fscryptctl: add support for adding key by serial (ID)

Open a3f opened this issue 4 years ago • 2 comments

Since Linux commit https://github.com/torvalds/linux/commit/93edd392ca ("fscrypt: support passing a keyring key to FS_IOC_ADD_ENCRYPTION_KEY"), it's possible to pass the key ID of a "fscrypt-provisioning" key that Linux should retrieve the raw key material from instead of passing it directly from userspace.

This is useful to add fscrypt keys after unmounting and re-mounting. It would also prove useful should additional key types like trusted keys be allowed in future.

Thus add a new --serial parameter to add_key to facilitate this. --serial was chosen over --id to avoid confusion with the KEY_IDENTIFIER used in the remove_key, key_status and set_policy documentation, which it is not interchangeable with.


This PR is applicable regardless of my patch for adding fscrypt support for trusted keys.

Should a revised version of that patch be applied, I'll create a new pull request to adjust the documentation here appropriately. There is no code change necessary however, because the API used for fscrypt-provisioning keys is reused.

a3f avatar Jul 27 '21 14:07 a3f

Thanks for your pull request. It looks like this may be your first contribution to a Google open source project (if not, look below for help). Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

:memo: Please visit https://cla.developers.google.com/ to sign.

Once you've signed (or fixed any issues), please reply here with @googlebot I signed it! and we'll verify it.

google-cla[bot] avatar Jul 27 '21 14:07 google-cla[bot]

@googlebot I signed it!

a3f avatar Aug 06 '21 10:08 a3f