From: Pankaj Gupta <pankaj.gupta@nxp.com>
To: Ahmad Fatoum <a.fatoum@pengutronix.de>,
Jarkko Sakkinen <jarkko@kernel.org>
Cc: Horia Geanta <horia.geanta@nxp.com>,
Aymen Sghaier <aymen.sghaier@nxp.com>,
Herbert Xu <herbert@gondor.apana.org.au>,
"David S. Miller" <davem@davemloft.net>,
"kernel@pengutronix.de" <kernel@pengutronix.de>,
David Gstir <david@sigma-star.at>,
"tharvey@gateworks.com" <tharvey@gateworks.com>,
Matthias Schiffer <matthias.schiffer@ew.tq-group.com>,
James Bottomley <jejb@linux.ibm.com>,
Mimi Zohar <zohar@linux.ibm.com>,
David Howells <dhowells@redhat.com>,
James Morris <jmorris@namei.org>,
Eric Biggers <ebiggers@kernel.org>,
"Serge E. Hallyn" <serge@hallyn.com>,
Jan Luebbe <j.luebbe@pengutronix.de>,
Richard Weinberger <richard@nod.at>,
Franck Lenormand <franck.lenormand@nxp.com>,
Sumit Garg <sumit.garg@linaro.org>,
"linux-integrity@vger.kernel.org"
<linux-integrity@vger.kernel.org>,
"keyrings@vger.kernel.org" <keyrings@vger.kernel.org>,
"linux-crypto@vger.kernel.org" <linux-crypto@vger.kernel.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"linux-security-module@vger.kernel.org"
<linux-security-module@vger.kernel.org>
Subject: RE: [EXT] Re: [PATCH v5 4/5] crypto: caam - add in-kernel interface for blob generator
Date: Fri, 25 Feb 2022 12:20:54 +0000 [thread overview]
Message-ID: <DU2PR04MB863084B70239A69E4DE9D65B953E9@DU2PR04MB8630.eurprd04.prod.outlook.com> (raw)
In-Reply-To: <a8cb99e0-fe01-2234-9839-fea28ca09f6d@pengutronix.de>
> -----Original Message-----
> From: Ahmad Fatoum <a.fatoum@pengutronix.de>
> Sent: Wednesday, February 23, 2022 9:50 PM
> To: Jarkko Sakkinen <jarkko@kernel.org>
> Cc: Horia Geanta <horia.geanta@nxp.com>; Aymen Sghaier
> <aymen.sghaier@nxp.com>; Herbert Xu <herbert@gondor.apana.org.au>;
> David S. Miller <davem@davemloft.net>; kernel@pengutronix.de; David Gstir
> <david@sigma-star.at>; Pankaj Gupta <pankaj.gupta@nxp.com>;
> tharvey@gateworks.com; Matthias Schiffer <matthias.schiffer@ew.tq-
> group.com>; James Bottomley <jejb@linux.ibm.com>; Mimi Zohar
> <zohar@linux.ibm.com>; David Howells <dhowells@redhat.com>; James Morris
> <jmorris@namei.org>; Eric Biggers <ebiggers@kernel.org>; Serge E. Hallyn
> <serge@hallyn.com>; Jan Luebbe <j.luebbe@pengutronix.de>; Richard
> Weinberger <richard@nod.at>; Franck Lenormand
> <franck.lenormand@nxp.com>; Sumit Garg <sumit.garg@linaro.org>; linux-
> integrity@vger.kernel.org; keyrings@vger.kernel.org; linux-
> crypto@vger.kernel.org; linux-kernel@vger.kernel.org; linux-security-
> module@vger.kernel.org
> Subject: [EXT] Re: [PATCH v5 4/5] crypto: caam - add in-kernel interface for blob
> generator
>
> Caution: EXT Email
>
> On 23.02.22 16:41, Jarkko Sakkinen wrote:
> > On Tue, Feb 22, 2022 at 08:58:18PM +0100, Ahmad Fatoum wrote:
> >> The NXP Cryptographic Acceleration and Assurance Module (CAAM) can be
> >> used to protect user-defined data across system reboot:
> >>
> >> - When the system is fused and boots into secure state, the master
> >> key is a unique never-disclosed device-specific key
> >> - random key is encrypted by key derived from master key
> >> - data is encrypted using the random key
> >> - encrypted data and its encrypted random key are stored alongside
> >> - This blob can now be safely stored in non-volatile memory
> >>
> >> On next power-on:
> >> - blob is loaded into CAAM
> >> - CAAM writes decrypted data either into memory or key register
> >>
> >> Add functions to realize encrypting and decrypting into memory
> >> alongside the CAAM driver.
> >>
> >> They will be used in a later commit as a source for the trusted key
> >> seal/unseal mechanism.
> >>
> >> Reviewed-by: David Gstir <david@sigma-star.at>
> >> Reviewed-by: Pankaj Gupta <pankaj.gupta@nxp.com>
> >> Tested-By: Tim Harvey <tharvey@gateworks.com>
> >> Tested-by: Matthias Schiffer <matthias.schiffer@ew.tq-group.com>
> >> Signed-off-by: Steffen Trumtrar <s.trumtrar@pengutronix.de>
> >> Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
> >> ---
> >> To: "Horia Geantă" <horia.geanta@nxp.com>
> >> To: Aymen Sghaier <aymen.sghaier@nxp.com>
> >> To: Herbert Xu <herbert@gondor.apana.org.au>
> >> To: "David S. Miller" <davem@davemloft.net>
> >> Cc: James Bottomley <jejb@linux.ibm.com>
> >> Cc: Jarkko Sakkinen <jarkko@kernel.org>
> >> Cc: Mimi Zohar <zohar@linux.ibm.com>
> >> Cc: David Howells <dhowells@redhat.com>
> >> Cc: James Morris <jmorris@namei.org>
> >> Cc: Eric Biggers <ebiggers@kernel.org>
> >> Cc: "Serge E. Hallyn" <serge@hallyn.com>
> >> Cc: Jan Luebbe <j.luebbe@pengutronix.de>
> >> Cc: David Gstir <david@sigma-star.at>
> >> Cc: Richard Weinberger <richard@nod.at>
> >> Cc: Franck LENORMAND <franck.lenormand@nxp.com>
> >> Cc: Sumit Garg <sumit.garg@linaro.org>
> >> Cc: Tim Harvey <tharvey@gateworks.com>
> >> Cc: Matthias Schiffer <matthias.schiffer@ew.tq-group.com>
> >> Cc: Pankaj Gupta <pankaj.gupta@nxp.com>
> >> Cc: linux-integrity@vger.kernel.org
> >> Cc: keyrings@vger.kernel.org
> >> Cc: linux-crypto@vger.kernel.org
> >> Cc: linux-kernel@vger.kernel.org
> >> Cc: linux-security-module@vger.kernel.org
> >> ---
> >> drivers/crypto/caam/Kconfig | 3 +
> >> drivers/crypto/caam/Makefile | 1 +
> >> drivers/crypto/caam/blob_gen.c | 230
> +++++++++++++++++++++++++++++++++
> >> include/soc/fsl/caam-blob.h | 56 ++++++++
> >> 4 files changed, 290 insertions(+)
> >> create mode 100644 drivers/crypto/caam/blob_gen.c create mode
> >> 100644 include/soc/fsl/caam-blob.h
> >>
> >> diff --git a/drivers/crypto/caam/Kconfig
> >> b/drivers/crypto/caam/Kconfig index 84ea7cba5ee5..ea9f8b1ae981 100644
> >> --- a/drivers/crypto/caam/Kconfig
> >> +++ b/drivers/crypto/caam/Kconfig
> >> @@ -151,6 +151,9 @@ config CRYPTO_DEV_FSL_CAAM_RNG_API
> >> Selecting this will register the SEC4 hardware rng to
> >> the hw_random API for supplying the kernel entropy pool.
> >>
> >> +config CRYPTO_DEV_FSL_CAAM_BLOB_GEN
> >> + bool
> >> +
> >> endif # CRYPTO_DEV_FSL_CAAM_JR
> >>
> >> endif # CRYPTO_DEV_FSL_CAAM
> >> diff --git a/drivers/crypto/caam/Makefile
> >> b/drivers/crypto/caam/Makefile index 3570286eb9ce..25f7ae5a4642
> >> 100644
> >> --- a/drivers/crypto/caam/Makefile
> >> +++ b/drivers/crypto/caam/Makefile
> >> @@ -21,6 +21,7 @@ caam_jr-
> $(CONFIG_CRYPTO_DEV_FSL_CAAM_CRYPTO_API_QI)
> >> += caamalg_qi.o
> >> caam_jr-$(CONFIG_CRYPTO_DEV_FSL_CAAM_AHASH_API) += caamhash.o
> >> caam_jr-$(CONFIG_CRYPTO_DEV_FSL_CAAM_RNG_API) += caamrng.o
> >> caam_jr-$(CONFIG_CRYPTO_DEV_FSL_CAAM_PKC_API) += caampkc.o
> >> pkc_desc.o
> >> +caam_jr-$(CONFIG_CRYPTO_DEV_FSL_CAAM_BLOB_GEN) += blob_gen.o
> >>
> >> caam-$(CONFIG_CRYPTO_DEV_FSL_CAAM_CRYPTO_API_QI) += qi.o ifneq
> >> ($(CONFIG_CRYPTO_DEV_FSL_CAAM_CRYPTO_API_QI),)
> >> diff --git a/drivers/crypto/caam/blob_gen.c
> >> b/drivers/crypto/caam/blob_gen.c new file mode 100644 index
> >> 000000000000..513d3f90e438
> >> --- /dev/null
> >> +++ b/drivers/crypto/caam/blob_gen.c
> >> @@ -0,0 +1,230 @@
> >> +// SPDX-License-Identifier: GPL-2.0-only
> >> +/*
> >> + * Copyright (C) 2015 Pengutronix, Steffen Trumtrar
> >> +<kernel@pengutronix.de>
> >> + * Copyright (C) 2021 Pengutronix, Ahmad Fatoum
> >> +<kernel@pengutronix.de> */
> >> +
> >> +#include <linux/device.h>
> >> +#include <soc/fsl/caam-blob.h>
> >> +
> >> +#include "compat.h"
> >> +#include "desc_constr.h"
> >> +#include "desc.h"
> >> +#include "error.h"
> >> +#include "intern.h"
> >> +#include "jr.h"
> >> +#include "regs.h"
> >> +
> >> +struct caam_blob_priv {
> >> + struct device jrdev;
> >> +};
> >> +
> >> +struct caam_blob_job_result {
> >> + int err;
> >> + struct completion completion;
> >> +};
> >> +
> >> +static void caam_blob_job_done(struct device *dev, u32 *desc, u32
> >> +err, void *context) {
> >> + struct caam_blob_job_result *res = context;
> >> + int ecode = 0;
> >> +
> >> + dev_dbg(dev, "%s %d: err 0x%x\n", __func__, __LINE__, err);
> >> +
> >> + if (err)
> >> + ecode = caam_jr_strstatus(dev, err);
> >> +
> >> + res->err = ecode;
> >> +
> >> + /*
> >> + * Upon completion, desc points to a buffer containing a CAAM job
> >> + * descriptor which encapsulates data into an externally-storable
> >> + * blob.
> >> + */
> >> + complete(&res->completion);
> >> +}
> >> +
> >> +static u32 *caam_blob_alloc_desc(size_t keymod_len) {
> >> + size_t len;
> >> +
> >> + /* header + (key mod immediate) + 2x pointers + op */
> >> + len = 4 + (4 + ALIGN(keymod_len, 4)) + 2*(4 + 4 +
> >> + CAAM_PTR_SZ_MAX) + 4;
> >
> > Nit: the amount of magic numbers is overwhelming here. I neither
> > understand the statement nor how that comment should help me to
> understand it.
>
> header = 4
> (key mod immediate) = (4 + ALIGN(keymod_len, 4))
> 2x pointer = 2 * (4 + 4 + CAAM_PTR_SZ_MAX)
> op = 4
Instead of the function caam_blob_alloc_desc(), it will be great if the caller functions caam_encap_blob()/caam_encap_blob (), could add local array:
uint32_t desc[CAAM_DESC_BYTES_MAX];
>
> I haven't heard back from the CAAM maintainers yet since v1. Perhaps now is a
> good occasion to chime in? :-)
>
> @Jarkko, could you take a look at patch 5? That's the gist of the series and I
> have yet to get maintainer feedback on that one.
>
> Cheers,
> Ahmad
>
>
> >
> > BR, Jarkko
> >
>
>
> --
> Pengutronix e.K. | |
> Steuerwalder Str. 21 |
> https://eur01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.pen
> gutronix.de%2F&data=04%7C01%7Cpankaj.gupta%40nxp.com%7Cc97e9d4
> aaf304124407908d9f6e87101%7C686ea1d3bc2b4c6fa92cd99c5c301635%7C0%
> 7C0%7C637812300459173929%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wL
> jAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&s
> data=CvnfIXR68DPRCaYrOYQKSv2eSBSNSSJYx2BQJee4yLg%3D&reserved=0
> |
> 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 |
> Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
next prev parent reply other threads:[~2022-02-25 12:21 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-02-22 19:58 [PATCH v5 0/5] KEYS: trusted: Introduce support for NXP CAAM-based trusted keys Ahmad Fatoum
2022-02-22 19:58 ` [PATCH v5 1/5] KEYS: trusted: allow use of TEE as backend without TCG_TPM support Ahmad Fatoum
2022-02-22 19:58 ` [PATCH v5 2/5] KEYS: trusted: allow users to use kernel RNG for key material Ahmad Fatoum
2022-02-23 15:42 ` Jarkko Sakkinen
2022-02-22 19:58 ` [PATCH v5 3/5] KEYS: trusted: allow trust sources " Ahmad Fatoum
2022-02-23 16:23 ` Ahmad Fatoum
2022-02-25 11:57 ` [EXT] " Pankaj Gupta
2022-03-02 4:43 ` Pankaj Gupta
2022-02-22 19:58 ` [PATCH v5 4/5] crypto: caam - add in-kernel interface for blob generator Ahmad Fatoum
2022-02-23 15:41 ` Jarkko Sakkinen
2022-02-23 16:20 ` Ahmad Fatoum
2022-02-25 12:20 ` Pankaj Gupta [this message]
2022-03-14 15:33 ` [EXT] " Ahmad Fatoum
2022-02-28 12:14 ` Jarkko Sakkinen
2022-03-16 16:44 ` Ahmad Fatoum
2022-02-22 19:58 ` [PATCH v5 5/5] KEYS: trusted: Introduce support for NXP CAAM-based trusted keys Ahmad Fatoum
2022-02-25 12:43 ` [EXT] " Pankaj Gupta
2022-03-02 4:37 ` Pankaj Gupta
2022-03-07 4:48 ` Pankaj Gupta
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=DU2PR04MB863084B70239A69E4DE9D65B953E9@DU2PR04MB8630.eurprd04.prod.outlook.com \
--to=pankaj.gupta@nxp.com \
--cc=a.fatoum@pengutronix.de \
--cc=aymen.sghaier@nxp.com \
--cc=davem@davemloft.net \
--cc=david@sigma-star.at \
--cc=dhowells@redhat.com \
--cc=ebiggers@kernel.org \
--cc=franck.lenormand@nxp.com \
--cc=herbert@gondor.apana.org.au \
--cc=horia.geanta@nxp.com \
--cc=j.luebbe@pengutronix.de \
--cc=jarkko@kernel.org \
--cc=jejb@linux.ibm.com \
--cc=jmorris@namei.org \
--cc=kernel@pengutronix.de \
--cc=keyrings@vger.kernel.org \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=matthias.schiffer@ew.tq-group.com \
--cc=richard@nod.at \
--cc=serge@hallyn.com \
--cc=sumit.garg@linaro.org \
--cc=tharvey@gateworks.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.