encrypted-keys: remove trusted-keys dependency
Encrypted keys are decrypted/encrypted using either a trusted-key or, for those systems without a TPM, a user-defined key. This patch removes the trusted-keys and TCG_TPM dependencies. Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
This commit is contained in:
parent
61cf45d019
commit
982e617a31
5 changed files with 67 additions and 28 deletions
|
@ -38,7 +38,9 @@ config TRUSTED_KEYS
|
|||
|
||||
config ENCRYPTED_KEYS
|
||||
tristate "ENCRYPTED KEYS"
|
||||
depends on KEYS && TRUSTED_KEYS
|
||||
depends on KEYS
|
||||
select CRYPTO
|
||||
select CRYPTO_HMAC
|
||||
select CRYPTO_AES
|
||||
select CRYPTO_CBC
|
||||
select CRYPTO_SHA256
|
||||
|
|
|
@ -3,3 +3,4 @@
|
|||
#
|
||||
|
||||
obj-$(CONFIG_ENCRYPTED_KEYS) += encrypted.o ecryptfs_format.o
|
||||
obj-$(CONFIG_TRUSTED_KEYS) += masterkey_trusted.o
|
||||
|
|
|
@ -298,31 +298,6 @@ static char *datablob_format(struct encrypted_key_payload *epayload,
|
|||
return ascii_buf;
|
||||
}
|
||||
|
||||
/*
|
||||
* request_trusted_key - request the trusted key
|
||||
*
|
||||
* Trusted keys are sealed to PCRs and other metadata. Although userspace
|
||||
* manages both trusted/encrypted key-types, like the encrypted key type
|
||||
* data, trusted key type data is not visible decrypted from userspace.
|
||||
*/
|
||||
static struct key *request_trusted_key(const char *trusted_desc,
|
||||
u8 **master_key, size_t *master_keylen)
|
||||
{
|
||||
struct trusted_key_payload *tpayload;
|
||||
struct key *tkey;
|
||||
|
||||
tkey = request_key(&key_type_trusted, trusted_desc, NULL);
|
||||
if (IS_ERR(tkey))
|
||||
goto error;
|
||||
|
||||
down_read(&tkey->sem);
|
||||
tpayload = rcu_dereference(tkey->payload.data);
|
||||
*master_key = tpayload->key;
|
||||
*master_keylen = tpayload->key_len;
|
||||
error:
|
||||
return tkey;
|
||||
}
|
||||
|
||||
/*
|
||||
* request_user_key - request the user key
|
||||
*
|
||||
|
@ -469,8 +444,14 @@ static struct key *request_master_key(struct encrypted_key_payload *epayload,
|
|||
goto out;
|
||||
|
||||
if (IS_ERR(mkey)) {
|
||||
pr_info("encrypted_key: key %s not found",
|
||||
epayload->master_desc);
|
||||
int ret = PTR_ERR(epayload);
|
||||
|
||||
if (ret == -ENOTSUPP)
|
||||
pr_info("encrypted_key: key %s not supported",
|
||||
epayload->master_desc);
|
||||
else
|
||||
pr_info("encrypted_key: key %s not found",
|
||||
epayload->master_desc);
|
||||
goto out;
|
||||
}
|
||||
|
||||
|
|
|
@ -2,6 +2,17 @@
|
|||
#define __ENCRYPTED_KEY_H
|
||||
|
||||
#define ENCRYPTED_DEBUG 0
|
||||
#ifdef CONFIG_TRUSTED_KEYS
|
||||
extern struct key *request_trusted_key(const char *trusted_desc,
|
||||
u8 **master_key, size_t *master_keylen);
|
||||
#else
|
||||
static inline struct key *request_trusted_key(const char *trusted_desc,
|
||||
u8 **master_key,
|
||||
size_t *master_keylen)
|
||||
{
|
||||
return ERR_PTR(-EOPNOTSUPP);
|
||||
}
|
||||
#endif
|
||||
|
||||
#if ENCRYPTED_DEBUG
|
||||
static inline void dump_master_key(const u8 *master_key, size_t master_keylen)
|
||||
|
|
44
security/keys/encrypted-keys/masterkey_trusted.c
Normal file
44
security/keys/encrypted-keys/masterkey_trusted.c
Normal file
|
@ -0,0 +1,44 @@
|
|||
/*
|
||||
* Copyright (C) 2010 IBM Corporation
|
||||
* Copyright (C) 2010 Politecnico di Torino, Italy
|
||||
* TORSEC group -- http://security.polito.it
|
||||
*
|
||||
* Authors:
|
||||
* Mimi Zohar <zohar@us.ibm.com>
|
||||
* Roberto Sassu <roberto.sassu@polito.it>
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License as published by
|
||||
* the Free Software Foundation, version 2 of the License.
|
||||
*
|
||||
* See Documentation/security/keys-trusted-encrypted.txt
|
||||
*/
|
||||
|
||||
#include <linux/uaccess.h>
|
||||
#include <linux/module.h>
|
||||
#include <keys/trusted-type.h>
|
||||
|
||||
/*
|
||||
* request_trusted_key - request the trusted key
|
||||
*
|
||||
* Trusted keys are sealed to PCRs and other metadata. Although userspace
|
||||
* manages both trusted/encrypted key-types, like the encrypted key type
|
||||
* data, trusted key type data is not visible decrypted from userspace.
|
||||
*/
|
||||
struct key *request_trusted_key(const char *trusted_desc,
|
||||
u8 **master_key, size_t *master_keylen)
|
||||
{
|
||||
struct trusted_key_payload *tpayload;
|
||||
struct key *tkey;
|
||||
|
||||
tkey = request_key(&key_type_trusted, trusted_desc, NULL);
|
||||
if (IS_ERR(tkey))
|
||||
goto error;
|
||||
|
||||
down_read(&tkey->sem);
|
||||
tpayload = rcu_dereference(tkey->payload.data);
|
||||
*master_key = tpayload->key;
|
||||
*master_keylen = tpayload->key_len;
|
||||
error:
|
||||
return tkey;
|
||||
}
|
Loading…
Reference in a new issue