From: Pankaj Gupta <pankaj.gupta@nxp.com>
To: gaurav.jain@nxp.com, sahil.malhotra@nxp.com,
kshitiz.varshney@nxp.com, horia.geanta@nxp.com,
linux-kernel@vger.kernel.org, V.Sethi@nxp.com
Cc: Pankaj Gupta <pankaj.gupta@nxp.com>
Subject: [RFC PATCH HBK: 1/8] keys-trusted: new cmd line option added
Date: Mon, 5 Sep 2022 20:06:24 +0530 [thread overview]
Message-ID: <20220905143631.2832-2-pankaj.gupta@nxp.com> (raw)
In-Reply-To: <20220905143631.2832-1-pankaj.gupta@nxp.com>
Two changes are done:
- new cmd line option "hw" needs to be suffix, to generate the
hw bound key.
for ex:
$:> keyctl add trusted <KEYNAME> 'new 32 hw' @s
$:> keyctl add trusted <KEYNAME> 'load $(cat <KEY_BLOB_FILE_NAME>) hw' @s
- For "new", generating the hw bounded trusted key, updating the input key
length as part of seal operation as well.
Signed-off-by: Pankaj Gupta <pankaj.gupta@nxp.com>
---
include/keys/trusted-type.h | 2 ++
security/keys/trusted-keys/trusted_caam.c | 6 ++++++
security/keys/trusted-keys/trusted_core.c | 14 ++++++++++++++
3 files changed, 22 insertions(+)
diff --git a/include/keys/trusted-type.h b/include/keys/trusted-type.h
index 4eb64548a74f..064266b936c7 100644
--- a/include/keys/trusted-type.h
+++ b/include/keys/trusted-type.h
@@ -22,6 +22,7 @@
#define MAX_BLOB_SIZE 512
#define MAX_PCRINFO_SIZE 64
#define MAX_DIGEST_SIZE 64
+#define HW_BOUND_KEY 1
struct trusted_key_payload {
struct rcu_head rcu;
@@ -29,6 +30,7 @@ struct trusted_key_payload {
unsigned int blob_len;
unsigned char migratable;
unsigned char old_format;
+ unsigned char is_hw_bound;
unsigned char key[MAX_KEY_SIZE + 1];
unsigned char blob[MAX_BLOB_SIZE];
};
diff --git a/security/keys/trusted-keys/trusted_caam.c b/security/keys/trusted-keys/trusted_caam.c
index e3415c520c0a..fceb9a271c4d 100644
--- a/security/keys/trusted-keys/trusted_caam.c
+++ b/security/keys/trusted-keys/trusted_caam.c
@@ -1,6 +1,7 @@
// SPDX-License-Identifier: GPL-2.0-only
/*
* Copyright (C) 2021 Pengutronix, Ahmad Fatoum <kernel@pengutronix.de>
+ * Copyright 2022 NXP, Pankaj Gupta <pankaj.gupta@nxp.com>
*/
#include <keys/trusted_caam.h>
@@ -23,6 +24,7 @@ static int trusted_caam_seal(struct trusted_key_payload *p, char *datablob)
.input = p->key, .input_len = p->key_len,
.output = p->blob, .output_len = MAX_BLOB_SIZE,
.key_mod = KEYMOD, .key_mod_len = sizeof(KEYMOD) - 1,
+ .is_hw_bound = p->is_hw_bound,
};
ret = caam_encap_blob(blobifier, &info);
@@ -30,6 +32,9 @@ static int trusted_caam_seal(struct trusted_key_payload *p, char *datablob)
return ret;
p->blob_len = info.output_len;
+ if (p->is_hw_bound)
+ p->key_len = info.input_len;
+
return 0;
}
@@ -40,6 +45,7 @@ static int trusted_caam_unseal(struct trusted_key_payload *p, char *datablob)
.input = p->blob, .input_len = p->blob_len,
.output = p->key, .output_len = MAX_KEY_SIZE,
.key_mod = KEYMOD, .key_mod_len = sizeof(KEYMOD) - 1,
+ .is_hw_bound = p->is_hw_bound,
};
ret = caam_decap_blob(blobifier, &info);
diff --git a/security/keys/trusted-keys/trusted_core.c b/security/keys/trusted-keys/trusted_core.c
index c6fc50d67214..7f7cc2551b92 100644
--- a/security/keys/trusted-keys/trusted_core.c
+++ b/security/keys/trusted-keys/trusted_core.c
@@ -79,6 +79,8 @@ static int datablob_parse(char **datablob, struct trusted_key_payload *p)
int key_cmd;
char *c;
+ p->is_hw_bound = !HW_BOUND_KEY;
+
/* main command */
c = strsep(datablob, " \t");
if (!c)
@@ -94,6 +96,12 @@ static int datablob_parse(char **datablob, struct trusted_key_payload *p)
if (ret < 0 || keylen < MIN_KEY_SIZE || keylen > MAX_KEY_SIZE)
return -EINVAL;
p->key_len = keylen;
+ /* second argument is to determine if tied to HW */
+ c = strsep(datablob, " \t");
+ if (c) {
+ if (strcmp(c, "hw") == 0)
+ p->is_hw_bound = HW_BOUND_KEY;
+ }
ret = Opt_new;
break;
case Opt_load:
@@ -107,6 +115,12 @@ static int datablob_parse(char **datablob, struct trusted_key_payload *p)
ret = hex2bin(p->blob, c, p->blob_len);
if (ret < 0)
return -EINVAL;
+ /* second argument is to determine if tied to HW */
+ c = strsep(datablob, " \t");
+ if (c) {
+ if (strcmp(c, "hw") == 0)
+ p->is_hw_bound = HW_BOUND_KEY;
+ }
ret = Opt_load;
break;
case Opt_update:
--
2.17.1
next prev parent reply other threads:[~2022-09-05 13:35 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-09-05 14:36 [RFC PATCH HBK: 0/8] HW BOUND KEY as TRUSTED KEY Pankaj Gupta
2022-09-05 14:36 ` Pankaj Gupta [this message]
2022-09-05 14:36 ` [RFC PATCH HBK: 2/8] hw-bound-key: flag-is_hbk added to the tfm Pankaj Gupta
2022-09-05 14:36 ` [RFC PATCH HBK: 3/8] sk_cipher: checking for hw bound operation Pankaj Gupta
2022-09-05 14:36 ` [RFC PATCH HBK: 4/8] keys-trusted: re-factored caam based trusted key Pankaj Gupta
2022-09-05 14:36 ` [RFC PATCH HBK: 5/8] caam blob-gen: moving blob_priv to caam_drv_private Pankaj Gupta
2022-09-05 14:36 ` [RFC PATCH HBK: 6/8] KEYS: trusted: caam based black key Pankaj Gupta
2022-09-05 14:36 ` [RFC PATCH HBK: 7/8] caam alg: symmetric key ciphers are updated Pankaj Gupta
2022-09-05 14:36 ` [RFC PATCH HBK: 8/8] dm-crypt: consumer-app setting the flag-is_hbk Pankaj Gupta
2022-09-06 6:51 [RFC PATCH HBK: 0/8] HW BOUND KEY as TRUSTED KEY Pankaj Gupta
2022-09-06 6:51 ` [RFC PATCH HBK: 1/8] keys-trusted: new cmd line option added Pankaj Gupta
2022-09-06 13:01 ` Ben Boeckel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220905143631.2832-2-pankaj.gupta@nxp.com \
--to=pankaj.gupta@nxp.com \
--cc=V.Sethi@nxp.com \
--cc=gaurav.jain@nxp.com \
--cc=horia.geanta@nxp.com \
--cc=kshitiz.varshney@nxp.com \
--cc=linux-kernel@vger.kernel.org \
--cc=sahil.malhotra@nxp.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).