[PATCH v4 4/5] crypto: caam - add in-kernel interface for blob generator
Ahmad Fatoum
a.fatoum at pengutronix.de
Mon Dec 13 10:34:39 UTC 2021
Hello Jarkko,
On 05.12.21 01:18, Jarkko Sakkinen wrote:
> On Mon, Oct 11, 2021 at 12:02:37PM +0200, Ahmad Fatoum wrote:
>> The CAAM can be used to protect user-defined data across system reboot:
>>
>> - When the system is fused and boots into secure state, the master
>> key is a unique never-disclosed device-specific key
>> - random key is encrypted by key derived from master key
>> - data is encrypted using the random key
>> - encrypted data and its encrypted random key are stored alongside
>> - This blob can now be safely stored in non-volatile memory
>>
>> On next power-on:
>> - blob is loaded into CAAM
>> - CAAM writes decrypted data either into memory or key register
>>
>> Add functions to realize encrypting and decrypting into memory alongside
>> the CAAM driver.
>>
>> They will be used in a later commit as a source for the trusted key
>> seal/unseal mechanism.
>>
>> Reviewed-by: David Gstir <david at sigma-star.at>
>> Tested-By: Tim Harvey <tharvey at gateworks.com>
>> Signed-off-by: Steffen Trumtrar <s.trumtrar at pengutronix.de>
>> Signed-off-by: Ahmad Fatoum <a.fatoum at pengutronix.de>
>
> What is CAAM? This is missing.
That's Crypto Accelerator on NXP SoCs. There is a description in the cover
letter and in the follow-up patch wiring this into the new trusted key
source. I didn't elaborate on this here as this patch touches
drivers/crypto/caam and I assumed familiarity.
For v5, I can add some extra info:
"The NXP Cryptographic Acceleration and Assurance Module (CAAM)
can be used to protect user-defined data across system reboot..."
Sounds good? Does the last patch in the series look ok to you?
Cheers,
Ahmad
>
> /Jarkko
>
--
Pengutronix e.K. | |
Steuerwalder Str. 21 | http://www.pengutronix.de/ |
31137 Hildesheim, Germany | Phone: +49-5121-206917-0 |
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
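The blob scheme quoted in the commit message (random key wrapped under a master-key-derived key, data encrypted under the random key, both stored together, and the reverse on power-on) is ordinary envelope encryption. The following Go program is an added illustration of that structure, not code from this patch series, the CAAM driver, or NXP, and it is written in Go rather than the driver's C purely so it runs on a host. The function names `BlobEncap`/`BlobDecap`, the HMAC-SHA256 key derivation, AES-GCM as the cipher, the `label` argument for domain separation, and the hard-coded `demoMasterKey` are all assumptions of this example; the real CAAM keeps its master key inside the module and uses its own blob format, which this code does not reproduce. What the example does show is the property the commit message relies on: a blob is only useful to a holder of the same master key, and any other key, label or tampered byte fails authentication rather than decrypting to garbage.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Constructed stand-in for the device-unique, never-disclosed master key.
// On real hardware this value only exists inside the module once the SoC is
// fused and booted into secure state; it is hard-coded here so the demo runs.
var demoMasterKey = sha256.Sum256([]byte("constructed demo master key, not a real one"))

const (
	randomKeyLen  = 32                                     // AES-256 key protecting the payload
	gcmNonceLen   = 12                                     // cipher.NewGCM nonce size
	gcmTagLen     = 16                                     // cipher.NewGCM overhead
	wrappedKeyLen = gcmNonceLen + randomKeyLen + gcmTagLen // 60 bytes at the front of every blob
)

// deriveKEK derives the key-encryption key from the master key and a label,
// so the master key itself never touches data. HMAC-SHA256 is an assumption
// of this example, not the CAAM's derivation.
func deriveKEK(master []byte, label string) []byte {
	mac := hmac.New(sha256.New, master)
	mac.Write([]byte(label))
	return mac.Sum(nil)
}

// gcmSeal returns nonce || AES-GCM ciphertext || tag under key.
func gcmSeal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// gcmOpen reverses gcmSeal and fails if the key, aad or bytes do not match.
func gcmOpen(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(sealed) < ns+aead.Overhead() {
		return nil, errors.New("sealed buffer too short")
	}
	return aead.Open(nil, sealed[:ns], sealed[ns:], aad)
}

// BlobEncap follows the steps of the commit message: draw a random key, wrap
// it under the master-key-derived KEK, encrypt the data under the random key,
// and store the wrapped key alongside the ciphertext. The result is safe to
// keep in non-volatile memory.
func BlobEncap(master, data []byte, label string) ([]byte, error) {
	randomKey := make([]byte, randomKeyLen)
	if _, err := rand.Read(randomKey); err != nil {
		return nil, err
	}
	wrapped, err := gcmSeal(deriveKEK(master, label), randomKey, []byte(label))
	if err != nil {
		return nil, err
	}
	ct, err := gcmSeal(randomKey, data, []byte(label))
	if err != nil {
		return nil, err
	}
	return append(wrapped, ct...), nil
}

// BlobDecap is the power-on path: unwrap the random key, then decrypt the
// payload. A different master key (another device, or a boot state with a
// different key) fails authentication and returns nothing.
func BlobDecap(master, blob []byte, label string) ([]byte, error) {
	if len(blob) < wrappedKeyLen {
		return nil, errors.New("blob too short")
	}
	randomKey, err := gcmOpen(deriveKEK(master, label), blob[:wrappedKeyLen], []byte(label))
	if err != nil {
		return nil, fmt.Errorf("unwrap random key: %w", err)
	}
	return gcmOpen(randomKey, blob[wrappedKeyLen:], []byte(label))
}

func main() {
	secret := []byte("constructed key material that must survive reboot")
	blob, err := BlobEncap(demoMasterKey[:], secret, "trusted-key")
	if err != nil {
		panic(err)
	}
	back, err := BlobDecap(demoMasterKey[:], blob, "trusted-key")
	fmt.Println("same device decaps:", err == nil && bytes.Equal(back, secret))
	other := sha256.Sum256([]byte("a different device's master key"))
	_, err = BlobDecap(other[:], blob, "trusted-key")
	fmt.Println("other device rejected:", err != nil)
}
```

The two-layer layout is what lets the trusted key source in the later patch treat the blob as opaque: the payload's key never appears in the clear in storage, and the only secret that must persist across reboots is the one the hardware already holds.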