lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Wed, 21 Sep 2022 11:07:07 +0000
From:   Varun Sethi <V.Sethi@....com>
To:     Herbert Xu <herbert@...dor.apana.org.au>
CC:     Pankaj Gupta <pankaj.gupta@....com>,
        "jarkko@...nel.org" <jarkko@...nel.org>,
        "a.fatoum@...gutronix.de" <a.fatoum@...gutronix.de>,
        "Jason@...c4.com" <Jason@...c4.com>,
        "jejb@...ux.ibm.com" <jejb@...ux.ibm.com>,
        "zohar@...ux.ibm.com" <zohar@...ux.ibm.com>,
        "dhowells@...hat.com" <dhowells@...hat.com>,
        "sumit.garg@...aro.org" <sumit.garg@...aro.org>,
        "david@...ma-star.at" <david@...ma-star.at>,
        "michael@...le.cc" <michael@...le.cc>,
        "john.ernberg@...ia.se" <john.ernberg@...ia.se>,
        "jmorris@...ei.org" <jmorris@...ei.org>,
        "serge@...lyn.com" <serge@...lyn.com>,
        "davem@...emloft.net" <davem@...emloft.net>,
        "j.luebbe@...gutronix.de" <j.luebbe@...gutronix.de>,
        "ebiggers@...nel.org" <ebiggers@...nel.org>,
        "richard@....at" <richard@....at>,
        "keyrings@...r.kernel.org" <keyrings@...r.kernel.org>,
        "linux-crypto@...r.kernel.org" <linux-crypto@...r.kernel.org>,
        "linux-integrity@...r.kernel.org" <linux-integrity@...r.kernel.org>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        "linux-security-module@...r.kernel.org" 
        <linux-security-module@...r.kernel.org>,
        Sahil Malhotra <sahil.malhotra@....com>,
        Kshitiz Varshney <kshitiz.varshney@....com>,
        Horia Geanta <horia.geanta@....com>
Subject: RE: [EXT] Re: [RFC PATCH HBK: 2/8] hw-bound-key: flag-is_hbk added to
 the tfm

Hi Herbert,
Please find comments inline.



Regards
Varun

> -----Original Message-----
> From: Herbert Xu <herbert@...dor.apana.org.au>
> Sent: Tuesday, September 13, 2022 3:59 PM
> To: Varun Sethi <V.Sethi@....com>
> Cc: Pankaj Gupta <pankaj.gupta@....com>; jarkko@...nel.org;
> a.fatoum@...gutronix.de; Jason@...c4.com; jejb@...ux.ibm.com;
> zohar@...ux.ibm.com; dhowells@...hat.com; sumit.garg@...aro.org;
> david@...ma-star.at; michael@...le.cc; john.ernberg@...ia.se;
> jmorris@...ei.org; serge@...lyn.com; davem@...emloft.net;
> j.luebbe@...gutronix.de; ebiggers@...nel.org; richard@....at;
> keyrings@...r.kernel.org; linux-crypto@...r.kernel.org; linux-
> integrity@...r.kernel.org; linux-kernel@...r.kernel.org; linux-security-
> module@...r.kernel.org; Sahil Malhotra <sahil.malhotra@....com>; Kshitiz
> Varshney <kshitiz.varshney@....com>; Horia Geanta <horia.geanta@....com>
> Subject: Re: [EXT] Re: [RFC PATCH HBK: 2/8] hw-bound-key: flag-is_hbk added
> to the tfm
> 
> Caution: EXT Email
> 
> On Tue, Sep 13, 2022 at 10:01:13AM +0000, Varun Sethi wrote:
> >
> > [Varun] The proposed patchset makes things more scalable. With the
> hardware backed key flag, there's no need for the security co-processor driver
> to register separate set of algorithms. This makes things simpler and more
> scalable for the consumers (OpenSSL, AF_ALG, KTLS etc), as they can continue to
> use standard set of algorithms and leave the key specific complexity to the
> driver.
> 
> Users already need to specify which driver they are going to use in order to
> actually access the hardware keys instead of getting a software implementation
> of the same algorithm.
> 
> So I don't see what extra burdens are placed on them by the current regime.
[Varun] Problem with the current approach is that it's completely disconnected from the kernel keyrings. We are using the trusted key rings for storing the hardware backed keys. Now, for the hardware backed keys we can still continue to use the existing generic algorithms exposed by the crypto drivers. With our approach the driver can distinguish between a hardware backed key and a plain key, thus perform the relevant operation. 

As a part of our patchset we are also proposing modifications to the trusted keys, in order to store additional meta data associated with the key.  

> 
> Cheers,
> --
> Email: Herbert Xu <herbert@...dor.apana.org.au> Home Page:
> https://eur01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fgondor.ap
> ana.org.au%2F~herbert%2F&amp;data=05%7C01%7CV.Sethi%40nxp.com%7C9
> df35ead51ad4143067e08da9572d5d5%7C686ea1d3bc2b4c6fa92cd99c5c301635
> %7C0%7C0%7C637986617695149505%7CUnknown%7CTWFpbGZsb3d8eyJWIjoi
> MC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000
> %7C%7C%7C&amp;sdata=t5RXelrFDZZ7GdMyZeLcSR2hRN6O0Hs8uI2MpIwhCms
> %3D&amp;reserved=0
> PGP Key:
> https://eur01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fgondor.ap
> ana.org.au%2F~herbert%2Fpubkey.txt&amp;data=05%7C01%7CV.Sethi%40nxp.
> com%7C9df35ead51ad4143067e08da9572d5d5%7C686ea1d3bc2b4c6fa92cd99
> c5c301635%7C0%7C0%7C637986617695149505%7CUnknown%7CTWFpbGZsb3
> d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3
> D%7C3000%7C%7C%7C&amp;sdata=V7NXYx5pYPjte6jlw1gpYCBPftJBZGpHBN44
> e3pD0ps%3D&amp;reserved=0

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ