From: Pankaj Gupta <pankaj.gupta@nxp.com>
To: jarkko@kernel.org, a.fatoum@pengutronix.de, gilad@benyossef.com,
Jason@zx2c4.com, jejb@linux.ibm.com, zohar@linux.ibm.com,
dhowells@redhat.com, sumit.garg@linaro.org, david@sigma-star.at,
michael@walle.cc, john.ernberg@actia.se, jmorris@namei.org,
serge@hallyn.com, herbert@gondor.apana.org.au,
davem@davemloft.net, j.luebbe@pengutronix.de,
ebiggers@kernel.org, richard@nod.at, keyrings@vger.kernel.org,
linux-crypto@vger.kernel.org, linux-integrity@vger.kernel.org,
linux-kernel@vger.kernel.org,
linux-security-module@vger.kernel.org, sahil.malhotra@nxp.com,
kshitiz.varshney@nxp.com, horia.geanta@nxp.com, V.Sethi@nxp.com
Cc: Pankaj Gupta <pankaj.gupta@nxp.com>
Subject: [PATCH v0 0/8] Hardware Bound key added to Trusted Key-Ring
Date: Thu, 6 Oct 2022 18:38:29 +0530 [thread overview]
Message-ID: <20221006130837.17587-1-pankaj.gupta@nxp.com> (raw)
Hardware Bound key(HBK), is never available as a plain key buffer outside of the hardware boundary.
Thus, it is un-usable, even if somehow fetched from kernel memory.
It ensures run-time security.
This patchset establishes a generic bridge between HBK & the kernel's trusted-keyring.
This patchset adds generic support for identifying if the key is HBK.
Note: Copy-paste this text-based block diagram to notepad, for better
clarity.
+---------------+
| |
| keyctl |
| |
+-------+-------+
|
|
+-----------------------+-------------------------+
| trusted keyring |
| +---------------+ |
| +-----------------+ |trusted-key | |
| | |-------->|payload (plain)| |
| | | +---------------+ |
|-->| trusted key | +---------------+ |
| | source as CAAM |-------->| trusted-key | |
| +-----------------+ | payload (HBK)| |
| +-------^-------+ |
+---------------------------------------|---------+
|
|
|
+----------------+ crypt_alloc_tfms +-------|------------------+
| Kernel |<------------------| DM-Crypt |
| Crypto-API | | +---------------------+ |
| |------------------>| |struct crypto_tfm: | |
+----------------+ crypto_tfm(HBK) | |- flag-is_hbk | |
| |- struct-hbk_info, | |
| |is copied from the | |
| |tkp structure | |
| +---------------------+ |
+------------|-------------+
|
|
|crypto_tfm(HBK)
|
+---------------|--------------+
| Hardware crypto driver |
| |
| Processing the incoming |
| key based on the flag |
| - as plain key, if is_hbk = 0|
| - as HBK, if is_hbk = 1 |
+------------------------------+
Major additions done: (in brief)
- Newly added:
-- flag-'is_hbk', and
-- struct hw_bound_key_info hbk_info,
added to the structures - tfm & trusted key payload.
- Enhanced the 'keyctl' command to generate the hardware bound key
as trusted key.
-- at the time of generating the HBK, the values: 'flag - is_hbk'
& structure 'hbk_info', in the trusted key payload, is set by
the hw driver, generating or loading the key in the trusted
key-ring.
- Applications like dm-crypt,
-- first fetch the key from trusted key-ring. As part of doing this,
application retains the values of: 'flag - is_hbk' & structure 'hbk_info'.
-- to use kernel crypto api, after allocating the transformation,
application sets the 'flag - is_hbk' & structure 'hbk_info',
to the tfm allocated from crypto_alloc_tfm().
- Newly added information to tfm, helps to influence the core processing logic
for the encapsulated algorithm.
First implementation is based on CAAM.
NXP built CAAM IP is the Cryptographic Acceleration and Assurance Module.
This is contain by the i.MX and QorIQ SoCs by NXP.
CAAM is a suitable backend (source) for kernel trusted keys.
This backend source can be used for run-time security as well by generating the hardware bound key.
Along with plain key, the CAAM generates black key. A black key is an encrypted key, which can only be decrypted inside CAAM.
Hence, CAAM's black key can only be used by CAAM. Thus it is declared as a hardware bound key.
Pankaj Gupta (8):
hw-bound-key: introducing the generic structure
keys-trusted: new cmd line option added
crypto: hbk flags & info added to the tfm
sk_cipher: checking for hw bound operation
keys-trusted: re-factored caam based trusted key
KEYS: trusted: caam based black key
caam alg: symmetric key ciphers are updated
dm-crypt: consumer-app setting the flag-is_hbk
crypto/skcipher.c | 3 +-
drivers/crypto/caam/blob_gen.c | 221 ++++++++++++++++++++--
drivers/crypto/caam/caamalg.c | 43 ++++-
drivers/crypto/caam/caamalg_desc.c | 8 +-
drivers/crypto/caam/desc.h | 8 +-
drivers/crypto/caam/desc_constr.h | 6 +-
drivers/md/dm-crypt.c | 12 +-
include/keys/trusted-type.h | 4 +
include/linux/crypto.h | 5 +
include/linux/hw_bound_key.h | 27 +++
include/soc/fsl/caam-blob.h | 38 ++--
security/keys/trusted-keys/trusted_caam.c | 8 +
security/keys/trusted-keys/trusted_core.c | 16 ++
13 files changed, 356 insertions(+), 43 deletions(-)
create mode 100644 include/linux/hw_bound_key.h
--
2.17.1
next reply other threads:[~2022-10-06 12:02 UTC|newest]
Thread overview: 31+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-10-06 13:08 Pankaj Gupta [this message]
2022-10-06 13:08 ` [PATCH v0 1/8] hw-bound-key: introducing the generic structure Pankaj Gupta
2022-10-12 8:52 ` Jarkko Sakkinen
2022-10-12 8:53 ` Jarkko Sakkinen
2022-10-06 13:08 ` [PATCH v0 2/8] keys-trusted: new cmd line option added Pankaj Gupta
2022-10-06 12:37 ` Ben Boeckel
2022-10-06 13:08 ` [PATCH v0 3/8] crypto: hbk flags & info added to the tfm Pankaj Gupta
2022-10-07 6:58 ` Herbert Xu
2022-10-10 11:15 ` [EXT] " Pankaj Gupta
2022-10-10 15:15 ` Jason A. Donenfeld
2022-10-10 21:35 ` [EXT] " David Gstir
2022-10-11 9:03 ` [EXT] " Herbert Xu
2022-10-11 11:32 ` Pankaj Gupta
2022-10-11 20:01 ` Jason A. Donenfeld
2022-10-12 9:06 ` Herbert Xu
2022-10-14 19:19 ` Jason Gunthorpe
2022-10-20 4:26 ` Eric Biggers
2022-10-20 19:23 ` Jason Gunthorpe
2022-10-20 21:28 ` Eric Biggers
2022-10-20 23:42 ` Jason Gunthorpe
2022-10-11 11:05 ` Pankaj Gupta
2022-10-12 8:57 ` Jarkko Sakkinen
2022-10-06 13:08 ` [PATCH v0 4/8] sk_cipher: checking for hw bound operation Pankaj Gupta
2022-10-12 8:59 ` Jarkko Sakkinen
2022-10-06 13:08 ` [PATCH v0 5/8] keys-trusted: re-factored caam based trusted key Pankaj Gupta
2022-10-06 13:08 ` [PATCH v0 6/8] KEYS: trusted: caam based black key Pankaj Gupta
2022-10-06 12:42 ` Ben Boeckel
2022-10-06 12:52 ` James Bottomley
2022-10-06 13:08 ` [PATCH v0 7/8] caam alg: symmetric key ciphers are updated Pankaj Gupta
2022-10-12 9:01 ` Jarkko Sakkinen
2022-10-06 13:08 ` [PATCH v0 8/8] dm-crypt: consumer-app setting the flag-is_hbk Pankaj Gupta
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20221006130837.17587-1-pankaj.gupta@nxp.com \
--to=pankaj.gupta@nxp.com \
--cc=Jason@zx2c4.com \
--cc=V.Sethi@nxp.com \
--cc=a.fatoum@pengutronix.de \
--cc=davem@davemloft.net \
--cc=david@sigma-star.at \
--cc=dhowells@redhat.com \
--cc=ebiggers@kernel.org \
--cc=gilad@benyossef.com \
--cc=herbert@gondor.apana.org.au \
--cc=horia.geanta@nxp.com \
--cc=j.luebbe@pengutronix.de \
--cc=jarkko@kernel.org \
--cc=jejb@linux.ibm.com \
--cc=jmorris@namei.org \
--cc=john.ernberg@actia.se \
--cc=keyrings@vger.kernel.org \
--cc=kshitiz.varshney@nxp.com \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=michael@walle.cc \
--cc=richard@nod.at \
--cc=sahil.malhotra@nxp.com \
--cc=serge@hallyn.com \
--cc=sumit.garg@linaro.org \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).