doc: ReSTify keys-trusted-encrypted.txt
Adjusts for ReST markup and moves under keys security devel index. Cc: David Howells <dhowells@redhat.com> Cc: Mimi Zohar <zohar@linux.vnet.ibm.com> Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Jonathan Corbet <corbet@lwn.net>
This commit is contained in:
parent
3db38ed768
commit
5395d312df
@ -1,4 +0,0 @@
|
||||
00-INDEX
|
||||
- this file.
|
||||
keys-trusted-encrypted.txt
|
||||
- info on the Trusted and Encrypted keys in the kernel key ring service.
|
@ -1,8 +0,0 @@
|
||||
project = "The kernel security subsystem manual"
|
||||
|
||||
tags.add("subproject")
|
||||
|
||||
latex_documents = [
|
||||
('index', 'security.tex', project,
|
||||
'The kernel development community', 'manual'),
|
||||
]
|
@ -8,3 +8,4 @@ Kernel Keys
|
||||
core
|
||||
ecryptfs
|
||||
request-key
|
||||
trusted-encrypted
|
||||
|
@ -1,4 +1,6 @@
|
||||
Trusted and Encrypted Keys
|
||||
==========================
|
||||
Trusted and Encrypted Keys
|
||||
==========================
|
||||
|
||||
Trusted and Encrypted Keys are two new key types added to the existing kernel
|
||||
key ring service. Both of these new types are variable length symmetric keys,
|
||||
@ -20,7 +22,8 @@ By default, trusted keys are sealed under the SRK, which has the default
|
||||
authorization value (20 zeros). This can be set at takeownership time with the
|
||||
trouser's utility: "tpm_takeownership -u -z".
|
||||
|
||||
Usage:
|
||||
Usage::
|
||||
|
||||
keyctl add trusted name "new keylen [options]" ring
|
||||
keyctl add trusted name "load hex_blob [pcrlock=pcrnum]" ring
|
||||
keyctl update key "update [options]"
|
||||
@ -64,19 +67,22 @@ The decrypted portion of encrypted keys can contain either a simple symmetric
|
||||
key or a more complex structure. The format of the more complex structure is
|
||||
application specific, which is identified by 'format'.
|
||||
|
||||
Usage:
|
||||
Usage::
|
||||
|
||||
keyctl add encrypted name "new [format] key-type:master-key-name keylen"
|
||||
ring
|
||||
keyctl add encrypted name "load hex_blob" ring
|
||||
keyctl update keyid "update key-type:master-key-name"
|
||||
|
||||
format:= 'default | ecryptfs'
|
||||
key-type:= 'trusted' | 'user'
|
||||
Where::
|
||||
|
||||
format:= 'default | ecryptfs'
|
||||
key-type:= 'trusted' | 'user'
|
||||
|
||||
|
||||
Examples of trusted and encrypted key usage:
|
||||
|
||||
Create and save a trusted key named "kmk" of length 32 bytes:
|
||||
Create and save a trusted key named "kmk" of length 32 bytes::
|
||||
|
||||
$ keyctl add trusted kmk "new 32" @u
|
||||
440502848
|
||||
@ -99,7 +105,7 @@ Create and save a trusted key named "kmk" of length 32 bytes:
|
||||
|
||||
$ keyctl pipe 440502848 > kmk.blob
|
||||
|
||||
Load a trusted key from the saved blob:
|
||||
Load a trusted key from the saved blob::
|
||||
|
||||
$ keyctl add trusted kmk "load `cat kmk.blob`" @u
|
||||
268728824
|
||||
@ -114,7 +120,7 @@ Load a trusted key from the saved blob:
|
||||
f1f8fff03ad0acb083725535636addb08d73dedb9832da198081e5deae84bfaf0409c22b
|
||||
e4a8aea2b607ec96931e6f4d4fe563ba
|
||||
|
||||
Reseal a trusted key under new pcr values:
|
||||
Reseal a trusted key under new pcr values::
|
||||
|
||||
$ keyctl update 268728824 "update pcrinfo=`cat pcr.blob`"
|
||||
$ keyctl print 268728824
|
||||
@ -135,11 +141,13 @@ compromised by a user level problem, and when sealed to specific boot PCR
|
||||
values, protects against boot and offline attacks. Create and save an
|
||||
encrypted key "evm" using the above trusted key "kmk":
|
||||
|
||||
option 1: omitting 'format'
|
||||
option 1: omitting 'format'::
|
||||
|
||||
$ keyctl add encrypted evm "new trusted:kmk 32" @u
|
||||
159771175
|
||||
|
||||
option 2: explicitly defining 'format' as 'default'
|
||||
option 2: explicitly defining 'format' as 'default'::
|
||||
|
||||
$ keyctl add encrypted evm "new default trusted:kmk 32" @u
|
||||
159771175
|
||||
|
||||
@ -150,7 +158,7 @@ option 2: explicitly defining 'format' as 'default'
|
||||
|
||||
$ keyctl pipe 159771175 > evm.blob
|
||||
|
||||
Load an encrypted key "evm" from saved blob:
|
||||
Load an encrypted key "evm" from saved blob::
|
||||
|
||||
$ keyctl add encrypted evm "load `cat evm.blob`" @u
|
||||
831684262
|
||||
@ -164,4 +172,4 @@ Other uses for trusted and encrypted keys, such as for disk and file encryption
|
||||
are anticipated. In particular the new format 'ecryptfs' has been defined in
|
||||
in order to use encrypted keys to mount an eCryptfs filesystem. More details
|
||||
about the usage can be found in the file
|
||||
'Documentation/security/keys-ecryptfs.txt'.
|
||||
``Documentation/security/keys-ecryptfs.txt``.
|
@ -7356,7 +7356,7 @@ M: Mimi Zohar <zohar@linux.vnet.ibm.com>
|
||||
L: linux-security-module@vger.kernel.org
|
||||
L: keyrings@vger.kernel.org
|
||||
S: Supported
|
||||
F: Documentation/security/keys-trusted-encrypted.txt
|
||||
F: Documentation/security/keys/trusted-encrypted.rst
|
||||
F: include/keys/trusted-type.h
|
||||
F: security/keys/trusted.c
|
||||
F: security/keys/trusted.h
|
||||
@ -7367,7 +7367,7 @@ M: David Safford <safford@us.ibm.com>
|
||||
L: linux-security-module@vger.kernel.org
|
||||
L: keyrings@vger.kernel.org
|
||||
S: Supported
|
||||
F: Documentation/security/keys-trusted-encrypted.txt
|
||||
F: Documentation/security/keys/trusted-encrypted.rst
|
||||
F: include/keys/encrypted-type.h
|
||||
F: security/keys/encrypted-keys/
|
||||
|
||||
|
@ -11,7 +11,7 @@
|
||||
* it under the terms of the GNU General Public License as published by
|
||||
* the Free Software Foundation, version 2 of the License.
|
||||
*
|
||||
* See Documentation/security/keys-trusted-encrypted.txt
|
||||
* See Documentation/security/keys/trusted-encrypted.rst
|
||||
*/
|
||||
|
||||
#include <linux/uaccess.h>
|
||||
|
@ -11,7 +11,7 @@
|
||||
* it under the terms of the GNU General Public License as published by
|
||||
* the Free Software Foundation, version 2 of the License.
|
||||
*
|
||||
* See Documentation/security/keys-trusted-encrypted.txt
|
||||
* See Documentation/security/keys/trusted-encrypted.rst
|
||||
*/
|
||||
|
||||
#include <linux/uaccess.h>
|
||||
|
@ -8,7 +8,7 @@
|
||||
* it under the terms of the GNU General Public License as published by
|
||||
* the Free Software Foundation, version 2 of the License.
|
||||
*
|
||||
* See Documentation/security/keys-trusted-encrypted.txt
|
||||
* See Documentation/security/keys/trusted-encrypted.rst
|
||||
*/
|
||||
|
||||
#include <crypto/hash_info.h>
|
||||
|
Loading…
Reference in New Issue
Block a user