lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <23c9f3b9-f575-5bc6-e7f0-46238c26a7e5@oss.qualcomm.com>
Date: Mon, 19 Jan 2026 15:49:19 +0530
From: Neeraj Soni <neeraj.soni@....qualcomm.com>
To: Adrian Hunter <adrian.hunter@...el.com>, ulf.hansson@...aro.org,
        ebiggers@...nel.org, abel.vesa@...aro.org
Cc: linux-mmc@...r.kernel.org, linux-arm-msm@...r.kernel.org,
        linux-kernel@...r.kernel.org,
        Wenjia Zhang <wenjia.zhang@....qualcomm.com>
Subject: Re: [PATCH v4] mmc: host: sdhci-msm: Add support for wrapped keys

Hi,

On 1/12/2026 12:35 PM, Adrian Hunter wrote:
> On 02/01/2026 14:40, Neeraj Soni wrote:
>> Add the wrapped key support for sdhci-msm by implementing the needed
>> methods in struct blk_crypto_ll_ops and setting the appropriate flag in
>> blk_crypto_profile::key_types_supported.
>>
>> Tested on SC7280 eMMC variant.
>>
>> How to test:
>>
>> Use the "v1.3.0" tag from https://github.com/google/fscryptctl and build
>> fscryptctl that supports generating wrapped keys.
>>
>> Enable the following config options:
>> CONFIG_BLK_INLINE_ENCRYPTION=y
>> CONFIG_QCOM_INLINE_CRYPTO_ENGINE=y
>> CONFIG_FS_ENCRYPTION_INLINE_CRYPT=y
>> CONFIG_MMC_CRYPTO=y
>>
>> Enable "qcom_ice.use_wrapped_keys" via kernel command line.
>>
>> $ mkfs.ext4 -F -O encrypt,stable_inodes /dev/disk/by-partlabel/vm-data
>> $ mount /dev/disk/by-partlabel/vm-data -o inlinecrypt /mnt
>> $ fscryptctl generate_hw_wrapped_key /dev/disk/by-partlabel/vm-data > /mnt/key.longterm
>> $ fscryptctl prepare_hw_wrapped_key /dev/disk/by-partlabel/vm-data < /mnt/key.longterm > /tmp/key.ephemeral
>> $ KEYID=$(fscryptctl add_key --hw-wrapped-key < /tmp/key.ephemeral /mnt)
>> $ rm -rf /mnt/dir
>> $ mkdir /mnt/dir
>> $ fscryptctl set_policy --iv-ino-lblk-32 "$KEYID" /mnt/dir
>> $ dmesg > /mnt/dir/test.txt
>> $ sync
>>
>> Reboot the board
>>
>> $ mount /dev/disk/by-partlabel/vm-data -o inlinecrypt /mnt
>> $ ls /mnt/dir # File should be encrypted
>> $ fscryptctl prepare_hw_wrapped_key /dev/disk/by-partlabel/vm-data < /mnt/key.longterm > /tmp/key.ephemeral
>> $ KEYID=$(fscryptctl add_key --hw-wrapped-key < /tmp/key.ephemeral /mnt)
>> $ fscryptctl set_policy --iv-ino-lblk-32 "$KEYID" /mnt/dir
>> $ cat /mnt/dir/test.txt # File should now be decrypted
>>
>> Tested-by: Wenjia Zhang <wenjia.zhang@....qualcomm.com>
>> Signed-off-by: Neeraj Soni <neeraj.soni@....qualcomm.com>
> 
> Doesn't apply cleanly to mmc next.  Otherwise:
> 
> Acked-by: Adrian Hunter <adrian.hunter@...el.com>
> 
Is this a blocker for the patch to get merged? I will anyway see why it is not applying cleanly on mmc next
but wanted to know if this is necessary to resolve for these chagnes to get merged in Linux-next?

>>
>> ---
>> This is a reworked version of the patchset
>> https://lore.kernel.org/all/20241101031539.13285-1-quic_spuppala@quicinc.com/
>> that was sent by Seshu Madhavi Puppala.
>>
>> My changes rebase it to use the custom crypto profile support.
>>
>> Changes in v4:
>> - Updated the link for fscryptctl tool in commit message to "https://github.com/google/fscryptctl".
>> - Aligned the indentation at few places.
>> - Unwrapped few lines of code.
>>
>> Changes in v3:
>> - Updated commit message with test details and moved "Signed-off-by" above the
>>   scissors line.
>>
>> Changes in v2:
>> - Updated commit message for clarity.
>>
>> Changes in v1:
>> - Added initial support for wrapped keys.
>> ---
>>  drivers/mmc/host/sdhci-msm.c | 47 +++++++++++++++++++++++++++++++-----
>>  1 file changed, 41 insertions(+), 6 deletions(-)
>>
>> diff --git a/drivers/mmc/host/sdhci-msm.c b/drivers/mmc/host/sdhci-msm.c
>> index 4e5edbf2fc9b..8ac4aee2cb3b 100644
>> --- a/drivers/mmc/host/sdhci-msm.c
>> +++ b/drivers/mmc/host/sdhci-msm.c
>> @@ -1911,11 +1911,6 @@ static int sdhci_msm_ice_init(struct sdhci_msm_host *msm_host,
>>  	if (IS_ERR_OR_NULL(ice))
>>  		return PTR_ERR_OR_ZERO(ice);
>>  
>> -	if (qcom_ice_get_supported_key_type(ice) != BLK_CRYPTO_KEY_TYPE_RAW) {
>> -		dev_warn(dev, "Wrapped keys not supported. Disabling inline encryption support.\n");
>> -		return 0;
>> -	}
>> -
>>  	msm_host->ice = ice;
>>  
>>  	/* Initialize the blk_crypto_profile */
>> @@ -1929,7 +1924,7 @@ static int sdhci_msm_ice_init(struct sdhci_msm_host *msm_host,
>>  
>>  	profile->ll_ops = sdhci_msm_crypto_ops;
>>  	profile->max_dun_bytes_supported = 4;
>> -	profile->key_types_supported = BLK_CRYPTO_KEY_TYPE_RAW;
>> +	profile->key_types_supported = qcom_ice_get_supported_key_type(ice);
>>  	profile->dev = dev;
>>  
>>  	/*
>> @@ -2009,9 +2004,49 @@ static int sdhci_msm_ice_keyslot_evict(struct blk_crypto_profile *profile,
>>  	return qcom_ice_evict_key(msm_host->ice, slot);
>>  }
>>  
>> +static int sdhci_msm_ice_derive_sw_secret(struct blk_crypto_profile *profile,
>> +					  const u8 *eph_key, size_t eph_key_size,
>> +					  u8 sw_secret[BLK_CRYPTO_SW_SECRET_SIZE])
>> +{
>> +	struct sdhci_msm_host *msm_host = sdhci_msm_host_from_crypto_profile(profile);
>> +
>> +	return qcom_ice_derive_sw_secret(msm_host->ice, eph_key, eph_key_size,
>> +					 sw_secret);
>> +}
>> +
>> +static int sdhci_msm_ice_import_key(struct blk_crypto_profile *profile,
>> +				    const u8 *raw_key, size_t raw_key_size,
>> +				    u8 lt_key[BLK_CRYPTO_MAX_HW_WRAPPED_KEY_SIZE])
>> +{
>> +	struct sdhci_msm_host *msm_host = sdhci_msm_host_from_crypto_profile(profile);
>> +
>> +	return qcom_ice_import_key(msm_host->ice, raw_key, raw_key_size, lt_key);
>> +}
>> +
>> +static int sdhci_msm_ice_generate_key(struct blk_crypto_profile *profile,
>> +				      u8 lt_key[BLK_CRYPTO_MAX_HW_WRAPPED_KEY_SIZE])
>> +{
>> +	struct sdhci_msm_host *msm_host = sdhci_msm_host_from_crypto_profile(profile);
>> +
>> +	return qcom_ice_generate_key(msm_host->ice, lt_key);
>> +}
>> +
>> +static int sdhci_msm_ice_prepare_key(struct blk_crypto_profile *profile,
>> +				     const u8 *lt_key, size_t lt_key_size,
>> +				     u8 eph_key[BLK_CRYPTO_MAX_HW_WRAPPED_KEY_SIZE])
>> +{
>> +	struct sdhci_msm_host *msm_host = sdhci_msm_host_from_crypto_profile(profile);
>> +
>> +	return qcom_ice_prepare_key(msm_host->ice, lt_key, lt_key_size, eph_key);
>> +}
>> +
>>  static const struct blk_crypto_ll_ops sdhci_msm_crypto_ops = {
>>  	.keyslot_program	= sdhci_msm_ice_keyslot_program,
>>  	.keyslot_evict		= sdhci_msm_ice_keyslot_evict,
>> +	.derive_sw_secret	= sdhci_msm_ice_derive_sw_secret,
>> +	.import_key		= sdhci_msm_ice_import_key,
>> +	.generate_key		= sdhci_msm_ice_generate_key,
>> +	.prepare_key		= sdhci_msm_ice_prepare_key,
>>  };
>>  
>>  #else /* CONFIG_MMC_CRYPTO */
> 
Regards
Neeraj

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ