| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 6 Feb 2024 00:15:28 +0530
From: Om Prakash Singh <quic_omprsing@...cinc.com>
To: Gaurav Kashyap <quic_gaurkash@...cinc.com>,
<linux-arm-msm@...r.kernel.org>, <linux-scsi@...r.kernel.org>,
<andersson@...nel.org>, <ebiggers@...gle.com>,
<neil.armstrong@...aro.org>, <srinivas.kandagatla@...aro.org>,
<krzysztof.kozlowski+dt@...aro.org>, <conor+dt@...nel.org>,
<robh+dt@...nel.org>
CC: <linux-kernel@...r.kernel.org>, <linux-mmc@...r.kernel.org>,
<kernel@...cinc.com>, <linux-crypto@...r.kernel.org>,
<devicetree@...r.kernel.org>, <quic_nguyenb@...cinc.com>,
<bartosz.golaszewski@...aro.org>, <konrad.dybcio@...aro.org>,
<ulf.hansson@...aro.org>, <jejb@...ux.ibm.com>,
<martin.petersen@...cle.com>, <mani@...nel.org>, <davem@...emloft.net>,
<herbert@...dor.apana.org.au>
Subject: Re: [PATCH v4 06/15] soc: qcom: ice: support for generate, import and
prepare key
On 1/28/2024 4:44 AM, Gaurav Kashyap wrote:
> Wrapped key creation and management using HWKM is currently
> supported only through Qualcomm's Trustzone.
> Three new SCM calls have already been added in the scm layer
> for this purpose.
>
> This patch adds support for generate, prepare and import key
> apis in ICE module and hooks it up the scm calls defined for them.
> This will eventually plug into the new IOCTLS added for this
> usecase in the block layer.
>
> Signed-off-by: Gaurav Kashyap <quic_gaurkash@...cinc.com>
> Tested-by: Neil Armstrong <neil.armstrong@...aro.org>
> ---
> drivers/soc/qcom/ice.c | 66 ++++++++++++++++++++++++++++++++++++++++++
> include/soc/qcom/ice.h | 8 +++++
> 2 files changed, 74 insertions(+)
>
> diff --git a/drivers/soc/qcom/ice.c b/drivers/soc/qcom/ice.c
> index c3b852269dca..93654ae704bf 100644
> --- a/drivers/soc/qcom/ice.c
> +++ b/drivers/soc/qcom/ice.c
> @@ -21,6 +21,13 @@
>
> #define AES_256_XTS_KEY_SIZE 64
>
> +/*
> + * Wrapped key sizes that HWKM expects and manages is different for different
> + * versions of the hardware.
> + */
> +#define QCOM_ICE_HWKM_WRAPPED_KEY_SIZE(v) \
> + ((v) == 1 ? 68 : 100)
> +
> /* QCOM ICE registers */
> #define QCOM_ICE_REG_VERSION 0x0008
> #define QCOM_ICE_REG_FUSE_SETTING 0x0010
> @@ -420,6 +427,65 @@ int qcom_ice_derive_sw_secret(struct qcom_ice *ice, const u8 wkey[],
> }
> EXPORT_SYMBOL_GPL(qcom_ice_derive_sw_secret);
>
> +/**
> + * qcom_ice_generate_key() - Generate a wrapped key for inline encryption
> + * @lt_key: longterm wrapped key that is generated, which is
> + * BLK_CRYPTO_MAX_HW_WRAPPED_KEY_SIZE in size.
> + *
> + * Make a scm call into trustzone to generate a wrapped key for storage
> + * encryption using hwkm.
> + *
> + * Return: lt wrapped key size on success; err on failure.
> + */
you might consider to change return value based on comment on patch 3/15.
> +int qcom_ice_generate_key(struct qcom_ice *ice,
> + u8 lt_key[BLK_CRYPTO_MAX_HW_WRAPPED_KEY_SIZE])
> +{
> + return qcom_scm_generate_ice_key(lt_key,
> + QCOM_ICE_HWKM_WRAPPED_KEY_SIZE(ice->hwkm_version));
> +}
> +EXPORT_SYMBOL_GPL(qcom_ice_generate_key);
> +
> +/**
> + * qcom_ice_prepare_key() - Prepare a longterm wrapped key for inline encryption
> + * @lt_key: longterm wrapped key that is generated or imported.
> + * @lt_key_size: size of the longterm wrapped_key
> + * @eph_key: wrapped key returned which has been wrapped with a per-boot ephemeral key,
> + * size of which is BLK_CRYPTO_MAX_HW_WRAPPED_KEY_SIZE in size.
> + *
> + * Make a scm call into trustzone to prepare a wrapped key for storage
> + * encryption by rewrapping the longterm wrapped key with a per boot ephemeral
> + * key using hwkm.
> + *
> + * Return: eph wrapped key size on success; err on failure.
> + */
> +int qcom_ice_prepare_key(struct qcom_ice *ice, const u8 *lt_key, size_t lt_key_size,
> + u8 eph_key[BLK_CRYPTO_MAX_HW_WRAPPED_KEY_SIZE])
> +{
> + return qcom_scm_prepare_ice_key(lt_key, lt_key_size, eph_key,
> + QCOM_ICE_HWKM_WRAPPED_KEY_SIZE(ice->hwkm_version));
> +}
> +EXPORT_SYMBOL_GPL(qcom_ice_prepare_key);
> +
> +/**
> + * qcom_ice_import_key() - Import a raw key for inline encryption
> + * @imp_key: raw key that has to be imported
> + * @imp_key_size: size of the imported key
> + * @lt_key: longterm wrapped key that is imported, which is
> + * BLK_CRYPTO_MAX_HW_WRAPPED_KEY_SIZE in size.
> + *
> + * Make a scm call into trustzone to import a raw key for storage encryption
> + * and generate a longterm wrapped key using hwkm.
> + *
> + * Return: lt wrapped key size on success; err on failure.
> + */
> +int qcom_ice_import_key(struct qcom_ice *ice, const u8 *imp_key, size_t imp_key_size,
> + u8 lt_key[BLK_CRYPTO_MAX_HW_WRAPPED_KEY_SIZE])
> +{
> + return qcom_scm_import_ice_key(imp_key, imp_key_size, lt_key,
> + QCOM_ICE_HWKM_WRAPPED_KEY_SIZE(ice->hwkm_version));
> +}
> +EXPORT_SYMBOL_GPL(qcom_ice_import_key);
> +
> static struct qcom_ice *qcom_ice_create(struct device *dev,
> void __iomem *base)
> {
> diff --git a/include/soc/qcom/ice.h b/include/soc/qcom/ice.h
> index dabe0d3a1fd0..dcf277d196ff 100644
> --- a/include/soc/qcom/ice.h
> +++ b/include/soc/qcom/ice.h
> @@ -39,5 +39,13 @@ bool qcom_ice_hwkm_supported(struct qcom_ice *ice);
> int qcom_ice_derive_sw_secret(struct qcom_ice *ice, const u8 wkey[],
> unsigned int wkey_size,
> u8 sw_secret[BLK_CRYPTO_SW_SECRET_SIZE]);
> +int qcom_ice_generate_key(struct qcom_ice *ice,
> + u8 lt_key[BLK_CRYPTO_MAX_HW_WRAPPED_KEY_SIZE]);
> +int qcom_ice_prepare_key(struct qcom_ice *ice,
> + const u8 *lt_key, size_t lt_key_size,
> + u8 eph_key[BLK_CRYPTO_MAX_HW_WRAPPED_KEY_SIZE]);
> +int qcom_ice_import_key(struct qcom_ice *ice,
> + const u8 *imp_key, size_t imp_key_size,
> + u8 lt_key[BLK_CRYPTO_MAX_HW_WRAPPED_KEY_SIZE]);
> struct qcom_ice *of_qcom_ice_get(struct device *dev);
> #endif /* __QCOM_ICE_H__ */
Powered by blists - more mailing lists