Lines Matching full:trusted

2 Trusted and Encrypted Keys
5 Trusted and Encrypted Keys are two new key types added to the existing kernel
8 stores, and loads only encrypted blobs. Trusted Keys require the availability
17 A trust source provides the source of security for Trusted Keys. This
23 consumer of the Trusted Keys to determine if the trust source is sufficiently
28 (1) TPM (Trusted Platform Module: hardware device)
33 (2) TEE (Trusted Execution Environment: OP-TEE based on Arm TrustZone)
47 environment verified via Secure/Trusted boot process.
55 verifications match. A loaded Trusted Key can be updated with new
63 Relies on Secure/Trusted boot process for platform integrity. It can
87 Trusted Keys
112 'master' key can either be a trusted-key or user-key type. The main disadvantage
113 of encrypted keys is that if they are not rooted in a trusted key, they are only
121 Trusted Keys usage: TPM
124 TPM 1.2: By default, trusted keys are sealed under the SRK, which has the
146 keyctl add trusted name "new keylen [options]" ring
147 keyctl add trusted name "load hex_blob [pcrlock=pcrnum]" ring
175 Trusted Keys can be 32 - 128 bytes (256 - 1024 bits), the upper limit is to fit
178 Trusted Keys usage: TEE
183 keyctl add trusted name "new keylen" ring
184 keyctl add trusted name "load hex_blob" ring
189 in bytes. Trusted Keys can be 32 - 128 bytes (256 - 1024 bits).
208 key-type:= 'trusted' | 'user'
210 Examples of trusted and encrypted key usage
213 Create and save a trusted key named "kmk" of length 32 bytes.
221 $ keyctl add trusted kmk "new 32" @u
228 440502848 --alswrv 500 500 \_ trusted: kmk
242 Load a trusted key from the saved blob::
244 $ keyctl add trusted kmk "load `cat kmk.blob`" @u
257 Reseal (TPM specific) a trusted key under new PCR values::
272 The initial consumer of trusted keys is EVM, which at boot time needs a high
274 trusted key provides strong guarantees that the EVM key has not been
277 encrypted key "evm" using the above trusted key "kmk":
281 $ keyctl add encrypted evm "new trusted:kmk 32" @u
286 $ keyctl add encrypted evm "new default trusted:kmk 32" @u
290 default trusted:kmk 32 2375725ad57798846a9bbd240de8906f006e66c03af53b1b3
302 default trusted:kmk 32 2375725ad57798846a9bbd240de8906f006e66c03af53b1b3
306 Other uses for trusted and encrypted keys, such as for disk and file encryption
351 The trusted key code only uses the TPM Sealed Data OID.