Split logic for uploading keys in kernel key service.

We cannot link the internal VK kernel key in a custom user
keyring. There are two reasons for it:

The internal VK kernel key description cannot be
acquired via the API and it may change over time
(LUKS2 reencryption).

With recent SED OPAL support the volume key becomes a 'blob'
containing up to two keys (dm-crypt key for SWE and key
for unlocking the SED OPAL locking range). The internal
kernel key contains only the dm-crypt key (if required), but
the custom user keyring needs to be provided with the whole
volume key (blob).

Added a user-specified key description for the linked key
in the custom user keyring. The linked key can be reached by
the specified description after successful activation (resume).
Ondrej Kozina
2023-09-13 13:41:44 +02:00
committed by Milan Broz
parent 7ae109dccd
commit 51a1e218cf
15 changed files with 541 additions and 274 deletions
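The commit message describes a linked key that a caller can find by a user-chosen description in a custom keyring, next to an internal key whose description is not exposed. The C program below is an added example, not cryptsetup code, that exercises the kernel keyring behaviour this relies on directly through the add_key and keyctl syscalls (no libkeyutils needed): it creates a throwaway keyring, adds a "logon" key holding only the first half of a constructed 64-byte "volume key blob" (standing in for the internal dm-crypt key, which userspace cannot read back), adds a "user" key with the whole blob under a caller-chosen description, locates it by that description with KEYCTL_SEARCH, and then shows the caveat that re-adding the same type and description updates the existing key in place. The keyring name, the descriptions, the blob contents and the helpers demo_custom_keyring_link and demo_outcome_acceptable are the example's own inventions.

```c
/* Added example (not cryptsetup code): kernel keyring behaviour behind the
 * commit message, driven through the raw add_key/keyctl syscalls.
 * Linux only. Build: cc -Wall -o keyring_demo keyring_demo.c && ./keyring_demo */
#define _GNU_SOURCE
#include <errno.h>
#include <linux/keyctl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Same prototype glibc uses; spelled out so the file also compiles when
 * another header was included before _GNU_SOURCE took effect. */
long syscall(long number, ...);

typedef int32_t key_serial_t;

/* Syscall wrappers returning -errno on failure (no libkeyutils dependency). */
static key_serial_t sys_add_key(const char *type, const char *desc,
                                const void *payload, size_t plen,
                                key_serial_t keyring)
{
    long r = syscall(__NR_add_key, type, desc, payload, plen, keyring);
    return r < 0 ? (key_serial_t)-errno : (key_serial_t)r;
}

static long sys_keyctl(int cmd, unsigned long a2, unsigned long a3,
                       unsigned long a4, unsigned long a5)
{
    long r = syscall(__NR_keyctl, cmd, a2, a3, a4, a5);
    return r < 0 ? -errno : r;
}

/* Runs the scenario and returns 0 when every step behaved as described,
 * otherwise a negative errno. -EPERM/-ENOSYS from the first call means the
 * sandbox blocks keyring syscalls (e.g. a container seccomp profile). */
int demo_custom_keyring_link(const char *user_desc)
{
    unsigned char blob[64], second[64], buf[64];
    key_serial_t ring, internal = 0, linked = 0, again, found;
    long r;

    /* Constructed stand-in for a volume key blob: a 32-byte dm-crypt key
     * followed by a 32-byte SED OPAL key. Real keys are random. */
    memset(blob, 0xA5, 32);
    memset(blob + 32, 0x5A, 32);

    /* 1. Throwaway keyring standing in for the user's custom keyring. */
    ring = sys_add_key("keyring", "cryptsetup-demo-ring", NULL, 0,
                       KEY_SPEC_PROCESS_KEYRING);
    if (ring < 0)
        return ring;

    /* 2. Internal-style key: type "logon", dm-crypt half only. Logon keys
     *    have no read method, so KEYCTL_READ fails with -EOPNOTSUPP. */
    internal = sys_add_key("logon", "cryptsetup:demo-internal", blob, 32, ring);
    if (internal < 0) { r = internal; goto out; }
    r = sys_keyctl(KEYCTL_READ, internal, (unsigned long)buf, sizeof buf, 0);
    if (r != -EOPNOTSUPP) { r = -EINVAL; goto out; }

    /* 3. Linked key: the whole blob under the caller-chosen description. */
    linked = sys_add_key("user", user_desc, blob, sizeof blob, ring);
    if (linked < 0) { r = linked; goto out; }

    /* 4. A consumer locates it by (type, description) and reads it back. */
    found = (key_serial_t)sys_keyctl(KEYCTL_SEARCH, ring, (unsigned long)"user",
                                     (unsigned long)user_desc, 0);
    if (found != linked) { r = -EINVAL; goto out; }
    r = sys_keyctl(KEYCTL_READ, found, (unsigned long)buf, sizeof buf, 0);
    if (r != (long)sizeof blob || memcmp(buf, blob, sizeof blob) != 0) {
        r = -EINVAL; goto out;
    }

    /* 5. Caveat: add_key with the same type+description in the same keyring
     *    updates the existing key in place (same serial, new payload). Anyone
     *    with write permission on the keyring can change what the description
     *    resolves to, so treat the description as a handle, not as proof of
     *    key identity. */
    memset(second, 0xFF, sizeof second);
    again = sys_add_key("user", user_desc, second, sizeof second, ring);
    if (again != linked) { r = -EINVAL; goto out; }
    r = sys_keyctl(KEYCTL_READ, linked, (unsigned long)buf, sizeof buf, 0);
    if (r != (long)sizeof second || buf[0] != 0xFF) { r = -EINVAL; goto out; }
    r = 0;

out:
    /* 6. Revoke before unlinking: a revoked key fails every operation even
     *    if some other keyring still links it. */
    if (linked > 0) sys_keyctl(KEYCTL_REVOKE, linked, 0, 0, 0);
    if (internal > 0) sys_keyctl(KEYCTL_REVOKE, internal, 0, 0, 0);
    sys_keyctl(KEYCTL_UNLINK, ring, KEY_SPEC_PROCESS_KEYRING, 0, 0);
    return (int)r;
}

/* True when the demo succeeded or the syscalls are blocked by the sandbox. */
int demo_outcome_acceptable(long r)
{
    return r == 0 || r == -EPERM || r == -ENOSYS;
}

int main(void)
{
    int r = demo_custom_keyring_link("cryptsetup:demo-volume");
    printf("%s\n", r == 0 ? "ok" : strerror(-r));
    return r == 0 ? 0 : 1;
}
```

Runs as an unprivileged user on a stock Linux kernel; under a container runtime whose default seccomp profile denies add_key and keyctl the first call returns EPERM and the program reports that instead of a logic failure. Step 5 is the part worth remembering when handing a description to another component: the description is stable, the key behind it is not.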


@@ -25,6 +25,11 @@
#include <stddef.h>
#include <stdint.h>
#ifndef HAVE_KEY_SERIAL_T
#define HAVE_KEY_SERIAL_T
typedef int32_t key_serial_t;
#endif
typedef enum { LOGON_KEY = 0, USER_KEY, BIG_KEY, TRUSTED_KEY, ENCRYPTED_KEY, INVALID_KEY } key_type_t;
const char *key_type_name(key_type_t ktype);
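Review bot: the fallback typedef is guarded by HAVE_KEY_SERIAL_T, which the header then defines itself on the very next line; if the intent is for configure to set HAVE_KEY_SERIAL_T whenever <keyutils.h> already provides key_serial_t, that check needs to exist in the build system, otherwise a translation unit including both headers sees two typedefs of key_serial_t (identical int32_t typedefs are accepted from C11 on, but warn under -std=c99 -pedantic). A one-line comment above `#ifndef HAVE_KEY_SERIAL_T` saying where the macro is expected to come from would settle this for the next reader.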
@@ -54,7 +59,15 @@ int keyring_add_key_in_user_keyring(
const void *key,
size_t key_size);
int keyring_add_key_in_keyring(
key_type_t ktype,
const char *key_desc,
const void *key,
size_t key_size,
key_serial_t keyring_id);
int keyring_revoke_and_unlink_key(key_type_t ktype, const char *key_desc);
int keyring_link_key_to_keyring(key_type_t ktype, const char *key_desc, int keyring_to_link);
int keyring_add_key_to_custom_keyring(key_type_t ktype, const char *key_desc, const void *key,
size_t key_size, key_serial_t keyring_to_link);
#endif
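Review bot: keyring_link_key_to_keyring takes its destination as `int keyring_to_link`, while keyring_add_key_in_keyring and keyring_add_key_to_custom_keyring take `key_serial_t`; use key_serial_t for all three so the type introduced earlier in this header is applied consistently. The two add functions also differ only in the name of the last parameter (keyring_id vs keyring_to_link) with nothing at the declarations saying when to call which; given the commit message's point that the custom keyring receives the whole volume key blob while the internal key holds only the dm-crypt key, a short comment on each declaration, including the return-value convention, would help callers pick the right one.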