Received: by 2002:a05:6a10:8c0a:0:0:0:0 with SMTP id go10csp3916762pxb; Mon, 1 Feb 2021 07:56:16 -0800 (PST) X-Google-Smtp-Source: ABdhPJwkqrmO2Nvzznn7mSmA3K/vZQNdvEJ4DrJlNGdtPJ32GvlwffWapOumo5M415k49A3f4D+0 X-Received: by 2002:a17:906:ecb6:: with SMTP id qh22mr10666014ejb.252.1612194976106; Mon, 01 Feb 2021 07:56:16 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1612194976; cv=none; d=google.com; s=arc-20160816; b=bdDm50mGx9rK3DSITmUnFaxFnhx+Vq2cV7vaR/Z38xJYP9MBliEY92illEb0aB0oir fxsUmY58Yto0yr9PbddotBmJY0SFqps2dRic4/dvqFbLeFnQ1VkVFvwJ0dv0w+ubCM/M 56OWfsFw90vsm+/rN47D3T9F6oFO4m9wKiB/nGrSi/eWlfMLrwqrRrR+S7B7OWEOILdK Tzu9HEkqC89Lm1R/cuwlXMeHtQJaP/b6RcjeJlgoc2sL7/8gFcqw7jwxjx1HClmbPAwr Kz98SCzDB+KdEelpUOpZjwlDsgxXHa872F2nsFaO9IpoxlujWeHDxW4YzJ1eTCKlDCuN pCJw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:date:cc:to:from:subject :message-id; bh=/1ZwLLrzB6De9F7g26JXDAodp5eEYRVqTL+BXHjX1iQ=; b=tTEchskgrkGKhN8WZ/5t6CLBx3YoQ56vXr1AtROMAGvftPrcXTkTAQ0rLnhA+LPg0t Edx8X67XYNTovZMwhAH5Su559AH1FR2sIOnVrYuHO6uZw1Gt7peJfKboKDa8KDcG2eFt h6dkelhVv5pv4O/HCpJQmxKWpXztq4p3cjfAvqOMkzkJSeRPbvk0aw3oUBQ7eSpHsBhg oEaaHnh7sNyvdrioDwGSb68HqF1/HRIeA5VqzJsDwyNARJKurRT7sL4kAiRcdrtZaRvS 64x4dj9ewKP9XSqdCfW8Vcl/0S0ZssbIDT805pr+DFbjK9fwo61fIzjiwdAM7Ch4ebeG I/jg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id d8si10144846ejk.549.2021.02.01.07.55.51; Mon, 01 Feb 2021 07:56:16 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232176AbhBAPyV (ORCPT + 99 others); Mon, 1 Feb 2021 10:54:21 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:46392 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231896AbhBAPvs (ORCPT ); Mon, 1 Feb 2021 10:51:48 -0500 Received: from metis.ext.pengutronix.de (metis.ext.pengutronix.de [IPv6:2001:67c:670:201:290:27ff:fe1d:cc33]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 866BBC06174A for ; Mon, 1 Feb 2021 07:51:08 -0800 (PST) Received: from ptx.hi.pengutronix.de ([2001:67c:670:100:1d::c0]) by metis.ext.pengutronix.de with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1l6bTf-0008E3-O0; Mon, 01 Feb 2021 16:50:59 +0100 Received: from localhost ([127.0.0.1]) by ptx.hi.pengutronix.de with esmtp (Exim 4.92) (envelope-from ) id 1l6bTe-0007Gf-Md; Mon, 01 Feb 2021 16:50:58 +0100 Message-ID: <6b362abd95b116e26c65809a3a1525c7951ed0bd.camel@pengutronix.de> Subject: Re: Migration to trusted keys: sealing user-provided key? From: Jan =?ISO-8859-1?Q?L=FCbbe?= To: David Howells Cc: Mimi Zohar , Jarkko Sakkinen , Ahmad Fatoum , James Bottomley , keyrings@vger.kernel.org, Sumit Garg , linux-integrity@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, kernel@pengutronix.de Date: Mon, 01 Feb 2021 16:50:58 +0100 In-Reply-To: <4153718.1612179361@warthog.procyon.org.uk> References: <8b9477e150d7c939dc0def3ebb4443efcc83cd85.camel@pengutronix.de> <74830d4f-5a76-8ba8-aad0-0d79f7c01af9@pengutronix.de> <6dc99fd9ffbc5f405c5f64d0802d1399fc6428e4.camel@kernel.org> <4153718.1612179361@warthog.procyon.org.uk> Content-Type: text/plain; charset="UTF-8" User-Agent: Evolution 3.38.3-1 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-SA-Exim-Connect-IP: 2001:67c:670:100:1d::c0 X-SA-Exim-Mail-From: jlu@pengutronix.de X-SA-Exim-Scanned: No (on metis.ext.pengutronix.de); SAEximRunCond expanded to false X-PTX-Original-Recipient: linux-kernel@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, 2021-02-01 at 11:36 +0000, David Howells wrote: > Jan Lübbe wrote: > > > ... But at this point, you can still do 'keyctl read' on that key, exposing > > the key material to user space. > > I wonder if it would help to provide a keyctl function to mark a key as being > permanently unreadable - so that it overrides the READ permission bit. > > Alternatively, you can disable READ and SETATTR permission - but that then > prevents you from removing other perms if you want to :-/ That would mean using user type keys, right? Then we'd still have the core problem how a master key can be protected against simply reading it from flash/disk, as it would be unencrypted in this scenario. Maybe a bit of background: We're looking at the trusted/encrypted keys because we want to store the key material in an encrypted format, only loadable into the same system where they were generated and only if that's in a trusted state (to solve the master key problem above). This binding can be done with trusted keys via a TPM (and soon with Sumit's OP- TEE backend, or later based on SoC-specific hardware like NXP's CAAM). In the OP-TEE/CAAM case, the bootloader would ensure that the backend can only be used when booting a correctly authenticated kernel. Of course, that's not as flexible as TPMs with a custom policy, but much simpler and a good fit for many embedded use-cases. Best regards, Jan Lübbe -- Pengutronix e.K. | | Steuerwalder Str. 21 | http://www.pengutronix.de/ | 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 | Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |