[PATCH 3/3] doc: trusted-encrypted: add DCP as new trust source
Richard Weinberger
richard at nod.at
Mon Jun 14 20:16:20 UTC 2021
From: David Gstir <david at sigma-star.at>
Update the documentation for trusted and encrypted KEYS with DCP as new
trust source:
- Describe security properties of DCP trust source
- Describe key usage
- Document blob format
Cc: Ahmad Fatoum <a.fatoum at pengutronix.de>
Cc: David Gstir <david at sigma-star.at>
Cc: David Howells <dhowells at redhat.com>
Cc: "David S. Miller" <davem at davemloft.net>
Cc: Fabio Estevam <festevam at gmail.com>
Cc: Herbert Xu <herbert at gondor.apana.org.au>
Cc: James Bottomley <jejb at linux.ibm.com>
Cc: James Morris <jmorris at namei.org>
Cc: Jarkko Sakkinen <jarkko at kernel.org>
Cc: Jonathan Corbet <corbet at lwn.net>
Cc: keyrings at vger.kernel.org
Cc: linux-arm-kernel at lists.infradead.org
Cc: linux-crypto at vger.kernel.org
Cc: linux-doc at vger.kernel.org
Cc: linux-integrity at vger.kernel.org
Cc: linux-kernel at vger.kernel.org
Cc: linux-security-module at vger.kernel.org
Cc: Mimi Zohar <zohar at linux.ibm.com>
Cc: NXP Linux Team <linux-imx at nxp.com>
Cc: Pengutronix Kernel Team <kernel at pengutronix.de>
Cc: Richard Weinberger <richard at nod.at>
Cc: Sascha Hauer <s.hauer at pengutronix.de>
Cc: "Serge E. Hallyn" <serge at hallyn.com>
Cc: Shawn Guo <shawnguo at kernel.org>
Co-developed-by: Richard Weinberger <richard at nod.at>
Signed-off-by: David Gstir <david at sigma-star.at>
---
.../security/keys/trusted-encrypted.rst | 84 ++++++++++++++++++-
1 file changed, 83 insertions(+), 1 deletion(-)
diff --git a/Documentation/security/keys/trusted-encrypted.rst b/Documentation/security/keys/trusted-encrypted.rst
index 80d5a5af62a1..e8413122e4bc 100644
--- a/Documentation/security/keys/trusted-encrypted.rst
+++ b/Documentation/security/keys/trusted-encrypted.rst
@@ -35,6 +35,11 @@ safe.
Rooted to Hardware Unique Key (HUK) which is generally burnt in on-chip
fuses and is accessible to TEE only.
+ (3) DCP (Data Co-Processor: crypto accelerator of various i.MX SoCs)
+
+ Rooted to a one-time programmable key (OTP) that is generally burnt in
+ the on-chip fuses and is accessbile to the DCP encryption engine only.
+
* Execution isolation
(1) TPM
@@ -46,6 +51,12 @@ safe.
Customizable set of operations running in isolated execution
environment verified via Secure/Trusted boot process.
+ (3) DCP
+
+ Fixed set of cryptographic operations running in isolated execution
+ environment. Only basic blob key encryption is executed there.
+ The actual key sealing/unsealing is done on main processor/kernel space.
+
* Optional binding to platform integrity state
(1) TPM
@@ -63,6 +74,11 @@ safe.
Relies on Secure/Trusted boot process for platform integrity. It can
be extended with TEE based measured boot process.
+ (3) DCP
+
+ Relies on Secure/Trusted boot process (called HAB by vendor) for
+ platform integrity.
+
* Interfaces and APIs
(1) TPM
@@ -74,10 +90,14 @@ safe.
TEEs have well-documented, standardized client interface and APIs. For
more details refer to ``Documentation/staging/tee.rst``.
+ (3) DCP
+
+ Vendor-specific API that is implemented as part of the DCP crypto driver in
+ ``drivers/crypto/mxs-dcp.c``.
* Threat model
- The strength and appropriateness of a particular TPM or TEE for a given
+ The strength and appropriateness of a particular TPM, TEE or DCP for a given
purpose must be assessed when using them to protect security-relevant data.
@@ -103,6 +123,14 @@ access control policy within the trust source.
from platform specific hardware RNG or a software based Fortuna CSPRNG
which can be seeded via multiple entropy sources.
+ * DCP (Data Co-Processor: crypto accelerator of various i.MX SoCs)
+
+ The DCP hardware device itself does not provide a dedicated RNG interface,
+ so the kernel default RNG is used. SoCs with DCP like the i.MX6ULL do have
+ a dedicated hardware RNG that is independent from DCP which can be enabled
+ to back the kernel RNG.
+
+
Encrypted Keys
--------------
@@ -188,6 +216,19 @@ Usage::
specific to TEE device implementation. The key length for new keys is always
in bytes. Trusted Keys can be 32 - 128 bytes (256 - 1024 bits).
+Trusted Keys usage: DCP
+-----------------------
+
+Usage::
+
+ keyctl add trusted name "new keylen" ring
+ keyctl add trusted name "load hex_blob" ring
+ keyctl print keyid
+
+"keyctl print" returns an ASCII hex copy of the sealed key, which is in format
+specific to this DCP key-blob implementation. The key length for new keys is
+always in bytes. Trusted Keys can be 32 - 128 bytes (256 - 1024 bits).
+
Encrypted Keys usage
--------------------
@@ -370,3 +411,44 @@ string length.
privkey is the binary representation of TPM2B_PUBLIC excluding the
initial TPM2B header which can be reconstructed from the ASN.1 octed
string length.
+
+DCP Blob Format
+---------------
+
+The Data Co-Processor (DCP) provides hardware-bound AES keys using its
+AES encryption engine only. It does not provide direct key sealing/unsealing.
+To make DCP hardware encryption keys usable as trust source, we define
+our own custom format that uses a hardware-bound key to secure the sealing
+key stored in the key blob.
+
+Whenever a new tusted key using DCP is generated, we generate a random 128-bit
+blob encryption key (BEK) and 128-bit nonce. The BEK and nonce are used to
+encrypt the trusted key payload using AES-128-GCM.
+
+The BEK itself is encrypted using the hardware-bound key using the DCP's AES
+encryption engine with AES-128-ECB. The encrypted BEK, generated nonce,
+BEK-encrypted payload and authentication tag make up the blob format together
+with a version number, payload length and authentication tag::
+
+ /*
+ * struct dcp_blob_fmt - DCP BLOB format.
+ *
+ * @fmt_version: Format version, currently being %1
+ * @blob_key: Random AES 128 key which is used to encrypt @payload,
+ * @blob_key itself is encrypted with OTP or UNIQUE device key in
+ * AES-128-ECB mode by DCP.
+ * @nonce: Random nonce used for @payload encryption.
+ * @payload_len: Length of the plain text @payload.
+ * @payload: The payload itself, encrypted using AES-128-GCM and @blob_key,
+ * GCM auth tag of size AES_BLOCK_SIZE is attached at the end of it.
+ *
+ * The total size of a DCP BLOB is sizeof(struct dcp_blob_fmt) + @payload_len +
+ * AES_BLOCK_SIZE.
+ */
+ struct dcp_blob_fmt {
+ __u8 fmt_version;
+ __u8 blob_key[AES_KEYSIZE_128];
+ __u8 nonce[AES_KEYSIZE_128];
+ __le32 payload_len;
+ __u8 payload[0];
+ } __packed;
--
2.26.2
More information about the Linux-security-module-archive
mailing list