Re: [PATCH] KEYS: Add ECDH support

From: Denis Kenzior
Date: Sat Mar 30 2024 - 22:38:17 EST


Hi Eric,


> Amusingly, the existing KEYCTL_DH_* APIs, and the KEYCTL_ECDH_* APIs proposed by
> this patch, only operate on user keys that the process has READ access to. This
> means that the keys can be trivially extracted by a shell script running in your
> user session. That's *less* secure than using an isolated process...


I can see this being true for user or session keys, but I don't think this is true of process or thread specific keys. At least I couldn't read any keys out of a test app when I tried.

Regards,
-Denis