Commit 982e617a authored by Mimi Zohar

encrypted-keys: remove trusted-keys dependency

Encrypted keys are decrypted/encrypted using either a trusted-key or,
for those systems without a TPM, a user-defined key.  This patch
removes the trusted-keys and TCG_TPM dependencies.
Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
parent 61cf45d0
...@@ -38,7 +38,9 @@ config TRUSTED_KEYS ...@@ -38,7 +38,9 @@ config TRUSTED_KEYS
config ENCRYPTED_KEYS config ENCRYPTED_KEYS
tristate "ENCRYPTED KEYS" tristate "ENCRYPTED KEYS"
depends on KEYS && TRUSTED_KEYS depends on KEYS
select CRYPTO
select CRYPTO_HMAC
select CRYPTO_AES select CRYPTO_AES
select CRYPTO_CBC select CRYPTO_CBC
select CRYPTO_SHA256 select CRYPTO_SHA256
......
...@@ -3,3 +3,4 @@ ...@@ -3,3 +3,4 @@
# #
obj-$(CONFIG_ENCRYPTED_KEYS) += encrypted.o ecryptfs_format.o obj-$(CONFIG_ENCRYPTED_KEYS) += encrypted.o ecryptfs_format.o
obj-$(CONFIG_TRUSTED_KEYS) += masterkey_trusted.o
...@@ -298,31 +298,6 @@ static char *datablob_format(struct encrypted_key_payload *epayload, ...@@ -298,31 +298,6 @@ static char *datablob_format(struct encrypted_key_payload *epayload,
return ascii_buf; return ascii_buf;
} }
/*
* request_trusted_key - request the trusted key
*
* Trusted keys are sealed to PCRs and other metadata. Although userspace
* manages both trusted/encrypted key-types, like the encrypted key type
* data, trusted key type data is not visible decrypted from userspace.
*/
static struct key *request_trusted_key(const char *trusted_desc,
u8 **master_key, size_t *master_keylen)
{
struct trusted_key_payload *tpayload;
struct key *tkey;
tkey = request_key(&key_type_trusted, trusted_desc, NULL);
if (IS_ERR(tkey))
goto error;
down_read(&tkey->sem);
tpayload = rcu_dereference(tkey->payload.data);
*master_key = tpayload->key;
*master_keylen = tpayload->key_len;
error:
return tkey;
}
/* /*
* request_user_key - request the user key * request_user_key - request the user key
* *
...@@ -469,6 +444,12 @@ static struct key *request_master_key(struct encrypted_key_payload *epayload, ...@@ -469,6 +444,12 @@ static struct key *request_master_key(struct encrypted_key_payload *epayload,
goto out; goto out;
if (IS_ERR(mkey)) { if (IS_ERR(mkey)) {
int ret = PTR_ERR(epayload);
if (ret == -ENOTSUPP)
pr_info("encrypted_key: key %s not supported",
epayload->master_desc);
else
pr_info("encrypted_key: key %s not found", pr_info("encrypted_key: key %s not found",
epayload->master_desc); epayload->master_desc);
goto out; goto out;
......
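Review bot: In the request_master_key hunk the new error branch reads `int ret = PTR_ERR(epayload);`, but the pointer that failed IS_ERR() is `mkey`; `epayload` is dereferenced two lines later as a valid pointer, so `ret` does not hold the error code. The line should be `int ret = PTR_ERR(mkey);`. The comparison also tests `-ENOTSUPP`, while the stub this commit adds to the header returns `ERR_PTR(-EOPNOTSUPP)`, so the check should be `if (ret == -EOPNOTSUPP)`. As written, a kernel built without trusted keys logs "not found" for a trusted master key, which hides the real cause from whoever is diagnosing the failed key load. request_master_key begins and ends outside the hunk.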
...@@ -2,6 +2,17 @@ ...@@ -2,6 +2,17 @@
#define __ENCRYPTED_KEY_H #define __ENCRYPTED_KEY_H
#define ENCRYPTED_DEBUG 0 #define ENCRYPTED_DEBUG 0
#ifdef CONFIG_TRUSTED_KEYS
extern struct key *request_trusted_key(const char *trusted_desc,
u8 **master_key, size_t *master_keylen);
#else
static inline struct key *request_trusted_key(const char *trusted_desc,
u8 **master_key,
size_t *master_keylen)
{
return ERR_PTR(-EOPNOTSUPP);
}
#endif
#if ENCRYPTED_DEBUG #if ENCRYPTED_DEBUG
static inline void dump_master_key(const u8 *master_key, size_t master_keylen) static inline void dump_master_key(const u8 *master_key, size_t master_keylen)
......
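Review bot: The `#ifdef CONFIG_TRUSTED_KEYS` guard is true only when trusted keys are built in. If TRUSTED_KEYS can be set to `m`, kbuild defines `CONFIG_TRUSTED_KEYS_MODULE` instead, so the stub is chosen and trusted master keys are silently rejected even though the Makefile hunk still builds masterkey_trusted.o. A guard such as `#if defined(CONFIG_TRUSTED_KEYS) || (defined(CONFIG_TRUSTED_KEYS_MODULE) && defined(CONFIG_ENCRYPTED_KEYS_MODULE))` would cover the modular case. The Makefile would then need to link masterkey_trusted.o into the same object as encrypted.o rather than list it under `obj-$(CONFIG_TRUSTED_KEYS)` as a separate target. A comment above the stub saying that it makes trusted master keys fail with -EOPNOTSUPP would also help.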
/*
* Copyright (C) 2010 IBM Corporation
* Copyright (C) 2010 Politecnico di Torino, Italy
* TORSEC group -- http://security.polito.it
*
* Authors:
* Mimi Zohar <zohar@us.ibm.com>
* Roberto Sassu <roberto.sassu@polito.it>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, version 2 of the License.
*
* See Documentation/security/keys-trusted-encrypted.txt
*/
#include <linux/uaccess.h>
#include <linux/module.h>
#include <keys/trusted-type.h>
/*
* request_trusted_key - request the trusted key
*
* Trusted keys are sealed to PCRs and other metadata. Although userspace
* manages both trusted/encrypted key-types, like the encrypted key type
* data, trusted key type data is not visible decrypted from userspace.
*/
struct key *request_trusted_key(const char *trusted_desc,
u8 **master_key, size_t *master_keylen)
{
struct trusted_key_payload *tpayload;
struct key *tkey;
tkey = request_key(&key_type_trusted, trusted_desc, NULL);
if (IS_ERR(tkey))
goto error;
down_read(&tkey->sem);
tpayload = rcu_dereference(tkey->payload.data);
*master_key = tpayload->key;
*master_keylen = tpayload->key_len;
error:
return tkey;
}
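Review bot: The header comment on request_trusted_key does not state the locking contract, which matters more now that the function is no longer static. On success it returns with `tkey->sem` held for read and `*master_key` pointing directly into the trusted key's payload. The caller must therefore finish with the key material before releasing the semaphore and dropping the key reference. I would add a line such as `* On success the key is returned with key->sem read-locked; the caller must up_read() and key_put() it and must not use *master_key afterwards.` The file also calls IS_ERR() without including `<linux/err.h>`, and it does not include the header that declares request_trusted_key, so the prototype and the definition are never checked against each other.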