git.ipfire.org Git - thirdparty/linux.git/commit

author	Yael Tzur <yaelt@google.com>
	Tue, 15 Feb 2022 14:19:53 +0000 (09:19 -0500)
committer	Mimi Zohar <zohar@linux.ibm.com>
	Tue, 22 Feb 2022 00:47:45 +0000 (19:47 -0500)
commit	cd3bc044af483422cc81a93f23c78c20c978b17c
tree	62b081ee07f758e6395d04416c874cd4c5fd9fab	tree
parent	8c54135e2e6da677291012813a26a5f1b2c8a90a	commit \| diff

KEYS: encrypted: Instantiate key with user-provided decrypted data

For availability and performance reasons master keys often need to be
released outside of a Key Management Service (KMS) to clients. It
would be beneficial to provide a mechanism where the
wrapping/unwrapping of data encryption keys (DEKs) is not dependent
on a remote call at runtime yet security is not (or only minimally)
compromised. Master keys could be securely stored in the Kernel and
be used to wrap/unwrap keys from Userspace.

The encrypted.c class supports instantiation of encrypted keys with
either an already-encrypted key material, or by generating new key
material based on random numbers. This patch defines a new datablob
format: [<format>] <master-key name> <decrypted data length>
<decrypted data> that allows to inject and encrypt user-provided
decrypted data. The decrypted data must be hex-ascii encoded.

Signed-off-by: Yael Tzur <yaelt@google.com>
Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
Reviewed-by: Sumit Garg <sumit.garg@linaro.org>
Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>

Documentation/security/keys/trusted-encrypted.rst		diff \| blob \| blame \| history
security/keys/Kconfig		diff \| blob \| blame \| history
security/keys/encrypted-keys/encrypted.c		diff \| blob \| blame \| history