From: Pankaj Gupta <pankaj.gupta@nxp.com>
To: gaurav.jain@nxp.com, sahil.malhotra@nxp.com,
kshitiz.varshney@nxp.com, horia.geanta@nxp.com,
linux-kernel@vger.kernel.org, V.Sethi@nxp.com
Cc: Pankaj Gupta <pankaj.gupta@nxp.com>
Subject: [RFC PATCH HBK: 0/8] HW BOUND KEY as TRUSTED KEY
Date: Mon, 5 Sep 2022 20:06:23 +0530 [thread overview]
Message-ID: <20220905143631.2832-1-pankaj.gupta@nxp.com> (raw)
Hardware Bound key(HBK), is never acessible as plain key outside of the
hardware boundary. Thus, it is un-usable, even if somehow fetched
from kernel memory. It ensures run-time security.
This patchset adds generic support for classing the Hardware Bound Key,
based on:
- Newly added flag-'is_hbk', added to the tfm.
Consumer of the kernel crypto api, after allocating
the transformation, sets this flag based on the basis
of the type of key consumer has.
- This helps to influence the core processing logic
for the encapsulated algorithm.
- This flag is set by the consumer after allocating
the tfm and before calling the function crypto_xxx_setkey().
First implementation is based on CAAM.
NXP built CAAM IP is the Cryptographic Acceleration and Assurance Module.
This is contain by the i.MX and QorIQ SoCs by NXP.
CAAM is a suitable backend (source) for kernel trusted keys.
This backend source can be used for run-time security as well
by generating the hardware bound key.
Along with plain key, the CAAM generates black key. A black key is an
encrypted key, which can only be decrypted inside CAAM. Hence, CAAM's
black key can only be used by CAAM. Thus it is declared as a hardware bound key.
Pankaj Gupta (8):
keys-trusted: new cmd line option added
hw-bound-key: flag-is_hbk added to the tfm
sk_cipher: checking for hw bound operation
keys-trusted: re-factored caam based trusted key
caam blob-gen: moving blob_priv to caam_drv_private
KEYS: trusted: caam based black key
caam alg: symmetric key ciphers are updated
dm-crypt: consumer-app setting the flag-is_hbk
crypto/skcipher.c | 3 +-
drivers/crypto/caam/blob_gen.c | 242 ++++++++++++++++++++--
drivers/crypto/caam/caamalg.c | 37 +++-
drivers/crypto/caam/caamalg_desc.c | 8 +-
drivers/crypto/caam/desc.h | 8 +-
drivers/crypto/caam/desc_constr.h | 6 +-
drivers/crypto/caam/intern.h | 6 +-
drivers/md/dm-crypt.c | 6 +-
include/keys/trusted-type.h | 2 +
include/linux/crypto.h | 2 +
include/soc/fsl/caam-blob.h | 44 ++--
security/keys/trusted-keys/trusted_caam.c | 6 +
security/keys/trusted-keys/trusted_core.c | 14 ++
13 files changed, 333 insertions(+), 51 deletions(-)
--
2.17.1
next reply other threads:[~2022-09-05 13:35 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-09-05 14:36 Pankaj Gupta [this message]
2022-09-05 14:36 ` [RFC PATCH HBK: 1/8] keys-trusted: new cmd line option added Pankaj Gupta
2022-09-05 14:36 ` [RFC PATCH HBK: 2/8] hw-bound-key: flag-is_hbk added to the tfm Pankaj Gupta
2022-09-05 14:36 ` [RFC PATCH HBK: 3/8] sk_cipher: checking for hw bound operation Pankaj Gupta
2022-09-05 14:36 ` [RFC PATCH HBK: 4/8] keys-trusted: re-factored caam based trusted key Pankaj Gupta
2022-09-05 14:36 ` [RFC PATCH HBK: 5/8] caam blob-gen: moving blob_priv to caam_drv_private Pankaj Gupta
2022-09-05 14:36 ` [RFC PATCH HBK: 6/8] KEYS: trusted: caam based black key Pankaj Gupta
2022-09-05 14:36 ` [RFC PATCH HBK: 7/8] caam alg: symmetric key ciphers are updated Pankaj Gupta
2022-09-05 14:36 ` [RFC PATCH HBK: 8/8] dm-crypt: consumer-app setting the flag-is_hbk Pankaj Gupta
2022-09-06 6:51 [RFC PATCH HBK: 0/8] HW BOUND KEY as TRUSTED KEY Pankaj Gupta
2022-09-06 7:12 ` Michael Walle
2022-09-06 8:58 ` Jarkko Sakkinen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220905143631.2832-1-pankaj.gupta@nxp.com \
--to=pankaj.gupta@nxp.com \
--cc=V.Sethi@nxp.com \
--cc=gaurav.jain@nxp.com \
--cc=horia.geanta@nxp.com \
--cc=kshitiz.varshney@nxp.com \
--cc=linux-kernel@vger.kernel.org \
--cc=sahil.malhotra@nxp.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).