author: Lennart Poettering <lennart@poettering.net> 2024-01-15 17:36:44 +0100
committer: Lennart Poettering <lennart@poettering.net> 2024-01-30 17:07:47 +0100
commit: 48d67957d507c17009f804ec91bf459a674edab7 (patch)
tree: 04442e4438420deb1152e6f2b1261be8bd005bff /mime
parent: Merge pull request #31121 from YHNdnzj/notify-man (diff)
creds-util: add a concept of "user-scoped" credentials
So far credentials are a concept for system services only: to encrypt or decrypt a credential you must be privileged, as only then can you access the TPM and the host key. Let's break this up a bit: let's add "user-scoped" credentials that are specific to users. Internally this works by adding another step to the acquisition of the symmetric encryption key for the credential: if a "user-scoped" credential is used we'll generate a symmetric encryption key K as usual, but then we'll use it to calculate K' = HMAC(K, flags || uid || machine-id || username) and then use the resulting K' as encryption key instead. This basically includes the (public) user's identity in the encryption key, ensuring that only if the right user credentials are specified can the correct key be acquired.
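To make the derivation described in the commit message concrete, here is an added Python sketch (not systemd's own code): the field encoding fed to the HMAC, the SHA-256 choice and the sample K, machine-id and ciphertext are all assumptions constructed for this illustration. It shows K' = HMAC(K, flags || uid || machine-id || username) and why a blob bound under one user's K' cannot be unlocked with another user's identity.

```python
import hmac
import hashlib

# Added illustration of the user-scoped derivation; not systemd's code.
# The field encoding (little-endian fixed widths, length-prefixed name) and
# SHA-256 are assumptions chosen here so the HMAC input is unambiguous:
# no two distinct (flags, uid, machine-id, username) tuples can collide.
def derive_user_scoped_key(k: bytes, flags: int, uid: int,
                           machine_id: bytes, username: str) -> bytes:
    """K' = HMAC(K, flags || uid || machine-id || username)."""
    if len(machine_id) != 16:
        raise ValueError("machine-id must be 16 bytes")
    name = username.encode("utf-8")
    msg = (flags.to_bytes(8, "little")
           + uid.to_bytes(8, "little")
           + machine_id
           + len(name).to_bytes(4, "little") + name)
    return hmac.new(k, msg, hashlib.sha256).digest()


def bind(k_prime: bytes, ciphertext: bytes) -> bytes:
    """Tag the encrypted blob under the user-scoped key K'."""
    return hmac.new(k_prime, ciphertext, hashlib.sha256).digest()


def can_unlock(k_prime: bytes, ciphertext: bytes, tag: bytes) -> bool:
    """Unlocking succeeds only if the caller derives the same K'."""
    return hmac.compare_digest(bind(k_prime, ciphertext), tag)


# Constructed demo values: a fixed stand-in for the TPM/host-derived key K,
# a fake machine-id and a fake ciphertext blob.
K = hashlib.sha256(b"constructed demo host key").digest()
MACHINE_ID = bytes(range(16))
BLOB = b"constructed ciphertext bytes"

K_ALICE = derive_user_scoped_key(K, 0, 1000, MACHINE_ID, "alice")
K_BOB = derive_user_scoped_key(K, 0, 1001, MACHINE_ID, "bob")
TAG = bind(K_ALICE, BLOB)

if __name__ == "__main__":
    print("alice unlocks:", can_unlock(K_ALICE, BLOB, TAG))  # True
    print("bob unlocks:  ", can_unlock(K_BOB, BLOB, TAG))    # False
    # uid, machine-id and username are public, so K' is no more secret
    # than K: the HMAC step scopes the key to an identity, it adds no entropy.
```

Changing any single input (flags, uid, machine-id or username) yields an unrelated K', which is the whole point of folding the identity into the key rather than checking it separately.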
Diffstat (limited to 'mime')
-rw-r--r-- mime/io.systemd.xml | 3
1 files changed, 3 insertions, 0 deletions
diff --git a/mime/io.systemd.xml b/mime/io.systemd.xml
index f362006a47..8314569ed3 100644
--- a/mime/io.systemd.xml
+++ b/mime/io.systemd.xml
@@ -33,10 +33,13 @@
<generic-icon name="security-high"/>
<magic>
<match type="string" value="Whxqht+dQJax1aZeCGLxm" offset="0"/>
+ <match type="string" value="VbntHThZTUOoMZ0uuzMqx" offset="0"/>
<match type="string" value="DHzAexF2RZGcSwvqCLwg/" offset="0"/>
<match type="string" value="+vfrk0HjQSyhpDb5Wik2L" offset="0"/>
<match type="string" value="k6iUCUh0RJCQyvL8k8q1U" offset="0"/>
+ <match type="string" value="70rBNnmpSA6n22iJf58WX" offset="0"/>
<match type="string" value="r0lQqEkTTrGnOEYwT/MMB" offset="0"/>
+ <match type="string" value="rbxMo++2QgG6iBtvLkCV6" offset="0"/>
<match type="string" value="BYRp2vb1QySABUnaD46i+" offset="0"/>
</magic>
</mime-type>
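Review bot: the three new <match> entries ("VbntHThZTUOoMZ0uuzMqx", "70rBNnmpSA6n22iJf58WX", "rbxMo++2QgG6iBtvLkCV6") give no indication of which credential variant each base64 prefix identifies, and they are interleaved with the existing entries (after the first, fourth and fifth) rather than grouped, so a maintainer reading this file cannot tell that they belong to the user-scoped key types this commit introduces, nor regenerate them if a magic ID changes. Consider an XML comment above the <magic> block stating how each prefix is derived (base64 of the credential header's leading bytes) and which key-type constant it corresponds to, or at least noting the pairing in the commit message.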