48d67957d5
So far credentials are a concept for system services only: to encrypt or decrypt a credential you must be privileged, as only then can you access the TPM and the host key. Let's break this up a bit: let's add "user-scoped" credentials, which are specific to users. Internally this works by adding another step to the acquisition of the symmetric encryption key for the credential: if a "user-scoped" credential is used we'll generate a symmetric encryption key K as usual, but then we'll use it to calculate K' = HMAC(K, flags || uid || machine-id || username) and then use the resulting K' as the encryption key instead. This basically includes the (public) user's identity in the encryption key, ensuring that the correct key can be acquired only if the right user credentials are specified.
<?xml version="1.0" encoding="UTF-8"?>
<!--
  shared-mime-info definitions for systemd's on-disk file formats.

  The document declares no DOCTYPE and defines no entities, so a consumer
  parsing it with DTD processing disabled loses nothing.  Each mime-type
  is identified either by a file-name glob or by a magic byte string at
  offset 0; a magic match establishes the *format* of a file only, it says
  nothing about the file's integrity or origin.
-->
<mime-info xmlns="http://www.freedesktop.org/standards/shared-mime-info">

  <!-- System extension disk image: recognised by file name only, no magic. -->
  <mime-type type="application/x.systemd-sysext">
    <sub-class-of type="application/vnd.efi.img"/>
    <comment>System Extension DDI</comment>
    <glob pattern="*.sysext.raw"/>
  </mime-type>

  <!-- Configuration extension disk image: recognised by file name only, no magic. -->
  <mime-type type="application/x.systemd-confext">
    <sub-class-of type="application/vnd.efi.img"/>
    <comment>Configuration Extension DDI</comment>
    <glob pattern="*.confext.raw"/>
  </mime-type>

  <!-- Journal file: 8-byte signature at the start of the file. -->
  <mime-type type="application/x.systemd-journal">
    <comment>Journal Log File</comment>
    <magic>
      <match type="string" value="LPKSHHRH" offset="0"/>
    </magic>
  </mime-type>

  <!-- Compiled journal message catalog: 8-byte signature at offset 0. -->
  <mime-type type="application/x.systemd-catalog">
    <comment>Journal Message Catalog</comment>
    <magic>
      <match type="string" value="RHHHKSLP" offset="0"/>
    </magic>
  </mime-type>

  <!-- Compiled hardware database: 8-byte signature at offset 0. -->
  <mime-type type="application/x.systemd-hwdb">
    <comment>Hardware Database</comment>
    <magic>
      <match type="string" value="KSLPHHRH" offset="0"/>
    </magic>
  </mime-type>

  <!--
    Encrypted credential.  The sibling <match> elements below are
    alternatives: a file whose first 21 bytes equal any one of them is
    classified as a credential.  NOTE(review): these look like the base64
    encoding of the several possible credential-container header variants
    (one per key-derivation scheme), which is why there are nine of them;
    confirm against the credential format definition before relying on that
    reading.  When the header format gains a new variant, a new prefix must
    be added here or the new files will not be recognised.
  -->
  <mime-type type="application/x.systemd-credential">
    <comment>Encrypted Credential</comment>
    <generic-icon name="security-high"/>
    <magic>
      <match type="string" value="Whxqht+dQJax1aZeCGLxm" offset="0"/>
      <match type="string" value="VbntHThZTUOoMZ0uuzMqx" offset="0"/>
      <match type="string" value="DHzAexF2RZGcSwvqCLwg/" offset="0"/>
      <match type="string" value="+vfrk0HjQSyhpDb5Wik2L" offset="0"/>
      <match type="string" value="k6iUCUh0RJCQyvL8k8q1U" offset="0"/>
      <match type="string" value="70rBNnmpSA6n22iJf58WX" offset="0"/>
      <match type="string" value="r0lQqEkTTrGnOEYwT/MMB" offset="0"/>
      <match type="string" value="rbxMo++2QgG6iBtvLkCV6" offset="0"/>
      <match type="string" value="BYRp2vb1QySABUnaD46i+" offset="0"/>
    </magic>
  </mime-type>

</mime-info>