Message-ID: <aPH83_rWq8E1dYZ2@gondor.apana.org.au>
Date: Fri, 17 Oct 2025 16:22:55 +0800
From: Herbert Xu <herbert@...dor.apana.org.au>
To: meenakshi.aggarwal@....com
Cc: horia.geanta@....com, V.sethi@....com, pankaj.gupta@....com,
	gaurav.jain@....com, linux-crypto@...r.kernel.org,
	linux-kernel@...r.kernel.org
Subject: Re: [PATCH 0/3] trusted-keys: Add support for protected keys using CAAM

On Mon, Oct 06, 2025 at 09:17:50AM +0200, meenakshi.aggarwal@....com wrote:
> From: Meenakshi Aggarwal <meenakshi.aggarwal@....com>
> 
> Overview:
> This patch set adds:
> - Support for creating and loading protected keys via `keyctl` interface.
> - Documentation updates to describe protected key usage and options.
> - CAAM-specific implementation for protected key encryption algorithms.
> 
> User can create protected/encrypted key using keyctl interface:
> 
> KEYNAME=dm_trust_key_hw
> KEY="$(keyctl add trusted $KEYNAME 'new 32 pk key_enc_algo=1' @s)"
> keyctl pipe $KEY >~/$KEYNAME.blob
> keyctl list @s
> 
> dm-crypt can load the protected key buffer from the keyring and use it to
> initialize encrypted volumes, ensuring that key material is never exposed in plaintext.
> 
> The protected key buffer is passed to the CAAM driver via the kernel crypto API.
> The CAAM driver will decapsulate the protected key buffer and perform the cipher operation.
> 
> Protected Keys are identified by a header structure:
> 
> struct caam_pkey_info {
> 	u8  is_pkey;
> 	u8  key_enc_algo;
> 	u16 plain_key_sz;
> 	u8 key_buf[];
> };
> 
> This information is populated based on the parameters provided during key creation, such as 'new 32 pk key_enc_algo=1'.
> 
> Internal Workflow:
> ::
> 
>  +------------------------+     +-------------------------------+
>  |   Seal Function        |     | paes_skcipher_setkey()        |
>  | - Constructs key buffer|---->| - Parses header and key_buf[] |
>  | - Adds header metadata |     | - Initializes cipher context  |
>  +------------------------+     +-------------------------------+
> 
> I welcome feedback and suggestions from the community.
> 
> Thank you for your time and consideration.
> 
> Best regards,
> Meenakshi Aggarwal 
> 
> Meenakshi Aggarwal (3):
>   Doc: trusted-keys as protected keys
>   KEYS: trusted: caam based protected key
>   crypto:caam: Add support of paes algorithm
> 
>  .../security/keys/trusted-encrypted.rst       |  87 +++++++++++-
>  drivers/crypto/caam/blob_gen.c                |  86 +++++++++---
>  drivers/crypto/caam/caamalg.c                 | 128 ++++++++++++++++--
>  drivers/crypto/caam/caamalg_desc.c            |  87 +++++++++++-
>  drivers/crypto/caam/caamalg_desc.h            |  13 +-
>  drivers/crypto/caam/desc.h                    |   9 +-
>  drivers/crypto/caam/desc_constr.h             |   8 +-
>  include/soc/fsl/caam-blob.h                   |  26 ++++
>  security/keys/trusted-keys/trusted_caam.c     | 108 +++++++++++++++
>  9 files changed, 518 insertions(+), 34 deletions(-)
> 
> -- 
> 2.25.1

All applied.  Thanks.
-- 
Email: Herbert Xu <herbert@...dor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
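The header-parsing step that the cover letter attributes to `paes_skcipher_setkey()`, as an added example in C that is not part of this patch set or of the CAAM driver: it reads the `caam_pkey_info` header shown above and rejects buffers whose fields or length are inconsistent before any key material is handed to the hardware. Assumptions: the header is packed with `plain_key_sz` in native byte order, `key_enc_algo=1` (the only value the cover letter shows) is the sole accepted algorithm, `PKEY_MAX_PLAIN` is a hypothetical cap, and `pkey_parse`/`pkey_parse_sample` are hypothetical helpers.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Header exactly as shown in the cover letter; assumed packed (u8,u8,u16 needs
 * no padding), plain_key_sz in native byte order, key_buf[] following. */
struct caam_pkey_info {
	uint8_t  is_pkey;
	uint8_t  key_enc_algo;
	uint16_t plain_key_sz;
	uint8_t  key_buf[];
};

#define PKEY_HDR_LEN    offsetof(struct caam_pkey_info, key_buf)
#define PKEY_ENC_ALGO_1 1   /* the only key_enc_algo value the cover letter shows */
#define PKEY_MAX_PLAIN  64  /* hypothetical cap on plaintext key size, in bytes */

/* Check a caller-supplied buffer before trusting it as a protected key.
 * Hypothetical helper: returns the length of key_buf[] (the wrapped key) and
 * stores the plaintext key size in *plain_sz, or returns -1 on any defect. */
long pkey_parse(const uint8_t *buf, size_t len, uint16_t *plain_sz)
{
	struct caam_pkey_info hdr;
	if (!buf || len < PKEY_HDR_LEN)
		return -1;                          /* too short to hold the header */
	memcpy(&hdr, buf, PKEY_HDR_LEN);            /* no unaligned access into buf */
	if (hdr.is_pkey != 1 || hdr.key_enc_algo != PKEY_ENC_ALGO_1)
		return -1;                          /* not a pkey, or unknown algorithm */
	if (hdr.plain_key_sz == 0 || hdr.plain_key_sz > PKEY_MAX_PLAIN)
		return -1;                          /* implausible plaintext key size */
	if (len - PKEY_HDR_LEN < hdr.plain_key_sz)
		return -1;  /* a wrapped blob cannot be shorter than the key it protects */
	if (plain_sz)
		*plain_sz = hdr.plain_key_sz;
	return (long)(len - PKEY_HDR_LEN);
}

/* Constructed sample: header with the given fields plus blob_len dummy bytes.
 * Returns what pkey_parse() returns for it (-1 if blob_len exceeds the buffer). */
long pkey_parse_sample(uint8_t is_pkey, uint8_t algo, uint16_t plain_key_sz, size_t blob_len)
{
	uint8_t buf[PKEY_HDR_LEN + 128];
	struct caam_pkey_info hdr = { is_pkey, algo, plain_key_sz };
	if (blob_len > 128)
		return -1;
	memcpy(buf, &hdr, PKEY_HDR_LEN);
	memset(buf + PKEY_HDR_LEN, 0xAB, blob_len);  /* stand-in for CAAM blob bytes */
	return pkey_parse(buf, PKEY_HDR_LEN + blob_len, NULL);
}
```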
