s390/pkey: Add sysfs attributes to emit protected key blobs
Add binary read-only sysfs attributes for the pkey module that can be used to read random protected keys from. Keys are read from these attributes using a cat-like interface. A typical use case for those keys is to encrypt a swap device using the paes cipher. During processing of /etc/crypttab, the random protected key to encrypt the swap device is read from one of the attributes. The following attributes are added: protkey/aes_128 protkey/aes_192 protkey/aes_256 protkey/aes_128_xts protkey/aes_256_xts Each attribute emits a protected key blob for the corresponding key size and cipher mode. Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com> Reviewed-by: Harald Freudenberger <freude@linux.ibm.com> Reviewed-by: Hendrik Brueckner <brueckner@linux.ibm.com> Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
This commit is contained in:
Ingo Franzki
Martin Schwidefsky
Родитель
0534bde7de
Коммит
d632c0478d
|
|
@ -1254,6 +1254,132 @@ static long pkey_unlocked_ioctl(struct file *filp, unsigned int cmd,
|
|||
/*
|
||||
* Sysfs and file io operations
|
||||
*/
|
||||
|
||||
/*
|
||||
* Sysfs attribute read function for all protected key binary attributes.
|
||||
* The implementation can not deal with partial reads, because a new random
|
||||
* protected key blob is generated with each read. In case of partial reads
|
||||
* (i.e. off != 0 or count < key blob size) -EINVAL is returned.
|
||||
*/
|
||||
static ssize_t pkey_protkey_aes_attr_read(u32 keytype, bool is_xts, char *buf,
|
||||
loff_t off, size_t count)
|
||||
{
|
||||
struct protaeskeytoken protkeytoken;
|
||||
struct pkey_protkey protkey;
|
||||
int rc;
|
||||
|
||||
if (off != 0 || count < sizeof(protkeytoken))
|
||||
return -EINVAL;
|
||||
if (is_xts)
|
||||
if (count < 2 * sizeof(protkeytoken))
|
||||
return -EINVAL;
|
||||
|
||||
memset(&protkeytoken, 0, sizeof(protkeytoken));
|
||||
protkeytoken.type = TOKTYPE_NON_CCA;
|
||||
protkeytoken.version = TOKVER_PROTECTED_KEY;
|
||||
protkeytoken.keytype = keytype;
|
||||
|
||||
rc = pkey_genprotkey(protkeytoken.keytype, &protkey);
|
||||
if (rc)
|
||||
return rc;
|
||||
|
||||
protkeytoken.len = protkey.len;
|
||||
memcpy(&protkeytoken.protkey, &protkey.protkey, protkey.len);
|
||||
|
||||
memcpy(buf, &protkeytoken, sizeof(protkeytoken));
|
||||
|
||||
if (is_xts) {
|
||||
rc = pkey_genprotkey(protkeytoken.keytype, &protkey);
|
||||
if (rc)
|
||||
return rc;
|
||||
|
||||
protkeytoken.len = protkey.len;
|
||||
memcpy(&protkeytoken.protkey, &protkey.protkey, protkey.len);
|
||||
|
||||
memcpy(buf + sizeof(protkeytoken), &protkeytoken,
|
||||
sizeof(protkeytoken));
|
||||
|
||||
return 2 * sizeof(protkeytoken);
|
||||
}
|
||||
|
||||
return sizeof(protkeytoken);
|
||||
}
|
||||
|
||||
static ssize_t protkey_aes_128_read(struct file *filp,
|
||||
struct kobject *kobj,
|
||||
struct bin_attribute *attr,
|
||||
char *buf, loff_t off,
|
||||
size_t count)
|
||||
{
|
||||
return pkey_protkey_aes_attr_read(PKEY_KEYTYPE_AES_128, false, buf,
|
||||
off, count);
|
||||
}
|
||||
|
||||
static ssize_t protkey_aes_192_read(struct file *filp,
|
||||
struct kobject *kobj,
|
||||
struct bin_attribute *attr,
|
||||
char *buf, loff_t off,
|
||||
size_t count)
|
||||
{
|
||||
return pkey_protkey_aes_attr_read(PKEY_KEYTYPE_AES_192, false, buf,
|
||||
off, count);
|
||||
}
|
||||
|
||||
static ssize_t protkey_aes_256_read(struct file *filp,
|
||||
struct kobject *kobj,
|
||||
struct bin_attribute *attr,
|
||||
char *buf, loff_t off,
|
||||
size_t count)
|
||||
{
|
||||
return pkey_protkey_aes_attr_read(PKEY_KEYTYPE_AES_256, false, buf,
|
||||
off, count);
|
||||
}
|
||||
|
||||
static ssize_t protkey_aes_128_xts_read(struct file *filp,
|
||||
struct kobject *kobj,
|
||||
struct bin_attribute *attr,
|
||||
char *buf, loff_t off,
|
||||
size_t count)
|
||||
{
|
||||
return pkey_protkey_aes_attr_read(PKEY_KEYTYPE_AES_128, true, buf,
|
||||
off, count);
|
||||
}
|
||||
|
||||
static ssize_t protkey_aes_256_xts_read(struct file *filp,
|
||||
struct kobject *kobj,
|
||||
struct bin_attribute *attr,
|
||||
char *buf, loff_t off,
|
||||
size_t count)
|
||||
{
|
||||
return pkey_protkey_aes_attr_read(PKEY_KEYTYPE_AES_256, true, buf,
|
||||
off, count);
|
||||
}
|
||||
|
||||
static BIN_ATTR_RO(protkey_aes_128, sizeof(struct protaeskeytoken));
|
||||
static BIN_ATTR_RO(protkey_aes_192, sizeof(struct protaeskeytoken));
|
||||
static BIN_ATTR_RO(protkey_aes_256, sizeof(struct protaeskeytoken));
|
||||
static BIN_ATTR_RO(protkey_aes_128_xts, 2 * sizeof(struct protaeskeytoken));
|
||||
static BIN_ATTR_RO(protkey_aes_256_xts, 2 * sizeof(struct protaeskeytoken));
|
||||
|
||||
static struct bin_attribute *protkey_attrs[] = {
|
||||
&bin_attr_protkey_aes_128,
|
||||
&bin_attr_protkey_aes_192,
|
||||
&bin_attr_protkey_aes_256,
|
||||
&bin_attr_protkey_aes_128_xts,
|
||||
&bin_attr_protkey_aes_256_xts,
|
||||
NULL
|
||||
};
|
||||
|
||||
static struct attribute_group protkey_attr_group = {
|
||||
.name = "protkey",
|
||||
.bin_attrs = protkey_attrs,
|
||||
};
|
||||
|
||||
static const struct attribute_group *pkey_attr_groups[] = {
|
||||
&protkey_attr_group,
|
||||
NULL,
|
||||
};
|
||||
|
||||
static const struct file_operations pkey_fops = {
|
||||
.owner = THIS_MODULE,
|
||||
.open = nonseekable_open,
|
||||
|
|
@ -1266,6 +1392,7 @@ static struct miscdevice pkey_dev = {
|
|||
.minor = MISC_DYNAMIC_MINOR,
|
||||
.mode = 0666,
|
||||
.fops = &pkey_fops,
|
||||
.groups = pkey_attr_groups,
|
||||
};
|
||||
|
||||
/*
|
||||
|
|
|
|||
Загрузка…
Ссылка в новой задаче