dm crypt: support using trusted keys

Commit a36fb6790d6e ("dm crypt: support using encrypted keys") extended
dm-crypt to allow use of "encrypted" keys along with "user" and "logon".

Along the same lines, teach dm-crypt to support "trusted" keys as well.

Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>

diff --git a/Documentation/admin-guide/device-mapper/dm-crypt.rst b/Documentation/admin-guide/device-mapper/dm-crypt.rst
index 1a6753b76dbb4f50fdeee43082473009a1a3480b..aa2d04d95df6cdfc43a2a6320b294376c8953950 100644 (file)
--- a/Documentation/admin-guide/device-mapper/dm-crypt.rst
+++ b/Documentation/admin-guide/device-mapper/dm-crypt.rst
@@ -67,7 +67,7 @@ Parameters::
     the value passed in <key_size>.
 
 <key_type>
-    Either 'logon', 'user' or 'encrypted' kernel key type.
+    Either 'logon', 'user', 'encrypted' or 'trusted' kernel key type.
 
 <key_description>
     The kernel keyring key description crypt target should look for

diff --git a/drivers/md/Kconfig b/drivers/md/Kconfig
index 9e44c09f6410890f43faaad328e7edea0f5da986..f2014385d48bf9db28d58ee2e859fb1d42812378 100644 (file)
--- a/drivers/md/Kconfig
+++ b/drivers/md/Kconfig
@@ -270,6 +270,7 @@ config DM_CRYPT
        tristate "Crypt target support"
        depends on BLK_DEV_DM
        depends on (ENCRYPTED_KEYS || ENCRYPTED_KEYS=n)
+       depends on (TRUSTED_KEYS || TRUSTED_KEYS=n)
        select CRYPTO
        select CRYPTO_CBC
        select CRYPTO_ESSIV

diff --git a/drivers/md/dm-crypt.c b/drivers/md/dm-crypt.c
index 1b3b1a806377449b80e83fc9a468cdf65b372397..ee20b586f5267f3fc44de9071315abfe349631c7 100644 (file)
--- a/drivers/md/dm-crypt.c
+++ b/drivers/md/dm-crypt.c
@@ -37,6 +37,7 @@
 #include <linux/key-type.h>
 #include <keys/user-type.h>
 #include <keys/encrypted-type.h>
+#include <keys/trusted-type.h>
 
 #include <linux/device-mapper.h>
 
@@ -2452,6 +2453,22 @@ static int set_key_encrypted(struct crypt_config *cc, struct key *key)
        return 0;
 }
 
+static int set_key_trusted(struct crypt_config *cc, struct key *key)
+{
+       const struct trusted_key_payload *tkp;
+
+       tkp = key->payload.data[0];
+       if (!tkp)
+               return -EKEYREVOKED;
+
+       if (cc->key_size != tkp->key_len)
+               return -EINVAL;
+
+       memcpy(cc->key, tkp->key, cc->key_size);
+
+       return 0;
+}
+
 static int crypt_set_keyring_key(struct crypt_config *cc, const char *key_string)
 {
        char *new_key_string, *key_desc;
@@ -2484,6 +2501,10 @@ static int crypt_set_keyring_key(struct crypt_config *cc, const char *key_string
                   !strncmp(key_string, "encrypted:", key_desc - key_string + 1)) {
                type = &key_type_encrypted;
                set_key = set_key_encrypted;
+       } else if (IS_ENABLED(CONFIG_TRUSTED_KEYS) &&
+                  !strncmp(key_string, "trusted:", key_desc - key_string + 1)) {
+               type = &key_type_trusted;
+               set_key = set_key_trusted;
        } else {
                return -EINVAL;
        }
@@ -3555,7 +3576,7 @@ static void crypt_io_hints(struct dm_target *ti, struct queue_limits *limits)
 
 static struct target_type crypt_target = {
        .name   = "crypt",
-       .version = {1, 22, 0},
+       .version = {1, 23, 0},
        .module = THIS_MODULE,
        .ctr    = crypt_ctr,
        .dtr    = crypt_dtr,