[RFC PATCH v8 0/4] Support for hardware-wrapped inline encryption keys

[Eric Biggers <ebiggers@kernel.org>]

[ This patchset is based on mainline commit aea6bf908d730b01 ]

This RFC patchset adds the block and fscrypt support for
hardware-wrapped inline encryption keys, a security feature supported by
Qualcomm and Google SoCs that has already been used by Android for
several years (with some slight differences, but same overall design).

I last sent this patchset in December 2022
(https://lore.kernel.org/r/20221216203636.81491-1-ebiggers@kernel.org).
This feature continues to be blocked on the lack of upstream-ready
development platform(s) for this feature.  However, it looks like at
least one of sm8650 and gs101 will get there soon, and *maybe* even is
there already (when I have a chance, I need to try out those SoCs with
the very latest upstream and pending-upstream patches).  So things are
looking more optimistic now.  Several months ago Gaurav Kashyap also
updated his patchset for the sm8650 support for this feature
(https://lore.kernel.org/r/20230719170423.220033-1-quic_gaurkash@quicinc.com).
Therefore, so that people have something fresh to work on, I've rebased
and am resending this block+fscrypt support patchset.  Note that this is
a prerequisite for any platform specific patchsets, e.g. the sm8650 one.

This feature is described in full detail in the included Documentation
changes.  But to summarize, hardware-wrapped keys are inline encryption
keys that are wrapped (encrypted) by a key internal to the hardware so
that they can only be unwrapped (decrypted) by the hardware.  Initially
keys are wrapped with a permanent hardware key, but during actual use
they are re-wrapped with a per-boot ephemeral key for improved security.
The hardware supports importing keys as well as generating keys itself.

This feature protects encryption keys from read-only compromises of
kernel memory, such as that which can occur during a cold boot attack.
It does this without limiting the number of keys that can be used, as
would be the case with solutions that didn't use key wrapping.

This differs from the existing support for hardware-wrapped keys in the
kernel crypto API (which also goes by names such as "hardware-bound
keys", depending on the driver) in the same way that the crypto API
differs from blk-crypto: the crypto API is for general crypto
operations, whereas blk-crypto is for inline storage encryption.

Changes in v8:
    - Rebased onto latest mainline (v6.6-14263-gaea6bf908d73).
    - Removed checks for HW-wrapped keys compatibility between block
      devices in multi-block-device filesystems, as these were
      incompatible with device-mapper.  Doing this validation, which is
      not needed for current HW, would require a more comphensive design

Changes in v7:
    - Rebased onto latest mainline.
    - Fixed a bug in fscrypt_prepare_inline_crypt_key().
    - Other cleanups.

Changes in v6:
    - Downgraded the patchset back to RFC status.
    - Exposed the supported key types in sysfs.
    - Shortened some field names, e.g. longterm_wrapped_key => lt_key.
    - Avoided adding a new use of struct request_queue by fs/crypto/.
    - Moved the blk-crypto ioctls to a new blk-crypto UAPI header file
      and fixed their numbering.
    - Other cleanups.

Changes in v5:
    - Dropped the RFC tag, now that these patches are actually testable.
    - Split the BLKCRYPTOCREATEKEY ioctl into BLKCRYPTOIMPORTKEY and
      BLKCRYPTOGENERATEKEY.  (I'm thinking that these operations are
      distinct enough that two separate ioctls would be best.)
    - Added some warning messages in fscrypt_derive_sw_secret().
    - Rebased onto v5.17-rc6.

Changes in v4:
    - Rebased onto v5.16-rc1 and dropped a few bits that were upstreamed.
    - Updated cover letter to link to Gaurav's UFS driver patchset.

Changes in v3:
    - Dropped some fscrypt cleanups that were applied.
    - Rebased on top of the latest linux-block and fscrypt branches.
    - Minor cleanups.

Changes in v2:
    - Added new ioctls for creating and preparing hardware-wrapped keys.
    - Rebased onto my patchset which renames blk_keyslot_manager to
      blk_crypto_profile.

Eric Biggers (4):
  blk-crypto: add basic hardware-wrapped key support
  blk-crypto: show supported key types in sysfs
  blk-crypto: add ioctls to create and prepare hardware-wrapped keys
  fscrypt: add support for hardware-wrapped keys

 Documentation/ABI/stable/sysfs-block          |  18 ++
 Documentation/block/inline-encryption.rst     | 245 +++++++++++++++++-
 Documentation/filesystems/fscrypt.rst         | 154 +++++++++--
 .../userspace-api/ioctl/ioctl-number.rst      |   4 +-
 block/blk-crypto-fallback.c                   |   5 +-
 block/blk-crypto-internal.h                   |  10 +
 block/blk-crypto-profile.c                    | 103 ++++++++
 block/blk-crypto-sysfs.c                      |  35 +++
 block/blk-crypto.c                            | 194 +++++++++++++-
 block/ioctl.c                                 |   5 +
 drivers/md/dm-table.c                         |   1 +
 drivers/mmc/host/cqhci-crypto.c               |   2 +
 drivers/ufs/core/ufshcd-crypto.c              |   1 +
 fs/crypto/fscrypt_private.h                   |  71 ++++-
 fs/crypto/hkdf.c                              |   4 +-
 fs/crypto/inline_crypt.c                      |  44 +++-
 fs/crypto/keyring.c                           | 122 ++++++---
 fs/crypto/keysetup.c                          |  54 +++-
 fs/crypto/keysetup_v1.c                       |   5 +-
 fs/crypto/policy.c                            |  11 +-
 include/linux/blk-crypto-profile.h            |  73 ++++++
 include/linux/blk-crypto.h                    |  75 +++++-
 include/uapi/linux/blk-crypto.h               |  44 ++++
 include/uapi/linux/fs.h                       |   6 +-
 include/uapi/linux/fscrypt.h                  |   7 +-
 25 files changed, 1193 insertions(+), 100 deletions(-)
 create mode 100644 include/uapi/linux/blk-crypto.h


base-commit: aea6bf908d730b01bd264a8821159db9463c111c
-- 
2.42.0