[EXT] Re: [PATCH v0 3/8] crypto: hbk flags & info added to the tfm

Pankaj Gupta pankaj.gupta at nxp.com
Mon Oct 10 11:15:00 UTC 2022



> -----Original Message-----
> From: Herbert Xu <herbert at gondor.apana.org.au>
> Sent: Friday, October 7, 2022 12:28 PM
> To: Pankaj Gupta <pankaj.gupta at nxp.com>
> Cc: jarkko at kernel.org; a.fatoum at pengutronix.de; gilad at benyossef.com;
> Jason at zx2c4.com; jejb at linux.ibm.com; zohar at linux.ibm.com;
> dhowells at redhat.com; sumit.garg at linaro.org; david at sigma-star.at;
> michael at walle.cc; john.ernberg at actia.se; jmorris at namei.org;
> serge at hallyn.com; davem at davemloft.net; j.luebbe at pengutronix.de;
> ebiggers at kernel.org; richard at nod.at; keyrings at vger.kernel.org; linux-
> crypto at vger.kernel.org; linux-integrity at vger.kernel.org; linux-
> kernel at vger.kernel.org; linux-security-module at vger.kernel.org; Sahil Malhotra
> <sahil.malhotra at nxp.com>; Kshitiz Varshney <kshitiz.varshney at nxp.com>;
> Horia Geanta <horia.geanta at nxp.com>; Varun Sethi <V.Sethi at nxp.com>
> Subject: [EXT] Re: [PATCH v0 3/8] crypto: hbk flags & info added to the tfm
> 
> Caution: EXT Email
> 
> On Thu, Oct 06, 2022 at 06:38:32PM +0530, Pankaj Gupta wrote:
> > Consumer of the kernel crypto api, after allocating the transformation
> > (tfm), sets the:
> > - flag 'is_hbk'
> > - structure 'struct hw_bound_key_info hbk_info'
> > based on the type of key, the consumer is using.
> >
> > This helps:
> >
> > - This helps to influence the core processing logic
> >   for the encapsulated algorithm.
> > - This flag is set by the consumer after allocating
> >   the tfm and before calling the function crypto_xxx_setkey().
> >
> > Signed-off-by: Pankaj Gupta <pankaj.gupta at nxp.com>
> > ---
> >  include/linux/crypto.h | 5 +++++
> >  1 file changed, 5 insertions(+)
> 
> Nack.  You still have not provided a convincing argument why this is necessary
> since there are plenty of existing drivers in the kernel already providing similar
> features.
> 
CAAM is used as a trusted source for trusted keyring. CAAM can expose these keys either as plain key or HBK(hardware bound key- managed by the hardware only and never visible in plain outside of hardware).

Thus, Keys that are inside CAAM-backed-trusted-keyring, can either be plain key or HBK. So the trusted-key-payload requires additional flag & info(key-encryption-protocol)  to help differentiate it from each other. Now when CAAM trusted-key is presented to the kernel crypto framework, the additional information associated with the key, needs to be passed to the hardware driver. Currently the kernel keyring and kernel crypto frameworks are associated for plain key, but completely dis-associated for HBK. This patch addresses this problem.

Similar capabilities (trusted source), are there in other crypto accelerators on NXP SoC(s). Having hardware specific crypto algorithm name, does not seems to be a scalable solution.

> Cheers,
> --
> Email: Herbert Xu <herbert at gondor.apana.org.au> Home Page:
> https://eur01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fgondor.ap
> ana.org.au%2F~herbert%2F&data=05%7C01%7Cpankaj.gupta%40nxp.com
> %7C33055110772a4d4bb97508daa8317e93%7C686ea1d3bc2b4c6fa92cd99c5c3
> 01635%7C0%7C0%7C638007227793511347%7CUnknown%7CTWFpbGZsb3d8ey
> JWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C
> 3000%7C%7C%7C&sdata=H0fzzxQhsV%2FyPphBAHBDmzQfTFnjDE7jYstTM
> ok%2F09I%3D&reserved=0
> PGP Key:
> https://eur01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fgondor.ap
> ana.org.au%2F~herbert%2Fpubkey.txt&data=05%7C01%7Cpankaj.gupta%4
> 0nxp.com%7C33055110772a4d4bb97508daa8317e93%7C686ea1d3bc2b4c6fa9
> 2cd99c5c301635%7C0%7C0%7C638007227793667554%7CUnknown%7CTWFpb
> GZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6M
> n0%3D%7C3000%7C%7C%7C&sdata=SclJ9G7jBWhOW%2Fm3Gt0jP1oicqVp
> 5ghH%2BDT8Vd5maag%3D&reserved=0



More information about the Linux-security-module-archive mailing list