Migration to trusted keys: sealing user-provided key?
David Howells
dhowells at redhat.com
Mon Feb 1 11:36:01 UTC 2021
Jan Lübbe <jlu at pengutronix.de> wrote:
> ... But at this point, you can still do 'keyctl read' on that key, exposing
> the key material to user space.
I wonder if it would help to provide a keyctl function to mark a key as being
permanently unreadable - so that it overrides the READ permission bit.
Alternatively, you can disable READ and SETATTR permission - but that then
prevents you from removing other perms if you want to :-/
David
More information about the Linux-security-module-archive
mailing list