On Fri, Jan 18, 2019 at 12:59:06PM -0800, James Bottomley wrote:
> On Fri, 2019-01-18 at 16:33 +0200, Jarkko Sakkinen wrote:
> > On Fri, Jan 11, 2019 at 07:28:58AM -0800, James Bottomley wrote:
> > > On Fri, 2019-01-11 at 16:02 +0200, Jarkko Sakkinen wrote:
> > > > On Tue, Jan 08, 2019 at 05:43:53P
On Fri, 2019-01-18 at 16:33 +0200, Jarkko Sakkinen wrote:
> On Fri, Jan 11, 2019 at 07:28:58AM -0800, James Bottomley wrote:
> > On Fri, 2019-01-11 at 16:02 +0200, Jarkko Sakkinen wrote:
> > > On Tue, Jan 08, 2019 at 05:43:53PM -0800, Andy Lutomirski wrote:
> > > > (Also, do we have a sensible stor
On Fri, Jan 11, 2019 at 07:28:58AM -0800, James Bottomley wrote:
> On Fri, 2019-01-11 at 16:02 +0200, Jarkko Sakkinen wrote:
> > On Tue, Jan 08, 2019 at 05:43:53PM -0800, Andy Lutomirski wrote:
> > > (Also, do we have a sensible story of how the TPM interacts with
> > > hibernation at all? Presuma
On Wed, Jan 09, 2019 at 10:34:42AM -0800, Andy Lutomirski wrote:
> I suppose I should go read the 2.0 spec. I’ve read the 1.2 spec, but I
> always assumed that 2.0 was essentially a superset of 1.2
> functionality.
They are essentially different protocols. No real compatibility.
> Can the kernel
On Thu, Jan 10, 2019 at 02:11:55AM +0800, joeyli wrote:
> > Well, I think here, if we were actually trying to solve the problem of
> > proving the hibernated image were the same one we would need to prove
> > some log of the kernel operation came to a particular value *after* the
> > hibernated ima
On Fri, 2019-01-11 at 16:02 +0200, Jarkko Sakkinen wrote:
> On Tue, Jan 08, 2019 at 05:43:53PM -0800, Andy Lutomirski wrote:
> > (Also, do we have a sensible story of how the TPM interacts with
> > hibernation at all? Presumably we should at least try to replay
> > the PCR operations that have occ
On Tue, Jan 08, 2019 at 05:43:53PM -0800, Andy Lutomirski wrote:
> (Also, do we have a sensible story of how the TPM interacts with
> hibernation at all? Presumably we should at least try to replay the
> PCR operations that have occurred so that we can massage the PCRs into
> the same state post-h
Hi!
> > > Note if someone has your laptop and the ability to boot their own
> > > kernels, they could always corrupt the kernel into decrypting the
> > > image or giving you the unsealed key, but there's no real way of
> > > preventing that even with PCR sealing or lockdown, so the basis for
> > >
On Wed, 2019-01-09 at 12:12 -0800, Andy Lutomirski wrote:
> On Wed, Jan 9, 2019 at 11:46 AM James Bottomley
> wrote:
[...]
> > > I’m not sure I follow. Here are the two properties I’d like to
> > > see:
> > >
> > > 1. If you have an encrypted hibernation image, the only thing you
> > > should be
On Wed, Jan 9, 2019 at 11:46 AM James Bottomley
wrote:
>
> On Wed, 2019-01-09 at 10:34 -0800, Andy Lutomirski wrote:
> > > > On Jan 8, 2019, at 10:49 PM, James Bottomley wrote:
> > > >
> > If so, then a signature that the kernel would have prevented user
> > code from
On Wed, 2019-01-09 at 10:34 -0800, Andy Lutomirski wrote:
> > > On Jan 8, 2019, at 10:49 PM, James Bottomley wrote:
> > >
> > > On Tue, 2019-01-08 at 17:43 -0800, Andy Lutomirski wrote:
> > > [Adding Jarkko because this stuff relates to the TPM.]
> > > Anyway, if we're tal
>> On Jan 8, 2019, at 10:49 PM, James Bottomley
>> wrote:
>>
>> On Tue, 2019-01-08 at 17:43 -0800, Andy Lutomirski wrote:
>> [Adding Jarkko because this stuff relates to the TPM.]
>
>> Anyway, if we're talking about the TPM, it seems like the entire
>> "trusted key" mechanism in the kernel is mis
On Wednesday, 9 January 2019, 18:34:55 CET, Eric Biggers wrote:
Hi Eric,
> That would not meet my performance requirements as I want to precompute
> HKDF-Extract, and then do HKDF-Expand many times. Also the HKDF-Expand part
> should be thread-safe and not require allocating memory, especially n
Hi James
On Tue, Jan 08, 2019 at 10:49:39PM -0800, James Bottomley wrote:
> On Tue, 2019-01-08 at 17:43 -0800, Andy Lutomirski wrote:
> > [Adding Jarkko because this stuff relates to the TPM.]
> >
> > On Tue, Jan 8, 2019 at 4:44 PM James Bottomley
> > wrote:
> > >
> > > On Tue, 2019-01-08 at 15
On Wed, Jan 09, 2019 at 11:17:45AM +0100, Stephan Mueller wrote:
> On Wednesday, 9 January 2019, 09:21:04 CET, Eric Biggers wrote:
>
> Hi Eric,
> >
> > FWIW, it's been very slow going since I've been working on other projects
> > and I also need to be very sure to get the API changes right, but I
On Wed, 2019-01-09 at 08:05 +0100, Stephan Mueller wrote:
> On Wednesday, 9 January 2019, 07:58:28 CET, James Bottomley wrote:
>
> Hi James,
>
> > On Wed, 2019-01-09 at 07:45 +0100, Stephan Mueller wrote:
> > > On Wednesday, 9 January 2019, 01:44:31 CET, James Bottomley wrote:
> > >
> > >
On Wednesday, 9 January 2019, 09:21:04 CET, Eric Biggers wrote:
Hi Eric,
>
> FWIW, it's been very slow going since I've been working on other projects
> and I also need to be very sure to get the API changes right, but I still
> plan to change the KDF in fscrypt (a.k.a. ext4/f2fs/ubifs encryption
On Wed, Jan 09, 2019 at 08:05:21AM +0100, Stephan Mueller wrote:
> On Wednesday, 9 January 2019, 07:58:28 CET, James Bottomley wrote:
>
> Hi James,
>
> > On Wed, 2019-01-09 at 07:45 +0100, Stephan Mueller wrote:
> > > On Wednesday, 9 January 2019, 01:44:31 CET, James Bottomley wrote:
> > >
> > >
On Wednesday, 9 January 2019, 07:58:28 CET, James Bottomley wrote:
Hi James,
> On Wed, 2019-01-09 at 07:45 +0100, Stephan Mueller wrote:
> > On Wednesday, 9 January 2019, 01:44:31 CET, James Bottomley wrote:
> >
> > Hi James,
> >
> > > Actually, it would be enormously helpful if we could reuse
On Wed, 2019-01-09 at 07:45 +0100, Stephan Mueller wrote:
> On Wednesday, 9 January 2019, 01:44:31 CET, James Bottomley wrote:
>
> Hi James,
>
> > Actually, it would be enormously helpful if we could reuse these
> > pieces for the TPM as well.
>
> Could you please help me understand whether the
On Tue, 2019-01-08 at 17:43 -0800, Andy Lutomirski wrote:
> [Adding Jarkko because this stuff relates to the TPM.]
>
> On Tue, Jan 8, 2019 at 4:44 PM James Bottomley
> wrote:
> >
> > On Tue, 2019-01-08 at 15:54 -0800, Andy Lutomirski wrote:
> > > > On Jan 7, 2019, at 11:09 PM, Stephan Mueller >
On Wednesday, 9 January 2019, 01:44:31 CET, James Bottomley wrote:
Hi James,
> Actually, it would be enormously helpful if we could reuse these pieces
> for the TPM as well.
Could you please help me understand whether the KDFs in TPM are directly
usable as a standalone cipher primitive or does
On Wednesday, 9 January 2019, 00:54:22 CET, Andy Lutomirski wrote:
Hi Andy,
>
> I think that, if the crypto API is going to grow a KDF facility, it should
> be done right. Have a key type or flag or whatever that says “this key may
> *only* be used to derive keys using such-and-such algorithm”, a
[Adding Jarkko because this stuff relates to the TPM.]
On Tue, Jan 8, 2019 at 4:44 PM James Bottomley
wrote:
>
> On Tue, 2019-01-08 at 15:54 -0800, Andy Lutomirski wrote:
> > > On Jan 7, 2019, at 11:09 PM, Stephan Mueller
> > > wrote:
> > >
> > > Am Dienstag, 8. Januar 2019, 06:03:58 CET schrieb
On Tue, 2019-01-08 at 15:54 -0800, Andy Lutomirski wrote:
> > On Jan 7, 2019, at 11:09 PM, Stephan Mueller
> > wrote:
> >
> > On Tuesday, 8 January 2019, 06:03:58 CET, Herbert Xu wrote:
> >
> > Hi Herbert,
> >
> > > Are we going to have multiple implementations for the same KDF?
> > > If not
> On Jan 7, 2019, at 11:09 PM, Stephan Mueller wrote:
>
> On Tuesday, 8 January 2019, 06:03:58 CET, Herbert Xu wrote:
>
> Hi Herbert,
>
>> Are we going to have multiple implementations for the same KDF?
>> If not then the crypto API is not a good fit. To consolidate
>> multiple implementat
On Tuesday, 8 January 2019, 06:03:58 CET, Herbert Xu wrote:
Hi Herbert,
> Are we going to have multiple implementations for the same KDF?
> If not then the crypto API is not a good fit. To consolidate
> multiple implementations of the same KDF, simply provide helpers
> for them.
It is unlikel
On Mon, Jan 07, 2019 at 04:52:00PM +0100, Stephan Mueller wrote:
>
> Would it make sense to polish these mentioned KDF patches and add them to the
> kernel crypto API? The sprawl of key derivation logic here and there which
> seemingly does not comply to any standard and thus possibly have issues
On Monday, 7 January 2019, 16:33:27 CET, joeyli wrote:
Hi Herbert,
>
> > use an official KDF type like SP800-108 or HKDF?
> >
> > You find the counter-KDF according to SP800-108 in security/keys/dh.c
> > (search for functions *kdf*).
> >
> > Or we may start pulling in KDF support into the ker
Hi Stephan,
First, thanks for your review!
On Sun, Jan 06, 2019 at 09:01:27AM +0100, Stephan Mueller wrote:
> On Thursday, 3 January 2019, 15:32:23 CET, Lee, Chun-Yi wrote:
>
> Hi Chun,
>
> > This patch adds a snapshot keys handler for using the key retention
> > service api to create keys
On Sunday, 6 January 2019, 09:01:27 CET, Stephan Mueller wrote:
Hi,
> > + memcpy(skey.key, ukp->data, ukp->datalen);
>
> Where would skey.key be destroyed again?
Now I see it - it is in patch 4. Please disregard my comment.
Ciao
Stephan
On Thursday, 3 January 2019, 15:32:23 CET, Lee, Chun-Yi wrote:
Hi Chun,
> This patch adds a snapshot keys handler for using the key retention
> service api to create keys for snapshot image encryption and
> authentication.
>
> This handler uses TPM trusted key as the snapshot master key, and
This patch adds a snapshot keys handler for using the key retention
service api to create keys for snapshot image encryption and
authentication.
This handler uses TPM trusted key as the snapshot master key, and the
encryption key and authentication key are derived from the snapshot
key. The user d
33 matches