diff options
| author | Yael Tzur <yaelt@google.com> | 2022-02-15 09:19:53 -0500 |
|---|---|---|
| committer | Mimi Zohar <zohar@linux.ibm.com> | 2022-02-21 19:47:45 -0500 |
| commit | cd3bc044af483422cc81a93f23c78c20c978b17c (patch) | |
| tree | 62b081ee07f758e6395d04416c874cd4c5fd9fab /security/commoncap.c | |
| parent | 8c54135e2e6da677291012813a26a5f1b2c8a90a (diff) | |
| download | linux-cd3bc044af483422cc81a93f23c78c20c978b17c.tar.bz2 | |
KEYS: encrypted: Instantiate key with user-provided decrypted data
For availability and performance reasons master keys often need to be
released outside of a Key Management Service (KMS) to clients. It
would be beneficial to provide a mechanism where the
wrapping/unwrapping of data encryption keys (DEKs) is not dependent
on a remote call at runtime yet security is not (or only minimally)
compromised. Master keys could be securely stored in the Kernel and
be used to wrap/unwrap keys from Userspace.
The encrypted.c class supports instantiation of encrypted keys with
either an already-encrypted key material, or by generating new key
material based on random numbers. This patch defines a new datablob
format: [<format>] <master-key name> <decrypted data length>
<decrypted data> that allows to inject and encrypt user-provided
decrypted data. The decrypted data must be hex-ascii encoded.
Signed-off-by: Yael Tzur <yaelt@google.com>
Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
Reviewed-by: Sumit Garg <sumit.garg@linaro.org>
Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Diffstat (limited to 'security/commoncap.c')
0 files changed, 0 insertions, 0 deletions