Message-Id: <20251006071753.3073538-1-meenakshi.aggarwal@nxp.com>
Date: Mon,  6 Oct 2025 09:17:50 +0200
From: meenakshi.aggarwal@....com
To: horia.geanta@....com,
	V.sethi@....com,
	pankaj.gupta@....com,
	gaurav.jain@....com,
	herbert@...dor.apana.org.au
Cc: linux-crypto@...r.kernel.org,
	linux-kernel@...r.kernel.org,
	Meenakshi Aggarwal <meenakshi.aggarwal@....com>
Subject: [PATCH 0/3] trusted-keys: Add support for protected keys using CAAM

From: Meenakshi Aggarwal <meenakshi.aggarwal@....com>

Overview:
This patch set adds:
- Support for creating and loading protected keys via the `keyctl` interface.
- Documentation updates to describe protected key usage and options.
- CAAM-specific implementation for protected key encryption algorithms.

A user can create a protected/encrypted key using the keyctl interface:

KEYNAME=dm_trust_key_hw
KEY="$(keyctl add trusted $KEYNAME 'new 32 pk key_enc_algo=1' @s)"
keyctl pipe $KEY >~/$KEYNAME.blob
keyctl list @s

dm-crypt can load the protected key buffer from the keyring and use it to
initialize encrypted volumes, ensuring that key material is never exposed in plaintext.

The protected key buffer is passed to the CAAM driver via the kernel crypto API.
The CAAM driver will decapsulate the protected key buffer and perform the cipher operation.

Protected keys are identified by a header structure:

struct caam_pkey_info {
	u8  is_pkey;        /* non-zero: this buffer holds a protected key */
	u8  key_enc_algo;   /* key encryption algorithm (key_enc_algo=...)  */
	u16 plain_key_sz;   /* size of the plaintext key in bytes           */
	u8  key_buf[];      /* CAAM-encapsulated key material               */
};

This information is populated from the parameters provided during key creation, such as 'new 32 pk key_enc_algo=1'.

Internal Workflow:

 +------------------------+     +-------------------------------+
 |   Seal Function        |     | paes_skcipher_setkey()        |
 | - Constructs key buffer|---->| - Parses header and key_buf[] |
 | - Adds header metadata |     | - Initializes cipher context  |
 +------------------------+     +-------------------------------+
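As an added example (not code from this patch set), a userspace model of the header parse that paes_skcipher_setkey() is described as doing, with the flag, algorithm and length checks a setkey path needs before trusting the header. The struct layout and native-endian packing are assumed from the header as quoted above, the algorithm id 1 from the example `key_enc_algo=1`, and the key-size check assumes paes wraps AES keys.

```c
/* Added example, not the patch's code; layout assumed from the cover letter. */

#include <stddef.h>
#include <stdint.h>
#include <string.h>

struct caam_pkey_info {
	uint8_t  is_pkey;       /* non-zero: buffer holds a protected key   */
	uint8_t  key_enc_algo;  /* value passed as key_enc_algo= at creation */
	uint16_t plain_key_sz;  /* size of the plaintext key in bytes        */
	uint8_t  key_buf[];     /* CAAM-encapsulated key material follows    */
};
#define PKEY_HDR_LEN offsetof(struct caam_pkey_info, key_buf)
#define PKEY_ENC_ALGO_EXAMPLE 1  /* from 'new 32 pk key_enc_algo=1' (assumed) */

/* Returns the length of key_buf[] and points *key_buf at it, or -1 for a short
 * buffer, clear is_pkey, unknown algo, non-AES size, or a wrapped part shorter
 * than the plaintext key it claims to protect.  key_buf must be non-NULL. */
static long pkey_parse(const uint8_t *buf, size_t len, const uint8_t **key_buf)
{
	struct caam_pkey_info hdr;
	if (!buf || len < PKEY_HDR_LEN)
		return -1;
	memcpy(&hdr, buf, PKEY_HDR_LEN);     /* avoid unaligned field loads */
	if (!hdr.is_pkey || hdr.key_enc_algo != PKEY_ENC_ALGO_EXAMPLE)
		return -1;
	if (hdr.plain_key_sz != 16 && hdr.plain_key_sz != 24 &&
	    hdr.plain_key_sz != 32)
		return -1;                   /* paes is AES */
	if (len - PKEY_HDR_LEN < (size_t)hdr.plain_key_sz)
		return -1;
	*key_buf = buf + PKEY_HDR_LEN;
	return (long)(len - PKEY_HDR_LEN);
}

/* Constructed buffers: 1 when the well-formed one parses to an 80-byte
 * key_buf and the truncated and unflagged variants are rejected. */
static int pkey_selftest(void)
{
	uint8_t buf[PKEY_HDR_LEN + 80];
	uint16_t sz = 32;
	const uint8_t *kb;
	memset(buf, 0xA5, sizeof(buf));      /* stand-in encapsulated bytes */
	buf[0] = 1;                          /* is_pkey */
	buf[1] = PKEY_ENC_ALGO_EXAMPLE;      /* key_enc_algo */
	memcpy(&buf[2], &sz, sizeof(sz));    /* plain_key_sz, native order */
	int ok = pkey_parse(buf, sizeof(buf), &kb) == 80 && kb == buf + PKEY_HDR_LEN;
	ok = ok && pkey_parse(buf, PKEY_HDR_LEN + 16, &kb) == -1;  /* truncated */
	buf[0] = 0;
	return ok && pkey_parse(buf, sizeof(buf), &kb) == -1;       /* not pkey */
}
```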

I welcome feedback and suggestions from the community.

Thank you for your time and consideration.

Best regards,
Meenakshi Aggarwal 

Meenakshi Aggarwal (3):
  Doc: trusted-keys as protected keys
  KEYS: trusted: caam based protected key
  crypto:caam: Add support of paes algorithm

 .../security/keys/trusted-encrypted.rst       |  87 +++++++++++-
 drivers/crypto/caam/blob_gen.c                |  86 +++++++++---
 drivers/crypto/caam/caamalg.c                 | 128 ++++++++++++++++--
 drivers/crypto/caam/caamalg_desc.c            |  87 +++++++++++-
 drivers/crypto/caam/caamalg_desc.h            |  13 +-
 drivers/crypto/caam/desc.h                    |   9 +-
 drivers/crypto/caam/desc_constr.h             |   8 +-
 include/soc/fsl/caam-blob.h                   |  26 ++++
 security/keys/trusted-keys/trusted_caam.c     | 108 +++++++++++++++
 9 files changed, 518 insertions(+), 34 deletions(-)

-- 
2.25.1

