Add support for hardware-wrapped inline crypto keys #48
Merged
Link to docs.kernel.org/ instead of www.kernel.org/doc/html/latest/. It makes the links shorter, and they point to the latest version.
It should say fscryptctl, not fscrypt.
Add a xzalloc() helper function to simplify error-checked allocations.
b5416d8 to 27736e3
In preparation for supporting both raw keys (max size 64) and wrapped keys (max size 128), make read_key() take a max_size parameter. Also introduce a wipe_and_free() helper function.
The upcoming commands import_hw_wrapped_key, generate_hw_wrapped_key, and prepare_hw_wrapped_key will write the wrapped keys they produce to standard output. Add a full_write() helper function for them to use.
Import <linux/fscrypt.h> from Linux v6.16. This is needed to support adding hardware-wrapped keys.
Import <linux/blk-crypto.h> from Linux v6.16. Needed for the definition of the blk-crypto ioctls.
Update the 'fscryptctl add_key' command to accept hardware-wrapped keys. Previously, it only accepted raw keys. This relies on the support for FSCRYPT_ADD_KEY_FLAG_HW_WRAPPED which is available in Linux 6.16 and later. For more details, see the Linux kernel commit https://git.kernel.org/linus/c07d3aede2b26830
8ebbd97 to b433594
Add fscryptctl commands that wrap the BLKCRYPTOIMPORTKEY, BLKCRYPTOGENERATEKEY, and BLKCRYPTOPREPAREKEY ioctls that were added in Linux 6.15. These are needed to use hardware-wrapped keys.
b433594 to 9b84dc5
Add support for hardware-wrapped inline crypto keys to fscryptctl. This consists of:
- BLKCRYPTOIMPORTKEY, BLKCRYPTOGENERATEKEY, BLKCRYPTOPREPAREKEY ioctls that were added in Linux 6.15.
- fscryptctl add_key. This relies on the support for FSCRYPT_ADD_KEY_FLAG_HW_WRAPPED which was added in Linux 6.16.
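
A sketch of the bounded key read and wipe-then-free pattern that the commit messages above describe, added here as an example and not fscryptctl's own code. The names read_key() and wipe_and_free() and the 64/128-byte limits come from the page; the signatures, bodies and sample bytes are assumptions.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <unistd.h>

enum { RAW_KEY_MAX_SIZE = 64, WRAPPED_KEY_MAX_SIZE = 128 }; /* limits from the commit message */

/* Zero the buffer through a volatile pointer so the stores are not optimized away, then free it. */
void wipe_and_free(void *p, size_t size)
{
	for (volatile uint8_t *v = p; p && size--; v++)
		*v = 0;
	free(p);
}

/* Read a key from fd until EOF. Returns 0, or -1 if it is empty, over max_size, or unreadable. */
int read_key(int fd, size_t max_size, uint8_t **key_ret, size_t *size_ret)
{
	uint8_t *buf = calloc(1, max_size + 1); /* +1: detect over-long input instead of truncating */
	size_t n = 0;
	while (buf && n <= max_size) {
		ssize_t r = read(fd, buf + n, max_size + 1 - n);
		if (r < 0 && errno == EINTR)
			continue;
		if (r < 0)
			n = 0; /* I/O error: force the failure path below */
		if (r <= 0)
			break;
		n += (size_t)r;
	}
	if (n == 0 || n > max_size) {
		wipe_and_free(buf, max_size + 1); /* partial key bytes must not linger on the heap */
		return -1;
	}
	*key_ret = buf;
	*size_ret = n;
	return 0;
}

int main(void)
{
	uint8_t sample[WRAPPED_KEY_MAX_SIZE] = { 0x42 }, *key; /* constructed bytes, not a real key */
	size_t size;
	int p[2];
	if (pipe(p) != 0 || write(p[1], sample, sizeof(sample)) != (ssize_t)sizeof(sample) || close(p[1]) != 0)
		return 1;
	/* Exit status 0 means the 128-byte input was rejected when offered as a raw key. */
	return read_key(p[0], RAW_KEY_MAX_SIZE, &key, &size) == -1 ? 0 : 1;
}
```

On success the caller owns the returned buffer and releases it with wipe_and_free(key, size).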