2005-12-13 22:03:59

by David Brownell

Subject: Re: [patch 0/5] Add MMC password protection (lock/unlock) support

Hey, cool ... glad to see that's ready now!
I'll have to give it a try when I have a spare moment.

Is there a writeup on how to hook this up with the key retention
infrastructure? I know many folk are unfamiliar with that, and
I seem to recall a need for some userspace tweaks. (Like SHA1
hashing of passphrases to generate MMC keys, and maybe storing
keys in some per-user file using some user interface.)

- Dave


2005-12-14 22:48:29

by Anderson Lizardo

Subject: Re: [patch 0/5] Add MMC password protection (lock/unlock) support

On 12/13/05, David Brownell <[email protected]> wrote:
> Is there a writeup on how to hook this up with the key retention
> infrastructure? I know many folk are unfamiliar with that, and
> I seem to recall a need for some userspace tweaks. (Like SHA1
> hashing of passphrases to generate MMC keys, and maybe storing
> keys in some per-user file using some user interface.)

We have created a sample text-mode reference UI (using keyctl from the
keyutils[1] package to interface with the key retention service) that
shows how everything works together. We are setting up some web space
to put such UI (actually a set of shell scripts) and we will provide
links soon.

Regarding the userspace tweaks, we have not gone into this aspect, but
just provided the "core" kernel code. Usually, those integrating the
system will dictate policies regarding password hashing, persistent
caching etc. The policies for our reference UI were:

- no hashing (password is sent/stored clear-text)
- in-memory caching (so if the user reboots the system, the password
will have to be re-typed).

I think those policies can still be done in userspace, so the kernel
code remains "policy-free".

[1] http://people.redhat.com/~dhowells/keyutils/
--
Anderson Lizardo
Embedded Linux Lab - 10LE
Nokia Institute of Technology - INdT
Manaus - Brazil

2005-12-27 18:49:15

by Carlos Aguiar

Subject: Re: [patch 0/5] Add MMC password protection (lock/unlock) support

Anderson Lizardo wrote:

>On 12/13/05, David Brownell <[email protected]> wrote:
>
>
>>Is there a writeup on how to hook this up with the key retention
>>infrastructure? I know many folk are unfamiliar with that, and
>>I seem to recall a need for some userspace tweaks. (Like SHA1
>>hashing of passphrases to generate MMC keys, and maybe storing
>>keys in some per-user file using some user interface.)
>>
>>
>
>We have created a sample text-mode reference UI (using keyctl from the
>keyutils[1] package to interface with the key retention service) that
>shows how everything works together. We are setting up some web space
>to put such UI (actually a set of shell scripts) and we will provide
>links soon.
>
>Regarding the userspace tweaks, we have not gone into this aspect, but
>just provided the "core" kernel code. Usually, those integrating the
>system will dictate policies regarding password hashing, persistent
>caching etc. The policies for our reference UI were:
>
>- no hashing (password is sent/stored clear-text)
>- in-memory caching (so if the user reboots the system, the password
>will have to be re-typed).
>
>I think those policies can still be done in userspace, so the kernel
>code remains "policy-free".
>
>[1] http://people.redhat.com/~dhowells/keyutils/
>--
>Anderson Lizardo
>Embedded Linux Lab - 10LE
>Nokia Institute of Technology - INdT
>Manaus - Brazil
>
>
>
Hi all,

As promised, you can find a simple text-mode reference UI for the MMC
password protection support, written in shell script, that shows how
everything works together on the links below:

http://www.indt.org.br/10le/mmc_pwd/mmc_reference_ui-20051215.tar.gz
http://www.indt.org.br/10le/mmc_pwd/mmc_test-20051215.sh


BR,

Carlos Aguiar.



--
Carlos Eduardo
Software Engineer
Nokia Institute of Technology - INdT
Embedded Linux Laboratory - 10LE
Phone: +55 92 2126-1079
Mobile: +55 92 8127-1797
E-mail: [email protected]