[PATCH 1/3] crypto: mxs-dcp: Add support for hardware provided keys

Richard Weinberger richard.weinberger at gmail.com
Fri Jun 25 12:21:16 UTC 2021


Herbert,

On Mon, Jun 14, 2021 at 10:18 PM Richard Weinberger <richard at nod.at> wrote:
>
> DCP is capable to performing AES with hardware-bound keys.
> These keys are not stored in main memory and are therefore not directly
> accessible by the operating system.
>
> So instead of feeding the key into DCP, we need to place a
> reference to such a key before initiating the crypto operation.
> Keys are referenced by a one byte identifiers.
>
> DCP supports 6 different keys: 4 slots in the secure memory area,
> a one time programmable key which can be burnt via on-chip fuses
> and an unique device key.
>
> Using these keys is restricted to in-kernel users that use them as building
> block for other crypto tools such as trusted keys. Allowing userspace
> (e.g. via AF_ALG) to use these keys to crypt or decrypt data is a security
> risk, because there is no access control mechanism.
>
> Cc: Ahmad Fatoum <a.fatoum at pengutronix.de>
> Cc: David Gstir <david at sigma-star.at>
> Cc: David Howells <dhowells at redhat.com>
> Cc: "David S. Miller" <davem at davemloft.net>
> Cc: Fabio Estevam <festevam at gmail.com>
> Cc: Herbert Xu <herbert at gondor.apana.org.au>
> Cc: James Bottomley <jejb at linux.ibm.com>
> Cc: James Morris <jmorris at namei.org>
> Cc: Jarkko Sakkinen <jarkko at kernel.org>
> Cc: Jonathan Corbet <corbet at lwn.net>
> Cc: keyrings at vger.kernel.org
> Cc: linux-arm-kernel at lists.infradead.org
> Cc: linux-crypto at vger.kernel.org
> Cc: linux-doc at vger.kernel.org
> Cc: linux-integrity at vger.kernel.org
> Cc: linux-kernel at vger.kernel.org
> Cc: linux-security-module at vger.kernel.org
> Cc: Mimi Zohar <zohar at linux.ibm.com>
> Cc: NXP Linux Team <linux-imx at nxp.com>
> Cc: Pengutronix Kernel Team <kernel at pengutronix.de>
> Cc: Richard Weinberger <richard at nod.at>
> Cc: Sascha Hauer <s.hauer at pengutronix.de>
> Cc: "Serge E. Hallyn" <serge at hallyn.com>
> Cc: Shawn Guo <shawnguo at kernel.org>
> Co-developed-by: David Gstir <david at sigma-star.at>
> Signed-off-by: David Gstir <david at sigma-star.at>
> Signed-off-by: Richard Weinberger <richard at nod.at>
> ---
>  drivers/crypto/mxs-dcp.c | 110 ++++++++++++++++++++++++++++++++++-----
>  include/linux/mxs-dcp.h  |  19 +++++++
>  2 files changed, 117 insertions(+), 12 deletions(-)
>  create mode 100644 include/linux/mxs-dcp.h

This patch was judged as not applicable in your patchwork.
Is something missing? How can we proceed?

-- 
Thanks,
//richard



More information about the Linux-security-module-archive mailing list