[Ksummit-discuss] [TECH TOPIC] Containerisation, namespaces and keyrings

David Howells dhowells at redhat.com
Fri Jul 22 11:01:42 UTC 2016


I'm not sure this is the right venue for this, but keyrings will need to be
namespaced/containerised at some point.

The problem is that it's an icky problem given that different key types really
want to live in different namespaces, and upcalls may want to done in
different containers, depending on the key type.

For example, DNS resolver keys - should they be in the network, the filesystem
namespace or neither?  Should the upcall be in the current container or the
root container?

Authentication keys, such as used by kafs and AF_RXRPC - should they be in the
filesystem namespace (kafs is an fs), the network namespace (AF_RXRPC is a net
protocol) or the user namespace?

Should crypto keys, such as the asymmetric key type, be in the user namespace?
What about use by module signing?  Should key operations in the current
container have access to a blacklist in the root container?  Should key
verification in the current container have access to system keyrings?  The
TPM?

This might actually be right for a hallway track.

David


More information about the Ksummit-discuss mailing list