From c74ae8957471ecf27bd8e70fb55f6841bcf3c618 Mon Sep 17 00:00:00 2001 From: Daniel Golle Date: Wed, 9 Dec 2020 12:43:57 +0000 Subject: [PATCH] kernel: package kmod-keys-encrypted and kmod-keys-trusted Add kernel module packages for handling encrypted and TPM trusted keys on the kernel chain. Signed-off-by: Daniel Golle --- package/kernel/linux/modules/other.mk | 41 +++++++++++++++++++++++++++ 1 file changed, 41 insertions(+) diff --git a/package/kernel/linux/modules/other.mk b/package/kernel/linux/modules/other.mk index 41de6ac2ba..421b1b536c 100644 --- a/package/kernel/linux/modules/other.mk +++ b/package/kernel/linux/modules/other.mk @@ -1103,6 +1103,47 @@ endef $(eval $(call KernelPackage,echo)) +define KernelPackage/keys-encrypted + SUBMENU:=$(OTHER_MENU) + TITLE:=encrypted keys on kernel keyring + DEPENDS:=@KERNEL_KEYS +kmod-crypto-cbc +kmod-crypto-hmac +kmod-crypto-rng \ + +kmod-crypto-sha256 +kmod-keys-trusted + KCONFIG:=CONFIG_ENCRYPTED_KEYS + FILES:=$(LINUX_DIR)/security/keys/encrypted-keys/encrypted-keys.ko + AUTOLOAD:=$(call AutoLoad,01,encrypted-keys,1) +endef + +define KernelPackage/keys-encrypted/description + This module provides support for create/encrypting/decrypting keys + in the kernel. Encrypted keys are kernel generated random numbers, + which are encrypted/decrypted with a 'master' symmetric key. The + 'master' key can be either a trusted-key or user-key type. + Userspace only ever sees/stores encrypted blobs. +endef + +$(eval $(call KernelPackage,keys-encrypted)) + + +define KernelPackage/keys-trusted + SUBMENU:=$(OTHER_MENU) + TITLE:=TPM trusted keys on kernel keyring + DEPENDS:=@KERNEL_KEYS +kmod-crypto-hash +kmod-crypto-hmac +kmod-crypto-sha1 +kmod-tpm + KCONFIG:=CONFIG_TRUSTED_KEYS + FILES:=$(LINUX_DIR)/security/keys/trusted.ko + AUTOLOAD:=$(call AutoLoad,01,trusted-keys,1) +endef + +define KernelPackage/keys-trusted/description + This module provides support for creating, sealing, and unsealing + keys in the kernel. Trusted keys are random number symmetric keys, + generated and RSA-sealed by the TPM. The TPM only unseals the keys, + if the boot PCRs and other criteria match. Userspace will only ever + see encrypted blobs. +endef + +$(eval $(call KernelPackage,keys-trusted)) + + define KernelPackage/tpm SUBMENU:=$(OTHER_MENU) TITLE:=TPM Hardware Support -- 2.30.2