[EXT] Re: [RFC PATCH HBK: 2/8] hw-bound-key: flag-is_hbk added to the tfm

Varun Sethi V.Sethi at nxp.com
Mon Sep 12 17:19:44 UTC 2022


Hi Herbert
Please find response inline.


Regards
Varun

> -----Original Message-----
> From: Herbert Xu <herbert at gondor.apana.org.au>
> Sent: Wednesday, September 7, 2022 3:40 PM
> To: Pankaj Gupta <pankaj.gupta at nxp.com>
> Cc: jarkko at kernel.org; a.fatoum at pengutronix.de; Jason at zx2c4.com;
> jejb at linux.ibm.com; zohar at linux.ibm.com; dhowells at redhat.com;
> sumit.garg at linaro.org; david at sigma-star.at; michael at walle.cc;
> john.ernberg at actia.se; jmorris at namei.org; serge at hallyn.com;
> davem at davemloft.net; j.luebbe at pengutronix.de; ebiggers at kernel.org;
> richard at nod.at; keyrings at vger.kernel.org; linux-crypto at vger.kernel.org; linux-
> integrity at vger.kernel.org; linux-kernel at vger.kernel.org; linux-security-
> module at vger.kernel.org; Sahil Malhotra <sahil.malhotra at nxp.com>; Kshitiz
> Varshney <kshitiz.varshney at nxp.com>; Horia Geanta <horia.geanta at nxp.com>;
> Varun Sethi <V.Sethi at nxp.com>
> Subject: Re: [EXT] Re: [RFC PATCH HBK: 2/8] hw-bound-key: flag-is_hbk added
> to the tfm
> 
> On Wed, Sep 07, 2022 at 09:58:45AM +0000, Pankaj Gupta wrote:
> >
> > There are 3rd party IP(s), which use the kernel for crypto-algorithm operations.
> > Modifying the algorithm name in these IP(s) is not always allowed or easy to
> > maintain.
> 
> So the objective is to support out-of-tree modules?
[Varun] No, the intention is not to use out-of-tree modules but to allow seamless use of crypto ciphers with keys backed by security co-processors (keys only visible to security co-processors), by Linux kernel and userspace components. Hardware backed keys are being introduced as a variant of existing Trusted keys, with the difference that these are not un-sealed and released in plain to the kernel memory. With the current patchset, the existing set of ciphers can be used along with the newly introduced hardware backed flag. The security co-processor driver is able to interpret the flag and subsequently program the hardware to interpret the supplied key as a hardware backed key.
> 
> There is no way I'm merging this then.
> 
> Thanks,
> --
> Email: Herbert Xu <herbert at gondor.apana.org.au>
> Home Page: http://gondor.apana.org.au/~herbert/
> PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt


