From 5276d408fd10669b3d8e623455778a675e8dc149 Mon Sep 17 00:00:00 2001
From: Ingo Franzki
Date: Mon, 19 Feb 2024 10:21:06 +0100
Subject: [PATCH] zkey: Reject key generation and APQN association for PVSECRET-AES keys

Keys of type PVSECRET-AES can not be generated using 'zkey generate'. Furthermore, APQNs can not be associated with keys of type PVSECRET-AES via 'zkey change'. Reject that with a proper error message.

Signed-off-by: Ingo Franzki
Reviewed-by: Jorg Schmidbauer
Signed-off-by: Steffen Eiden
---
 zkey/keystore.c | 32 +++++++++++++++++++++++---------
 zkey/zkey.1 | 7 +++++++
 zkey/zkey.c | 5 +++++
 3 files changed, 35 insertions(+), 9 deletions(-)

diff --git a/zkey/keystore.c b/zkey/keystore.c
index cde0caf5..db62e0a6 100644
--- a/zkey/keystore.c
+++ b/zkey/keystore.c
@@ -2009,6 +2009,12 @@ int keystore_generate_key(struct keystore *keystore, const char *name,
 		return -EINVAL;
 	}
 
+	if (!is_secure_key_type(key_type)) {
+		warnx("Keys of type %s can not be generated. Use 'zkey "
+		      "pvsecret import' instead", key_type);
+		return -EINVAL;
+	}
+
 	rc = _keystore_get_key_filenames(keystore, name, &file_names);
 	if (rc != 0)
 		goto out_free_key_filenames;
@@ -2535,9 +2541,9 @@ int keystore_change_key(struct keystore *keystore, const char *name,
 	const char *null_ptr = NULL;
 	char *upd_volumes = NULL;
 	size_t secure_key_size;
+	u8 *secure_key = NULL;
 	u8 mkvp[MKVP_LENGTH];
 	char sect_size[30];
-	u8 *secure_key;
 	bool kms_bound;
 	int rc;
 
@@ -2589,13 +2595,6 @@ int keystore_change_key(struct keystore *keystore, const char *name,
 		goto out;
 	}
 
-	rc = _keystore_change_association(key_props, PROP_NAME_APQNS,
-					  apqns, "APQN",
-					  _keystore_apqn_check,
-					  &apqn_check);
-	if (rc != 0)
-		goto out;
-
 	secure_key = read_secure_key(file_names.skey_filename,
 				     &secure_key_size, keystore->verbose);
 
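Review bot: The new rejection at the top of keystore_generate_key() gives no reason why a type for which is_secure_key_type() is false cannot be generated here; the only explanation is inside the user-facing string, and the same condition is checked again in the command layer, so a reader of this function alone has to guess at the relationship. I would put a short comment above the `if (!is_secure_key_type(key_type)) {` line, e.g. `/* Key types that are not secure keys (PVSECRET-AES, per the commit message) are never generated locally; they come in via 'zkey pvsecret import'. */`, stating that this is the repository-side guard and that the CLI performs the same check for file-based generation. The rest of keystore_generate_key(), including its signature, lies outside the hunk.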
@@ -2604,11 +2603,24 @@ int keystore_change_key(struct keystore *keystore, const char *name,
 		goto out;
 	}
 
+	if (!is_secure_key(secure_key, secure_key_size)) {
+		warnx("No APQNs can be associated with keys of type %s",
+		      get_key_type(secure_key, secure_key_size));
+		rc = -EINVAL;
+		goto out;
+	}
+
+	rc = _keystore_change_association(key_props, PROP_NAME_APQNS,
+					  apqns, "APQN",
+					  _keystore_apqn_check,
+					  &apqn_check);
+	if (rc != 0)
+		goto out;
+
 	rc = get_master_key_verification_pattern(secure_key, secure_key_size,
 						 mkvp, keystore->verbose);
-	free(secure_key);
 	if (rc)
 		goto out;
@@ -2742,6 +2754,8 @@ int keystore_change_key(struct keystore *keystore, const char *name,
 		free(upd_volumes);
 	if (upd_volume_type != NULL)
 		free(upd_volume_type);
+	if (secure_key != NULL)
+		free(secure_key);
 
 	if (rc != 0)
 		pr_verbose(keystore, "Failed to change key '%s': %s",
diff --git a/zkey/zkey.1 b/zkey/zkey.1
index ba71a839..baaf8478 100644
--- a/zkey/zkey.1
+++ b/zkey/zkey.1
@@ -402,6 +402,9 @@ additional information can be associated with a secure key using the
 .B \-\-sector\-size
 options.
 .PP
+Keys of type \fBPVSECRET\-AES\fP do not use a cryptographic adapter, thus APQNs
+can not be associated with them.
+.PP
 .B Note:
 The \fBimport\fP command requires the CCA host library (libcsulcca.so) to be
 installed when secure keys of type \fBCCA\-AESCIPHER\fP are imported.
@@ -564,6 +567,10 @@ APQNs that are associated with the key management system plugin.
 Other associated information is also changed in the key management system when
 changed using the change command.
 .PP
+For keys of type \fBPVSECRET\-AES\fP you can not change or set the APQN
+association. These keys do not use a cryptographic adapter, thus APQNs can not
+be associated with them.
+.PP
 .B Note:
 The secure key itself cannot be changed, only information about the secure key
 is changed. To rename a secure key, use the \fBrename\fP command.
diff --git a/zkey/zkey.c b/zkey/zkey.c
index 6e9b32af..36bdbcc0 100644
--- a/zkey/zkey.c
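Review bot: The new `if (!is_secure_key(secure_key, secure_key_size))` rejection in keystore_change_key() is unconditional within the hunk, and the hunk does not show what encloses it (the block containing these lines starts before `goto out; }`), so it is not visible whether this runs only when an APQN association was requested. If the path is not already gated on `apqns != NULL`, every `zkey change` of a PVSECRET-AES key — description, volumes, sector size — would now fail with "No APQNs can be associated", which is broader than the commit message describes; if it is gated, a one-line comment above the check saying the block is only reached when APQNs are being changed would make that evident. Separately, `get_key_type(secure_key, secure_key_size)` is passed straight to a `%s` conversion: if that helper can return NULL for a blob it does not recognise, the message should fall back to a literal, e.g. `const char *t = get_key_type(secure_key, secure_key_size); warnx("...type %s", t ? t : "(unknown)");`. The moved free() means secure_key now lives until the `out:` cleanup rather than being released right after the MKVP computation, which the `= NULL` initialisation in the earlier hunk makes safe.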
+++ b/zkey/zkey.c
@@ -2001,6 +2001,11 @@ static int command_generate(void)
 		return command_generate_repository();
 	if (g.key_type == NULL)
 		g.key_type = KEY_TYPE_CCA_AESDATA;
+	if (!is_secure_key_type(g.key_type)) {
+		warnx("Keys of type '%s' can not be generated. Use 'zkey "
+		      "pvsecret import' instead", g.key_type);
+		return -EXIT_FAILURE;
+	}
 	if (g.pos_arg != NULL) {
 		if (g.volumes != NULL) {
 			warnx("Option '--volumes|-l' is not valid for "
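Review bot: The message added to command_generate() quotes the type name (`'%s'`) while the equivalent check added to keystore_generate_key() in this same commit prints it bare (`%s`), so the identical condition is reported with different wording depending on whether the key is generated into the repository or into a file. I would align the two strings — e.g. use `warnx("Keys of type '%s' can not be generated. Use 'zkey pvsecret import' instead", g.key_type);` in both places — or route both through one helper so they cannot drift apart again. Note that the new check sits after the `return command_generate_repository();` line (its condition is outside the hunk), so the repository path relies solely on the keystore-level check; a comment such as `/* Repository keys are rejected in keystore_generate_key(); this covers file-based generation. */` above the new `if` would record that split. command_generate() begins before the hunk and continues past it.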