diff options
| author | Linus Torvalds <torvalds@linux-foundation.org> | 2018-11-02 01:23:59 +0300 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2018-11-02 01:23:59 +0300 |
| commit | baa888d25ea64d0c59344d474284ca99cfdd449a (patch) | |
| tree | 06b85d1c3b70a12ad5c8a49394d57c14d5a69993 /include/linux | |
| parent | 7260935d71b6d582376543844185add72848dde8 (diff) | |
| parent | 64ae16dfeefec670276607fa789ce096c7ebd7c4 (diff) | |
| download | linux-baa888d25ea64d0c59344d474284ca99cfdd449a.tar.xz | |
Merge branch 'next-keys2' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security
Pull keys updates from James Morris:
"Provide five new operations in the key_type struct that can be used to
provide access to asymmetric key operations. These will be implemented
for the asymmetric key type in a later patch and may refer to a key
retained in RAM by the kernel or a key retained in crypto hardware.
int (*asym_query)(const struct kernel_pkey_params *params,
struct kernel_pkey_query *info);
int (*asym_eds_op)(struct kernel_pkey_params *params,
const void *in, void *out);
int (*asym_verify_signature)(struct kernel_pkey_params *params,
const void *in, const void *in2);
Since encrypt, decrypt and sign are identical in their interfaces,
they're rolled together in the asym_eds_op() operation and there's an
operation ID in the params argument to distinguish them.
Verify is different in that we supply the data and the signature
instead and get an error value (or 0) as the only result on the
expectation that this may well be how a hardware crypto device may
work"
* 'next-keys2' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (22 commits)
KEYS: asym_tpm: Add support for the sign operation [ver #2]
KEYS: asym_tpm: Implement tpm_sign [ver #2]
KEYS: asym_tpm: Implement signature verification [ver #2]
KEYS: asym_tpm: Implement the decrypt operation [ver #2]
KEYS: asym_tpm: Implement tpm_unbind [ver #2]
KEYS: asym_tpm: Add loadkey2 and flushspecific [ver #2]
KEYS: Move trusted.h to include/keys [ver #2]
KEYS: trusted: Expose common functionality [ver #2]
KEYS: asym_tpm: Implement encryption operation [ver #2]
KEYS: asym_tpm: Implement pkey_query [ver #2]
KEYS: Add parser for TPM-based keys [ver #2]
KEYS: asym_tpm: extract key size & public key [ver #2]
KEYS: asym_tpm: add skeleton for asym_tpm [ver #2]
crypto: rsa-pkcs1pad: Allow hash to be optional [ver #2]
KEYS: Implement PKCS#8 RSA Private Key parser [ver #2]
KEYS: Implement encrypt, decrypt and sign for software asymmetric key [ver #2]
KEYS: Allow the public_key struct to hold a private key [ver #2]
KEYS: Provide software public key query function [ver #2]
KEYS: Make the X.509 and PKCS7 parsers supply the sig encoding type [ver #2]
KEYS: Provide missing asymmetric key subops for new key type ops [ver #2]
...
Diffstat (limited to 'include/linux')
| -rw-r--r-- | include/linux/key-type.h | 11 | ||||
| -rw-r--r-- | include/linux/keyctl.h | 46 |
2 files changed, 57 insertions, 0 deletions
diff --git a/include/linux/key-type.h b/include/linux/key-type.h index 05d8fb5a06c4..bc9af551fc83 100644 --- a/include/linux/key-type.h +++ b/include/linux/key-type.h @@ -17,6 +17,9 @@ #ifdef CONFIG_KEYS +struct kernel_pkey_query; +struct kernel_pkey_params; + /* * key under-construction record * - passed to the request_key actor if supplied @@ -155,6 +158,14 @@ struct key_type { */ struct key_restriction *(*lookup_restriction)(const char *params); + /* Asymmetric key accessor functions. */ + int (*asym_query)(const struct kernel_pkey_params *params, + struct kernel_pkey_query *info); + int (*asym_eds_op)(struct kernel_pkey_params *params, + const void *in, void *out); + int (*asym_verify_signature)(struct kernel_pkey_params *params, + const void *in, const void *in2); + /* internal fields */ struct list_head link; /* link in types list */ struct lock_class_key lock_class; /* key->sem lock class */ diff --git a/include/linux/keyctl.h b/include/linux/keyctl.h new file mode 100644 index 000000000000..c7c48c79ce0e --- /dev/null +++ b/include/linux/keyctl.h @@ -0,0 +1,46 @@ +/* keyctl kernel bits + * + * Copyright (C) 2016 Red Hat, Inc. All Rights Reserved. + * Written by David Howells (dhowells@redhat.com) + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public Licence + * as published by the Free Software Foundation; either version + * 2 of the Licence, or (at your option) any later version. + */ + +#ifndef __LINUX_KEYCTL_H +#define __LINUX_KEYCTL_H + +#include <uapi/linux/keyctl.h> + +struct kernel_pkey_query { + __u32 supported_ops; /* Which ops are supported */ + __u32 key_size; /* Size of the key in bits */ + __u16 max_data_size; /* Maximum size of raw data to sign in bytes */ + __u16 max_sig_size; /* Maximum size of signature in bytes */ + __u16 max_enc_size; /* Maximum size of encrypted blob in bytes */ + __u16 max_dec_size; /* Maximum size of decrypted blob in bytes */ +}; + +enum kernel_pkey_operation { + kernel_pkey_encrypt, + kernel_pkey_decrypt, + kernel_pkey_sign, + kernel_pkey_verify, +}; + +struct kernel_pkey_params { + struct key *key; + const char *encoding; /* Encoding (eg. "oaep" or "raw" for none) */ + const char *hash_algo; /* Digest algorithm used (eg. "sha1") or NULL if N/A */ + char *info; /* Modified info string to be released later */ + __u32 in_len; /* Input data size */ + union { + __u32 out_len; /* Output buffer size (enc/dec/sign) */ + __u32 in2_len; /* 2nd input data size (verify) */ + }; + enum kernel_pkey_operation op : 8; +}; + +#endif /* __LINUX_KEYCTL_H */ |