Subject: Re: [PATCH v1 0/3] KEYS: trusted: Introduce support for NXP CAAM-based trusted keys
From: Ahmad Fatoum
To: Richard Weinberger
Cc: Jarkko Sakkinen, Horia Geantă, Mimi Zohar, Aymen Sghaier, Herbert Xu, "David S. Miller", James Bottomley, kernel@pengutronix.de, David Howells, James Morris, "Serge E. Hallyn", Steffen Trumtrar, Udit Agarwal, Jan Luebbe, David Gstir, Franck LENORMAND, Sumit Garg, linux-integrity@vger.kernel.org, keyrings@vger.kernel.org, Linux Crypto Mailing List, LKML, LSM
Date: Thu, 1 Apr 2021 12:04:31 +0200
Message-ID: <897df7dd-83a1-3e3e-1d9f-5a1adfd5b2fb@pengutronix.de>

Hello Richard,

On 30.03.21 23:50, Richard Weinberger wrote:
> Ahmad,
>
> On Wed, Mar 17, 2021 at 3:08 PM Ahmad Fatoum wrote:
>
>> TABLE="0 $BLOCKS crypt $ALGO :32:trusted:$KEYNAME 0 $DEV 0 1 allow_discards"
>> echo $TABLE | dmsetup create mydev
>> echo $TABLE | dmsetup load mydev
>
> Do you also plan to add support for this to cryptsetup?
>
> David and I have added (rough) support for our CAAM/DCP based keyrings
> to cryptsetup:
> https://github.com/sigma-star/cryptsetup/tree/rw/plain
>
> I'm pretty sure with minimal changes it will work with your recent approach too.

I am using dmsetup directly in my project. I am not familiar with cryptsetup plain.
What benefits do you see with this over direct dmsetup?

What I'd like to see eventually is support for this with LUKS. There is an RFE on
trusted keys and cryptsetup on the project's repository[1]. The behavior I'd want
is that the LUKS header would point at the trusted key blob to use and load it
into the kernel. This of course means that you won't be able to have multiple
keys for the encrypted partition.

[1]: https://gitlab.com/cryptsetup/cryptsetup/-/issues/443

Cheers,
Ahmad

--
Pengutronix e.K.                 |                            |
Steuerwalder Str. 21             | http://www.pengutronix.de/ |
31137 Hildesheim, Germany        | Phone: +49-5121-206917-0   |
Amtsgericht Hildesheim, HRA 2686 | Fax:   +49-5121-206917-5555|
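As an added example (not code from the patch series or from either poster), a POSIX shell helper that builds the dm-crypt table line quoted in the thread and checks the keyring key size against the cipher before handing the table to dmsetup. The key name `kmk-dm`, the device `/dev/sda2`, and the helper names are assumptions; the key is assumed to already be loaded into the kernel keyring as a `trusted` key.

```shell
#!/bin/sh
# Added example, not part of the thread: assemble and sanity-check a dm-crypt
# table that references a trusted key via the keyring syntax
#   :<key_size_in_bytes>:<key_type>:<key_description>
# dm-crypt table layout: <start> <length> crypt <cipher> <key> <iv_offset> <dev> <offset> [<#opts> <opts>]

# $1 cipher spec, $2 key size in bytes, $3 key description, $4 block device, $5 length in sectors
build_dm_table() {
    cipher=$1; keysize=$2; keyname=$3; dev=$4; blocks=$5
    # key size must be a plain positive integer (bytes, not bits)
    case "$keysize" in ""|*[!0-9]*) return 1 ;; esac
    case "$blocks" in ""|*[!0-9]*) return 1 ;; esac
    # the key description is a single table token: no whitespace allowed
    case "$keyname" in ""|*[[:space:]]*) return 1 ;; esac
    # XTS splits the key in two halves: 32 bytes (AES-128) or 64 bytes (AES-256);
    # CBC takes a single AES key of 16, 24 or 32 bytes. Other ciphers are passed through.
    case "$cipher" in
        aes-xts-*) [ "$keysize" -eq 32 ] || [ "$keysize" -eq 64 ] || return 1 ;;
        aes-cbc-*) [ "$keysize" -eq 16 ] || [ "$keysize" -eq 24 ] || [ "$keysize" -eq 32 ] || return 1 ;;
        "") return 1 ;;
    esac
    printf '0 %s crypt %s :%s:trusted:%s 0 %s 0 1 allow_discards\n' \
        "$blocks" "$cipher" "$keysize" "$keyname" "$dev"
}

# Device length in 512-byte sectors, which is the unit dm-crypt expects.
device_sectors() { blockdev --getsz "$1"; }

# $1 cipher, $2 key size, $3 key description, $4 device, $5 dm name (assumed helper).
# A single `dmsetup create` with the table on stdin both creates the mapping and
# loads the table, so no separate `dmsetup load` is needed.
activate_trusted_crypt() {
    table=$(build_dm_table "$1" "$2" "$3" "$4" "$(device_sectors "$4")") \
        || { echo "refusing to build dm-crypt table for $4" >&2; return 1; }
    echo "$table" | dmsetup create "$5"
}
```

Run `activate_trusted_crypt aes-xts-plain64 32 kmk-dm /dev/sda2 mydev` as root once the trusted key `kmk-dm` is in the keyring; `build_dm_table` alone needs no privileges and is the part worth unit-testing.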