Migration to trusted keys: sealing user-provided key?
Mimi Zohar
zohar at linux.ibm.com
Sun Jan 31 14:29:29 UTC 2021
On Sun, 2021-01-31 at 15:14 +0100, Jan Lübbe wrote:
> On Sun, 2021-01-31 at 07:09 -0500, Mimi Zohar wrote:
<snip>
> >
> > [1] The ima-evm-utils README contains EVM examples of "trusted" and
> > "user" based "encrypted" keys.
>
> I assume you refer to
> https://sourceforge.net/p/linux-ima/ima-evm-utils/ci/master/tree/README#l143
> "Generate EVM encrypted keys" and "Generate EVM trusted keys (TPM based)"?
>
> In both cases, the key used by EVM is a *newly generated* random key. The only
> difference is whether it's encrypted to a user key or a (random) trusted key.
The "encrypted" asymmetric key data doesn't change, "update" just
changes the key under which it is encrypted/decrypted.
Usage::
keyctl add encrypted name "new [format] key-type:master-key-name
keylen"
ring
keyctl add encrypted name "load hex_blob" ring
keyctl update keyid "update key-type:master-key-name"
Mimi
More information about the Linux-security-module-archive
mailing list