From defd27f75df3a6eef84ac33adf89b1ce255e738c Mon Sep 17 00:00:00 2001 From: "Joe Richey joerichey@google.com" Date: Wed, 31 May 2017 17:54:35 -0700 Subject: actions: Simplify the callback mechanism This commit makes the callbacks for getting keys easier to understand. Functions which need keys now take a KeyFunc callback. This callback contains a ProtectorInfo parameter (basically a read-only version of metadata.ProtectorData) and a boolean which indicates if the call is being retried. The documentation is also updated to say which functions will retry the KeyFunc. For selecting a protector, there is now an OptionFunc callback which takes a slice of ProtectorOptions. A ProtectorOption is a ProtectorInfo along with additional information about a linked filesystem (if applicable). This commit also adds in methods for getting the protector options for a specific filesystem or policy. It also adds a function for getting the policy descriptor for a specific path. Change-Id: I41e0d94ffd44e7166b0c5cf1b5d18437960bdf90 --- crypto/key.go | 23 ++++++++--------------- 1 file changed, 8 insertions(+), 15 deletions(-) (limited to 'crypto/key.go') diff --git a/crypto/key.go b/crypto/key.go index bd69b2d..852b213 100644 --- a/crypto/key.go +++ b/crypto/key.go @@ -36,18 +36,17 @@ import ( "fscrypt/util" ) -// Service Prefixes for keyring keys. As of kernel v4.8, all filesystems -// supporting encryption will use FS_KEY_DESC_PREFIX to indicate that a key in -// the keyring should be used with filesystem encryption. However, we also -// include the older service prefixes for legacy compatibility. const ( - ServiceDefault = unix.FS_KEY_DESC_PREFIX - // ServiceExt4 was used before v4.8 for ext4 filesystem encryption. - ServiceExt4 = "ext4:" - // ServiceExt4 was used before v4.6 for F2FS filesystem encryption. - ServiceF2FS = "f2fs:" + // DefaultService is the service which should be used for all encryption + // keys unless not possible for legacy reasons. For ext4 systems before + // v4.8 and f2fs systems before v4.6, filesystem specific services must + // be used (these legacy services will still work with later kernels). + DefaultService = unix.FS_KEY_DESC_PREFIX // keyType is always logon as required by filesystem encryption keyType = "logon" + // Keys need to readable and writable, but hidden from other processes. + keyProtection = unix.PROT_READ | unix.PROT_WRITE + keyMmapFlags = unix.MAP_PRIVATE | unix.MAP_ANONYMOUS ) /* @@ -93,12 +92,6 @@ type Key struct { data []byte } -const ( - // Keys need to readable and writable, but hidden from other processes. - keyProtection = unix.PROT_READ | unix.PROT_WRITE - keyMmapFlags = unix.MAP_PRIVATE | unix.MAP_ANONYMOUS -) - // newBlankKey constructs a blank key of a specified length and returns an error // if we are unable to allocate or lock the necessary memory. func newBlankKey(length int) (*Key, error) { -- cgit v1.2.3