Commit 363880c4 authored by Ahmad Fatoum's avatar Ahmad Fatoum Committed by Mike Snitzer
Browse files

dm crypt: support using trusted keys 



Commit 27f5411a ("dm crypt: support using encrypted keys") extended
dm-crypt to allow use of "encrypted" keys along with "user" and "logon".

Along the same lines, teach dm-crypt to support "trusted" keys as well.

Signed-off-by: default avatarAhmad Fatoum <a.fatoum@pengutronix.de>
Signed-off-by: default avatarMike Snitzer <snitzer@redhat.com>
parent 831475cc

Documentation/admin-guide/device-mapper/dm-crypt.rst

+1 −1
Original line number Diff line number Diff line
@@ -67,7 +67,7 @@ Parameters:: 
    the value passed in <key_size>.



<key_type>

    Either 'logon', 'user' or 'encrypted' kernel key type.

    Either 'logon', 'user', 'encrypted' or 'trusted' kernel key type.



<key_description>

    The kernel keyring key description crypt target should look for

drivers/md/Kconfig

+1 −0
Original line number Diff line number Diff line
@@ -270,6 +270,7 @@ config DM_CRYPT 
	tristate "Crypt target support"

	depends on BLK_DEV_DM

	depends on (ENCRYPTED_KEYS || ENCRYPTED_KEYS=n)

	depends on (TRUSTED_KEYS || TRUSTED_KEYS=n)

	select CRYPTO

	select CRYPTO_CBC

	select CRYPTO_ESSIV

drivers/md/dm-crypt.c

+22 −1
Original line number Diff line number Diff line
@@ -37,6 +37,7 @@ 
#include <linux/key-type.h>

#include <keys/user-type.h>

#include <keys/encrypted-type.h>

#include <keys/trusted-type.h>



#include <linux/device-mapper.h>
@@ -2452,6 +2453,22 @@ static int set_key_encrypted(struct crypt_config *cc, struct key *key) 
	return 0;

}



static int set_key_trusted(struct crypt_config *cc, struct key *key)

{

	const struct trusted_key_payload *tkp;



	tkp = key->payload.data[0];

	if (!tkp)

		return -EKEYREVOKED;



	if (cc->key_size != tkp->key_len)

		return -EINVAL;



	memcpy(cc->key, tkp->key, cc->key_size);



	return 0;

}



static int crypt_set_keyring_key(struct crypt_config *cc, const char *key_string)

{

	char *new_key_string, *key_desc;
@@ -2484,6 +2501,10 @@ static int crypt_set_keyring_key(struct crypt_config *cc, const char *key_string 
		   !strncmp(key_string, "encrypted:", key_desc - key_string + 1)) {

		type = &key_type_encrypted;

		set_key = set_key_encrypted;

	} else if (IS_ENABLED(CONFIG_TRUSTED_KEYS) &&

	           !strncmp(key_string, "trusted:", key_desc - key_string + 1)) {

		type = &key_type_trusted;

		set_key = set_key_trusted;

	} else {

		return -EINVAL;

	}
@@ -3555,7 +3576,7 @@ static void crypt_io_hints(struct dm_target *ti, struct queue_limits *limits) 


static struct target_type crypt_target = {

	.name   = "crypt",

	.version = {1, 22, 0},

	.version = {1, 23, 0},

	.module = THIS_MODULE,

	.ctr    = crypt_ctr,

	.dtr    = crypt_dtr,