diff options
| author |   Yael Tzur <yaelt@google.com> | 2022-02-15 09:19:53 -0500 |
|---|---|---|
| committer |   Mimi Zohar <zohar@linux.ibm.com> | 2022-02-21 19:47:45 -0500 |
| commit | cd3bc044af483422cc81a93f23c78c20c978b17c (patch) | |
| tree | 62b081ee07f758e6395d04416c874cd4c5fd9fab /security/keys/Kconfig | |
| parent | ima: define ima_max_digest_data struct without a flexible array variable (diff) | |
| download | linux-dev-cd3bc044af483422cc81a93f23c78c20c978b17c.tar.xz linux-dev-cd3bc044af483422cc81a93f23c78c20c978b17c.zip | |
KEYS: encrypted: Instantiate key with user-provided decrypted data
For availability and performance reasons master keys often need to be
released outside of a Key Management Service (KMS) to clients. It
would be beneficial to provide a mechanism where the
wrapping/unwrapping of data encryption keys (DEKs) is not dependent
on a remote call at runtime yet security is not (or only minimally)
compromised. Master keys could be securely stored in the Kernel and
be used to wrap/unwrap keys from Userspace.
The encrypted.c class supports instantiation of encrypted keys with
either an already-encrypted key material, or by generating new key
material based on random numbers. This patch defines a new datablob
format: [<format>] <master-key name> <decrypted data length>
<decrypted data> that allows to inject and encrypt user-provided
decrypted data. The decrypted data must be hex-ascii encoded.
Signed-off-by: Yael Tzur <yaelt@google.com>
Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
Reviewed-by: Sumit Garg <sumit.garg@linaro.org>
Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Diffstat (limited to 'security/keys/Kconfig')
| -rw-r--r-- | security/keys/Kconfig | 19 |
1 files changed, 15 insertions, 4 deletions
diff --git a/security/keys/Kconfig b/security/keys/Kconfig index 969122c7b92f..0e30b361e1c1 100644 --- a/security/keys/Kconfig +++ b/security/keys/Kconfig @@ -98,10 +98,21 @@ config ENCRYPTED_KEYS select CRYPTO_RNG help This option provides support for create/encrypting/decrypting keys - in the kernel. Encrypted keys are kernel generated random numbers, - which are encrypted/decrypted with a 'master' symmetric key. The - 'master' key can be either a trusted-key or user-key type. - Userspace only ever sees/stores encrypted blobs. + in the kernel. Encrypted keys are instantiated using kernel + generated random numbers or provided decrypted data, and are + encrypted/decrypted with a 'master' symmetric key. The 'master' + key can be either a trusted-key or user-key type. Only encrypted + blobs are ever output to Userspace. + + If you are unsure as to whether this is required, answer N. + +config USER_DECRYPTED_DATA + bool "Allow encrypted keys with user decrypted data" + depends on ENCRYPTED_KEYS + help + This option provides support for instantiating encrypted keys using + user-provided decrypted data. The decrypted data must be hex-ascii + encoded. If you are unsure as to whether this is required, answer N. |