Lines Matching full:trusted
2 Trusted and Encrypted Keys
5 Trusted and Encrypted Keys are two new key types added to the existing kernel
8 stores, and loads only encrypted blobs. Trusted Keys require the availability
13 Trusted Keys as Protected key
15 It is the secure way of keeping the keys in the kernel key-ring as Trusted-Key,
40 Trusted keys as protected keys, with trust source having the capability of
48 A trust source provides the source of security for Trusted Keys. This
54 consumer of the Trusted Keys to determine if the trust source is sufficiently
59 (1) TPM (Trusted Platform Module: hardware device)
64 (2) TEE (Trusted Execution Environment: OP-TEE based on Arm TrustZone)
101 environment verified via Secure/Trusted boot process.
127 verifications match. A loaded Trusted Key can be updated with new
135 Relies on Secure/Trusted boot process for platform integrity. It can
145 Relies on Secure/Trusted boot process (called HAB by vendor) for
150 Relies on secure and trusted boot process of IBM Power systems for
187 Trusted Keys
224 Users may override this by specifying ``trusted.rng=kernel`` on the kernel
233 using a specified ‘master’ key. The ‘master’ key can either be a trusted-key or
235 rooted in a trusted key, they are only as secure as the user key encrypting
243 Trusted Keys usage: TPM
246 TPM 1.2: By default, trusted keys are sealed under the SRK, which has the
268 keyctl add trusted name "new keylen [options]" ring
269 keyctl add trusted name "load hex_blob [pcrlock=pcrnum]" ring
297 Trusted Keys can be 32 - 128 bytes (256 - 1024 bits), the upper limit is to fit
300 Trusted Keys usage: TEE
305 keyctl add trusted name "new keylen" ring
306 keyctl add trusted name "load hex_blob" ring
311 in bytes. Trusted Keys can be 32 - 128 bytes (256 - 1024 bits).
313 Trusted Keys usage: CAAM
316 Trusted Keys Usage::
318 keyctl add trusted name "new keylen" ring
319 keyctl add trusted name "load hex_blob" ring
324 Trusted Keys can be 32 - 128 bytes (256 - 1024 bits).
326 Trusted Keys as Protected Keys Usage::
328 keyctl add trusted name "new keylen pk [options]" ring
329 keyctl add trusted name "load hex_blob [options]" ring
339 Trusted Keys can be 32 - 128 bytes (256 - 1024 bits).
341 Trusted Keys usage: DCP
346 keyctl add trusted name "new keylen" ring
347 keyctl add trusted name "load hex_blob" ring
352 always in bytes. Trusted Keys can be 32 - 128 bytes (256 - 1024 bits).
354 Trusted Keys usage: PKWM
359 keyctl add trusted name "new keylen [options]" ring
360 keyctl add trusted name "load hex_blob" ring
372 always in bytes. Trusted Keys can be 32 - 128 bytes (256 - 1024 bits).
393 key-type:= 'trusted' | 'user'
395 Examples of trusted and encrypted key usage
398 Create and save a trusted key named "kmk" of length 32 bytes.
406 $ keyctl add trusted kmk "new 32" @u
413 440502848 --alswrv 500 500 \_ trusted: kmk
427 Load a trusted key from the saved blob::
429 $ keyctl add trusted kmk "load `cat kmk.blob`" @u
442 Create and save a trusted key as protected key named "kmk" of length 32 bytes.
446 $ keyctl add trusted kmk "new 32 pk key_enc_algo=1" @u
453 440502848 --alswrv 500 500 \_ trusted: kmk
467 Load a trusted key from the saved blob::
469 $ keyctl add trusted kmk "load `cat kmk.blob` key_enc_algo=1" @u
482 Reseal (TPM specific) a trusted key under new PCR values::
497 The initial consumer of trusted keys is EVM, which at boot time needs a high
499 trusted key provides strong guarantees that the EVM key has not been
502 encrypted key "evm" using the above trusted key "kmk":
506 $ keyctl add encrypted evm "new trusted:kmk 32" @u
511 $ keyctl add encrypted evm "new default trusted:kmk 32" @u
515 default trusted:kmk 32 2375725ad57798846a9bbd240de8906f006e66c03af53b1b3
527 default trusted:kmk 32 2375725ad57798846a9bbd240de8906f006e66c03af53b1b3
542 Other uses for trusted and encrypted keys, such as for disk and file encryption
587 The trusted key code only uses the TPM Sealed Data OID.
613 .. kernel-doc:: security/keys/trusted-keys/trusted_dcp.c
616 .. kernel-doc:: security/keys/trusted-keys/trusted_dcp.c