From: Richard Weinberger
To: Mimi Zohar, James Bottomley, Jarkko Sakkinen, Herbert Xu, David S. Miller, upstream@sigma-star.at, David Howells
Cc: Shawn Guo, Jonathan Corbet, Sascha Hauer, kernel@pengutronix.de, Fabio Estevam, NXP Linux Team, Ahmad Fatoum, sigma star Kernel Team, Li Yang, Paul Moore, James Morris, Serge E. Hallyn, Paul E. McKenney, Randy Dunlap, Catalin Marinas, Rafael J. Wysocki, Tejun Heo, Steven Rostedt (Google), linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org, linux-integrity@vger.kernel.org, keyrings@vger.kernel.org, linux-crypto@vger.kernel.org, linux-arm-kernel@lists.infradead.org, linuxppc-dev@lists.ozlabs.org, linux-security-module@vger.kernel.org, David Gstir
Subject: Re: [PATCH v5 0/6] DCP as trusted keys backend
Date: Sun, 25 Feb 2024 23:20:31 +0100
Message-ID: <1733761.uacIGzncQW@somecomputer>
In-Reply-To: <47439997.XUcTiDjVJD@somecomputer>
References: <20231215110639.45522-1-david@sigma-star.at>
 <7AED262F-9387-446D-B11A-C549C02542F9@sigma-star.at>
 <47439997.XUcTiDjVJD@somecomputer>

Mimi, James, Jarkko, David,

you remained silent for a whole release cycle.
Is there anything we can do to get this forward?

Thanks,
//richard

On Tuesday, 13 February 2024, 10:59:56 CET, Richard Weinberger wrote:
> On Monday, 5 February 2024, 09:39:07 CET, David Gstir wrote:
> > Hi,
> > 
> > > On 15.12.2023, at 12:06, David Gstir wrote:
> > > 
> > > This is a revival of the previous patch set submitted by Richard Weinberger:
> > > https://lore.kernel.org/linux-integrity/20210614201620.30451-1-richard@nod.at/
> > > 
> > > v4 is here:
> > > https://lore.kernel.org/keyrings/20231024162024.51260-1-david@sigma-star.at/
> > > 
> > > v4 -> v5:
> > > - Make Kconfig for trust source check scalable as suggested by Jarkko Sakkinen
> > > - Add Acked-By from Herbert Xu to patch #1 - thanks!
> > > v3 -> v4:
> > > - Split changes on MAINTAINERS and documentation into dedicated patches
> > > - Use more concise wording in commit messages as suggested by Jarkko Sakkinen
> > > v2 -> v3:
> > > - Addressed review comments from Jarkko Sakkinen
> > > v1 -> v2:
> > > - Revive and rebase to latest version
> > > - Include review comments from Ahmad Fatoum
> > > 
> > > The Data CoProcessor (DCP) is an IP core built into many NXP SoCs such
> > > as i.mx6ull.
> > > 
> > > Similar to the CAAM engine used in more powerful SoCs, DCP can AES-
> > > encrypt/decrypt user data using a unique, never-disclosed,
> > > device-specific key. Unlike CAAM though, it cannot directly wrap and
> > > unwrap blobs in hardware. As DCP offers only the bare minimum feature
> > > set, a blob mechanism needs aid from software. A blob in this case
> > > is a piece of sensitive data (e.g. a key) that is encrypted and
> > > authenticated using the device-specific key so that unwrapping can only
> > > be done on the hardware where the blob was wrapped.
> > > 
> > > This patch series adds a DCP-based trusted-key backend and is similar
> > > in spirit to the one by Ahmad Fatoum [0] that does the same for CAAM.
> > > It is of interest for similar use cases as the CAAM patch set, but for
> > > lower end devices, where CAAM is not available.
> > > 
> > > Because constructing and parsing the blob has to happen in software,
> > > we needed to decide on a blob format and chose the following:
> > > 
> > > struct dcp_blob_fmt {
> > > 	__u8 fmt_version;
> > > 	__u8 blob_key[AES_KEYSIZE_128];
> > > 	__u8 nonce[AES_KEYSIZE_128];
> > > 	__le32 payload_len;
> > > 	__u8 payload[];
> > > } __packed;
> > > 
> > > The `fmt_version` is currently 1.
> > > 
> > > The encrypted key is stored in the payload area. It is AES-128-GCM
> > > encrypted using `blob_key` and `nonce`; the GCM auth tag is attached at
> > > the end of the payload (`payload_len` does not include the size of
> > > the auth tag).
> > > 
> > > The `blob_key` itself is encrypted in AES-128-ECB mode by DCP using
> > > the OTP or UNIQUE device key. A new `blob_key` and `nonce` are generated
> > > randomly when sealing/exporting the DCP blob.
> > > 
> > > This patchset was tested with dm-crypt on an i.MX6ULL board.
> > > 
> > > [0] https://lore.kernel.org/keyrings/20220513145705.2080323-1-a.fatoum@pengutronix.de/
> > > 
> > > David Gstir (6):
> > >   crypto: mxs-dcp: Add support for hardware-bound keys
> > >   KEYS: trusted: improve scalability of trust source config
> > >   KEYS: trusted: Introduce NXP DCP-backed trusted keys
> > >   MAINTAINERS: add entry for DCP-based trusted keys
> > >   docs: document DCP-backed trusted keys kernel params
> > >   docs: trusted-encrypted: add DCP as new trust source
> > > 
> > >  .../admin-guide/kernel-parameters.txt     |  13 +
> > >  .../security/keys/trusted-encrypted.rst   |  85 +++++
> > >  MAINTAINERS                               |   9 +
> > >  drivers/crypto/mxs-dcp.c                  | 104 +++++-
> > >  include/keys/trusted_dcp.h                |  11 +
> > >  include/soc/fsl/dcp.h                     |  17 +
> > >  security/keys/trusted-keys/Kconfig        |  18 +-
> > >  security/keys/trusted-keys/Makefile       |   2 +
> > >  security/keys/trusted-keys/trusted_core.c |   6 +-
> > >  security/keys/trusted-keys/trusted_dcp.c  | 311 ++++++++++++++++++
> > >  10 files changed, 562 insertions(+), 14 deletions(-)
> > >  create mode 100644 include/keys/trusted_dcp.h
> > >  create mode 100644 include/soc/fsl/dcp.h
> > >  create mode 100644 security/keys/trusted-keys/trusted_dcp.c
> > 
> > Jarkko, Mimi, David, do you need anything from my side for these patches to get them merged?
> 
> Friendly ping also from my side. :-)
> 
> Thanks,
> //richard
> 
> -- 
> sigma star gmbh | Eduard-Bodem-Gasse 6, 6020 Innsbruck, AUT
> UID/VAT Nr: ATU 66964118 | FN: 374287y
> 

-- 
sigma star gmbh | Eduard-Bodem-Gasse 6, 6020 Innsbruck, AUT
UID/VAT Nr: ATU 66964118 | FN: 374287y
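Added example, not code from the DCP series or the kernel: a software-side parser for the dcp_blob_fmt layout quoted in the cover letter, with the bounds checks a consumer of such blobs wants before any key material is handled. It assumes a full 16-byte GCM tag, a 4096-byte payload cap chosen only as an example policy, and a constructed sample blob; the DCP AES-128-ECB unwrap of blob_key and the AES-128-GCM decryption of the payload are outside the snippet.

```c
/* Added example (not from the DCP patch set): validate the dcp_blob_fmt
 * layout before trusting any of its fields.  The header is __packed, so
 * offsets are computed by hand and payload_len is read as little-endian
 * byte by byte; the crypto steps themselves are not reproduced here. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define DCP_BLOB_FMT_VERSION 1    /* fmt_version is currently 1 */
#define AES_KEYSIZE_128      16
#define AES_GCM_TAG_SIZE     16   /* full-length GCM tag (assumed) */
/* __packed header: fmt_version(1) + blob_key(16) + nonce(16) + payload_len(4) */
#define DCP_BLOB_HDR_SIZE    (1 + AES_KEYSIZE_128 + AES_KEYSIZE_128 + 4)
#define DCP_BLOB_MAX_PAYLOAD 4096 /* example policy limit, not from the series */

enum dcp_blob_err {
	DCP_BLOB_OK = 0,
	DCP_BLOB_ETOOSHORT = -1, /* shorter than the fixed header */
	DCP_BLOB_EVERSION  = -2, /* unknown fmt_version */
	DCP_BLOB_ETOOLARGE = -3, /* payload_len above the policy limit */
	DCP_BLOB_ETRUNC    = -4, /* header + payload + tag do not fit */
	DCP_BLOB_ETRAILING = -5, /* unexpected bytes after the tag */
};

struct dcp_blob_view {
	const uint8_t *blob_key; /* 16 bytes, wrapped by the device key */
	const uint8_t *nonce;    /* 16 bytes, GCM nonce */
	const uint8_t *payload;  /* AES-128-GCM ciphertext */
	const uint8_t *tag;      /* 16-byte GCM auth tag after the payload */
	uint32_t payload_len;    /* ciphertext length, tag not included */
};

/* Read the __le32 field byte-wise: no host-endianness or alignment issue. */
static uint32_t dcp_le32_to_cpu(const uint8_t *p)
{
	return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
	       ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

enum dcp_blob_err dcp_blob_parse(const uint8_t *buf, size_t len,
				 struct dcp_blob_view *out)
{
	size_t need;

	if (len < DCP_BLOB_HDR_SIZE)
		return DCP_BLOB_ETOOSHORT;
	if (buf[0] != DCP_BLOB_FMT_VERSION)
		return DCP_BLOB_EVERSION;
	out->blob_key = buf + 1;
	out->nonce = out->blob_key + AES_KEYSIZE_128;
	out->payload_len = dcp_le32_to_cpu(out->nonce + AES_KEYSIZE_128);

	/* Bound payload_len before it enters any size arithmetic. */
	if (out->payload_len > DCP_BLOB_MAX_PAYLOAD)
		return DCP_BLOB_ETOOLARGE;
	need = DCP_BLOB_HDR_SIZE + (size_t)out->payload_len + AES_GCM_TAG_SIZE;
	if (len < need)
		return DCP_BLOB_ETRUNC;
	if (len > need)
		return DCP_BLOB_ETRAILING;

	out->payload = buf + DCP_BLOB_HDR_SIZE;
	out->tag = out->payload + out->payload_len;
	return DCP_BLOB_OK;
}

/* Constructed sample (not a real DCP blob): version 1, blob_key of 0x11 bytes,
 * nonce of 0x22 bytes, payload_len = 5 (LE), 5 ciphertext bytes, 16-byte tag. */
static const uint8_t sample_blob[] = {
	0x01,
	0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
	0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
	0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
	0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
	0x05, 0x00, 0x00, 0x00,
	0xde, 0xad, 0xbe, 0xef, 0x42,
	0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33,
	0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33,
};

/* Parse the sample with an overridden version byte and `drop` bytes cut off
 * the end; return the error code, or the last ciphertext byte on success. */
int dcp_sample_parse(uint8_t version, size_t drop)
{
	uint8_t buf[sizeof sample_blob];
	struct dcp_blob_view v;
	enum dcp_blob_err err;

	memcpy(buf, sample_blob, sizeof buf);
	buf[0] = version;
	err = dcp_blob_parse(buf, sizeof buf - drop, &v);
	if (err != DCP_BLOB_OK)
		return err;
	/* Consistency: the tag must start 16 bytes before the end of the buffer. */
	if (v.tag != buf + sizeof buf - AES_GCM_TAG_SIZE || v.payload_len != 5)
		return -99;
	return v.payload[v.payload_len - 1]; /* 0x42 for the sample */
}
```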