• Yael Tzur's avatar
    KEYS: encrypted: Instantiate key with user-provided decrypted data · cd3bc044
    Yael Tzur authored
    For availability and performance reasons master keys often need to be
    released outside of a Key Management Service (KMS) to clients. It
    would be beneficial to provide a mechanism where the
    wrapping/unwrapping of data encryption keys (DEKs) is not dependent
    on a remote call at runtime yet security is not (or only minimally)
    compromised. Master keys could be securely stored in the Kernel and
    be used to wrap/unwrap keys from Userspace.
    
    The encrypted.c class supports instantiation of encrypted keys with
    either an already-encrypted key material, or by generating new key
    material based on random numbers. This patch defines a new datablob
    format: [<format>] <master-key name> <decrypted data length>
    <decrypted data> that allows to inject and encrypt user-provided
    decrypted data. The decrypted data must be hex-ascii encoded.
    Signed-off-by: default avatarYael Tzur <yaelt@google.com>
    Reviewed-by: default avatarMimi Zohar <zohar@linux.ibm.com>
    Reviewed-by: default avatarSumit Garg <sumit.garg@linaro.org>
    Reviewed-by: default avatarJarkko Sakkinen <jarkko@kernel.org>
    Signed-off-by: default avatarMimi Zohar <zohar@linux.ibm.com>
    cd3bc044
Kconfig 4.85 KB