From mboxrd@z Thu Jan 1 00:00:00 1970 From: "Kirill A. Shutemov" Date: Wed, 08 May 2019 14:43:43 +0000 Subject: [PATCH, RFC 23/62] keys/mktme: Introduce a Kernel Key Service for MKTME Message-Id: <20190508144422.13171-24-kirill.shutemov@linux.intel.com> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit List-Id: References: <20190508144422.13171-1-kirill.shutemov@linux.intel.com> In-Reply-To: <20190508144422.13171-1-kirill.shutemov@linux.intel.com> To: Andrew Morton , x86@kernel.org, Thomas Gleixner , Ingo Molnar , "H. Peter Anvin" , Borislav Petkov , Peter Zijlstra , Andy Lutomirski , David Howells Cc: Kees Cook , Dave Hansen , Kai Huang , Jacob Pan , Alison Schofield , linux-mm@kvack.org, kvm@vger.kernel.org, keyrings@vger.kernel.org, linux-kernel@vger.kernel.org, "Kirill A . Shutemov" From: Alison Schofield MKTME (Multi-Key Total Memory Encryption) is a technology that allows transparent memory encryption in upcoming Intel platforms. MKTME will support multiple encryption domains, each having their own key. The MKTME key service will manage the hardware encryption keys. It will map Userspace Keys to Hardware KeyIDs and program the hardware with the user requested encryption options. Here the mapping structure and associated helpers are introduced, as well as the key service initialization and registration. Signed-off-by: Alison Schofield Signed-off-by: Kirill A. Shutemov --- security/keys/Makefile | 1 + security/keys/mktme_keys.c | 98 ++++++++++++++++++++++++++++++++++++++ 2 files changed, 99 insertions(+) create mode 100644 security/keys/mktme_keys.c diff --git a/security/keys/Makefile b/security/keys/Makefile index 9cef54064f60..28799be801a9 100644 --- a/security/keys/Makefile +++ b/security/keys/Makefile @@ -30,3 +30,4 @@ obj-$(CONFIG_ASYMMETRIC_KEY_TYPE) += keyctl_pkey.o obj-$(CONFIG_BIG_KEYS) += big_key.o obj-$(CONFIG_TRUSTED_KEYS) += trusted.o obj-$(CONFIG_ENCRYPTED_KEYS) += encrypted-keys/ +obj-$(CONFIG_X86_INTEL_MKTME) += mktme_keys.o diff --git a/security/keys/mktme_keys.c b/security/keys/mktme_keys.c new file mode 100644 index 000000000000..b5e8289f041b --- /dev/null +++ b/security/keys/mktme_keys.c @@ -0,0 +1,98 @@ +// SPDX-License-Identifier: GPL-3.0 + +/* Documentation/x86/mktme_keys.rst */ + +#include +#include +#include +#include +#include + +#include "internal.h" + +/* 1:1 Mapping between Userspace Keys (struct key) and Hardware KeyIDs */ +struct mktme_mapping { + unsigned int mapped_keyids; + struct key *key[]; +}; + +struct mktme_mapping *mktme_map; + +static inline long mktme_map_size(void) +{ + long size = 0; + + size += sizeof(*mktme_map); + size += sizeof(mktme_map->key[0]) * (mktme_nr_keyids + 1); + return size; +} + +int mktme_map_alloc(void) +{ + mktme_map = kvzalloc(mktme_map_size(), GFP_KERNEL); + if (!mktme_map) + return -ENOMEM; + return 0; +} + +int mktme_reserve_keyid(struct key *key) +{ + int i; + + if (mktme_map->mapped_keyids = mktme_nr_keyids) + return 0; + + for (i = 1; i <= mktme_nr_keyids; i++) { + if (mktme_map->key[i] = 0) { + mktme_map->key[i] = key; + mktme_map->mapped_keyids++; + return i; + } + } + return 0; +} + +void mktme_release_keyid(int keyid) +{ + mktme_map->key[keyid] = 0; + mktme_map->mapped_keyids--; +} + +int mktme_keyid_from_key(struct key *key) +{ + int i; + + for (i = 1; i <= mktme_nr_keyids; i++) { + if (mktme_map->key[i] = key) + return i; + } + return 0; +} + +struct key_type key_type_mktme = { + .name = "mktme", + .describe = user_describe, +}; + +static int __init init_mktme(void) +{ + int ret; + + /* Verify keys are present */ + if (mktme_nr_keyids < 1) + return 0; + + /* Mapping of Userspace Keys to Hardware KeyIDs */ + if (mktme_map_alloc()) + return -ENOMEM; + + ret = register_key_type(&key_type_mktme); + if (!ret) + return ret; /* SUCCESS */ + + kvfree(mktme_map); + + return -ENOMEM; +} + +late_initcall(init_mktme); -- 2.20.1 From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-8.9 required=3.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, INCLUDES_PATCH,MAILING_LIST_MULTI,SIGNED_OFF_BY,SPF_PASS,URIBL_BLOCKED, USER_AGENT_GIT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 8DC47C04A6B for ; Wed, 8 May 2019 14:46:04 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 6AB1D216B7 for ; Wed, 8 May 2019 14:46:04 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728681AbfEHOpL (ORCPT ); Wed, 8 May 2019 10:45:11 -0400 Received: from mga07.intel.com ([134.134.136.100]:33085 "EHLO mga07.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728349AbfEHOor (ORCPT ); Wed, 8 May 2019 10:44:47 -0400 X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from orsmga007.jf.intel.com ([10.7.209.58]) by orsmga105.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 08 May 2019 07:44:45 -0700 X-ExtLoop1: 1 Received: from black.fi.intel.com ([10.237.72.28]) by orsmga007.jf.intel.com with ESMTP; 08 May 2019 07:44:40 -0700 Received: by black.fi.intel.com (Postfix, from userid 1000) id CED38A79; Wed, 8 May 2019 17:44:29 +0300 (EEST) From: "Kirill A. Shutemov" To: Andrew Morton , x86@kernel.org, Thomas Gleixner , Ingo Molnar , "H. Peter Anvin" , Borislav Petkov , Peter Zijlstra , Andy Lutomirski , David Howells Cc: Kees Cook , Dave Hansen , Kai Huang , Jacob Pan , Alison Schofield , linux-mm@kvack.org, kvm@vger.kernel.org, keyrings@vger.kernel.org, linux-kernel@vger.kernel.org, "Kirill A . Shutemov" Subject: [PATCH, RFC 23/62] keys/mktme: Introduce a Kernel Key Service for MKTME Date: Wed, 8 May 2019 17:43:43 +0300 Message-Id: <20190508144422.13171-24-kirill.shutemov@linux.intel.com> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20190508144422.13171-1-kirill.shutemov@linux.intel.com> References: <20190508144422.13171-1-kirill.shutemov@linux.intel.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Alison Schofield MKTME (Multi-Key Total Memory Encryption) is a technology that allows transparent memory encryption in upcoming Intel platforms. MKTME will support multiple encryption domains, each having their own key. The MKTME key service will manage the hardware encryption keys. It will map Userspace Keys to Hardware KeyIDs and program the hardware with the user requested encryption options. Here the mapping structure and associated helpers are introduced, as well as the key service initialization and registration. Signed-off-by: Alison Schofield Signed-off-by: Kirill A. Shutemov --- security/keys/Makefile | 1 + security/keys/mktme_keys.c | 98 ++++++++++++++++++++++++++++++++++++++ 2 files changed, 99 insertions(+) create mode 100644 security/keys/mktme_keys.c diff --git a/security/keys/Makefile b/security/keys/Makefile index 9cef54064f60..28799be801a9 100644 --- a/security/keys/Makefile +++ b/security/keys/Makefile @@ -30,3 +30,4 @@ obj-$(CONFIG_ASYMMETRIC_KEY_TYPE) += keyctl_pkey.o obj-$(CONFIG_BIG_KEYS) += big_key.o obj-$(CONFIG_TRUSTED_KEYS) += trusted.o obj-$(CONFIG_ENCRYPTED_KEYS) += encrypted-keys/ +obj-$(CONFIG_X86_INTEL_MKTME) += mktme_keys.o diff --git a/security/keys/mktme_keys.c b/security/keys/mktme_keys.c new file mode 100644 index 000000000000..b5e8289f041b --- /dev/null +++ b/security/keys/mktme_keys.c @@ -0,0 +1,98 @@ +// SPDX-License-Identifier: GPL-3.0 + +/* Documentation/x86/mktme_keys.rst */ + +#include +#include +#include +#include +#include + +#include "internal.h" + +/* 1:1 Mapping between Userspace Keys (struct key) and Hardware KeyIDs */ +struct mktme_mapping { + unsigned int mapped_keyids; + struct key *key[]; +}; + +struct mktme_mapping *mktme_map; + +static inline long mktme_map_size(void) +{ + long size = 0; + + size += sizeof(*mktme_map); + size += sizeof(mktme_map->key[0]) * (mktme_nr_keyids + 1); + return size; +} + +int mktme_map_alloc(void) +{ + mktme_map = kvzalloc(mktme_map_size(), GFP_KERNEL); + if (!mktme_map) + return -ENOMEM; + return 0; +} + +int mktme_reserve_keyid(struct key *key) +{ + int i; + + if (mktme_map->mapped_keyids == mktme_nr_keyids) + return 0; + + for (i = 1; i <= mktme_nr_keyids; i++) { + if (mktme_map->key[i] == 0) { + mktme_map->key[i] = key; + mktme_map->mapped_keyids++; + return i; + } + } + return 0; +} + +void mktme_release_keyid(int keyid) +{ + mktme_map->key[keyid] = 0; + mktme_map->mapped_keyids--; +} + +int mktme_keyid_from_key(struct key *key) +{ + int i; + + for (i = 1; i <= mktme_nr_keyids; i++) { + if (mktme_map->key[i] == key) + return i; + } + return 0; +} + +struct key_type key_type_mktme = { + .name = "mktme", + .describe = user_describe, +}; + +static int __init init_mktme(void) +{ + int ret; + + /* Verify keys are present */ + if (mktme_nr_keyids < 1) + return 0; + + /* Mapping of Userspace Keys to Hardware KeyIDs */ + if (mktme_map_alloc()) + return -ENOMEM; + + ret = register_key_type(&key_type_mktme); + if (!ret) + return ret; /* SUCCESS */ + + kvfree(mktme_map); + + return -ENOMEM; +} + +late_initcall(init_mktme); -- 2.20.1