache works, for
> > example.
> > 
> > Among other things, there is no such thing as a globally accessible
> > keyring.  We could set up a per-file system specific keyring, which is
> > attached to the struct superblock, and then define root-only ioctl's
> > to explicitly add and remove keys from that file system specific key
> > ring.
> 
> Yes, I had something like that in mind.
> This would require only minimal changes to fs/crypto/keyinfo.c.
> 
> If you are fine with such a change I'd submit a patch.
> 

This may be reasonable, given that there is no true global keyring (though as
noted, a session keyring can in some cases be used to emulate one).  I also
agree that any ioctl to add global keys would for now need to be root-only.

Note that eventually it would be nice to add key verification.  This could be
done by storing a cryptographically secure hash of the actual master key, or
perhaps a MAC keyed by the master key that also authenticates the rest of the
encryption xattr including the nonce and encryption modes.  The filesystem would
use this to cryptographically enforce that the correct key is provided.  In that
situation, it would theoretically be safe to allow filesystem-level keys to be
added by untrusted users.  Of course, there would still have to be a limited
number of keys allowed per user (maybe tracked in user_struct, like some of the
other limits) to prevent a user from causing a denial of service by adding an
arbitrarily large number of keys.

Also, to support revocation without a full permissions system, the ioctl to add
a key could perhaps also return a randomly generated "revocation token" with a
secure length, e.g. 16+ bytes, which could later be provided to remove/revoke
the key.  (Of course, that's only useful if untrusted users can also add keys;
if only root can, then it's sufficient to simply make removal root-only too.)

Just some thoughts!

Eric

     prev parent reply	other threads:[~2017-02-17  3:31 UTC|newest]

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <fefccc95-8141-8693-b454-237e5189f9e9@nod.at>
2017-02-14 10:51 ` Support for other keyrings than logon in fscrypt? Richard Weinberger
2017-02-15  6:27   ` Eric Biggers
2017-02-15  9:27     ` Richard Weinberger
2017-02-15 22:34     ` Theodore Ts'o
2017-02-15 15:55   ` Theodore Ts'o
2017-02-15 22:33     ` Richard Weinberger
2017-02-17  3:31       ` Eric Biggers [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20170217033107.GA634@zzz \
    --to=ebiggers3@gmail.com \
    --cc=anand.jain@oracle.com \
    --cc=david@sigma-star.at \
    --cc=dhowells@redhat.com \
    --cc=ebiggers@google.com \
    --cc=jaegeuk@kernel.org \
    --cc=linux-fsdevel@vger.kernel.org \
    --cc=richard@nod.at \
    --cc=tytso@mit.edu \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).