Received: by 2002:a05:6a10:8c0a:0:0:0:0 with SMTP id go10csp3904194pxb; Mon, 1 Feb 2021 07:36:16 -0800 (PST) X-Google-Smtp-Source: ABdhPJyOO7JteHLPa/4EZzH1JiMaSGVKQ9fRNI1VeT19vP7NcFeaEZfmyb6g6kj3vbpHKdCzpZKo X-Received: by 2002:a17:906:c049:: with SMTP id bm9mr17607819ejb.535.1612193776354; Mon, 01 Feb 2021 07:36:16 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1612193776; cv=none; d=google.com; s=arc-20160816; b=d63ftVnFJ4+qs6tOqwBLVBDpjZ9IhZ/QDwy3LmCUrbDhPZB+3iGv/RVatq4uA4nbaO 6jmCB1cyH6d7Qro324V7hk4O/S/pfEiQE78v0IiKfO6BNWM6Tmzr0qiqZC6uL+T20QAT Ze0ZtVLqo2R9xYqGJiRujE1mCOEmEVSqpj+T6m0igYD5dy6PsDk9tSW4B44/tdMWHp5N EsPPEqKJsaoptmi+F/NeP2yLrSV1thc1xRgeWDvMeDcQlwtTg6phdUJVvrqMt4ofqGg9 OHdrQVYngPqXCkzI8TATF8iZJNVVQggNfzhqQ/VAdFBM7HbZjh0udvdc6QAVGK4hfsqr 4PoQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:date:cc:to:from:subject :message-id; bh=wdNgUjChReqzdOrZy2T1yLj2kjMFG05tpiv+escWX9E=; b=OhEg+oMV8LYqCYqM1O0BxV74Z0WfkAXLazyOqwDsN6xfY6+2OdhNFZrwVkNxShDyMK 5UoCHki0AmVI6T6wHsdxCmV/taK+AcvIqll1oj+R3j6QzHds9O8iEP4lbJEiT7HO++hH Rx+ZnwbyQ74D9bYXSgnC/Q/b+AsEds7GJQy+BkOhuMVqi8P8q8gwzYnPHj3lNkP+A50j l9ZGIMeNflkQimt5+vBvq154fvXLuIWWnAxKjcOsIuYfJPpFFag5SgzsDcqRgzk0oWr1 M3/a2LcVdQSiirv7G0IyqR+4r1rXTbGkkBlz6jM4co5ISvofJYy9kI1sYD4CcCZLrJlx RDjw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id h15si844441ejd.725.2021.02.01.07.35.51; Mon, 01 Feb 2021 07:36:16 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231721AbhBAPfI (ORCPT + 99 others); Mon, 1 Feb 2021 10:35:08 -0500 Received: from metis.ext.pengutronix.de ([85.220.165.71]:56129 "EHLO metis.ext.pengutronix.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231147AbhBAPee (ORCPT ); Mon, 1 Feb 2021 10:34:34 -0500 Received: from ptx.hi.pengutronix.de ([2001:67c:670:100:1d::c0]) by metis.ext.pengutronix.de with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1l6bAp-00061s-PF; Mon, 01 Feb 2021 16:31:31 +0100 Received: from localhost ([127.0.0.1]) by ptx.hi.pengutronix.de with esmtp (Exim 4.92) (envelope-from ) id 1l6bAp-0006V4-2s; Mon, 01 Feb 2021 16:31:31 +0100 Message-ID: <64472434a367060ddce6e03425156b8312a5ad6c.camel@pengutronix.de> Subject: Re: Migration to trusted keys: sealing user-provided key? From: Jan =?ISO-8859-1?Q?L=FCbbe?= To: Mimi Zohar , Jarkko Sakkinen , Ahmad Fatoum , James Bottomley , David Howells , keyrings@vger.kernel.org, Sumit Garg Cc: linux-integrity@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, kernel@pengutronix.de Date: Mon, 01 Feb 2021 16:31:30 +0100 In-Reply-To: References: <74830d4f-5a76-8ba8-aad0-0d79f7c01af9@pengutronix.de> <6dc99fd9ffbc5f405c5f64d0802d1399fc6428e4.camel@kernel.org> <8b9477e150d7c939dc0def3ebb4443efcc83cd85.camel@pengutronix.de> Content-Type: text/plain; charset="UTF-8" User-Agent: Evolution 3.38.3-1 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-SA-Exim-Connect-IP: 2001:67c:670:100:1d::c0 X-SA-Exim-Mail-From: jlu@pengutronix.de X-SA-Exim-Scanned: No (on metis.ext.pengutronix.de); SAEximRunCond expanded to false X-PTX-Original-Recipient: linux-kernel@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sun, 2021-01-31 at 09:29 -0500, Mimi Zohar wrote: > On Sun, 2021-01-31 at 15:14 +0100, Jan Lübbe wrote: > > On Sun, 2021-01-31 at 07:09 -0500, Mimi Zohar wrote: > > > > > > > > > [1] The ima-evm-utils README contains EVM examples of "trusted" and > > > "user" based "encrypted" keys. > > > > I assume you refer to > > https://sourceforge.net/p/linux-ima/ima-evm-utils/ci/master/tree/README#l143 > > "Generate EVM encrypted keys" and "Generate EVM trusted keys (TPM based)"? > > > > In both cases, the key used by EVM is a *newly generated* random key. The only > > difference is whether it's encrypted to a user key or a (random) trusted key. > > The "encrypted" asymmetric key data doesn't change, "update" just > changes the key under which it is encrypted/decrypted. > > Usage:: > >     keyctl add encrypted name "new [format] key-type:master-key-name keylen" >         ring >     keyctl add encrypted name "load hex_blob" ring 'load' (as I understand the code) only accepts an encrypted blob. So the only way I see to have an encrypted key with a non-random key data would be: - create a random temporary master key and load a copy as a user key - encrypt the chosen key data with the temporary master key (using a new userspace reimplementation of the kernel encrypted key blob format) - use keyctl add encrypted dmcrypt "load " - create new trusted master key (OP-TEE or CAAM in our case) as - use keyctl update to switch to the new trusted master key - use keyctl pipe on the trusted and encrypted keys and store both for loading on later boots If we'd support importing a pre-existing key into a trusted or encrypted key, we'd do instead: - use keyctl add trusted dmcrypt "import " - use keyctl pipe on the trusted key and store it for loading on later boots This way, users wouldn't need to care which backend is used by trusted keys (TPM/OP-TEE/CAAM/...). That would make use-cases where a random key is not suitable as straight-forward as the those where a random key is OK. Best regards Jan >     keyctl update keyid "update key-type:master-key-name" -- Pengutronix e.K. | | Steuerwalder Str. 21 | http://www.pengutronix.de/ | 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 | Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |