authorJoe Richey joerichey@google.com <joerichey@google.com>2017-05-31 17:54:35 -0700
committerJoe Richey joerichey@google.com <joerichey@google.com>2017-06-26 15:40:08 -0700
commitdefd27f75df3a6eef84ac33adf89b1ce255e738c (patch)
tree851a587fb4a12381e7a29e32759636021ecaf42c /crypto/key.go
parentd71b7f248e21f5254c32ecbf752a1dbe940a1177 (diff)
actions: Simplify the callback mechanism
This commit makes the callbacks for getting keys easier to understand. Functions which need keys now take a KeyFunc callback. This callback contains a ProtectorInfo parameter (basically a read-only version of metadata.ProtectorData) and a boolean which indicates if the call is being retried. The documentation is also updated to say which functions will retry the KeyFunc. For selecting a protector, there is now an OptionFunc callback which takes a slice of ProtectorOptions. A ProtectorOption is a ProtectorInfo along with additional information about a linked filesystem (if applicable). This commit also adds in methods for getting the protector options for a specific filesystem or policy. It also adds a function for getting the policy descriptor for a specific path. Change-Id: I41e0d94ffd44e7166b0c5cf1b5d18437960bdf90
Diffstat (limited to 'crypto/key.go')
-rw-r--r--crypto/key.go23
1 files changed, 8 insertions, 15 deletions
diff --git a/crypto/key.go b/crypto/key.go
index bd69b2d..852b213 100644
--- a/crypto/key.go
+++ b/crypto/key.go
@@ -36,18 +36,17 @@ import (
"fscrypt/util"
)
-// Service Prefixes for keyring keys. As of kernel v4.8, all filesystems
-// supporting encryption will use FS_KEY_DESC_PREFIX to indicate that a key in
-// the keyring should be used with filesystem encryption. However, we also
-// include the older service prefixes for legacy compatibility.
const (
- ServiceDefault = unix.FS_KEY_DESC_PREFIX
- // ServiceExt4 was used before v4.8 for ext4 filesystem encryption.
- ServiceExt4 = "ext4:"
- // ServiceExt4 was used before v4.6 for F2FS filesystem encryption.
- ServiceF2FS = "f2fs:"
+ // DefaultService is the service which should be used for all encryption
+ // keys unless not possible for legacy reasons. For ext4 systems before
+ // v4.8 and f2fs systems before v4.6, filesystem specific services must
+ // be used (these legacy services will still work with later kernels).
+ DefaultService = unix.FS_KEY_DESC_PREFIX
// keyType is always logon as required by filesystem encryption
keyType = "logon"
+ // Keys need to readable and writable, but hidden from other processes.
+ keyProtection = unix.PROT_READ | unix.PROT_WRITE
+ keyMmapFlags = unix.MAP_PRIVATE | unix.MAP_ANONYMOUS
)
/*
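Review bot: The comment moved in with `keyProtection`/`keyMmapFlags` overstates what those constants buy: `PROT_READ | PROT_WRITE` and `MAP_PRIVATE | MAP_ANONYMOUS` only give a private anonymous page, which by itself is neither kept off swap nor excluded from core dumps, and is as visible to ptrace as any other process memory. The "hidden from other processes" property comes from the locking that `newBlankKey`'s doc comment refers to, not from these flags, so the comment should say where the guarantee actually lives, e.g. `// Private anonymous mapping for key material; readable and writable by this process. The flags alone do not protect the key: newBlankKey mlocks the pages to keep them out of swap (core-dump exclusion, if wanted, needs a separate madvise(MADV_DONTDUMP)).` This also fixes the "need to readable" typo. The new `DefaultService` comment says filesystem-specific services "must be used" on older kernels but the `ext4:`/`f2fs:` constants are removed here with no replacement visible in this hunk; if they now live elsewhere, naming that location in the comment would save the next reader a search.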
@@ -93,12 +92,6 @@ type Key struct {
data []byte
}
-const (
- // Keys need to readable and writable, but hidden from other processes.
- keyProtection = unix.PROT_READ | unix.PROT_WRITE
- keyMmapFlags = unix.MAP_PRIVATE | unix.MAP_ANONYMOUS
-)
-
// newBlankKey constructs a blank key of a specified length and returns an error
// if we are unable to allocate or lock the necessary memory.
func newBlankKey(length int) (*Key, error) {