[SRU,B,C,D,1/1] pkey: Indicate old mkvp only if old and current mkvp are different

Message ID 1560841387-920-2-git-send-email-frank.heimes@canonical.com
State New
Series pkey: Indicate old mkvp only if old and current mkvp are different (LP: 1832625)

Commit Message

Frank Heimes June 18, 2019, 7:03 a.m. UTC
From: Ingo Franzki <ifranzki@linux.ibm.com>

BugLink: https://bugs.launchpad.net/bugs/1832625

When the CCA master key is set twice with the same master key,
then the old and the current master key are the same and thus the
verification patterns are the same, too. The check to report if a
secure key is currently wrapped by the old master key erroneously
reports old mkvp in this case.

Reviewed-by: Harald Freudenberger <freude@linux.ibm.com>
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
(cherry picked from commit ebb7c695d3bc7a4986b92edc8d9ef43491be183e)
Signed-off-by: Frank Heimes <frank.heimes@canonical.com>
---
 drivers/s390/crypto/pkey_api.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Stefan Bader June 28, 2019, 12:23 p.m. UTC | #1
On 18.06.19 09:03, frank.heimes@canonical.com wrote:
> From: Ingo Franzki <ifranzki@linux.ibm.com>
> 
> BugLink: https://bugs.launchpad.net/bugs/1832625
> 
> When the CCA master key is set twice with the same master key,
> then the old and the current master key are the same and thus the
> verification patterns are the same, too. The check to report if a
> secure key is currently wrapped by the old master key erroneously
> reports old mkvp in this case.
> 
> Reviewed-by: Harald Freudenberger <freude@linux.ibm.com>
> Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
> Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
> (cherry picked from commit ebb7c695d3bc7a4986b92edc8d9ef43491be183e)
> Signed-off-by: Frank Heimes <frank.heimes@canonical.com>
Acked-by: Stefan Bader <stefan.bader@canonical.com>
> ---
>  drivers/s390/crypto/pkey_api.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/s390/crypto/pkey_api.c b/drivers/s390/crypto/pkey_api.c
> index 81bfcc9..03c643a 100644
> --- a/drivers/s390/crypto/pkey_api.c
> +++ b/drivers/s390/crypto/pkey_api.c
> @@ -1034,7 +1034,7 @@ int pkey_verifykey(const struct pkey_seckey *seckey,
>  	rc = mkvp_cache_fetch(cardnr, domain, mkvp);
>  	if (rc)
>  		goto out;
> -	if (t->mkvp == mkvp[1]) {
> +	if (t->mkvp == mkvp[1] && t->mkvp != mkvp[0]) {
>  		DEBUG_DBG("%s secure key has old mkvp\n", __func__);
>  		if (pattributes)
>  			*pattributes |= PKEY_VERIFY_ATTR_OLD_MKVP;
>
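Review bot: the bare indices in `t->mkvp == mkvp[1] && t->mkvp != mkvp[0]` carry the whole meaning of this check, yet nothing in the hunk says which slot of the array filled by mkvp_cache_fetch() holds the current verification pattern and which holds the old one. Going by the commit message and the debug text, mkvp[0] reads as current and mkvp[1] as old; a one-line comment above the condition, or named indices in place of 0 and 1, would let the next reader confirm that without opening the cache code.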
Marcelo Henrique Cerri July 1, 2019, 6:21 p.m. UTC | #2
Acked-by: Marcelo Henrique Cerri <marcelo.cerri@canonical.com>

On Tue, Jun 18, 2019 at 09:03:07AM +0200, frank.heimes@canonical.com wrote:
> From: Ingo Franzki <ifranzki@linux.ibm.com>
> 
> BugLink: https://bugs.launchpad.net/bugs/1832625
> 
> When the CCA master key is set twice with the same master key,
> then the old and the current master key are the same and thus the
> verification patterns are the same, too. The check to report if a
> secure key is currently wrapped by the old master key erroneously
> reports old mkvp in this case.
> 
> Reviewed-by: Harald Freudenberger <freude@linux.ibm.com>
> Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
> Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
> (cherry picked from commit ebb7c695d3bc7a4986b92edc8d9ef43491be183e)
> Signed-off-by: Frank Heimes <frank.heimes@canonical.com>
> ---
>  drivers/s390/crypto/pkey_api.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/s390/crypto/pkey_api.c b/drivers/s390/crypto/pkey_api.c
> index 81bfcc9..03c643a 100644
> --- a/drivers/s390/crypto/pkey_api.c
> +++ b/drivers/s390/crypto/pkey_api.c
> @@ -1034,7 +1034,7 @@ int pkey_verifykey(const struct pkey_seckey *seckey,
>  	rc = mkvp_cache_fetch(cardnr, domain, mkvp);
>  	if (rc)
>  		goto out;
> -	if (t->mkvp == mkvp[1]) {
> +	if (t->mkvp == mkvp[1] && t->mkvp != mkvp[0]) {
>  		DEBUG_DBG("%s secure key has old mkvp\n", __func__);
>  		if (pattributes)
>  			*pattributes |= PKEY_VERIFY_ATTR_OLD_MKVP;
> -- 
> 2.7.4
> 
> 
> -- 
> kernel-team mailing list
> kernel-team@lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team

Patch

diff --git a/drivers/s390/crypto/pkey_api.c b/drivers/s390/crypto/pkey_api.c
index 81bfcc9..03c643a 100644
--- a/drivers/s390/crypto/pkey_api.c
+++ b/drivers/s390/crypto/pkey_api.c
@@ -1034,7 +1034,7 @@  int pkey_verifykey(const struct pkey_seckey *seckey,
 	rc = mkvp_cache_fetch(cardnr, domain, mkvp);
 	if (rc)
 		goto out;
-	if (t->mkvp == mkvp[1]) {
+	if (t->mkvp == mkvp[1] && t->mkvp != mkvp[0]) {
 		DEBUG_DBG("%s secure key has old mkvp\n", __func__);
 		if (pattributes)
 			*pattributes |= PKEY_VERIFY_ATTR_OLD_MKVP;
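Review bot: in the new condition `t->mkvp == mkvp[1] && t->mkvp != mkvp[0]`, the second clause is correct but obscures the case the commit message describes, namely that the two cached patterns are equal. Once `t->mkvp == mkvp[1]` holds, the clause is equivalent to `mkvp[0] != mkvp[1]`, which states directly that the old-MKVP attribute only applies when the old and current master keys differ. Consider that form, plus a short comment naming the "same master key set twice" case, so it is clear that PKEY_VERIFY_ATTR_OLD_MKVP is left unset there on purpose.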