diff options
Diffstat (limited to 'crypto')
| -rw-r--r-- | crypto/crypto_test.go | 10 | ||||
| -rw-r--r-- | crypto/key.go | 23 |
2 files changed, 13 insertions, 20 deletions
diff --git a/crypto/crypto_test.go b/crypto/crypto_test.go index 2141fb8..a3a2880 100644 --- a/crypto/crypto_test.go +++ b/crypto/crypto_test.go @@ -236,7 +236,7 @@ func TestKeyLargeResize(t *testing.T) { // Adds and removes a key with various services. func TestAddRemoveKeys(t *testing.T) { - for _, service := range []string{ServiceDefault, ServiceExt4, ServiceF2FS} { + for _, service := range []string{DefaultService, "ext4:", "f2fs:"} { if err := InsertPolicyKey(fakeValidPolicyKey, fakeValidDescriptor, service); err != nil { t.Error(err) } @@ -248,12 +248,12 @@ func TestAddRemoveKeys(t *testing.T) { // Makes sure a key fails with bad descriptor, policy, or service func TestBadAddKeys(t *testing.T) { - if InsertPolicyKey(fakeInvalidPolicyKey, fakeValidDescriptor, ServiceDefault) == nil { - RemovePolicyKey(fakeValidDescriptor, ServiceDefault) + if InsertPolicyKey(fakeInvalidPolicyKey, fakeValidDescriptor, DefaultService) == nil { + RemovePolicyKey(fakeValidDescriptor, DefaultService) t.Error("InsertPolicyKey should fail with bad policy key") } - if InsertPolicyKey(fakeValidPolicyKey, fakeInvalidDescriptor, ServiceDefault) == nil { - RemovePolicyKey(fakeInvalidDescriptor, ServiceDefault) + if InsertPolicyKey(fakeValidPolicyKey, fakeInvalidDescriptor, DefaultService) == nil { + RemovePolicyKey(fakeInvalidDescriptor, DefaultService) t.Error("InsertPolicyKey should fail with bad descriptor") } if InsertPolicyKey(fakeValidPolicyKey, fakeValidDescriptor, "ext4") == nil { diff --git a/crypto/key.go b/crypto/key.go index bd69b2d..852b213 100644 --- a/crypto/key.go +++ b/crypto/key.go @@ -36,18 +36,17 @@ import ( "fscrypt/util" ) -// Service Prefixes for keyring keys. As of kernel v4.8, all filesystems -// supporting encryption will use FS_KEY_DESC_PREFIX to indicate that a key in -// the keyring should be used with filesystem encryption. However, we also -// include the older service prefixes for legacy compatibility. const ( - ServiceDefault = unix.FS_KEY_DESC_PREFIX - // ServiceExt4 was used before v4.8 for ext4 filesystem encryption. - ServiceExt4 = "ext4:" - // ServiceExt4 was used before v4.6 for F2FS filesystem encryption. - ServiceF2FS = "f2fs:" + // DefaultService is the service which should be used for all encryption + // keys unless not possible for legacy reasons. For ext4 systems before + // v4.8 and f2fs systems before v4.6, filesystem specific services must + // be used (these legacy services will still work with later kernels). + DefaultService = unix.FS_KEY_DESC_PREFIX // keyType is always logon as required by filesystem encryption keyType = "logon" + // Keys need to readable and writable, but hidden from other processes. + keyProtection = unix.PROT_READ | unix.PROT_WRITE + keyMmapFlags = unix.MAP_PRIVATE | unix.MAP_ANONYMOUS ) /* @@ -93,12 +92,6 @@ type Key struct { data []byte } -const ( - // Keys need to readable and writable, but hidden from other processes. - keyProtection = unix.PROT_READ | unix.PROT_WRITE - keyMmapFlags = unix.MAP_PRIVATE | unix.MAP_ANONYMOUS -) - // newBlankKey constructs a blank key of a specified length and returns an error // if we are unable to allocate or lock the necessary memory. func newBlankKey(length int) (*Key, error) { |