lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID:
 <DB6PR04MB319062F2A19A250BA22C12D48F1A2@DB6PR04MB3190.eurprd04.prod.outlook.com>
Date: Tue, 30 Apr 2024 11:48:38 +0000
From: Kshitiz Varshney <kshitiz.varshney@....com>
To: David Gstir <david@...ma-star.at>
CC: Jarkko Sakkinen <jarkko@...nel.org>, Mimi Zohar <zohar@...ux.ibm.com>,
	James Bottomley <jejb@...ux.ibm.com>, Herbert Xu
	<herbert@...dor.apana.org.au>, "David S. Miller" <davem@...emloft.net>, Shawn
 Guo <shawnguo@...nel.org>, Jonathan Corbet <corbet@....net>, Sascha Hauer
	<s.hauer@...gutronix.de>, "kernel@...gutronix.de" <kernel@...gutronix.de>,
	Fabio Estevam <festevam@...il.com>, dl-linux-imx <linux-imx@....com>, Ahmad
 Fatoum <a.fatoum@...gutronix.de>, sigma star Kernel Team
	<upstream+dcp@...ma-star.at>, David Howells <dhowells@...hat.com>, Li Yang
	<leoyang.li@....com>, Paul Moore <paul@...l-moore.com>, James Morris
	<jmorris@...ei.org>, "Serge E. Hallyn" <serge@...lyn.com>, "Paul E. McKenney"
	<paulmck@...nel.org>, Randy Dunlap <rdunlap@...radead.org>, Catalin Marinas
	<catalin.marinas@....com>, "Rafael J. Wysocki" <rafael.j.wysocki@...el.com>,
	Tejun Heo <tj@...nel.org>, "Steven Rostedt (Google)" <rostedt@...dmis.org>,
	"linux-doc@...r.kernel.org" <linux-doc@...r.kernel.org>,
	"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
	"linux-integrity@...r.kernel.org" <linux-integrity@...r.kernel.org>,
	"keyrings@...r.kernel.org" <keyrings@...r.kernel.org>,
	"linux-crypto@...r.kernel.org" <linux-crypto@...r.kernel.org>,
	"linux-arm-kernel@...ts.infradead.org"
	<linux-arm-kernel@...ts.infradead.org>, "linuxppc-dev@...ts.ozlabs.org"
	<linuxppc-dev@...ts.ozlabs.org>, "linux-security-module@...r.kernel.org"
	<linux-security-module@...r.kernel.org>, Richard Weinberger <richard@....at>,
	David Oberhollenzer <david.oberhollenzer@...ma-star.at>, Varun Sethi
	<V.Sethi@....com>, Gaurav Jain <gaurav.jain@....com>, Pankaj Gupta
	<pankaj.gupta@....com>
Subject: RE: [EXT] [PATCH v8 6/6] docs: trusted-encrypted: add DCP as new
 trust source

Hi David,

> -----Original Message-----
> From: David Gstir <david@...ma-star.at>
> Sent: Monday, April 29, 2024 5:05 PM
> To: Kshitiz Varshney <kshitiz.varshney@....com>
> Cc: Jarkko Sakkinen <jarkko@...nel.org>; Mimi Zohar
> <zohar@...ux.ibm.com>; James Bottomley <jejb@...ux.ibm.com>; Herbert
> Xu <herbert@...dor.apana.org.au>; David S. Miller
> <davem@...emloft.net>; Shawn Guo <shawnguo@...nel.org>; Jonathan
> Corbet <corbet@....net>; Sascha Hauer <s.hauer@...gutronix.de>;
> kernel@...gutronix.de; Fabio Estevam <festevam@...il.com>; dl-linux-imx
> <linux-imx@....com>; Ahmad Fatoum <a.fatoum@...gutronix.de>; sigma
> star Kernel Team <upstream+dcp@...ma-star.at>; David Howells
> <dhowells@...hat.com>; Li Yang <leoyang.li@....com>; Paul Moore
> <paul@...l-moore.com>; James Morris <jmorris@...ei.org>; Serge E.
> Hallyn <serge@...lyn.com>; Paul E. McKenney <paulmck@...nel.org>;
> Randy Dunlap <rdunlap@...radead.org>; Catalin Marinas
> <catalin.marinas@....com>; Rafael J. Wysocki
> <rafael.j.wysocki@...el.com>; Tejun Heo <tj@...nel.org>; Steven Rostedt
> (Google) <rostedt@...dmis.org>; linux-doc@...r.kernel.org; linux-
> kernel@...r.kernel.org; linux-integrity@...r.kernel.org;
> keyrings@...r.kernel.org; linux-crypto@...r.kernel.org; linux-arm-
> kernel@...ts.infradead.org; linuxppc-dev@...ts.ozlabs.org; linux-security-
> module@...r.kernel.org; Richard Weinberger <richard@....at>; David
> Oberhollenzer <david.oberhollenzer@...ma-star.at>; Varun Sethi
> <V.Sethi@....com>; Gaurav Jain <gaurav.jain@....com>; Pankaj Gupta
> <pankaj.gupta@....com>
> Subject: Re: [EXT] [PATCH v8 6/6] docs: trusted-encrypted: add DCP as new
> trust source
> 
> Caution: This is an external email. Please take care when clicking links or
> opening attachments. When in doubt, report the message using the 'Report
> this email' button
> 
> 
> Hi Kshitiz,
> 
> > On 09.04.2024, at 11:48, Kshitiz Varshney <kshitiz.varshney@....com>
> wrote:
> >
> > Hi Jarkko,
> >
> >
> >> -----Original Message-----
> >> From: Jarkko Sakkinen <jarkko@...nel.org>
> >> Sent: Wednesday, April 3, 2024 9:18 PM
> >> To: David Gstir <david@...ma-star.at>; Mimi Zohar
> >> <zohar@...ux.ibm.com>; James Bottomley <jejb@...ux.ibm.com>;
> Herbert
> >> Xu <herbert@...dor.apana.org.au>; David S. Miller
> >> <davem@...emloft.net>
> >> Cc: Shawn Guo <shawnguo@...nel.org>; Jonathan Corbet
> >> <corbet@....net>; Sascha Hauer <s.hauer@...gutronix.de>;
> Pengutronix
> >> Kernel Team <kernel@...gutronix.de>; Fabio Estevam
> >> <festevam@...il.com>; dl-linux-imx <linux-imx@....com>; Ahmad
> Fatoum
> >> <a.fatoum@...gutronix.de>; sigma star Kernel Team
> >> <upstream+dcp@...ma-star.at>; David Howells <dhowells@...hat.com>;
> Li
> >> Yang <leoyang.li@....com>; Paul Moore <paul@...l-moore.com>;
> James
> >> Morris <jmorris@...ei.org>; Serge E. Hallyn <serge@...lyn.com>; Paul
> E.
> >> McKenney <paulmck@...nel.org>; Randy Dunlap
> <rdunlap@...radead.org>;
> >> Catalin Marinas <catalin.marinas@....com>; Rafael J. Wysocki
> >> <rafael.j.wysocki@...el.com>; Tejun Heo <tj@...nel.org>; Steven
> >> Rostedt
> >> (Google) <rostedt@...dmis.org>; linux-doc@...r.kernel.org; linux-
> >> kernel@...r.kernel.org; linux-integrity@...r.kernel.org;
> >> keyrings@...r.kernel.org; linux-crypto@...r.kernel.org; linux-arm-
> >> kernel@...ts.infradead.org; linuxppc-dev@...ts.ozlabs.org;
> >> linux-security- module@...r.kernel.org; Richard Weinberger
> >> <richard@....at>; David Oberhollenzer
> >> <david.oberhollenzer@...ma-star.at>
> >> Subject: [EXT] Re: [PATCH v8 6/6] docs: trusted-encrypted: add DCP as
> >> new trust source
> >>
> >> Caution: This is an external email. Please take care when clicking
> >> links or opening attachments. When in doubt, report the message using
> >> the 'Report this email' button
> >>
> >>
> >> On Wed Apr 3, 2024 at 10:21 AM EEST, David Gstir wrote:
> >>> Update the documentation for trusted and encrypted KEYS with DCP as
> >>> new trust source:
> >>>
> >>> - Describe security properties of DCP trust source
> >>> - Describe key usage
> >>> - Document blob format
> >>>
> >>> Co-developed-by: Richard Weinberger <richard@....at>
> >>> Signed-off-by: Richard Weinberger <richard@....at>
> >>> Co-developed-by: David Oberhollenzer
> >>> <david.oberhollenzer@...ma-star.at>
> >>> Signed-off-by: David Oberhollenzer
> >>> <david.oberhollenzer@...ma-star.at>
> >>> Signed-off-by: David Gstir <david@...ma-star.at>
> >>> ---
> >>> .../security/keys/trusted-encrypted.rst       | 53 +++++++++++++++++++
> >>> security/keys/trusted-keys/trusted_dcp.c      | 19 +++++++
> >>> 2 files changed, 72 insertions(+)
> >>>
> >>> diff --git a/Documentation/security/keys/trusted-encrypted.rst
> >>> b/Documentation/security/keys/trusted-encrypted.rst
> >>> index e989b9802f92..f4d7e162d5e4 100644
> >>> --- a/Documentation/security/keys/trusted-encrypted.rst
> >>> +++ b/Documentation/security/keys/trusted-encrypted.rst
> >>> @@ -42,6 +42,14 @@ safe.
> >>>          randomly generated and fused into each SoC at manufacturing
> time.
> >>>          Otherwise, a common fixed test key is used instead.
> >>>
> >>> +     (4) DCP (Data Co-Processor: crypto accelerator of various i.MX
> >>> + SoCs)
> >>> +
> >>> +         Rooted to a one-time programmable key (OTP) that is
> >>> + generally
> >> burnt
> >>> +         in the on-chip fuses and is accessible to the DCP
> >>> + encryption engine
> >> only.
> >>> +         DCP provides two keys that can be used as root of trust:
> >>> + the OTP
> >> key
> >>> +         and the UNIQUE key. Default is to use the UNIQUE key, but
> selecting
> >>> +         the OTP key can be done via a module parameter
> >> (dcp_use_otp_key).
> >>> +
> >>>   *  Execution isolation
> >>>
> >>>      (1) TPM
> >>> @@ -57,6 +65,12 @@ safe.
> >>>
> >>>          Fixed set of operations running in isolated execution environment.
> >>>
> >>> +     (4) DCP
> >>> +
> >>> +         Fixed set of cryptographic operations running in isolated
> execution
> >>> +         environment. Only basic blob key encryption is executed there.
> >>> +         The actual key sealing/unsealing is done on main
> >>> + processor/kernel
> >> space.
> >>> +
> >>>   * Optional binding to platform integrity state
> >>>
> >>>      (1) TPM
> >>> @@ -79,6 +93,11 @@ safe.
> >>>          Relies on the High Assurance Boot (HAB) mechanism of NXP SoCs
> >>>          for platform integrity.
> >>>
> >>> +     (4) DCP
> >>> +
> >>> +         Relies on Secure/Trusted boot process (called HAB by vendor) for
> >>> +         platform integrity.
> >>> +
> >>>   *  Interfaces and APIs
> >>>
> >>>      (1) TPM
> >>> @@ -94,6 +113,11 @@ safe.
> >>>
> >>>          Interface is specific to silicon vendor.
> >>>
> >>> +     (4) DCP
> >>> +
> >>> +         Vendor-specific API that is implemented as part of the DCP
> >>> + crypto
> >> driver in
> >>> +         ``drivers/crypto/mxs-dcp.c``.
> >>> +
> >>>   *  Threat model
> >>>
> >>>      The strength and appropriateness of a particular trust source
> >>> for a given @@ -129,6 +153,13 @@ selected trust source:
> >>>      CAAM HWRNG, enable CRYPTO_DEV_FSL_CAAM_RNG_API and
> ensure
> >> the device
> >>>      is probed.
> >>>
> >>> +  *  DCP (Data Co-Processor: crypto accelerator of various i.MX
> >>> + SoCs)
> >>> +
> >>> +     The DCP hardware device itself does not provide a dedicated
> >>> + RNG
> >> interface,
> >>> +     so the kernel default RNG is used. SoCs with DCP like the
> >>> + i.MX6ULL do
> >> have
> >>> +     a dedicated hardware RNG that is independent from DCP which
> >>> + can be
> >> enabled
> >>> +     to back the kernel RNG.
> >>> +
> >>> Users may override this by specifying ``trusted.rng=kernel`` on the
> >>> kernel  command-line to override the used RNG with the kernel's
> >>> random
> >> number pool.
> >>>
> >>> @@ -231,6 +262,19 @@ Usage::
> >>> CAAM-specific format.  The key length for new keys is always in bytes.
> >>> Trusted Keys can be 32 - 128 bytes (256 - 1024 bits).
> >>>
> >>> +Trusted Keys usage: DCP
> >>> +-----------------------
> >>> +
> >>> +Usage::
> >>> +
> >>> +    keyctl add trusted name "new keylen" ring
> >>> +    keyctl add trusted name "load hex_blob" ring
> >>> +    keyctl print keyid
> >>> +
> >>> +"keyctl print" returns an ASCII hex copy of the sealed key, which
> >>> +is in format specific to this DCP key-blob implementation.  The key
> >>> +length for new keys is always in bytes. Trusted Keys can be 32 -
> >>> +128 bytes
> >> (256 - 1024 bits).
> >>> +
> >>> Encrypted Keys usage
> >>> --------------------
> >>>
> >>> @@ -426,3 +470,12 @@ string length.
> >>> privkey is the binary representation of TPM2B_PUBLIC excluding the
> >>> initial TPM2B header which can be reconstructed from the ASN.1 octed
> >>> string length.
> >>> +
> >>> +DCP Blob Format
> >>> +---------------
> >>> +
> >>> +.. kernel-doc:: security/keys/trusted-keys/trusted_dcp.c
> >>> +   :doc: dcp blob format
> >>> +
> >>> +.. kernel-doc:: security/keys/trusted-keys/trusted_dcp.c
> >>> +   :identifiers: struct dcp_blob_fmt
> >>> diff --git a/security/keys/trusted-keys/trusted_dcp.c
> >>> b/security/keys/trusted-keys/trusted_dcp.c
> >>> index 16c44aafeab3..b5f81a05be36 100644
> >>> --- a/security/keys/trusted-keys/trusted_dcp.c
> >>> +++ b/security/keys/trusted-keys/trusted_dcp.c
> >>> @@ -19,6 +19,25 @@
> >>> #define DCP_BLOB_VERSION 1
> >>> #define DCP_BLOB_AUTHLEN 16
> >>>
> >>> +/**
> >>> + * DOC: dcp blob format
> >>> + *
> >>> + * The Data Co-Processor (DCP) provides hardware-bound AES keys
> >>> +using its
> >>> + * AES encryption engine only. It does not provide direct key
> >> sealing/unsealing.
> >>> + * To make DCP hardware encryption keys usable as trust source, we
> >>> +define
> >>> + * our own custom format that uses a hardware-bound key to secure
> >>> +the sealing
> >>> + * key stored in the key blob.
> >>> + *
> >>> + * Whenever a new trusted key using DCP is generated, we generate a
> >>> +random 128-bit
> >>> + * blob encryption key (BEK) and 128-bit nonce. The BEK and nonce
> >>> +are used to
> >>> + * encrypt the trusted key payload using AES-128-GCM.
> >>> + *
> >>> + * The BEK itself is encrypted using the hardware-bound key using
> >>> +the DCP's AES
> >>> + * encryption engine with AES-128-ECB. The encrypted BEK, generated
> >>> +nonce,
> >>> + * BEK-encrypted payload and authentication tag make up the blob
> >>> +format together
> >>> + * with a version number, payload length and authentication tag.
> >>> + */
> >>> +
> >>> /**
> >>>  * struct dcp_blob_fmt - DCP BLOB format.
> >>>  *
> >>
> >> Reviewed-by: Jarkko Sakkinen <jarkko@...nel.org>
> >>
> >> I can only test that this does not break a machine without the
> >> hardware feature.
> >>
> >> Is there anyone who could possibly peer test these patches?
> > I am already working on testing this patchset on i.MX6 platform.
> 
> Did you get around to testing this?
> I’d greatly appreciate a Tested-by for this. :-)
> 
> Thanks!
> BR, David

Currently, I am bit busy with other priority activities. It will take time to test this patch set.

Regards,
Kshitiz

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ