[prev in list] [next in list] [prev in thread] [next in thread]
List: linux-keyrings
Subject: RE: [EXT] Re: [PATCH v5 4/5] crypto: caam - add in-kernel interface for blob generator
From: Pankaj Gupta <pankaj.gupta () nxp ! com>
Date: 2022-02-25 12:20:54
Message-ID: DU2PR04MB863084B70239A69E4DE9D65B953E9 () DU2PR04MB8630 ! eurprd04 ! prod ! outlook ! com
[Download RAW message or body]
> -----Original Message-----
> From: Ahmad Fatoum <a.fatoum@pengutronix.de>
> Sent: Wednesday, February 23, 2022 9:50 PM
> To: Jarkko Sakkinen <jarkko@kernel.org>
> Cc: Horia Geanta <horia.geanta@nxp.com>; Aymen Sghaier
> <aymen.sghaier@nxp.com>; Herbert Xu <herbert@gondor.apana.org.au>;
> David S. Miller <davem@davemloft.net>; kernel@pengutronix.de; David Gstir
> <david@sigma-star.at>; Pankaj Gupta <pankaj.gupta@nxp.com>;
> tharvey@gateworks.com; Matthias Schiffer <matthias.schiffer@ew.tq-
> group.com>; James Bottomley <jejb@linux.ibm.com>; Mimi Zohar
> <zohar@linux.ibm.com>; David Howells <dhowells@redhat.com>; James Morris
> <jmorris@namei.org>; Eric Biggers <ebiggers@kernel.org>; Serge E. Hallyn
> <serge@hallyn.com>; Jan Luebbe <j.luebbe@pengutronix.de>; Richard
> Weinberger <richard@nod.at>; Franck Lenormand
> <franck.lenormand@nxp.com>; Sumit Garg <sumit.garg@linaro.org>; linux-
> integrity@vger.kernel.org; keyrings@vger.kernel.org; linux-
> crypto@vger.kernel.org; linux-kernel@vger.kernel.org; linux-security-
> module@vger.kernel.org
> Subject: [EXT] Re: [PATCH v5 4/5] crypto: caam - add in-kernel interface for blob
> generator
>
> Caution: EXT Email
>
> On 23.02.22 16:41, Jarkko Sakkinen wrote:
> > On Tue, Feb 22, 2022 at 08:58:18PM +0100, Ahmad Fatoum wrote:
> > > The NXP Cryptographic Acceleration and Assurance Module (CAAM) can be
> > > used to protect user-defined data across system reboot:
> > >
> > > - When the system is fused and boots into secure state, the master
> > > key is a unique never-disclosed device-specific key
> > > - random key is encrypted by key derived from master key
> > > - data is encrypted using the random key
> > > - encrypted data and its encrypted random key are stored alongside
> > > - This blob can now be safely stored in non-volatile memory
> > >
> > > On next power-on:
> > > - blob is loaded into CAAM
> > > - CAAM writes decrypted data either into memory or key register
> > >
> > > Add functions to realize encrypting and decrypting into memory
> > > alongside the CAAM driver.
> > >
> > > They will be used in a later commit as a source for the trusted key
> > > seal/unseal mechanism.
> > >
> > > Reviewed-by: David Gstir <david@sigma-star.at>
> > > Reviewed-by: Pankaj Gupta <pankaj.gupta@nxp.com>
> > > Tested-By: Tim Harvey <tharvey@gateworks.com>
> > > Tested-by: Matthias Schiffer <matthias.schiffer@ew.tq-group.com>
> > > Signed-off-by: Steffen Trumtrar <s.trumtrar@pengutronix.de>
> > > Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
> > > ---
> > > To: "Horia Geantã" <horia.geanta@nxp.com>
> > > To: Aymen Sghaier <aymen.sghaier@nxp.com>
> > > To: Herbert Xu <herbert@gondor.apana.org.au>
> > > To: "David S. Miller" <davem@davemloft.net>
> > > Cc: James Bottomley <jejb@linux.ibm.com>
> > > Cc: Jarkko Sakkinen <jarkko@kernel.org>
> > > Cc: Mimi Zohar <zohar@linux.ibm.com>
> > > Cc: David Howells <dhowells@redhat.com>
> > > Cc: James Morris <jmorris@namei.org>
> > > Cc: Eric Biggers <ebiggers@kernel.org>
> > > Cc: "Serge E. Hallyn" <serge@hallyn.com>
> > > Cc: Jan Luebbe <j.luebbe@pengutronix.de>
> > > Cc: David Gstir <david@sigma-star.at>
> > > Cc: Richard Weinberger <richard@nod.at>
> > > Cc: Franck LENORMAND <franck.lenormand@nxp.com>
> > > Cc: Sumit Garg <sumit.garg@linaro.org>
> > > Cc: Tim Harvey <tharvey@gateworks.com>
> > > Cc: Matthias Schiffer <matthias.schiffer@ew.tq-group.com>
> > > Cc: Pankaj Gupta <pankaj.gupta@nxp.com>
> > > Cc: linux-integrity@vger.kernel.org
> > > Cc: keyrings@vger.kernel.org
> > > Cc: linux-crypto@vger.kernel.org
> > > Cc: linux-kernel@vger.kernel.org
> > > Cc: linux-security-module@vger.kernel.org
> > > ---
> > > drivers/crypto/caam/Kconfig | 3 +
> > > drivers/crypto/caam/Makefile | 1 +
> > > drivers/crypto/caam/blob_gen.c | 230
> +++++++++++++++++++++++++++++++++
> > > include/soc/fsl/caam-blob.h | 56 ++++++++
> > > 4 files changed, 290 insertions(+)
> > > create mode 100644 drivers/crypto/caam/blob_gen.c create mode
> > > 100644 include/soc/fsl/caam-blob.h
> > >
> > > diff --git a/drivers/crypto/caam/Kconfig
> > > b/drivers/crypto/caam/Kconfig index 84ea7cba5ee5..ea9f8b1ae981 100644
> > > --- a/drivers/crypto/caam/Kconfig
> > > +++ b/drivers/crypto/caam/Kconfig
> > > @@ -151,6 +151,9 @@ config CRYPTO_DEV_FSL_CAAM_RNG_API
> > > Selecting this will register the SEC4 hardware rng to
> > > the hw_random API for supplying the kernel entropy pool.
> > >
> > > +config CRYPTO_DEV_FSL_CAAM_BLOB_GEN
> > > + bool
> > > +
> > > endif # CRYPTO_DEV_FSL_CAAM_JR
> > >
> > > endif # CRYPTO_DEV_FSL_CAAM
> > > diff --git a/drivers/crypto/caam/Makefile
> > > b/drivers/crypto/caam/Makefile index 3570286eb9ce..25f7ae5a4642
> > > 100644
> > > --- a/drivers/crypto/caam/Makefile
> > > +++ b/drivers/crypto/caam/Makefile
> > > @@ -21,6 +21,7 @@ caam_jr-
> $(CONFIG_CRYPTO_DEV_FSL_CAAM_CRYPTO_API_QI)
> > > += caamalg_qi.o
> > > caam_jr-$(CONFIG_CRYPTO_DEV_FSL_CAAM_AHASH_API) += caamhash.o
> > > caam_jr-$(CONFIG_CRYPTO_DEV_FSL_CAAM_RNG_API) += caamrng.o
> > > caam_jr-$(CONFIG_CRYPTO_DEV_FSL_CAAM_PKC_API) += caampkc.o
> > > pkc_desc.o
> > > +caam_jr-$(CONFIG_CRYPTO_DEV_FSL_CAAM_BLOB_GEN) += blob_gen.o
> > >
> > > caam-$(CONFIG_CRYPTO_DEV_FSL_CAAM_CRYPTO_API_QI) += qi.o ifneq
> > > ($(CONFIG_CRYPTO_DEV_FSL_CAAM_CRYPTO_API_QI),)
> > > diff --git a/drivers/crypto/caam/blob_gen.c
> > > b/drivers/crypto/caam/blob_gen.c new file mode 100644 index
> > > 000000000000..513d3f90e438
> > > --- /dev/null
> > > +++ b/drivers/crypto/caam/blob_gen.c
> > > @@ -0,0 +1,230 @@
> > > +// SPDX-License-Identifier: GPL-2.0-only
> > > +/*
> > > + * Copyright (C) 2015 Pengutronix, Steffen Trumtrar
> > > +<kernel@pengutronix.de>
> > > + * Copyright (C) 2021 Pengutronix, Ahmad Fatoum
> > > +<kernel@pengutronix.de> */
> > > +
> > > +#include <linux/device.h>
> > > +#include <soc/fsl/caam-blob.h>
> > > +
> > > +#include "compat.h"
> > > +#include "desc_constr.h"
> > > +#include "desc.h"
> > > +#include "error.h"
> > > +#include "intern.h"
> > > +#include "jr.h"
> > > +#include "regs.h"
> > > +
> > > +struct caam_blob_priv {
> > > + struct device jrdev;
> > > +};
> > > +
> > > +struct caam_blob_job_result {
> > > + int err;
> > > + struct completion completion;
> > > +};
> > > +
> > > +static void caam_blob_job_done(struct device *dev, u32 *desc, u32
> > > +err, void *context) {
> > > + struct caam_blob_job_result *res = context;
> > > + int ecode = 0;
> > > +
> > > + dev_dbg(dev, "%s %d: err 0x%x\n", __func__, __LINE__, err);
> > > +
> > > + if (err)
> > > + ecode = caam_jr_strstatus(dev, err);
> > > +
> > > + res->err = ecode;
> > > +
> > > + /*
> > > + * Upon completion, desc points to a buffer containing a CAAM job
> > > + * descriptor which encapsulates data into an externally-storable
> > > + * blob.
> > > + */
> > > + complete(&res->completion);
> > > +}
> > > +
> > > +static u32 *caam_blob_alloc_desc(size_t keymod_len) {
> > > + size_t len;
> > > +
> > > + /* header + (key mod immediate) + 2x pointers + op */
> > > + len = 4 + (4 + ALIGN(keymod_len, 4)) + 2*(4 + 4 +
> > > + CAAM_PTR_SZ_MAX) + 4;
> >
> > Nit: the amount of magic numbers is overwhelming here. I neither
> > understand the statement nor how that comment should help me to
> understand it.
>
> header = 4
> (key mod immediate) = (4 + ALIGN(keymod_len, 4))
> 2x pointer = 2 * (4 + 4 + CAAM_PTR_SZ_MAX)
> op = 4
Instead of the function caam_blob_alloc_desc(), it will be great if the caller \
functions caam_encap_blob()/caam_encap_blob (), could add local array: uint32_t \
desc[CAAM_DESC_BYTES_MAX];
>
> I haven't heard back from the CAAM maintainers yet since v1. Perhaps now is a
> good occasion to chime in? :-)
>
> @Jarkko, could you take a look at patch 5? That's the gist of the series and I
> have yet to get maintainer feedback on that one.
>
> Cheers,
> Ahmad
>
>
> >
> > BR, Jarkko
> >
>
>
> --
> Pengutronix e.K. | |
> Steuerwalder Str. 21 |
> https://eur01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.pen
> gutronix.de%2F&data=04%7C01%7Cpankaj.gupta%40nxp.com%7Cc97e9d4
> aaf304124407908d9f6e87101%7C686ea1d3bc2b4c6fa92cd99c5c301635%7C0%
> 7C0%7C637812300459173929%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wL
> jAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&s
> data=CvnfIXR68DPRCaYrOYQKSv2eSBSNSSJYx2BQJee4yLg%3D&reserved=0
> >
> 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 |
> Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic