Split logic for uploading keys in kernel key service.

We cannot link the internal VK kernel key in a custom user
keyring. There are two reasons for it:

The internal VK kernel key description cannot be
acquired via the API and it may change over time
(LUKS2 reencryption).

With recent SED OPAL support, the volume key becomes a 'blob'
containing up to two keys (the dm-crypt key for SWE and the key
for unlocking the SED OPAL locking range). The internal
kernel key contains only the dm-crypt key (if required), but the
custom user keyring needs to be provided with the whole
volume key (blob).

Added a user-specified key description for the linked key
in the custom user keyring. The linked key can be reached by
the specified description after successful activation (resume).
Ondrej Kozina
2023-09-13 13:41:44 +02:00
committed by Milan Broz
parent 7ae109dccd
commit 51a1e218cf
15 changed files with 541 additions and 274 deletions


@@ -3073,14 +3073,27 @@ void *crypt_safe_realloc(void *data, size_t size);
void crypt_safe_memzero(void *data, size_t size);
/**
* Link the volume key to the specified keyring.
* Link the volume key to the specified kernel keyring.
*
* @param cd crypt device handle
* @param keyring_to_link_vk the ID of the keyring in which volume key should
* be linked, if @e NULL is specified, linking will be disabled (the key will
* be linked just to the thread keyring, which is destroyed on process exit)
* @param key_description the key description of volume key linked in desired keyring.
* @param key_type the key type used for the volume key. Currently only "user" and "logon" types are
* supported. if @e NULL is specified the default "user" type is applied.
* @param keyring_to_link_vk the keyring description of the keyring in which volume key should
* be linked, if @e NULL is specified, linking will be disabled.
*
* @note keyring_to_link_vk may be passed in various string formats:
* It can be kernel key numeric id of existing keyring written as a string,
* keyring name prefixed optionally be either "%:" or "%keyring:" substrings or keyctl
* special values for keyrings "@t", "@p", "@s" and so on. See keyctl(1) man page,
* section KEY IDENTIFIERS for more information. All other prefixes starting "%<type>:"
* are ignored.
*
* @note key_description "%<type>:" prefixes are ignored. Type is applied based on key_type parameter
* value.
*/
int crypt_set_keyring_to_link(struct crypt_device *cd, const char *keyring_to_link_vk);
int crypt_set_keyring_to_link(struct crypt_device *cd, const char *key_description,
const char *key_type_desc, const char *keyring_to_link_vk);
/**
* Set the type of volume key stored in keyring.
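Review bot: the Doxygen @param name does not match the new prototype in this hunk: the comment documents `key_type`, while the signature names the argument `key_type_desc`, so the generated documentation will not attach to the right parameter; rename one of them. The comment also states that a NULL `keyring_to_link_vk` disables linking but says nothing about whether `key_description` may be NULL or what the function returns for a `key_type` other than "user" or "logon"; one sentence on each would complete the contract for callers. Minor: "prefixed optionally be either" should read "prefixed optionally by either".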