| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 17 Jun 2024 10:39:49 +0300 From: Dmitry Baryshkov <dmitry.baryshkov@...aro.org> To: Gaurav Kashyap <quic_gaurkash@...cinc.com> Cc: linux-arm-msm@...r.kernel.org, linux-scsi@...r.kernel.org, andersson@...nel.org, ebiggers@...gle.com, neil.armstrong@...aro.org, srinivas.kandagatla@...aro.org, krzysztof.kozlowski+dt@...aro.org, conor+dt@...nel.org, robh+dt@...nel.org, linux-kernel@...r.kernel.org, linux-mmc@...r.kernel.org, kernel@...cinc.com, linux-crypto@...r.kernel.org, devicetree@...r.kernel.org, quic_omprsing@...cinc.com, quic_nguyenb@...cinc.com, bartosz.golaszewski@...aro.org, konrad.dybcio@...aro.org, ulf.hansson@...aro.org, jejb@...ux.ibm.com, martin.petersen@...cle.com, mani@...nel.org, davem@...emloft.net, herbert@...dor.apana.org.au, psodagud@...cinc.com, quic_apurupa@...cinc.com, sonalg@...cinc.com Subject: Re: [PATCH v5 03/15] qcom_scm: scm call for create, prepare and import keys On Sun, Jun 16, 2024 at 05:50:58PM GMT, Gaurav Kashyap wrote: > Storage encryption has two IOCTLs for creating, importing > and preparing keys for encryption. For wrapped keys, these > IOCTLs need to interface with Qualcomm's Trustzone, which > require these SCM calls. > > generate_key: This is used to generate and return a longterm > wrapped key. Trustzone achieves this by generating > a key and then wrapping it using hwkm, returning > a wrapped keyblob. > import_key: The functionality is similar to generate, but here, > a raw key is imported into hwkm and a longterm wrapped > keyblob is returned. > prepare_key: The longterm wrapped key from import or generate > is made further secure by rewrapping it with a per-boot > ephemeral wrapped key before installing it to the linux > kernel for programming to ICE. > > Tested-by: Neil Armstrong <neil.armstrong@...aro.org> > Signed-off-by: Gaurav Kashyap <quic_gaurkash@...cinc.com> > --- > drivers/firmware/qcom/qcom_scm.c | 175 +++++++++++++++++++++++++ > drivers/firmware/qcom/qcom_scm.h | 3 + > include/linux/firmware/qcom/qcom_scm.h | 5 + > 3 files changed, 183 insertions(+) > > diff --git a/drivers/firmware/qcom/qcom_scm.c b/drivers/firmware/qcom/qcom_scm.c > index 8f23b459c525..61a1ace3c683 100644 > --- a/drivers/firmware/qcom/qcom_scm.c > +++ b/drivers/firmware/qcom/qcom_scm.c > @@ -1309,6 +1309,181 @@ int qcom_scm_derive_sw_secret(const u8 *wkey, size_t wkey_size, > } > EXPORT_SYMBOL_GPL(qcom_scm_derive_sw_secret); > > +/** > + * qcom_scm_generate_ice_key() - Generate a wrapped key for encryption. > + * @lt_key: the wrapped key returned after key generation > + * @lt_key_size: size of the wrapped key to be returned. > + * > + * Qualcomm wrapped keys need to be generated in a trusted environment. > + * A generate key IOCTL call is used to achieve this. These are longterm > + * in nature as they need to be generated and wrapped only once per > + * requirement. > + * > + * Adds support for the create key IOCTL to interface > + * with the secure environment to generate and return a wrapped key.. This is documentation to a function, not a changelog. Also the function helps implementing the IOCTL. Please describe the call itself and its behaviour. Something like: Generate a key using built-in entropy source (or using this-and-that PRNG) inside TZ. Wrap the key using the platform-specific (board-specific?) Key Encryption Key and return to the caller. The same comment applies to other SCM calls added in this patch. -- With best wishes Dmitry
Powered by blists - more mailing lists