Ideas inline. > Gesendet: Dienstag, 23. November 2021 um 11:21 Uhr > Von: "Stefan Thöni" <[email protected]> > An: "users" <[email protected]> > Betreff: CBE key encryption > > Hello Genodians, > > we are still working to add hardware-based encryption to CBE. To this > end, we have implemented a custom trust anchor and crypto engine. > Generating a key, encrypting this key on behalf of cbe_init and > decrypting it again on behalf of the vfs_cbe plugin works fine. > > But then the vfs_cbe requests to have a all zero key encrypted which due > to the ICV added by hardware black key handling fails. We cannot seam to Why is an all zero key invalid? In my understanding of crypto such a key should be possible as well or the implementation is insecure. > find out where the request originates or why vfs_cbe would ever encrypt > any key, let alone a key of all zeros. > > Any pointer or idea would by very welcome. You can compile vfs_cbe with profiling enabled and write a custom profile function, which uses /dev/log to mark entry and exit of functions. And in the encryption you check for an all zero key and log this event to /dev/log too. Then you can trace all calls in the log which led up to this event.
I hope you can make such a implementation (of logging profile and event marks) available as library because such debugging aid will be needed more universally. > > Kind regards > Stefan > _______________________________________________ > Genode users mailing list > [email protected] > https://lists.genode.org/listinfo/users _______________________________________________ Genode users mailing list [email protected] https://lists.genode.org/listinfo/users
