From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 1675714A4E0; Wed, 3 Apr 2024 15:47:59 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1712159280; cv=none; b=SdBt3zm/tClmgCO0cnZZD3Nr7ZG9R8orDWvDw1P24X5ajibDQhi7qmgu6t5CK8lR5Ava9x2qXr0QXwsX36cDkVKyiHC1aPCYPKHYkGEkynPTvenP31iPAr01WzPgxccxlOH53lM8gb82f6jcP0CwKwasF+Xyw/NzZTJ9uGAsdto= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1712159280; c=relaxed/simple; bh=rrCR4x657hJj+9Z7FfIwTOL0bKqYr1iVATWuKVnBvdc=; h=Mime-Version:Content-Type:Date:Message-Id:From:To:Cc:Subject: References:In-Reply-To; b=IfaYXXHYKBzEF6hzXXR0y75ac5wwXSIeqeBlBf/82IoNYEa8tnAHz4cD+Ckpz9spJLRhlVwqBaFS//MXMIJiodhTaCYkokEofnOdphDXd/Uut2B7WfuGaETPlyXJs+xCyIeGEkun3MkLVROOSsJLxOUvZ7CpLhJbAS2ISxWIU/Y= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=dYo0Q27d; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="dYo0Q27d" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 13591C433C7; Wed, 3 Apr 2024 15:47:52 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1712159279; bh=rrCR4x657hJj+9Z7FfIwTOL0bKqYr1iVATWuKVnBvdc=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=dYo0Q27dSQQ3Ch8t1bv/4TDEGdVvlFtZiK/Zz2pAtDrV2dGg+D+XOJblloji6lf8f AT/1G9mjWsRaJTEV3z+NlLz40f+kBk5nFmcrUtgEA41qda5WwW4i8s4RLr/MzdF5zi YoTjxsD9V0zKYX4yL4N07X1LoysvapSXkS7G6OsnvSJFKJeNikI8cMxk3axKsNBB+y P6Adfksr8JnIG1LemgmEFRN0C6BpU/ZKYmBXXWJOohD4naX0Imdw+22KIlCXUWOohl YL80cR6IKID87Ymp816wKnW4iT/VyBYwP0nq6oFeuIpysRTK4u+RGJb+IBGt3Xt9x0 vxIbwg0cDWVFw== Precedence: bulk X-Mailing-List: keyrings@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Mime-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=UTF-8 Date: Wed, 03 Apr 2024 18:47:51 +0300 Message-Id: From: "Jarkko Sakkinen" To: "David Gstir" , "Mimi Zohar" , "James Bottomley" , "Herbert Xu" , "David S. Miller" Cc: "Shawn Guo" , "Jonathan Corbet" , "Sascha Hauer" , "Pengutronix Kernel Team" , "Fabio Estevam" , "NXP Linux Team" , "Ahmad Fatoum" , "sigma star Kernel Team" , "David Howells" , "Li Yang" , "Paul Moore" , "James Morris" , "Serge E. Hallyn" , "Paul E. McKenney" , "Randy Dunlap" , "Catalin Marinas" , "Rafael J. Wysocki" , "Tejun Heo" , "Steven Rostedt (Google)" , , , , , , , , , "Richard Weinberger" , "David Oberhollenzer" Subject: Re: [PATCH v8 6/6] docs: trusted-encrypted: add DCP as new trust source X-Mailer: aerc 0.17.0 References: <20240403072131.54935-1-david@sigma-star.at> <20240403072131.54935-7-david@sigma-star.at> In-Reply-To: <20240403072131.54935-7-david@sigma-star.at> On Wed Apr 3, 2024 at 10:21 AM EEST, David Gstir wrote: > Update the documentation for trusted and encrypted KEYS with DCP as new > trust source: > > - Describe security properties of DCP trust source > - Describe key usage > - Document blob format > > Co-developed-by: Richard Weinberger > Signed-off-by: Richard Weinberger > Co-developed-by: David Oberhollenzer > Signed-off-by: David Oberhollenzer > Signed-off-by: David Gstir > --- > .../security/keys/trusted-encrypted.rst | 53 +++++++++++++++++++ > security/keys/trusted-keys/trusted_dcp.c | 19 +++++++ > 2 files changed, 72 insertions(+) > > diff --git a/Documentation/security/keys/trusted-encrypted.rst b/Document= ation/security/keys/trusted-encrypted.rst > index e989b9802f92..f4d7e162d5e4 100644 > --- a/Documentation/security/keys/trusted-encrypted.rst > +++ b/Documentation/security/keys/trusted-encrypted.rst > @@ -42,6 +42,14 @@ safe. > randomly generated and fused into each SoC at manufacturing tim= e. > Otherwise, a common fixed test key is used instead. > =20 > + (4) DCP (Data Co-Processor: crypto accelerator of various i.MX SoCs= ) > + > + Rooted to a one-time programmable key (OTP) that is generally b= urnt > + in the on-chip fuses and is accessible to the DCP encryption en= gine only. > + DCP provides two keys that can be used as root of trust: the OT= P key > + and the UNIQUE key. Default is to use the UNIQUE key, but selec= ting > + the OTP key can be done via a module parameter (dcp_use_otp_key= ). > + > * Execution isolation > =20 > (1) TPM > @@ -57,6 +65,12 @@ safe. > =20 > Fixed set of operations running in isolated execution environme= nt. > =20 > + (4) DCP > + > + Fixed set of cryptographic operations running in isolated execu= tion > + environment. Only basic blob key encryption is executed there. > + The actual key sealing/unsealing is done on main processor/kern= el space. > + > * Optional binding to platform integrity state > =20 > (1) TPM > @@ -79,6 +93,11 @@ safe. > Relies on the High Assurance Boot (HAB) mechanism of NXP SoCs > for platform integrity. > =20 > + (4) DCP > + > + Relies on Secure/Trusted boot process (called HAB by vendor) fo= r > + platform integrity. > + > * Interfaces and APIs > =20 > (1) TPM > @@ -94,6 +113,11 @@ safe. > =20 > Interface is specific to silicon vendor. > =20 > + (4) DCP > + > + Vendor-specific API that is implemented as part of the DCP cryp= to driver in > + ``drivers/crypto/mxs-dcp.c``. > + > * Threat model > =20 > The strength and appropriateness of a particular trust source for a= given > @@ -129,6 +153,13 @@ selected trust source: > CAAM HWRNG, enable CRYPTO_DEV_FSL_CAAM_RNG_API and ensure the devic= e > is probed. > =20 > + * DCP (Data Co-Processor: crypto accelerator of various i.MX SoCs) > + > + The DCP hardware device itself does not provide a dedicated RNG int= erface, > + so the kernel default RNG is used. SoCs with DCP like the i.MX6ULL = do have > + a dedicated hardware RNG that is independent from DCP which can be = enabled > + to back the kernel RNG. > + > Users may override this by specifying ``trusted.rng=3Dkernel`` on the ke= rnel > command-line to override the used RNG with the kernel's random number po= ol. > =20 > @@ -231,6 +262,19 @@ Usage:: > CAAM-specific format. The key length for new keys is always in bytes. > Trusted Keys can be 32 - 128 bytes (256 - 1024 bits). > =20 > +Trusted Keys usage: DCP > +----------------------- > + > +Usage:: > + > + keyctl add trusted name "new keylen" ring > + keyctl add trusted name "load hex_blob" ring > + keyctl print keyid > + > +"keyctl print" returns an ASCII hex copy of the sealed key, which is in = format > +specific to this DCP key-blob implementation. The key length for new ke= ys is > +always in bytes. Trusted Keys can be 32 - 128 bytes (256 - 1024 bits). > + > Encrypted Keys usage > -------------------- > =20 > @@ -426,3 +470,12 @@ string length. > privkey is the binary representation of TPM2B_PUBLIC excluding the > initial TPM2B header which can be reconstructed from the ASN.1 octed > string length. > + > +DCP Blob Format > +--------------- > + > +.. kernel-doc:: security/keys/trusted-keys/trusted_dcp.c > + :doc: dcp blob format > + > +.. kernel-doc:: security/keys/trusted-keys/trusted_dcp.c > + :identifiers: struct dcp_blob_fmt > diff --git a/security/keys/trusted-keys/trusted_dcp.c b/security/keys/tru= sted-keys/trusted_dcp.c > index 16c44aafeab3..b5f81a05be36 100644 > --- a/security/keys/trusted-keys/trusted_dcp.c > +++ b/security/keys/trusted-keys/trusted_dcp.c > @@ -19,6 +19,25 @@ > #define DCP_BLOB_VERSION 1 > #define DCP_BLOB_AUTHLEN 16 > =20 > +/** > + * DOC: dcp blob format > + * > + * The Data Co-Processor (DCP) provides hardware-bound AES keys using it= s > + * AES encryption engine only. It does not provide direct key sealing/un= sealing. > + * To make DCP hardware encryption keys usable as trust source, we defin= e > + * our own custom format that uses a hardware-bound key to secure the se= aling > + * key stored in the key blob. > + * > + * Whenever a new trusted key using DCP is generated, we generate a rand= om 128-bit > + * blob encryption key (BEK) and 128-bit nonce. The BEK and nonce are us= ed to > + * encrypt the trusted key payload using AES-128-GCM. > + * > + * The BEK itself is encrypted using the hardware-bound key using the DC= P's AES > + * encryption engine with AES-128-ECB. The encrypted BEK, generated nonc= e, > + * BEK-encrypted payload and authentication tag make up the blob format = together > + * with a version number, payload length and authentication tag. > + */ > + > /** > * struct dcp_blob_fmt - DCP BLOB format. > * Reviewed-by: Jarkko Sakkinen I can only test that this does not break a machine without the hardware feature. Is there anyone who could possibly peer test these patches? BR, Jarkko From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from lists.ozlabs.org (lists.ozlabs.org [112.213.38.117]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id C5E96CD1288 for ; Wed, 3 Apr 2024 15:48:46 +0000 (UTC) Authentication-Results: lists.ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=kernel.org header.i=@kernel.org header.a=rsa-sha256 header.s=k20201202 header.b=dYo0Q27d; dkim-atps=neutral Received: from boromir.ozlabs.org (localhost [IPv6:::1]) by lists.ozlabs.org (Postfix) with ESMTP id 4V8q0s2J9Gz3vYM for ; Thu, 4 Apr 2024 02:48:45 +1100 (AEDT) Authentication-Results: lists.ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=kernel.org header.i=@kernel.org header.a=rsa-sha256 header.s=k20201202 header.b=dYo0Q27d; dkim-atps=neutral Authentication-Results: lists.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=kernel.org (client-ip=2604:1380:40e1:4800::1; helo=sin.source.kernel.org; envelope-from=jarkko@kernel.org; receiver=lists.ozlabs.org) Received: from sin.source.kernel.org (sin.source.kernel.org [IPv6:2604:1380:40e1:4800::1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by lists.ozlabs.org (Postfix) with ESMTPS id 4V8q042H1Yz3bsd for ; Thu, 4 Apr 2024 02:48:04 +1100 (AEDT) Received: from smtp.kernel.org (transwarp.subspace.kernel.org [100.75.92.58]) by sin.source.kernel.org (Postfix) with ESMTP id 6DB3ACE2B77; Wed, 3 Apr 2024 15:48:00 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 13591C433C7; Wed, 3 Apr 2024 15:47:52 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1712159279; bh=rrCR4x657hJj+9Z7FfIwTOL0bKqYr1iVATWuKVnBvdc=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=dYo0Q27dSQQ3Ch8t1bv/4TDEGdVvlFtZiK/Zz2pAtDrV2dGg+D+XOJblloji6lf8f AT/1G9mjWsRaJTEV3z+NlLz40f+kBk5nFmcrUtgEA41qda5WwW4i8s4RLr/MzdF5zi YoTjxsD9V0zKYX4yL4N07X1LoysvapSXkS7G6OsnvSJFKJeNikI8cMxk3axKsNBB+y P6Adfksr8JnIG1LemgmEFRN0C6BpU/ZKYmBXXWJOohD4naX0Imdw+22KIlCXUWOohl YL80cR6IKID87Ymp816wKnW4iT/VyBYwP0nq6oFeuIpysRTK4u+RGJb+IBGt3Xt9x0 vxIbwg0cDWVFw== Mime-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=UTF-8 Date: Wed, 03 Apr 2024 18:47:51 +0300 Message-Id: From: "Jarkko Sakkinen" To: "David Gstir" , "Mimi Zohar" , "James Bottomley" , "Herbert Xu" , "David S. Miller" Subject: Re: [PATCH v8 6/6] docs: trusted-encrypted: add DCP as new trust source X-Mailer: aerc 0.17.0 References: <20240403072131.54935-1-david@sigma-star.at> <20240403072131.54935-7-david@sigma-star.at> In-Reply-To: <20240403072131.54935-7-david@sigma-star.at> X-BeenThere: linuxppc-dev@lists.ozlabs.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Linux on PowerPC Developers Mail List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: linux-doc@vger.kernel.org, Catalin Marinas , David Howells , keyrings@vger.kernel.org, Fabio Estevam , Ahmad Fatoum , Paul Moore , Jonathan Corbet , Richard Weinberger , "Rafael J. Wysocki" , James Morris , NXP Linux Team , "Serge E. Hallyn" , "Paul E. McKenney" , Sascha Hauer , sigma star Kernel Team , "Steven Rostedt \(Google\)" , David Oberhollenzer , linux-arm-kernel@lists.infradead.org, linuxppc-dev@lists.ozlabs.org, Randy Dunlap , linux-kernel@vger.kernel.org, Li Yang , linux-security-module@vger.kernel.org, linux-crypto@vger.kernel.org, Pengutronix Kernel Team , Tejun Heo , linux-integrity@vger.kernel.org, Shawn Guo Errors-To: linuxppc-dev-bounces+linuxppc-dev=archiver.kernel.org@lists.ozlabs.org Sender: "Linuxppc-dev" On Wed Apr 3, 2024 at 10:21 AM EEST, David Gstir wrote: > Update the documentation for trusted and encrypted KEYS with DCP as new > trust source: > > - Describe security properties of DCP trust source > - Describe key usage > - Document blob format > > Co-developed-by: Richard Weinberger > Signed-off-by: Richard Weinberger > Co-developed-by: David Oberhollenzer > Signed-off-by: David Oberhollenzer > Signed-off-by: David Gstir > --- > .../security/keys/trusted-encrypted.rst | 53 +++++++++++++++++++ > security/keys/trusted-keys/trusted_dcp.c | 19 +++++++ > 2 files changed, 72 insertions(+) > > diff --git a/Documentation/security/keys/trusted-encrypted.rst b/Document= ation/security/keys/trusted-encrypted.rst > index e989b9802f92..f4d7e162d5e4 100644 > --- a/Documentation/security/keys/trusted-encrypted.rst > +++ b/Documentation/security/keys/trusted-encrypted.rst > @@ -42,6 +42,14 @@ safe. > randomly generated and fused into each SoC at manufacturing tim= e. > Otherwise, a common fixed test key is used instead. > =20 > + (4) DCP (Data Co-Processor: crypto accelerator of various i.MX SoCs= ) > + > + Rooted to a one-time programmable key (OTP) that is generally b= urnt > + in the on-chip fuses and is accessible to the DCP encryption en= gine only. > + DCP provides two keys that can be used as root of trust: the OT= P key > + and the UNIQUE key. Default is to use the UNIQUE key, but selec= ting > + the OTP key can be done via a module parameter (dcp_use_otp_key= ). > + > * Execution isolation > =20 > (1) TPM > @@ -57,6 +65,12 @@ safe. > =20 > Fixed set of operations running in isolated execution environme= nt. > =20 > + (4) DCP > + > + Fixed set of cryptographic operations running in isolated execu= tion > + environment. Only basic blob key encryption is executed there. > + The actual key sealing/unsealing is done on main processor/kern= el space. > + > * Optional binding to platform integrity state > =20 > (1) TPM > @@ -79,6 +93,11 @@ safe. > Relies on the High Assurance Boot (HAB) mechanism of NXP SoCs > for platform integrity. > =20 > + (4) DCP > + > + Relies on Secure/Trusted boot process (called HAB by vendor) fo= r > + platform integrity. > + > * Interfaces and APIs > =20 > (1) TPM > @@ -94,6 +113,11 @@ safe. > =20 > Interface is specific to silicon vendor. > =20 > + (4) DCP > + > + Vendor-specific API that is implemented as part of the DCP cryp= to driver in > + ``drivers/crypto/mxs-dcp.c``. > + > * Threat model > =20 > The strength and appropriateness of a particular trust source for a= given > @@ -129,6 +153,13 @@ selected trust source: > CAAM HWRNG, enable CRYPTO_DEV_FSL_CAAM_RNG_API and ensure the devic= e > is probed. > =20 > + * DCP (Data Co-Processor: crypto accelerator of various i.MX SoCs) > + > + The DCP hardware device itself does not provide a dedicated RNG int= erface, > + so the kernel default RNG is used. SoCs with DCP like the i.MX6ULL = do have > + a dedicated hardware RNG that is independent from DCP which can be = enabled > + to back the kernel RNG. > + > Users may override this by specifying ``trusted.rng=3Dkernel`` on the ke= rnel > command-line to override the used RNG with the kernel's random number po= ol. > =20 > @@ -231,6 +262,19 @@ Usage:: > CAAM-specific format. The key length for new keys is always in bytes. > Trusted Keys can be 32 - 128 bytes (256 - 1024 bits). > =20 > +Trusted Keys usage: DCP > +----------------------- > + > +Usage:: > + > + keyctl add trusted name "new keylen" ring > + keyctl add trusted name "load hex_blob" ring > + keyctl print keyid > + > +"keyctl print" returns an ASCII hex copy of the sealed key, which is in = format > +specific to this DCP key-blob implementation. The key length for new ke= ys is > +always in bytes. Trusted Keys can be 32 - 128 bytes (256 - 1024 bits). > + > Encrypted Keys usage > -------------------- > =20 > @@ -426,3 +470,12 @@ string length. > privkey is the binary representation of TPM2B_PUBLIC excluding the > initial TPM2B header which can be reconstructed from the ASN.1 octed > string length. > + > +DCP Blob Format > +--------------- > + > +.. kernel-doc:: security/keys/trusted-keys/trusted_dcp.c > + :doc: dcp blob format > + > +.. kernel-doc:: security/keys/trusted-keys/trusted_dcp.c > + :identifiers: struct dcp_blob_fmt > diff --git a/security/keys/trusted-keys/trusted_dcp.c b/security/keys/tru= sted-keys/trusted_dcp.c > index 16c44aafeab3..b5f81a05be36 100644 > --- a/security/keys/trusted-keys/trusted_dcp.c > +++ b/security/keys/trusted-keys/trusted_dcp.c > @@ -19,6 +19,25 @@ > #define DCP_BLOB_VERSION 1 > #define DCP_BLOB_AUTHLEN 16 > =20 > +/** > + * DOC: dcp blob format > + * > + * The Data Co-Processor (DCP) provides hardware-bound AES keys using it= s > + * AES encryption engine only. It does not provide direct key sealing/un= sealing. > + * To make DCP hardware encryption keys usable as trust source, we defin= e > + * our own custom format that uses a hardware-bound key to secure the se= aling > + * key stored in the key blob. > + * > + * Whenever a new trusted key using DCP is generated, we generate a rand= om 128-bit > + * blob encryption key (BEK) and 128-bit nonce. The BEK and nonce are us= ed to > + * encrypt the trusted key payload using AES-128-GCM. > + * > + * The BEK itself is encrypted using the hardware-bound key using the DC= P's AES > + * encryption engine with AES-128-ECB. The encrypted BEK, generated nonc= e, > + * BEK-encrypted payload and authentication tag make up the blob format = together > + * with a version number, payload length and authentication tag. > + */ > + > /** > * struct dcp_blob_fmt - DCP BLOB format. > * Reviewed-by: Jarkko Sakkinen I can only test that this does not break a machine without the hardware feature. Is there anyone who could possibly peer test these patches? BR, Jarkko From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id E59ECCD128A for ; Wed, 3 Apr 2024 15:48:17 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20210309; h=Sender: Content-Transfer-Encoding:Content-Type:List-Subscribe:List-Help:List-Post: List-Archive:List-Unsubscribe:List-Id:In-Reply-To:References:Subject:Cc:To: From:Message-Id:Date:Mime-Version:Reply-To:Content-ID:Content-Description: Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID: List-Owner; bh=ILnQ//FEhRwm+HxxPmhz3LDCTXgcjFlwpDZmr7nIVbQ=; b=Laxz0rd5/Dm5G/ mZoKHeV8Y6GedKCch3yeUcn40gT1y4QgU2jT/4T5sgRPPKe594D7dWl1en7eu6xp4NWkRx1pMdekn 5XJ35kFAMnIKUzfbTSgYUrGM/87A4xoI9Tn4aU3+kLhYCNNh+ofJEhDpHVV6tRVoHbJ9wEkMi+glp sSFu+jqDlIDnnkb7nSDbGG9gHeorL4dnInFTNlQg5hTAHekKaCnIcmCvJorc5zNUhymF9+7oCHhZ9 XiJVb3TBeaeAU5Rmbbz1nzOjHI+L43BLMqI1vqW1Vc+AhNkj03bnnJNPjO7aHDxB7pkGuItv6Nera tdbIsYn6D+3HkENZkDcg==; Received: from localhost ([::1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.97.1 #2 (Red Hat Linux)) id 1rs2qK-0000000GoDa-3LCk; Wed, 03 Apr 2024 15:48:04 +0000 Received: from sin.source.kernel.org ([2604:1380:40e1:4800::1]) by bombadil.infradead.org with esmtps (Exim 4.97.1 #2 (Red Hat Linux)) id 1rs2qI-0000000GoBn-0QT5 for linux-arm-kernel@lists.infradead.org; Wed, 03 Apr 2024 15:48:03 +0000 Received: from smtp.kernel.org (transwarp.subspace.kernel.org [100.75.92.58]) by sin.source.kernel.org (Postfix) with ESMTP id 6DB3ACE2B77; Wed, 3 Apr 2024 15:48:00 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 13591C433C7; Wed, 3 Apr 2024 15:47:52 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1712159279; bh=rrCR4x657hJj+9Z7FfIwTOL0bKqYr1iVATWuKVnBvdc=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=dYo0Q27dSQQ3Ch8t1bv/4TDEGdVvlFtZiK/Zz2pAtDrV2dGg+D+XOJblloji6lf8f AT/1G9mjWsRaJTEV3z+NlLz40f+kBk5nFmcrUtgEA41qda5WwW4i8s4RLr/MzdF5zi YoTjxsD9V0zKYX4yL4N07X1LoysvapSXkS7G6OsnvSJFKJeNikI8cMxk3axKsNBB+y P6Adfksr8JnIG1LemgmEFRN0C6BpU/ZKYmBXXWJOohD4naX0Imdw+22KIlCXUWOohl YL80cR6IKID87Ymp816wKnW4iT/VyBYwP0nq6oFeuIpysRTK4u+RGJb+IBGt3Xt9x0 vxIbwg0cDWVFw== Mime-Version: 1.0 Date: Wed, 03 Apr 2024 18:47:51 +0300 Message-Id: From: "Jarkko Sakkinen" To: "David Gstir" , "Mimi Zohar" , "James Bottomley" , "Herbert Xu" , "David S. Miller" Cc: "Shawn Guo" , "Jonathan Corbet" , "Sascha Hauer" , "Pengutronix Kernel Team" , "Fabio Estevam" , "NXP Linux Team" , "Ahmad Fatoum" , "sigma star Kernel Team" , "David Howells" , "Li Yang" , "Paul Moore" , "James Morris" , "Serge E. Hallyn" , "Paul E. McKenney" , "Randy Dunlap" , "Catalin Marinas" , "Rafael J. Wysocki" , "Tejun Heo" , "Steven Rostedt (Google)" , , , , , , , , , "Richard Weinberger" , "David Oberhollenzer" Subject: Re: [PATCH v8 6/6] docs: trusted-encrypted: add DCP as new trust source X-Mailer: aerc 0.17.0 References: <20240403072131.54935-1-david@sigma-star.at> <20240403072131.54935-7-david@sigma-star.at> In-Reply-To: <20240403072131.54935-7-david@sigma-star.at> X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20240403_084802_563702_0D9A3FCC X-CRM114-Status: GOOD ( 28.03 ) X-BeenThere: linux-arm-kernel@lists.infradead.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: "linux-arm-kernel" Errors-To: linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org On Wed Apr 3, 2024 at 10:21 AM EEST, David Gstir wrote: > Update the documentation for trusted and encrypted KEYS with DCP as new > trust source: > > - Describe security properties of DCP trust source > - Describe key usage > - Document blob format > > Co-developed-by: Richard Weinberger > Signed-off-by: Richard Weinberger > Co-developed-by: David Oberhollenzer > Signed-off-by: David Oberhollenzer > Signed-off-by: David Gstir > --- > .../security/keys/trusted-encrypted.rst | 53 +++++++++++++++++++ > security/keys/trusted-keys/trusted_dcp.c | 19 +++++++ > 2 files changed, 72 insertions(+) > > diff --git a/Documentation/security/keys/trusted-encrypted.rst b/Documentation/security/keys/trusted-encrypted.rst > index e989b9802f92..f4d7e162d5e4 100644 > --- a/Documentation/security/keys/trusted-encrypted.rst > +++ b/Documentation/security/keys/trusted-encrypted.rst > @@ -42,6 +42,14 @@ safe. > randomly generated and fused into each SoC at manufacturing time. > Otherwise, a common fixed test key is used instead. > > + (4) DCP (Data Co-Processor: crypto accelerator of various i.MX SoCs) > + > + Rooted to a one-time programmable key (OTP) that is generally burnt > + in the on-chip fuses and is accessible to the DCP encryption engine only. > + DCP provides two keys that can be used as root of trust: the OTP key > + and the UNIQUE key. Default is to use the UNIQUE key, but selecting > + the OTP key can be done via a module parameter (dcp_use_otp_key). > + > * Execution isolation > > (1) TPM > @@ -57,6 +65,12 @@ safe. > > Fixed set of operations running in isolated execution environment. > > + (4) DCP > + > + Fixed set of cryptographic operations running in isolated execution > + environment. Only basic blob key encryption is executed there. > + The actual key sealing/unsealing is done on main processor/kernel space. > + > * Optional binding to platform integrity state > > (1) TPM > @@ -79,6 +93,11 @@ safe. > Relies on the High Assurance Boot (HAB) mechanism of NXP SoCs > for platform integrity. > > + (4) DCP > + > + Relies on Secure/Trusted boot process (called HAB by vendor) for > + platform integrity. > + > * Interfaces and APIs > > (1) TPM > @@ -94,6 +113,11 @@ safe. > > Interface is specific to silicon vendor. > > + (4) DCP > + > + Vendor-specific API that is implemented as part of the DCP crypto driver in > + ``drivers/crypto/mxs-dcp.c``. > + > * Threat model > > The strength and appropriateness of a particular trust source for a given > @@ -129,6 +153,13 @@ selected trust source: > CAAM HWRNG, enable CRYPTO_DEV_FSL_CAAM_RNG_API and ensure the device > is probed. > > + * DCP (Data Co-Processor: crypto accelerator of various i.MX SoCs) > + > + The DCP hardware device itself does not provide a dedicated RNG interface, > + so the kernel default RNG is used. SoCs with DCP like the i.MX6ULL do have > + a dedicated hardware RNG that is independent from DCP which can be enabled > + to back the kernel RNG. > + > Users may override this by specifying ``trusted.rng=kernel`` on the kernel > command-line to override the used RNG with the kernel's random number pool. > > @@ -231,6 +262,19 @@ Usage:: > CAAM-specific format. The key length for new keys is always in bytes. > Trusted Keys can be 32 - 128 bytes (256 - 1024 bits). > > +Trusted Keys usage: DCP > +----------------------- > + > +Usage:: > + > + keyctl add trusted name "new keylen" ring > + keyctl add trusted name "load hex_blob" ring > + keyctl print keyid > + > +"keyctl print" returns an ASCII hex copy of the sealed key, which is in format > +specific to this DCP key-blob implementation. The key length for new keys is > +always in bytes. Trusted Keys can be 32 - 128 bytes (256 - 1024 bits). > + > Encrypted Keys usage > -------------------- > > @@ -426,3 +470,12 @@ string length. > privkey is the binary representation of TPM2B_PUBLIC excluding the > initial TPM2B header which can be reconstructed from the ASN.1 octed > string length. > + > +DCP Blob Format > +--------------- > + > +.. kernel-doc:: security/keys/trusted-keys/trusted_dcp.c > + :doc: dcp blob format > + > +.. kernel-doc:: security/keys/trusted-keys/trusted_dcp.c > + :identifiers: struct dcp_blob_fmt > diff --git a/security/keys/trusted-keys/trusted_dcp.c b/security/keys/trusted-keys/trusted_dcp.c > index 16c44aafeab3..b5f81a05be36 100644 > --- a/security/keys/trusted-keys/trusted_dcp.c > +++ b/security/keys/trusted-keys/trusted_dcp.c > @@ -19,6 +19,25 @@ > #define DCP_BLOB_VERSION 1 > #define DCP_BLOB_AUTHLEN 16 > > +/** > + * DOC: dcp blob format > + * > + * The Data Co-Processor (DCP) provides hardware-bound AES keys using its > + * AES encryption engine only. It does not provide direct key sealing/unsealing. > + * To make DCP hardware encryption keys usable as trust source, we define > + * our own custom format that uses a hardware-bound key to secure the sealing > + * key stored in the key blob. > + * > + * Whenever a new trusted key using DCP is generated, we generate a random 128-bit > + * blob encryption key (BEK) and 128-bit nonce. The BEK and nonce are used to > + * encrypt the trusted key payload using AES-128-GCM. > + * > + * The BEK itself is encrypted using the hardware-bound key using the DCP's AES > + * encryption engine with AES-128-ECB. The encrypted BEK, generated nonce, > + * BEK-encrypted payload and authentication tag make up the blob format together > + * with a version number, payload length and authentication tag. > + */ > + > /** > * struct dcp_blob_fmt - DCP BLOB format. > * Reviewed-by: Jarkko Sakkinen I can only test that this does not break a machine without the hardware feature. Is there anyone who could possibly peer test these patches? BR, Jarkko _______________________________________________ linux-arm-kernel mailing list linux-arm-kernel@lists.infradead.org http://lists.infradead.org/mailman/listinfo/linux-arm-kernel