Hello Richard,

On 30.03.21 23:50, Richard Weinberger wrote:

Ahmad,

On Wed, Mar 17, 2021 at 3:08 PM Ahmad Fatoum [off-list ref] wrote:

quoted

    TABLE="0 $BLOCKS crypt $ALGO :32:trusted:$KEYNAME 0 $DEV 0 1 allow_discards"
    echo $TABLE | dmsetup create mydev
    echo $TABLE | dmsetup load mydev

Do you also plan to add support for this to cryptsetup?

David and I have added (rough) support for our CAAM/DCP based keyrings
to cryptsetup:
https://github.com/sigma-star/cryptsetup/tree/rw/plain

I'm pretty sure with minimal changes it will work with your recent approach too.

I am using dmsetup directly in my project. I am not familiar with cryptsetup
plain. What benefits do you see with this over direct dmsetup?

What I'd like to see eventually is support for this with LUKS.
There is a RFE on trusted keys and cryptsetup on the project's repository[1].

The behavior I'd want it that the LUKS header would point at the trusted key
blob to use and load it into the kernel. This of course means that
you won't be able to have multiple keys for the encrypted partition.

[1]: https://gitlab.com/cryptsetup/cryptsetup/-/issues/443

Cheers,
Ahmad

-- 
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |