Received: by 2002:a05:6a10:c604:0:0:0:0 with SMTP id y4csp3809044pxt; Tue, 10 Aug 2021 11:47:32 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyu5I91pUURQ6WGvUHHG5DhParfuUKM6bj1040C/oEYDvALsfDpjkFAdQenGaDvuhNU2DOW X-Received: by 2002:a05:6402:128d:: with SMTP id w13mr6349923edv.297.1628621252723; Tue, 10 Aug 2021 11:47:32 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1628621252; cv=none; d=google.com; s=arc-20160816; b=Y6i6JUH21hH+8gOuKNAHalsGA+RnajV4ickHIdXzp6W3Wa+qas0z81KnIFART0FJbQ QAW6gPoi1rEVdfkHkBEdCvY80RPdVudZi93v1yFBiYIU+abRvfBZ4CdCwAIa8KbMjEUK Q72hF3puiCvM3uoWDs8E/Qep7jtPrt3NWfWaf/72gIJ6FhNEAiBbqOEOvnJha46iCOlz JdiF9957LmVFfY2dvJKfvjcIqxhUhYU4Wz4nRRPMa4k6CgliVB+WVZQUgWOfVQGqSFHq Naf4jyo7HNptoAFQsyV7pNOZ08XzlBW0nwDOB9Nj5coea97tYjRMyRzF2aHMZyGOq67Q MJqQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=fHWYYiONJWKMfr3zB4zsHs4iHw5UCLjt4ONyhpzg8dg=; b=j6aDnLA0eIwbEKC2/1o1RdFaYxq8vpUTaUvDRoWJqLkQ7sBBdazRevjSSuf8wuM0xa RlIwCAqMYT219EtlqQmYKxqQXiyzyu7BCUZTbXf4zXDnTzzF9UtcjW1E0ZdLmAi96NEK N/pV22C4YfdRSxGmjh2iqcpl2t/BAhVu6cj5YkrDZW2iOPYsb4hlhJbqy8eLlS0L9PPS vdeqx2KqOPXlGQSK5Rr3Rm5p50XfDJYAyQWe75/uLRucCRJZLplsDkt+023GgeBBd3Eb 0ZfBbRLr2cim9ZDbvh7EVt4LAbIfEIIV9qqmeuwUaOzVO6M38t2/GTJ5qDHfGeSmtG3S q6ZA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=l1Rt9QxH; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id v22si21120845eji.44.2021.08.10.11.47.00; Tue, 10 Aug 2021 11:47:32 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=l1Rt9QxH; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231301AbhHJSrP (ORCPT + 99 others); Tue, 10 Aug 2021 14:47:15 -0400 Received: from mail.kernel.org ([198.145.29.99]:60310 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231221AbhHJSrP (ORCPT ); Tue, 10 Aug 2021 14:47:15 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id 669DC60EB9; Tue, 10 Aug 2021 18:46:51 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1628621211; bh=ZerG9ye3QrY9ea4A77UJpFKD2UzPAh9muW0NUHyjOAw=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=l1Rt9QxHC6wZEhya68OxA5XzIdmNieElZTJLUGQucOgjQEU5wyP3DkbEQEwzVqrB9 DEvPrkxIx8u1VURhaRjYSBXGAleiEZihH/xyU1UN9+JDhgTFVyycVo20+dDeCke2It ng0JMSA4ZwCoGBpSNMG1DmQNukqBNhT4CQey1LTQUs1cqSEDvRgJ8NIgkcR2rawF2e nel2oiBZNdFq9I+LhT/7QwvL3Thi9reuBL82YyStIi026qQ0fIpfPcI3TPLJETIvxt 8uS5i+pyOeHAbaQ9mAwGEAcsuJtzcULNYfSIzG2Sz3/08L1ozoWG31MKKSQo9TNFcm j3IgBKAwXhU6g== Date: Tue, 10 Aug 2021 11:46:49 -0700 From: Eric Biggers To: Jarkko Sakkinen Cc: Ahmad Fatoum , "Theodore Y. Ts'o" , Jaegeuk Kim , kernel@pengutronix.de, James Morris , "Serge E. Hallyn" , James Bottomley , Mimi Zohar , Sumit Garg , David Howells , linux-fscrypt@vger.kernel.org, linux-crypto@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, keyrings@vger.kernel.org, linux-kernel@vger.kernel.org Subject: Re: [PATCH v2] fscrypt: support trusted keys Message-ID: References: <20210806150928.27857-1-a.fatoum@pengutronix.de> <20210809094408.4iqwsx77u64usfx6@kernel.org> <20210810180636.vqwaeftv7alsodgn@kernel.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20210810180636.vqwaeftv7alsodgn@kernel.org> Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org On Tue, Aug 10, 2021 at 09:06:36PM +0300, Jarkko Sakkinen wrote: > > > > > > I don't think this is right, or at least it does not follow the pattern > > > in [*]. I.e. you should rather use trusted key to seal your fscrypt key. > > > > What's the benefit of the extra layer of indirection over just using a "trusted" > > key directly? The use case for "encrypted" keys is not at all clear to me. > > Because it is more robust to be able to use small amount of trusted keys, > which are not entirely software based. > > And since it's also a pattern on existing kernel features utilizing trusted > keys, the pressure here to explain why break the pattern, should be on the > side of the one who breaks it. This is a new feature, so it's on the person proposing the feature to explain why it's useful. The purpose of "encrypted" keys is not at all clear, and the documentation for them is heavily misleading. E.g.: "user space sees, stores, and loads only encrypted blobs" (Not necessarily true, as I've explained previously.) "Encrypted keys do not depend on a trust source" ... "The main disadvantage of encrypted keys is that if they are not rooted in a trusted key" (Not necessarily true, and in fact it seems they're only useful when they *do* depend on a trust source. At least that's the use case that is being proposed here, IIUC.) I do see a possible use for the layer of indirection that "encrypted" keys are, which is that it would reduce the overhead of having lots of keys be directly encrypted by the TPM/TEE/CAAM. Is this the use case? If so, it needs to be explained. - Eric