| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20251006071753.3073538-1-meenakshi.aggarwal@nxp.com>
Date: Mon, 6 Oct 2025 09:17:50 +0200
From: meenakshi.aggarwal@....com
To: horia.geanta@....com,
V.sethi@....com,
pankaj.gupta@....com,
gaurav.jain@....com,
herbert@...dor.apana.org.au
Cc: linux-crypto@...r.kernel.org,
linux-kernel@...r.kernel.org,
Meenakshi Aggarwal <meenakshi.aggarwal@....com>
Subject: [PATCH 0/3] trusted-keys: Add support for protected keys using CAAM
From: Meenakshi Aggarwal <meenakshi.aggarwal@....com>
Overview:
This patch set adds:
- Support for creating and loading protected keys via `keyctl` interface.
- Documentation updates to describe protected key usage and options.
- CAAM-specific implementation for protected key encryption algorithms.
User can create protected/encrypted key using keyctl interface:
KEYNAME=dm_trust_key_hw
KEY="$(keyctl add trusted $KEYNAME 'new 32 pk key_enc_algo=1' @s)"
keyctl pipe $KEY >~/$KEYNAME.blob
keyctl list @s
dm-crypt can load the protected key buffer from the keyring and use it to
initialize encrypted volumes, ensuring that key material is never exposed in plaintext.
The Protected key buffer is passed to the CAAM driver via the kernel crypto API.
CAAM driver will decapsulate the protected key buffer and perform cipher operation.
Protected Keys are identified by a header structure:
struct caam_pkey_info {
u8 is_pkey;
u8 key_enc_algo;
u16 plain_key_sz;
u8 key_buf[];
};
This information is populated based on the parameters provided during key creation such as 'new 32 pk key_enc_algo=1'
Internal Workflow:
::
+------------------------+ +-------------------------------+
| Seal Function | | paes_skcipher_setkey() |
| - Constructs key buffer|---->| - Parses header and key_buf[] |
| - Adds header metadata | | - Initializes cipher context |
+------------------------+ +-------------------------------+
I welcome feedback and suggestions from the community.
Thank you for your time and consideration.
Best regards,
Meenakshi Aggarwal
Meenakshi Aggarwal (3):
Doc: trusted-keys as protected keys
KEYS: trusted: caam based protected key
crypto:caam: Add support of paes algorithm
.../security/keys/trusted-encrypted.rst | 87 +++++++++++-
drivers/crypto/caam/blob_gen.c | 86 +++++++++---
drivers/crypto/caam/caamalg.c | 128 ++++++++++++++++--
drivers/crypto/caam/caamalg_desc.c | 87 +++++++++++-
drivers/crypto/caam/caamalg_desc.h | 13 +-
drivers/crypto/caam/desc.h | 9 +-
drivers/crypto/caam/desc_constr.h | 8 +-
include/soc/fsl/caam-blob.h | 26 ++++
security/keys/trusted-keys/trusted_caam.c | 108 +++++++++++++++
9 files changed, 518 insertions(+), 34 deletions(-)
--
2.25.1
Powered by blists - more mailing lists