[PATCH v1 0/3] KEYS: trusted: Introduce support for NXP CAAM-based trusted keys

Ahmad Fatoum a.fatoum at pengutronix.de
Thu Apr 1 10:04:31 UTC 2021

Hello Richard,

On 30.03.21 23:50, Richard Weinberger wrote:
> Ahmad,
> On Wed, Mar 17, 2021 at 3:08 PM Ahmad Fatoum <a.fatoum at pengutronix.de> wrote:
>>     TABLE="0 $BLOCKS crypt $ALGO :32:trusted:$KEYNAME 0 $DEV 0 1 allow_discards"
>>     echo $TABLE | dmsetup create mydev
>>     echo $TABLE | dmsetup load mydev
> Do you also plan to add support for this to cryptsetup?
> David and I have added (rough) support for our CAAM/DCP based keyrings
> to cryptsetup:
> https://github.com/sigma-star/cryptsetup/tree/rw/plain
> I'm pretty sure with minimal changes it will work with your recent approach too.

I am using dmsetup directly in my project. I am not familiar with cryptsetup
plain. What benefits do you see with this over direct dmsetup?

What I'd like to see eventually is support for this with LUKS.
There is a RFE on trusted keys and cryptsetup on the project's repository[1].

The behavior I'd want it that the LUKS header would point at the trusted key
blob to use and load it into the kernel. This of course means that
you won't be able to have multiple keys for the encrypted partition.

[1]: https://gitlab.com/cryptsetup/cryptsetup/-/issues/443


Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |

More information about the Linux-security-module-archive mailing list