From: Mimi Zohar <zohar@linux.ibm.com>
To: Dave Jiang <dave.jiang@intel.com>, dan.j.williams@intel.com
Cc: dhowells@redhat.com, zohar@linux.vnet.ibm.com, linux-nvdimm@lists.01.org
Subject: Re: [PATCH v13 04/17] keys-encrypted: add nvdimm key format type to encrypted keys
Date: Wed, 12 Dec 2018 05:51:12 -0500 [thread overview]
Message-ID: <1544611872.4028.11.camel@linux.ibm.com> (raw)
In-Reply-To: <154455993868.26509.7086774475607953609.stgit@djiang5-desk3.ch.intel.com>
On Tue, 2018-12-11 at 13:25 -0700, Dave Jiang wrote:
> Adding nvdimm key format type to encrypted keys in order to limit the size
> of the key to 32bytes.
>
> Signed-off-by: Dave Jiang <dave.jiang@intel.com>
> Signed-off-by: Dan Williams <dan.j.williams@intel.com>
Acked-by: Mimi Zohar <zohar@linux.ibm.com>
> ---
> Documentation/security/keys/trusted-encrypted.rst | 6 ++++
> security/keys/encrypted-keys/encrypted.c | 29 ++++++++++++++-------
> 2 files changed, 25 insertions(+), 10 deletions(-)
>
> diff --git a/Documentation/security/keys/trusted-encrypted.rst b/Documentation/security/keys/trusted-encrypted.rst
> index 3bb24e09a332..e8a1c35cd277 100644
> --- a/Documentation/security/keys/trusted-encrypted.rst
> +++ b/Documentation/security/keys/trusted-encrypted.rst
> @@ -76,7 +76,7 @@ Usage::
>
> Where::
>
> - format:= 'default | ecryptfs'
> + format:= 'default | ecryptfs | enc32'
> key-type:= 'trusted' | 'user'
>
>
> @@ -173,3 +173,7 @@ are anticipated. In particular the new format 'ecryptfs' has been defined in
> in order to use encrypted keys to mount an eCryptfs filesystem. More details
> about the usage can be found in the file
> ``Documentation/security/keys/ecryptfs.rst``.
> +
> +Another new format 'enc32' has been defined in order to support encrypted keys
> +with payload size of 32 bytes. This will initially be used for nvdimm security
> +but may expand to other usages that require 32 bytes payload.
> diff --git a/security/keys/encrypted-keys/encrypted.c b/security/keys/encrypted-keys/encrypted.c
> index d92cbf9687c3..fe0aefd06f83 100644
> --- a/security/keys/encrypted-keys/encrypted.c
> +++ b/security/keys/encrypted-keys/encrypted.c
> @@ -45,6 +45,7 @@ static const char hmac_alg[] = "hmac(sha256)";
> static const char blkcipher_alg[] = "cbc(aes)";
> static const char key_format_default[] = "default";
> static const char key_format_ecryptfs[] = "ecryptfs";
> +static const char key_format_enc32[] = "enc32";
> static unsigned int ivsize;
> static int blksize;
>
> @@ -54,6 +55,7 @@ static int blksize;
> #define HASH_SIZE SHA256_DIGEST_SIZE
> #define MAX_DATA_SIZE 4096
> #define MIN_DATA_SIZE 20
> +#define KEY_ENC32_PAYLOAD_LEN 32
>
> static struct crypto_shash *hash_tfm;
>
> @@ -62,12 +64,13 @@ enum {
> };
>
> enum {
> - Opt_error = -1, Opt_default, Opt_ecryptfs
> + Opt_error = -1, Opt_default, Opt_ecryptfs, Opt_enc32
> };
>
> static const match_table_t key_format_tokens = {
> {Opt_default, "default"},
> {Opt_ecryptfs, "ecryptfs"},
> + {Opt_enc32, "enc32"},
> {Opt_error, NULL}
> };
>
> @@ -195,6 +198,7 @@ static int datablob_parse(char *datablob, const char **format,
> key_format = match_token(p, key_format_tokens, args);
> switch (key_format) {
> case Opt_ecryptfs:
> + case Opt_enc32:
> case Opt_default:
> *format = p;
> *master_desc = strsep(&datablob, " \t");
> @@ -625,15 +629,22 @@ static struct encrypted_key_payload *encrypted_key_alloc(struct key *key,
> format_len = (!format) ? strlen(key_format_default) : strlen(format);
> decrypted_datalen = dlen;
> payload_datalen = decrypted_datalen;
> - if (format && !strcmp(format, key_format_ecryptfs)) {
> - if (dlen != ECRYPTFS_MAX_KEY_BYTES) {
> - pr_err("encrypted_key: keylen for the ecryptfs format "
> - "must be equal to %d bytes\n",
> - ECRYPTFS_MAX_KEY_BYTES);
> - return ERR_PTR(-EINVAL);
> + if (format) {
> + if (!strcmp(format, key_format_ecryptfs)) {
> + if (dlen != ECRYPTFS_MAX_KEY_BYTES) {
> + pr_err("encrypted_key: keylen for the ecryptfs format must be equal to %d bytes\n",
> + ECRYPTFS_MAX_KEY_BYTES);
> + return ERR_PTR(-EINVAL);
> + }
> + decrypted_datalen = ECRYPTFS_MAX_KEY_BYTES;
> + payload_datalen = sizeof(struct ecryptfs_auth_tok);
> + } else if (!strcmp(format, key_format_enc32)) {
> + if (decrypted_datalen != KEY_ENC32_PAYLOAD_LEN) {
> + pr_err("encrypted_key: enc32 key payload incorrect length: %d\n",
> + decrypted_datalen);
> + return ERR_PTR(-EINVAL);
> + }
> }
> - decrypted_datalen = ECRYPTFS_MAX_KEY_BYTES;
> - payload_datalen = sizeof(struct ecryptfs_auth_tok);
> }
>
> encrypted_datalen = roundup(decrypted_datalen, blksize);
>
_______________________________________________
Linux-nvdimm mailing list
Linux-nvdimm@lists.01.org
https://lists.01.org/mailman/listinfo/linux-nvdimm
next prev parent reply other threads:[~2018-12-12 10:51 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-12-11 20:25 [PATCH v13 00/17] Adding security support for nvdimm Dave Jiang
2018-12-11 20:25 ` [PATCH v13 01/17] acpi/nfit: Add support for Intel DSM 1.8 commands Dave Jiang
2018-12-11 20:25 ` [PATCH v13 02/17] acpi/nfit, libnvdimm: Store dimm id as a member to struct nvdimm Dave Jiang
2018-12-11 20:25 ` [PATCH v13 03/17] keys: Export lookup_user_key to external users Dave Jiang
2018-12-11 20:25 ` [PATCH v13 04/17] keys-encrypted: add nvdimm key format type to encrypted keys Dave Jiang
2018-12-12 10:51 ` Mimi Zohar [this message]
2018-12-11 20:25 ` [PATCH v13 05/17] acpi/nfit, libnvdimm: Introduce nvdimm_security_ops Dave Jiang
2018-12-11 20:25 ` [PATCH v13 06/17] acpi/nfit, libnvdimm: Add freeze security support to Intel nvdimm Dave Jiang
2018-12-11 20:26 ` [PATCH v13 07/17] acpi/nfit, libnvdimm: Add unlock of nvdimm support for Intel DIMMs Dave Jiang
2018-12-11 20:26 ` [PATCH v13 08/17] acpi/nfit, libnvdimm: Add disable passphrase support to Intel nvdimm Dave Jiang
2018-12-11 20:26 ` [PATCH v13 09/17] acpi/nfit, libnvdimm: Add enable/update passphrase support for Intel nvdimms Dave Jiang
2018-12-11 20:26 ` [PATCH v13 10/17] acpi/nfit, libnvdimm: Add support for issue secure erase DSM to Intel nvdimm Dave Jiang
2018-12-11 20:26 ` [PATCH v13 11/17] libnvdimm/security: introduce NDD_SECURITY_BUSY flag Dave Jiang
2018-12-11 20:26 ` [PATCH v13 12/17] acpi/nfit, libnvdimm/security: Add security DSM overwrite support Dave Jiang
2018-12-11 23:44 ` Dan Williams
2018-12-12 0:33 ` Dave Jiang
2018-12-11 20:26 ` [PATCH v13 13/17] acpi/nfit, libnvdimm/security: add Intel DSM 1.8 master passphrase support Dave Jiang
2018-12-11 23:30 ` Dan Williams
2018-12-11 20:26 ` [PATCH v13 14/17] tools/testing/nvdimm: Add test support for Intel nvdimm security DSMs Dave Jiang
2018-12-11 20:26 ` [PATCH v13 15/17] tools/testing/nvdimm: Add overwrite support for nfit_test Dave Jiang
2018-12-11 20:26 ` [PATCH v13 16/17] tools/testing/nvdimm: add Intel DSM 1.8 " Dave Jiang
2018-12-11 20:26 ` [PATCH v13 17/17] libnvdimm/security: Add documentation for nvdimm security support Dave Jiang
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1544611872.4028.11.camel@linux.ibm.com \
--to=zohar@linux.ibm.com \
--cc=dan.j.williams@intel.com \
--cc=dave.jiang@intel.com \
--cc=dhowells@redhat.com \
--cc=linux-nvdimm@lists.01.org \
--cc=zohar@linux.vnet.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox