Hi all,
I am following AN12714 [latest version] for encryption storage using CAAM secure keys.
I have successfully generated keys using caam-keygen.
I successfully added a key based on the generated black key to the key retention service using "keyctl".
The following is the output:
root@imx7-var-som:/# cat /data/caam/randomkey | keyctl padd logon logkey: @s
765699361
But when I check using keyctl, the same ID doesn't appear.
The following is the output:
root@imx7-var-som:/# keyctl list @s
1 key in keyring:
24465593: --alswrv 0 65534 keyring: _uid.0
Can anyone tell me what the reason is?
My kernel version is 5.4.127 and keyutils version is 1.6.1.
Regards,
dpatil
Alternatively maybe:
keyctl new_session
That creates a new session in the current process (e.g. the current shell) rather than in a sub-shell.
I found that keyctl new_session worked fine in a terminal login, but I wanted to make a kernel initramfs script to do root filesystem encryption.
I found that it failed within the context of an initramfs script, producing an error:
keyctl_session_to_parent: Operation not permitted
So far, I haven't figured out why it fails in this situation, or how to resolve it. I can create a user key for user root, rather than a session key, but I'd rather create a session key.
Looking in the keyctl_session_to_parent() function in the Linux source, it looks as though it might fail because (maybe; I haven't confirmed):
Adding it to the user session solved this problem for me. No new session necessary, just:
cat /data/caam/randomkey | keyctl padd logon logkey: @US
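A way to script the check that the posts above do by hand, as an added example that is not part of any post in this thread: it adds the blob as a logon key and then confirms, from a separate keyctl process, that the key can still be found. The function name, return codes and the script name `load-key.sh` are assumptions; `@us` is keyctl's name for the user session keyring.

```shell
#!/bin/sh
# Added example (not from the thread). The key file path and description used
# in the posts are /data/caam/randomkey and "logkey:"; pass your own values.

# load_logon_key KEYFILE DESC [KEYRING]   (hypothetical helper)
# Adds the black key blob as a logon key, then looks it up again from a
# separate keyctl process. Prints the key serial on success.
# Return codes: 2 unreadable file, 3 add failed, 4 key not reachable afterwards.
load_logon_key() {
    lk_file=$1
    lk_desc=$2
    lk_ring=${3:-@us}   # default: user session keyring

    [ -r "$lk_file" ] || { echo "cannot read $lk_file" >&2; return 2; }

    lk_id=$(keyctl padd logon "$lk_desc" "$lk_ring" < "$lk_file") || {
        echo "keyctl padd into $lk_ring failed" >&2; return 3; }

    # Logon keys cannot be read back from user space, so verify by searching
    # for type + description. The search runs in a new process, which is the
    # same situation as the later "keyctl list" in the question.
    lk_found=$(keyctl search "$lk_ring" logon "$lk_desc" 2>/dev/null) || lk_found=
    if [ "$lk_found" != "$lk_id" ]; then
        echo "key $lk_id added but not reachable via $lk_ring" >&2
        return 4
    fi
    echo "$lk_id"
}

# Run directly, e.g.: ./load-key.sh /data/caam/randomkey logkey: @us
if [ "${0##*/}" = "load-key.sh" ]; then
    load_logon_key "$@"
fi
```

A return code of 4 means the add reported a serial but a later process cannot find the key, which is the symptom described in the question.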
Hi Yuri,
Thanks for your reply.
My kernel configuration related to CAAM is as follows:
# CONFIG_CRYPTO_DEV_FSL_CAAM_DMA is not set
CONFIG_CRYPTO_DEV_FSL_CAAM_COMMON=y
CONFIG_CRYPTO_DEV_FSL_CAAM_CRYPTO_API_DESC=y
CONFIG_CRYPTO_DEV_FSL_CAAM_AHASH_API_DESC=y
CONFIG_CRYPTO_DEV_FSL_CAAM_KEYBLOB_API_DESC=y
CONFIG_CRYPTO_DEV_FSL_CAAM_SECVIO=y
CONFIG_CRYPTO_DEV_FSL_CAAM=y
CONFIG_CRYPTO_DEV_FSL_CAAM_DEBUG=y
CONFIG_CRYPTO_DEV_FSL_CAAM_JR=y
CONFIG_CRYPTO_DEV_FSL_CAAM_RINGSIZE=9
CONFIG_CRYPTO_DEV_FSL_CAAM_INTC=y
CONFIG_CRYPTO_DEV_FSL_CAAM_INTC_COUNT_THLD=255
CONFIG_CRYPTO_DEV_FSL_CAAM_INTC_TIME_THLD=2048
CONFIG_CRYPTO_DEV_FSL_CAAM_CRYPTO_API=y
CONFIG_CRYPTO_DEV_FSL_CAAM_AHASH_API=y
CONFIG_CRYPTO_DEV_FSL_CAAM_PKC_API=y
CONFIG_CRYPTO_DEV_FSL_CAAM_RNG_API=y
CONFIG_CRYPTO_DEV_FSL_CAAM_TK_API=y
# CONFIG_CRYPTO_DEV_FSL_CAAM_TK_API_TEST is not set
# CONFIG_CRYPTO_DEV_FSL_CAAM_RNG_TEST is not set
CONFIG_CRYPTO_DEV_FSL_CAAM_SM=y
CONFIG_CRYPTO_DEV_FSL_CAAM_SM_SLOTSIZE=7
# CONFIG_CRYPTO_DEV_FSL_CAAM_SM_TEST is not set
Please find the kernel configuration in the attachment. Let me know if anything is missing in the kernel configuration.
@dpatil
Hello,
In the app note, NXP BSP imx-5.4.47-2.2.0 is mentioned.
What release (5.4.127) was used in your case?
Please check your configuration using Appendix A (Configuration) of the app note.
Regards,
Yuri.
Hi Yuri,
Please find the attached kernel configuration.
Configurations are set as per the application note.
Regards,
Dhananjay Patil