lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Mon, 10 Oct 2022 11:15:00 +0000
From:   Pankaj Gupta <pankaj.gupta@....com>
To:     'Herbert Xu' <herbert@...dor.apana.org.au>
CC:     "jarkko@...nel.org" <jarkko@...nel.org>,
        "a.fatoum@...gutronix.de" <a.fatoum@...gutronix.de>,
        "gilad@...yossef.com" <gilad@...yossef.com>,
        "Jason@...c4.com" <Jason@...c4.com>,
        "jejb@...ux.ibm.com" <jejb@...ux.ibm.com>,
        "zohar@...ux.ibm.com" <zohar@...ux.ibm.com>,
        "dhowells@...hat.com" <dhowells@...hat.com>,
        "sumit.garg@...aro.org" <sumit.garg@...aro.org>,
        "david@...ma-star.at" <david@...ma-star.at>,
        "michael@...le.cc" <michael@...le.cc>,
        "john.ernberg@...ia.se" <john.ernberg@...ia.se>,
        "jmorris@...ei.org" <jmorris@...ei.org>,
        "serge@...lyn.com" <serge@...lyn.com>,
        "davem@...emloft.net" <davem@...emloft.net>,
        "j.luebbe@...gutronix.de" <j.luebbe@...gutronix.de>,
        "ebiggers@...nel.org" <ebiggers@...nel.org>,
        "richard@....at" <richard@....at>,
        "keyrings@...r.kernel.org" <keyrings@...r.kernel.org>,
        "linux-crypto@...r.kernel.org" <linux-crypto@...r.kernel.org>,
        "linux-integrity@...r.kernel.org" <linux-integrity@...r.kernel.org>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        "linux-security-module@...r.kernel.org" 
        <linux-security-module@...r.kernel.org>,
        Sahil Malhotra <sahil.malhotra@....com>,
        Kshitiz Varshney <kshitiz.varshney@....com>,
        Horia Geanta <horia.geanta@....com>,
        Varun Sethi <V.Sethi@....com>
Subject: RE: [EXT] Re: [PATCH v0 3/8] crypto: hbk flags & info added to the
 tfm



> -----Original Message-----
> From: Herbert Xu <herbert@...dor.apana.org.au>
> Sent: Friday, October 7, 2022 12:28 PM
> To: Pankaj Gupta <pankaj.gupta@....com>
> Cc: jarkko@...nel.org; a.fatoum@...gutronix.de; gilad@...yossef.com;
> Jason@...c4.com; jejb@...ux.ibm.com; zohar@...ux.ibm.com;
> dhowells@...hat.com; sumit.garg@...aro.org; david@...ma-star.at;
> michael@...le.cc; john.ernberg@...ia.se; jmorris@...ei.org;
> serge@...lyn.com; davem@...emloft.net; j.luebbe@...gutronix.de;
> ebiggers@...nel.org; richard@....at; keyrings@...r.kernel.org; linux-
> crypto@...r.kernel.org; linux-integrity@...r.kernel.org; linux-
> kernel@...r.kernel.org; linux-security-module@...r.kernel.org; Sahil Malhotra
> <sahil.malhotra@....com>; Kshitiz Varshney <kshitiz.varshney@....com>;
> Horia Geanta <horia.geanta@....com>; Varun Sethi <V.Sethi@....com>
> Subject: [EXT] Re: [PATCH v0 3/8] crypto: hbk flags & info added to the tfm
> 
> Caution: EXT Email
> 
> On Thu, Oct 06, 2022 at 06:38:32PM +0530, Pankaj Gupta wrote:
> > Consumer of the kernel crypto api, after allocating the transformation
> > (tfm), sets the:
> > - flag 'is_hbk'
> > - structure 'struct hw_bound_key_info hbk_info'
> > based on the type of key, the consumer is using.
> >
> > This helps:
> >
> > - This helps to influence the core processing logic
> >   for the encapsulated algorithm.
> > - This flag is set by the consumer after allocating
> >   the tfm and before calling the function crypto_xxx_setkey().
> >
> > Signed-off-by: Pankaj Gupta <pankaj.gupta@....com>
> > ---
> >  include/linux/crypto.h | 5 +++++
> >  1 file changed, 5 insertions(+)
> 
> Nack.  You still have not provided a convincing argument why this is necessary
> since there are plenty of existing drivers in the kernel already providing similar
> features.
> 
CAAM is used as a trusted source for trusted keyring. CAAM can expose these keys either as plain key or HBK(hardware bound key- managed by the hardware only and never visible in plain outside of hardware).

Thus, Keys that are inside CAAM-backed-trusted-keyring, can either be plain key or HBK. So the trusted-key-payload requires additional flag & info(key-encryption-protocol)  to help differentiate it from each other. Now when CAAM trusted-key is presented to the kernel crypto framework, the additional information associated with the key, needs to be passed to the hardware driver. Currently the kernel keyring and kernel crypto frameworks are associated for plain key, but completely dis-associated for HBK. This patch addresses this problem.

Similar capabilities (trusted source), are there in other crypto accelerators on NXP SoC(s). Having hardware specific crypto algorithm name, does not seems to be a scalable solution.

> Cheers,
> --
> Email: Herbert Xu <herbert@...dor.apana.org.au> Home Page:
> https://eur01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fgondor.ap
> ana.org.au%2F~herbert%2F&amp;data=05%7C01%7Cpankaj.gupta%40nxp.com
> %7C33055110772a4d4bb97508daa8317e93%7C686ea1d3bc2b4c6fa92cd99c5c3
> 01635%7C0%7C0%7C638007227793511347%7CUnknown%7CTWFpbGZsb3d8ey
> JWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C
> 3000%7C%7C%7C&amp;sdata=H0fzzxQhsV%2FyPphBAHBDmzQfTFnjDE7jYstTM
> ok%2F09I%3D&amp;reserved=0
> PGP Key:
> https://eur01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fgondor.ap
> ana.org.au%2F~herbert%2Fpubkey.txt&amp;data=05%7C01%7Cpankaj.gupta%4
> 0nxp.com%7C33055110772a4d4bb97508daa8317e93%7C686ea1d3bc2b4c6fa9
> 2cd99c5c301635%7C0%7C0%7C638007227793667554%7CUnknown%7CTWFpb
> GZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6M
> n0%3D%7C3000%7C%7C%7C&amp;sdata=SclJ9G7jBWhOW%2Fm3Gt0jP1oicqVp
> 5ghH%2BDT8Vd5maag%3D&amp;reserved=0

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ