Message-ID: <1551890866.5086.125.camel@pengutronix.de>
Subject: Re: [RFC PATCH 0/2] Create CAAM HW key in linux keyring and use in dmcrypt
From: Jan Lübbe
To: Franck LENORMAND, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, keyrings@vger.kernel.org
Cc: horia.geanta@nxp.com, silvano.dininno@nxp.com, agk@redhat.com, snitzer@redhat.com, dm-devel@redhat.com, dhowells@redhat.com, jmorris@namei.org, serge@hallyn.com, David Gstir
Date: Wed, 06 Mar 2019 17:47:46 +0100
In-Reply-To: <1551456599-10603-1-git-send-email-franck.lenormand@nxp.com>
References: <1551456599-10603-1-git-send-email-franck.lenormand@nxp.com>
Organization: Pengutronix

Hi Franck,

thanks for working on this!

On Fri, 2019-03-01 at 17:09 +0100, Franck LENORMAND wrote:
> The creation of such structures and its use was not exposed to userspace so
> it was complicated to use and required custom development. We would like to
> ease this using interfaces which are known and used:
> - Linux key retention service : allows generating or loading keys in a
>   keyring which can be used by applications.
> - dm-crypt : device mapper target allowing to encrypt data.
>
> The capacity to generate or load keys already available in the Linux key
> retention service does not allow exploiting CAAM capabilities, hence we
> need to create a new key_type. The new key type "caam_tk" allows to:
> - Create a black key from random
> - Create a black key from a red key
> - Load a black blob to retrieve the black key

On 2018-07-23, Udit Agarwal sent a series which seems related to this:

[PATCH v2 1/2] security/keys/secure_key: Adds the secure key support based on CAAM.
[PATCH v2 2/2] encrypted_keys: Adds support for secure key-type as master key.

Is this series intended to continue that work and cover the same use-cases?

If I remember correctly, the CAAM also supports marking blobs to allow or disallow exporting the encapsulated key from the hardware. Or is this unneeded and we could encrypt/decrypt other (less critical) key material against the tk(cbc(aes)) CAAM key via the keyring mechanisms?

Best regards,
Jan

-- 
Pengutronix e.K.                           |                             |
Industrial Linux Solutions                 | http://www.pengutronix.de/  |
Peiner Str. 6-8, 31137 Hildesheim, Germany | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |