7e70cb4978
Define a new kernel key-type called 'encrypted'. Encrypted keys are kernel generated random numbers, which are encrypted/decrypted with a 'trusted' symmetric key. Encrypted keys are created/encrypted/decrypted in the kernel. Userspace only ever sees/stores encrypted blobs. Changelog: - bug fix: replaced master-key rcu based locking with semaphore (reported by David Howells) - Removed memset of crypto_shash_digest() digest output - Replaced verification of 'key-type:key-desc' using strcspn(), with one based on string constants. - Moved documentation to Documentation/keys-trusted-encrypted.txt - Replace hash with shash (based on comments by David Howells) - Make lengths/counts size_t where possible (based on comments by David Howells) Could not convert most lengths, as crypto expects 'unsigned int' (size_t: on 32 bit is defined as unsigned int, but on 64 bit is unsigned long) - Add 'const' where possible (based on comments by David Howells) - allocate derived_buf dynamically to support arbitrary length master key (fixed by Roberto Sassu) - wait until late_initcall for crypto libraries to be registered - cleanup security/Kconfig - Add missing 'update' keyword (reported/fixed by Roberto Sassu) - Free epayload on failure to create key (reported/fixed by Roberto Sassu) - Increase the data size limit (requested by Roberto Sassu) - Crypto return codes are always 0 on success and negative on failure, remove unnecessary tests. - Replaced kzalloc() with kmalloc() Signed-off-by: Mimi Zohar <zohar@us.ibm.com> Signed-off-by: David Safford <safford@watson.ibm.com> Reviewed-by: Roberto Sassu <roberto.sassu@polito.it> Signed-off-by: James Morris <jmorris@namei.org>
57 lines
1.4 KiB
C
57 lines
1.4 KiB
C
#ifndef __ENCRYPTED_KEY_H
|
|
#define __ENCRYPTED_KEY_H
|
|
|
|
#define ENCRYPTED_DEBUG 0
|
|
|
|
#if ENCRYPTED_DEBUG
|
|
static inline void dump_master_key(const u8 *master_key,
|
|
unsigned int master_keylen)
|
|
{
|
|
print_hex_dump(KERN_ERR, "master key: ", DUMP_PREFIX_NONE, 32, 1,
|
|
master_key, master_keylen, 0);
|
|
}
|
|
|
|
static inline void dump_decrypted_data(struct encrypted_key_payload *epayload)
|
|
{
|
|
print_hex_dump(KERN_ERR, "decrypted data: ", DUMP_PREFIX_NONE, 32, 1,
|
|
epayload->decrypted_data,
|
|
epayload->decrypted_datalen, 0);
|
|
}
|
|
|
|
static inline void dump_encrypted_data(struct encrypted_key_payload *epayload,
|
|
unsigned int encrypted_datalen)
|
|
{
|
|
print_hex_dump(KERN_ERR, "encrypted data: ", DUMP_PREFIX_NONE, 32, 1,
|
|
epayload->encrypted_data, encrypted_datalen, 0);
|
|
}
|
|
|
|
static inline void dump_hmac(const char *str, const u8 *digest,
|
|
unsigned int hmac_size)
|
|
{
|
|
if (str)
|
|
pr_info("encrypted_key: %s", str);
|
|
print_hex_dump(KERN_ERR, "hmac: ", DUMP_PREFIX_NONE, 32, 1, digest,
|
|
hmac_size, 0);
|
|
}
|
|
#else
|
|
static inline void dump_master_key(const u8 *master_key,
|
|
unsigned int master_keylen)
|
|
{
|
|
}
|
|
|
|
static inline void dump_decrypted_data(struct encrypted_key_payload *epayload)
|
|
{
|
|
}
|
|
|
|
static inline void dump_encrypted_data(struct encrypted_key_payload *epayload,
|
|
unsigned int encrypted_datalen)
|
|
{
|
|
}
|
|
|
|
static inline void dump_hmac(const char *str, const u8 *digest,
|
|
unsigned int hmac_size)
|
|
{
|
|
}
|
|
#endif
|
|
#endif
|