[PATCH v4 4/5] crypto: caam - add in-kernel interface for blob generator
Jarkko Sakkinen
jarkko at kernel.org
Sun Dec 5 00:18:40 UTC 2021
On Mon, Oct 11, 2021 at 12:02:37PM +0200, Ahmad Fatoum wrote:
> The CAAM can be used to protect user-defined data across system reboot:
>
> - When the system is fused and boots into secure state, the master
> key is a unique never-disclosed device-specific key
> - random key is encrypted by key derived from master key
> - data is encrypted using the random key
> - encrypted data and its encrypted random key are stored alongside
> - This blob can now be safely stored in non-volatile memory
>
> On next power-on:
> - blob is loaded into CAAM
> - CAAM writes decrypted data either into memory or key register
>
> Add functions to realize encrypting and decrypting into memory alongside
> the CAAM driver.
>
> They will be used in a later commit as a source for the trusted key
> seal/unseal mechanism.
>
> Reviewed-by: David Gstir <david at sigma-star.at>
> Tested-By: Tim Harvey <tharvey at gateworks.com>
> Signed-off-by: Steffen Trumtrar <s.trumtrar at pengutronix.de>
> Signed-off-by: Ahmad Fatoum <a.fatoum at pengutronix.de>
What is CAAM? This is missing.
/Jarkko
More information about the Linux-security-module-archive
mailing list