Commit 363880c4 authored by Ahmad Fatoum's avatar Ahmad Fatoum Committed by Mike Snitzer

dm crypt: support using trusted keys

Commit 27f5411a ("dm crypt: support using encrypted keys") extended
dm-crypt to allow use of "encrypted" keys along with "user" and "logon".

Along the same lines, teach dm-crypt to support "trusted" keys as well.
Signed-off-by: default avatarAhmad Fatoum <a.fatoum@pengutronix.de>
Signed-off-by: default avatarMike Snitzer <snitzer@redhat.com>
parent 831475cc
...@@ -67,7 +67,7 @@ Parameters:: ...@@ -67,7 +67,7 @@ Parameters::
the value passed in <key_size>. the value passed in <key_size>.
<key_type> <key_type>
Either 'logon', 'user' or 'encrypted' kernel key type. Either 'logon', 'user', 'encrypted' or 'trusted' kernel key type.
<key_description> <key_description>
The kernel keyring key description crypt target should look for The kernel keyring key description crypt target should look for
......
...@@ -270,6 +270,7 @@ config DM_CRYPT ...@@ -270,6 +270,7 @@ config DM_CRYPT
tristate "Crypt target support" tristate "Crypt target support"
depends on BLK_DEV_DM depends on BLK_DEV_DM
depends on (ENCRYPTED_KEYS || ENCRYPTED_KEYS=n) depends on (ENCRYPTED_KEYS || ENCRYPTED_KEYS=n)
depends on (TRUSTED_KEYS || TRUSTED_KEYS=n)
select CRYPTO select CRYPTO
select CRYPTO_CBC select CRYPTO_CBC
select CRYPTO_ESSIV select CRYPTO_ESSIV
......
...@@ -37,6 +37,7 @@ ...@@ -37,6 +37,7 @@
#include <linux/key-type.h> #include <linux/key-type.h>
#include <keys/user-type.h> #include <keys/user-type.h>
#include <keys/encrypted-type.h> #include <keys/encrypted-type.h>
#include <keys/trusted-type.h>
#include <linux/device-mapper.h> #include <linux/device-mapper.h>
...@@ -2452,6 +2453,22 @@ static int set_key_encrypted(struct crypt_config *cc, struct key *key) ...@@ -2452,6 +2453,22 @@ static int set_key_encrypted(struct crypt_config *cc, struct key *key)
return 0; return 0;
} }
static int set_key_trusted(struct crypt_config *cc, struct key *key)
{
const struct trusted_key_payload *tkp;
tkp = key->payload.data[0];
if (!tkp)
return -EKEYREVOKED;
if (cc->key_size != tkp->key_len)
return -EINVAL;
memcpy(cc->key, tkp->key, cc->key_size);
return 0;
}
static int crypt_set_keyring_key(struct crypt_config *cc, const char *key_string) static int crypt_set_keyring_key(struct crypt_config *cc, const char *key_string)
{ {
char *new_key_string, *key_desc; char *new_key_string, *key_desc;
...@@ -2484,6 +2501,10 @@ static int crypt_set_keyring_key(struct crypt_config *cc, const char *key_string ...@@ -2484,6 +2501,10 @@ static int crypt_set_keyring_key(struct crypt_config *cc, const char *key_string
!strncmp(key_string, "encrypted:", key_desc - key_string + 1)) { !strncmp(key_string, "encrypted:", key_desc - key_string + 1)) {
type = &key_type_encrypted; type = &key_type_encrypted;
set_key = set_key_encrypted; set_key = set_key_encrypted;
} else if (IS_ENABLED(CONFIG_TRUSTED_KEYS) &&
!strncmp(key_string, "trusted:", key_desc - key_string + 1)) {
type = &key_type_trusted;
set_key = set_key_trusted;
} else { } else {
return -EINVAL; return -EINVAL;
} }
...@@ -3555,7 +3576,7 @@ static void crypt_io_hints(struct dm_target *ti, struct queue_limits *limits) ...@@ -3555,7 +3576,7 @@ static void crypt_io_hints(struct dm_target *ti, struct queue_limits *limits)
static struct target_type crypt_target = { static struct target_type crypt_target = {
.name = "crypt", .name = "crypt",
.version = {1, 22, 0}, .version = {1, 23, 0},
.module = THIS_MODULE, .module = THIS_MODULE,
.ctr = crypt_ctr, .ctr = crypt_ctr,
.dtr = crypt_dtr, .dtr = crypt_dtr,
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment