trusted-encrypted.rst - OpenGrok cross reference for /linux-6.14.4/Documentation/security/keys/trusted-encrypted.rst

Lines Matching full:trusted
2 Trusted and Encrypted Keys
5 Trusted and Encrypted Keys are two new key types added to the existing kernel
8 stores, and loads only encrypted blobs.  Trusted Keys require the availability
17 A trust source provides the source of security for Trusted Keys.  This
23 consumer of the Trusted Keys to determine if the trust source is sufficiently
28      (1) TPM (Trusted Platform Module: hardware device)
33      (2) TEE (Trusted Execution Environment: OP-TEE based on Arm TrustZone)
62          environment verified via Secure/Trusted boot process.
80          verifications match. A loaded Trusted Key can be updated with new
88          Relies on Secure/Trusted boot process for platform integrity. It can
98          Relies on Secure/Trusted boot process (called HAB by vendor) for
130 Trusted Keys
163 Users may override this by specifying ``trusted.rng=kernel`` on the kernel
172 using a specified ‘master’ key. The ‘master’ key can either be a trusted-key or
174 rooted in a trusted key, they are only as secure as the user key encrypting
182 Trusted Keys usage: TPM
185 TPM 1.2: By default, trusted keys are sealed under the SRK, which has the
207     keyctl add trusted name "new keylen [options]" ring
208     keyctl add trusted name "load hex_blob [pcrlock=pcrnum]" ring
236 Trusted Keys can be 32 - 128 bytes (256 - 1024 bits), the upper limit is to fit
239 Trusted Keys usage: TEE
244     keyctl add trusted name "new keylen" ring
245     keyctl add trusted name "load hex_blob" ring
250 in bytes. Trusted Keys can be 32 - 128 bytes (256 - 1024 bits).
252 Trusted Keys usage: CAAM
257     keyctl add trusted name "new keylen" ring
258     keyctl add trusted name "load hex_blob" ring
263 Trusted Keys can be 32 - 128 bytes (256 - 1024 bits).
265 Trusted Keys usage: DCP
270     keyctl add trusted name "new keylen" ring
271     keyctl add trusted name "load hex_blob" ring
276 always in bytes. Trusted Keys can be 32 - 128 bytes (256 - 1024 bits).
297 	key-type:= 'trusted' | 'user'
299 Examples of trusted and encrypted key usage
302 Create and save a trusted key named "kmk" of length 32 bytes.
310     $ keyctl add trusted kmk "new 32" @u
317     440502848 --alswrv    500   500       \_ trusted: kmk
331 Load a trusted key from the saved blob::
333     $ keyctl add trusted kmk "load `cat kmk.blob`" @u
346 Reseal (TPM specific) a trusted key under new PCR values::
361 The initial consumer of trusted keys is EVM, which at boot time needs a high
363 trusted key provides strong guarantees that the EVM key has not been
366 encrypted key "evm" using the above trusted key "kmk":
370     $ keyctl add encrypted evm "new trusted:kmk 32" @u
375     $ keyctl add encrypted evm "new default trusted:kmk 32" @u
379     default trusted:kmk 32 2375725ad57798846a9bbd240de8906f006e66c03af53b1b3
391     default trusted:kmk 32 2375725ad57798846a9bbd240de8906f006e66c03af53b1b3
406 Other uses for trusted and encrypted keys, such as for disk and file encryption
451 The trusted key code only uses the TPM Sealed Data OID.
477 .. kernel-doc:: security/keys/trusted-keys/trusted_dcp.c
480 .. kernel-doc:: security/keys/trusted-keys/trusted_dcp.c