Migration to trusted keys: sealing user-provided key?

Mimi Zohar zohar at linux.ibm.com
Sun Jan 31 14:29:29 UTC 2021

On Sun, 2021-01-31 at 15:14 +0100, Jan Lübbe wrote:
> On Sun, 2021-01-31 at 07:09 -0500, Mimi Zohar wrote:


> > 
> > [1] The ima-evm-utils README contains EVM examples of "trusted" and
> > "user" based "encrypted" keys.
> I assume you refer to
> https://sourceforge.net/p/linux-ima/ima-evm-utils/ci/master/tree/README#l143
> "Generate EVM encrypted keys" and "Generate EVM trusted keys (TPM based)"?
> In both cases, the key used by EVM is a *newly generated* random key. The only
> difference is whether it's encrypted to a user key or a (random) trusted key.
The "encrypted" asymmetric key data doesn't change, "update" just
changes the key under which it is encrypted/decrypted.


    keyctl add encrypted name "new [format] key-type:master-key-name
    keyctl add encrypted name "load hex_blob" ring
    keyctl update keyid "update key-type:master-key-name"


More information about the Linux-security-module-archive mailing list