Linux on Z and LinuxONE

  • 1.  Protected key generation with DES wrapping key?

    Posted Tue July 21, 2020 10:41 AM
    Hi,

    I'm wondering if somebody knows how I can generate a protected key with the DES wrapping key on a Linux host?

    For the AES wrapping key, with the pkey kernel module, I can get key tokens from the /sys/devices/virtual/misc/pkey/protkey attributes; I confirmed that when I disable availability of the AES wrapping key, those attributes contain no data.

    However, no such attribute is available for the DES wrapping key, documented in the Principles of Operation, "Protection of cryptographic keys".

    The actual problem is that I want to observe any condition in a KVM guest when dea-wrapping-key=off is passed at start.

    Any suggestion appreciated. Thanks.

    ------------------------------
    Sebastian Mitterle
    ------------------------------
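
The AES-side check described in the post above, as an added example that is not part of the original thread: it reads every attribute under the pkey `protkey` directory and reports whether a key token came back. The function names and the `PROTKEY_DIR` variable are assumptions of this example, and attribute files are globbed rather than assumed by name.

```shell
#!/bin/sh
# Added example (not from the thread): report which pkey "protkey" sysfs
# attributes return key-token data. The directory is the one named in the
# post; PROTKEY_DIR and the function names are this example's own.
PROTKEY_DIR="${PROTKEY_DIR:-/sys/devices/virtual/misc/pkey/protkey}"

# probe_attr FILE: print "data <bytes>", "empty" or "unreadable".
probe_attr() {
    # Assumption: with the wrapping key unavailable the read may fail outright
    # or return nothing; keep the two cases apart by testing the read first.
    if ! cat -- "$1" >/dev/null 2>&1; then
        echo "unreadable"
        return 0
    fi
    # Count bytes through a pipe so the token is never written to disk.
    n=$(cat -- "$1" 2>/dev/null | wc -c)
    n=$((n))    # strip padding some wc implementations add
    if [ "$n" -gt 0 ]; then echo "data $n"; else echo "empty"; fi
}

# wrapping_key_status DIR: print one line per attribute.
# Returns 0 if any attribute yielded data, 1 if none did, 2 if DIR is missing.
wrapping_key_status() {
    dir=$1
    [ -d "$dir" ] || { echo "missing $dir (pkey module loaded?)"; return 2; }
    found=1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        result=$(probe_attr "$f")
        echo "$(basename "$f"): $result"
        case $result in data*) found=0 ;; esac
    done
    return "$found"
}

wrapping_key_status "$PROTKEY_DIR" || echo "no protected key token returned (status $?)"
```

Run it in the guest once with default settings and once with the wrapping key disabled, then compare the per-attribute lines.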


  • 2.  RE: Protected key generation with DES wrapping key?

    Posted Fri July 24, 2020 03:09 AM
    Edited by Sebastian Mitterle Fri July 24, 2020 03:23 AM
    In case somebody stumbles over the same thing:
    • I could not confirm that any kernel driver or openssl-ibmca were using the wrapping key specific to DES, only AES.
    • I confirmed the support can be toggled with a custom kernel module - https://github.com/smitterl/keywrap.


    ------------------------------
    Sebastian Mitterle
    ------------------------------



  • 3.  RE: Protected key generation with DES wrapping key?

    Posted Mon August 10, 2020 07:01 AM
    Reinhard Buendgen (Product Owner Security Linux on Z) confirmed to me that protected DES keys on Linux are not supported. (Triple) DES is considered legacy and no new projects should be started for it.

    ------------------------------
    Sebastian Mitterle
    ------------------------------