i.MX Processors中的主题 Re: Unable to store keys in key ring using keyctl

Unable to store keys in key ring using keyctl

dpatil — Thu, 25 Nov 2021 09:43:09 GMT

Hi all,

I am following AN12714[latest version] for encryption storage using CAAM secure keys.

I have successfully generated keys using caam-keygen.

I successfully added a key based on the generated black key in the key retention service using "keyctl"

Following is the output:

root@imx7-var-som:/# cat /data/caam/randomkey | keyctl padd logon logkey: @s
765699361

but when I check using keyctl then same id doesn't appear

Following is output:

root@imx7-var-som:/# keyctl list @s
1 key in keyring:
24465593: --alswrv 0 65534 keyring: _uid.0

Can anyone tell me what is reason?

My kernel version is 5.4.127

and keyutils version is 1.6.1

Regards,

dpatil

Re: Unable to store keys in key ring using keyctl

Yuri — Wed, 01 Dec 2021 10:06:11 GMT

@dpatil
Hello,

in the app note NXP BSP imx-5.4.47-2.2.0 is mentioned.
What release (5.4.127) was used in Your case?

Please check Your configuration, using Appendix A (Configuration)
of the app note.

Regards,
Yuri.

Re: Unable to store keys in key ring using keyctl

dpatil — Wed, 01 Dec 2021 10:58:03 GMT

Hi Yuri,

Thanks for your reply.

My kernel configuration related to CAAM are as follows:

# CONFIG_CRYPTO_DEV_FSL_CAAM_DMA is not set
CONFIG_CRYPTO_DEV_FSL_CAAM_COMMON=y
CONFIG_CRYPTO_DEV_FSL_CAAM_CRYPTO_API_DESC=y
CONFIG_CRYPTO_DEV_FSL_CAAM_AHASH_API_DESC=y
CONFIG_CRYPTO_DEV_FSL_CAAM_KEYBLOB_API_DESC=y
CONFIG_CRYPTO_DEV_FSL_CAAM_SECVIO=y
CONFIG_CRYPTO_DEV_FSL_CAAM=y
CONFIG_CRYPTO_DEV_FSL_CAAM_DEBUG=y
CONFIG_CRYPTO_DEV_FSL_CAAM_JR=y
CONFIG_CRYPTO_DEV_FSL_CAAM_RINGSIZE=9
CONFIG_CRYPTO_DEV_FSL_CAAM_INTC=y
CONFIG_CRYPTO_DEV_FSL_CAAM_INTC_COUNT_THLD=255
CONFIG_CRYPTO_DEV_FSL_CAAM_INTC_TIME_THLD=2048
CONFIG_CRYPTO_DEV_FSL_CAAM_CRYPTO_API=y
CONFIG_CRYPTO_DEV_FSL_CAAM_AHASH_API=y
CONFIG_CRYPTO_DEV_FSL_CAAM_PKC_API=y
CONFIG_CRYPTO_DEV_FSL_CAAM_RNG_API=y
CONFIG_CRYPTO_DEV_FSL_CAAM_TK_API=y
# CONFIG_CRYPTO_DEV_FSL_CAAM_TK_API_TEST is not set
# CONFIG_CRYPTO_DEV_FSL_CAAM_RNG_TEST is not set
CONFIG_CRYPTO_DEV_FSL_CAAM_SM=y
CONFIG_CRYPTO_DEV_FSL_CAAM_SM_SLOTSIZE=7
# CONFIG_CRYPTO_DEV_FSL_CAAM_SM_TEST is not set

Please find kernel configuration in attachment let me know if anything is missing in kernel configuration

Re: Unable to store keys in key ring using keyctl

dpatil — Wed, 01 Dec 2021 11:14:21 GMT

Hi Yuri,

Please find the attached kernel configuration.

Configurations are set as per application note

Regards,

Dhananjay Patil

Re: Unable to store keys in key ring using keyctl

Yuri — Wed, 29 Dec 2021 05:04:53 GMT

@dpatil
Hello,

Is it possible to use NXP Linux BSP?

Regards,
Yuri.

Re: Unable to store keys in key ring using keyctl

michael_glembot — Fri, 13 May 2022 09:24:33 GMT

Hi @dpatil,

on 5.4.XX a session doesn't seem to be created automatically.

This should do the trick:

$ keyctl session

Another small note to @Yuri. Your answer is of poor quality.

Re: Unable to store keys in key ring using keyctl

craigmcqueenir — Mon, 24 Oct 2022 09:15:47 GMT

Alternatively maybe:

keyctl new_session

That creates a new session in the current process (eg current shell) rather than in a sub-shell.

Re: Unable to store keys in key ring using keyctl

craigmcqueenir — Sun, 30 Oct 2022 23:49:27 GMT

I found that keyctl new_session worked fine in a terminal login, but I wanted to make a kernel initramfs script to do root filesystem encryption.

I found that it failed within the context of an initramfs script, producing an error:

keyctl_session_to_parent: Operation not permitted

So far, I haven't figured out why it fails in this situation, or how to resolve it. I can create a user key for user root, rather than a session key, but I'd rather create a session key.

Looking in the keyctl_session_to_parent() function in the Linux source, it looks as though it might fail because (maybe; I haven't confirmed):

The initramfs script is running as PID 1 (init).
The parent process is PID 1 (init).
The initramfs script is running SUID/SGID.

Re: Unable to store keys in key ring using keyctl

Eximius — Fri, 28 Oct 2022 07:26:59 GMT

Adding it to the user session solved this problem for me. No new session necessary, just:

cat /data/caam/randomkey | keyctl padd logon logkey: @US