From: Ignat Korchagin
Date: Tue, 14 May 2024 15:41:50 +0100
Subject: Re: [RFC PATCH 0/2] TPM derived keys
To: Jarkko Sakkinen
Cc: James Bottomley, Mimi Zohar, David Howells, Paul Moore, James Morris, serge@hallyn.com, linux-integrity@vger.kernel.org, keyrings@vger.kernel.org, linux-kernel@vger.kernel.org, kernel-team@cloudflare.com
References: <20240503221634.44274-1-ignat@cloudflare.com>

On Tue, May 14, 2024 at 3:00 PM Jarkko Sakkinen wrote:
>
> On Tue May 14, 2024 at 4:11 PM EEST, Ignat Korchagin wrote:
> > For example, a cheap NAS box with no internal storage (disks connected
> > externally via USB). We want:
> > * disks to be encrypted and decryptable only by this NAS box
>
> So how does this differ from the LUKS2 style, which systemd also supports,
> where the encryption key is anchored to PCRs? If I took the hard drive out
> of my Linux box, I could not decrypt it in another machine because of this.

It differs in that the disk has a clearly identifiable LUKS2 header, which tells an adversary that this is a disk with some data that is encrypted. With derived keys and plain dm-crypt mode there is no LUKS header, so it is not possible to tell if it is an encrypted disk or a disk with just random data.

Additionally, if I accidentally wipe the sector with the LUKS2 header, all my data is lost (because the data encryption key from the header is lost). With derived keys I can always decrypt at least some data, if the disk is available.

> > * if someone steals one of the disks - we don't want them to see it
> > has encrypted data (no LUKS header)
>
> So what happens when you reconnect?

We recover/derive the encryption key and unlock the disk again.

> > Additionally we may want to SSH into the NAS for configuration and we
> > don't want the SSH server key to change after each boot (regardless if
> > disks are connected or not).
>
> Right, interesting use case. Begin before any technical jargon exactly
> with a great example like this. Then it is easier to start anchoring
> stuff and not be misled.
>
> BR, Jarkko
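An added illustration of the "clearly identifiable header" point above (example code, not part of this thread or of the TPM derived keys patch series): a small parser that reads the LUKS binary header fields an inventory or forensics tool would look at, run against a constructed LUKS2 header, a headerless volume (what plain dm-crypt presents) and a copy with its header sector zeroed. Field offsets follow the LUKS1/LUKS2 on-disk layout; the label and UUID are constructed sample values.

```python
import os
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"       # primary header magic, LUKS1 and LUKS2
LUKS2_MAGIC_2ND = b"SKUL\xba\xbe"  # magic of the LUKS2 secondary header copy
HDR_LEN = 4096                     # size of the LUKS2 binary header

def identify_luks(blob: bytes):
    """Return header metadata if blob (start of a device) carries a LUKS header,
    else None. A plain dm-crypt volume is ciphertext from byte 0, so it returns
    None exactly like random data does."""
    if len(blob) < HDR_LEN or blob[:6] not in (LUKS_MAGIC, LUKS2_MAGIC_2ND):
        return None
    (version,) = struct.unpack_from(">H", blob, 6)
    info = {"version": version}
    if version == 1:
        # LUKS1 layout: cipher-name[32] @8, cipher-mode[32] @40, uuid[40] @168
        info["cipher"] = blob[8:40].rstrip(b"\0").decode()
        info["mode"] = blob[40:72].rstrip(b"\0").decode()
        info["uuid"] = blob[168:208].rstrip(b"\0").decode()
    elif version == 2:
        # LUKS2 layout: hdr_size u64 @8, label[48] @24, uuid[40] @168
        info["hdr_size"] = struct.unpack_from(">Q", blob, 8)[0]
        info["label"] = blob[24:72].rstrip(b"\0").decode()
        info["uuid"] = blob[168:208].rstrip(b"\0").decode()
    else:
        return None  # magic present but unknown version: not a header we know
    return info

def make_luks2_header(label: str, uuid: str, hdr_size: int = 16384) -> bytes:
    """Constructed sample LUKS2 binary header (checksum and JSON area zeroed)."""
    hdr = bytearray(HDR_LEN)
    hdr[0:6] = LUKS_MAGIC
    struct.pack_into(">H", hdr, 6, 2)
    struct.pack_into(">Q", hdr, 8, hdr_size)
    hdr[24:24 + len(label)] = label.encode()
    hdr[168:168 + len(uuid)] = uuid.encode()
    return bytes(hdr)

def wipe_header(blob: bytes) -> bytes:
    """Model an accidentally wiped header sector: zero the first 4096 bytes."""
    return b"\0" * HDR_LEN + blob[HDR_LEN:]

if __name__ == "__main__":
    uuid = "11111111-2222-3333-4444-555555555555"   # constructed sample UUID
    luks = make_luks2_header("nas-disk-1", uuid) + os.urandom(8192)
    print(identify_luks(luks))                # version, label and UUID readable
    print(identify_luks(os.urandom(12288)))   # None: a plain dm-crypt volume looks like this
    print(identify_luks(wipe_header(luks)))   # None: nothing left to identify
```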