The kernel key service is a generic way to store keys for the use of other subsystems. Currently there is no way to use kernel keys in dm-crypt. This patch aims to fix that. Instead of key userspace may pass a key description with preceding ':'. So message that constructs encryption mapping now looks like this:
<cipher> [<key>|:<key description>] <iv_offset> <dev_path> <start> [<#opt_params> <opt_params>] Note: userspace part for this is not implemented yet. https://jira.sw.ru/browse/PSBM-44218 Signed-off-by: Andrey Ryabinin <aryabi...@virtuozzo.com> --- Changes since v1: - Fixed memleak on crypt_decode_key() failure. drivers/md/dm-crypt.c | 116 ++++++++++++++++++++++++++++++++++++++++++++++---- 1 file changed, 107 insertions(+), 9 deletions(-) diff --git a/drivers/md/dm-crypt.c b/drivers/md/dm-crypt.c index f717762..56ca046 100644 --- a/drivers/md/dm-crypt.c +++ b/drivers/md/dm-crypt.c @@ -12,6 +12,7 @@ #include <linux/module.h> #include <linux/init.h> #include <linux/kernel.h> +#include <linux/key.h> #include <linux/bio.h> #include <linux/blkdev.h> #include <linux/mempool.h> @@ -28,6 +29,7 @@ #include <crypto/hash.h> #include <crypto/md5.h> #include <crypto/algapi.h> +#include <keys/user-type.h> #include <linux/device-mapper.h> @@ -1487,21 +1489,112 @@ static int crypt_setkey_allcpus(struct crypt_config *cc) return err; } +#ifdef CONFIG_KEYS +static struct key *crypt_decode_get_keyring_key(char *key_desc) +{ + int ret; + struct key *key; + char *decoded_key_desc; + int key_desc_size = strlen(key_desc) >> 1; + + decoded_key_desc = kmalloc(key_desc_size + 1, GFP_KERNEL); + if (!decoded_key_desc) + return ERR_PTR(-ENOMEM); + + if (crypt_decode_key(decoded_key_desc, key_desc, key_desc_size) < 0) { + kfree(decoded_key_desc); + return ERR_PTR(-EINVAL); + } + + decoded_key_desc[key_desc_size] = '\0'; + + key = request_key(&key_type_user, decoded_key_desc, NULL); + kfree(decoded_key_desc); + if (IS_ERR(key)) + return key; + + ret = key_validate(key); + if (ret < 0) + return ERR_PTR(ret); + + return key; +} + +static int crypt_set_keyring_key(struct crypt_config *cc, char *key_desc) +{ + int ret = 0; + struct key *key; + const struct user_key_payload *ukp; + + key = crypt_decode_get_keyring_key(key_desc); + if (IS_ERR(key)) + return PTR_ERR(key); + + rcu_read_lock(); + ukp = user_key_payload(key); + if (cc->key_size != ukp->datalen) { + ret = -EINVAL; + goto out; + } + memcpy(cc->key, ukp->data, cc->key_size); +out: + rcu_read_unlock(); + key_put(key); + return ret; +} + +static int get_key_size(char *key_desc) +{ + int ret; + struct key *key; + + if (key_desc[0] != ':') + return strlen(key_desc) >> 1; + + key = crypt_decode_get_keyring_key(key_desc + 1); + if (IS_ERR(key)) + return PTR_ERR(key); + + rcu_read_lock(); + ret = user_key_payload(key)->datalen; + rcu_read_unlock(); + key_put(key); + return ret; +} +#else +static int crypt_set_keyring_key(struct crypt_config *cc, char *key_desc) +{ + return -EINVAL; +} + +static int get_key_size(const char *key) +{ + return strlen(key) >> 1; +} +#endif + static int crypt_set_key(struct crypt_config *cc, char *key) { int r = -EINVAL; int key_string_len = strlen(key); - /* The key size may not be changed. */ - if (cc->key_size != (key_string_len >> 1)) - goto out; - /* Hyphen (which gives a key_size of zero) means there is no key. */ if (!cc->key_size && strcmp(key, "-")) goto out; - if (cc->key_size && crypt_decode_key(cc->key, key, cc->key_size) < 0) - goto out; + /* ':' means that the key is in kernel keyring */ + if (key[0] == ':') { + if (crypt_set_keyring_key(cc, key + 1)) + goto out; + } else { + /* The key size may not be changed. */ + if (cc->key_size != (key_string_len >> 1)) + goto out; + + if (cc->key_size && + crypt_decode_key(cc->key, key, cc->key_size) < 0) + goto out; + } set_bit(DM_CRYPT_KEY_VALID, &cc->flags); @@ -1725,12 +1818,13 @@ bad_mem: /* * Construct an encryption mapping: - * <cipher> <key> <iv_offset> <dev_path> <start> + * <cipher> [<key>|:<key description>] <iv_offset> <dev_path> <start> */ static int crypt_ctr(struct dm_target *ti, unsigned int argc, char **argv) { struct crypt_config *cc; - unsigned int key_size, opt_params; + int key_size; + unsigned int opt_params; unsigned long long tmpll; int ret; size_t iv_size_padding; @@ -1747,7 +1841,11 @@ static int crypt_ctr(struct dm_target *ti, unsigned int argc, char **argv) return -EINVAL; } - key_size = strlen(argv[1]) >> 1; + key_size = get_key_size(argv[1]); + if (key_size < 0) { + ti->error = "Cannot get the key"; + return -EINVAL; + } cc = kzalloc(sizeof(*cc) + key_size * sizeof(u8), GFP_KERNEL); if (!cc) { -- 2.7.3 _______________________________________________ Devel mailing list Devel@openvz.org https://lists.openvz.org/mailman/listinfo/devel
