From: Adrian Hunter <adrian.hunter@intel.com>
To: Neeraj Soni <neeraj.soni@oss.qualcomm.com>,
<ulf.hansson@linaro.org>, <ebiggers@kernel.org>,
<abel.vesa@linaro.org>
Cc: <linux-mmc@vger.kernel.org>, <linux-arm-msm@vger.kernel.org>,
<linux-kernel@vger.kernel.org>,
Wenjia Zhang <wenjia.zhang@oss.qualcomm.com>
Subject: Re: [PATCH v4] mmc: host: sdhci-msm: Add support for wrapped keys
Date: Mon, 12 Jan 2026 09:05:48 +0200 [thread overview]
Message-ID: <3a93822a-6ca1-4cc1-be12-38b2b04704da@intel.com> (raw)
In-Reply-To: <20260102124018.3643243-1-neeraj.soni@oss.qualcomm.com>
On 02/01/2026 14:40, Neeraj Soni wrote:
> Add the wrapped key support for sdhci-msm by implementing the needed
> methods in struct blk_crypto_ll_ops and setting the appropriate flag in
> blk_crypto_profile::key_types_supported.
>
> Tested on SC7280 eMMC variant.
>
> How to test:
>
> Use the "v1.3.0" tag from https://github.com/google/fscryptctl and build
> fscryptctl that supports generating wrapped keys.
>
> Enable the following config options:
> CONFIG_BLK_INLINE_ENCRYPTION=y
> CONFIG_QCOM_INLINE_CRYPTO_ENGINE=y
> CONFIG_FS_ENCRYPTION_INLINE_CRYPT=y
> CONFIG_MMC_CRYPTO=y
>
> Enable "qcom_ice.use_wrapped_keys" via kernel command line.
>
> $ mkfs.ext4 -F -O encrypt,stable_inodes /dev/disk/by-partlabel/vm-data
> $ mount /dev/disk/by-partlabel/vm-data -o inlinecrypt /mnt
> $ fscryptctl generate_hw_wrapped_key /dev/disk/by-partlabel/vm-data > /mnt/key.longterm
> $ fscryptctl prepare_hw_wrapped_key /dev/disk/by-partlabel/vm-data < /mnt/key.longterm > /tmp/key.ephemeral
> $ KEYID=$(fscryptctl add_key --hw-wrapped-key < /tmp/key.ephemeral /mnt)
> $ rm -rf /mnt/dir
> $ mkdir /mnt/dir
> $ fscryptctl set_policy --iv-ino-lblk-32 "$KEYID" /mnt/dir
> $ dmesg > /mnt/dir/test.txt
> $ sync
>
> Reboot the board
>
> $ mount /dev/disk/by-partlabel/vm-data -o inlinecrypt /mnt
> $ ls /mnt/dir # File should be encrypted
> $ fscryptctl prepare_hw_wrapped_key /dev/disk/by-partlabel/vm-data < /mnt/key.longterm > /tmp/key.ephemeral
> $ KEYID=$(fscryptctl add_key --hw-wrapped-key < /tmp/key.ephemeral /mnt)
> $ fscryptctl set_policy --iv-ino-lblk-32 "$KEYID" /mnt/dir
> $ cat /mnt/dir/test.txt # File should now be decrypted
>
> Tested-by: Wenjia Zhang <wenjia.zhang@oss.qualcomm.com>
> Signed-off-by: Neeraj Soni <neeraj.soni@oss.qualcomm.com>
Doesn't apply cleanly to mmc next. Otherwise:
Acked-by: Adrian Hunter <adrian.hunter@intel.com>
>
> ---
> This is a reworked version of the patchset
> https://lore.kernel.org/all/20241101031539.13285-1-quic_spuppala@quicinc.com/
> that was sent by Seshu Madhavi Puppala.
>
> My changes rebase it to use the custom crypto profile support.
>
> Changes in v4:
> - Updated the link for fscryptctl tool in commit message to "https://github.com/google/fscryptctl".
> - Aligned the indentation at few places.
> - Unwrapped few lines of code.
>
> Changes in v3:
> - Updated commit message with test details and moved "Signed-off-by" above the
> scissors line.
>
> Changes in v2:
> - Updated commit message for clarity.
>
> Changes in v1:
> - Added initial support for wrapped keys.
> ---
> drivers/mmc/host/sdhci-msm.c | 47 +++++++++++++++++++++++++++++++-----
> 1 file changed, 41 insertions(+), 6 deletions(-)
>
> diff --git a/drivers/mmc/host/sdhci-msm.c b/drivers/mmc/host/sdhci-msm.c
> index 4e5edbf2fc9b..8ac4aee2cb3b 100644
> --- a/drivers/mmc/host/sdhci-msm.c
> +++ b/drivers/mmc/host/sdhci-msm.c
> @@ -1911,11 +1911,6 @@ static int sdhci_msm_ice_init(struct sdhci_msm_host *msm_host,
> if (IS_ERR_OR_NULL(ice))
> return PTR_ERR_OR_ZERO(ice);
>
> - if (qcom_ice_get_supported_key_type(ice) != BLK_CRYPTO_KEY_TYPE_RAW) {
> - dev_warn(dev, "Wrapped keys not supported. Disabling inline encryption support.\n");
> - return 0;
> - }
> -
> msm_host->ice = ice;
>
> /* Initialize the blk_crypto_profile */
> @@ -1929,7 +1924,7 @@ static int sdhci_msm_ice_init(struct sdhci_msm_host *msm_host,
>
> profile->ll_ops = sdhci_msm_crypto_ops;
> profile->max_dun_bytes_supported = 4;
> - profile->key_types_supported = BLK_CRYPTO_KEY_TYPE_RAW;
> + profile->key_types_supported = qcom_ice_get_supported_key_type(ice);
> profile->dev = dev;
>
> /*
> @@ -2009,9 +2004,49 @@ static int sdhci_msm_ice_keyslot_evict(struct blk_crypto_profile *profile,
> return qcom_ice_evict_key(msm_host->ice, slot);
> }
>
> +static int sdhci_msm_ice_derive_sw_secret(struct blk_crypto_profile *profile,
> + const u8 *eph_key, size_t eph_key_size,
> + u8 sw_secret[BLK_CRYPTO_SW_SECRET_SIZE])
> +{
> + struct sdhci_msm_host *msm_host = sdhci_msm_host_from_crypto_profile(profile);
> +
> + return qcom_ice_derive_sw_secret(msm_host->ice, eph_key, eph_key_size,
> + sw_secret);
> +}
> +
> +static int sdhci_msm_ice_import_key(struct blk_crypto_profile *profile,
> + const u8 *raw_key, size_t raw_key_size,
> + u8 lt_key[BLK_CRYPTO_MAX_HW_WRAPPED_KEY_SIZE])
> +{
> + struct sdhci_msm_host *msm_host = sdhci_msm_host_from_crypto_profile(profile);
> +
> + return qcom_ice_import_key(msm_host->ice, raw_key, raw_key_size, lt_key);
> +}
> +
> +static int sdhci_msm_ice_generate_key(struct blk_crypto_profile *profile,
> + u8 lt_key[BLK_CRYPTO_MAX_HW_WRAPPED_KEY_SIZE])
> +{
> + struct sdhci_msm_host *msm_host = sdhci_msm_host_from_crypto_profile(profile);
> +
> + return qcom_ice_generate_key(msm_host->ice, lt_key);
> +}
> +
> +static int sdhci_msm_ice_prepare_key(struct blk_crypto_profile *profile,
> + const u8 *lt_key, size_t lt_key_size,
> + u8 eph_key[BLK_CRYPTO_MAX_HW_WRAPPED_KEY_SIZE])
> +{
> + struct sdhci_msm_host *msm_host = sdhci_msm_host_from_crypto_profile(profile);
> +
> + return qcom_ice_prepare_key(msm_host->ice, lt_key, lt_key_size, eph_key);
> +}
> +
> static const struct blk_crypto_ll_ops sdhci_msm_crypto_ops = {
> .keyslot_program = sdhci_msm_ice_keyslot_program,
> .keyslot_evict = sdhci_msm_ice_keyslot_evict,
> + .derive_sw_secret = sdhci_msm_ice_derive_sw_secret,
> + .import_key = sdhci_msm_ice_import_key,
> + .generate_key = sdhci_msm_ice_generate_key,
> + .prepare_key = sdhci_msm_ice_prepare_key,
> };
>
> #else /* CONFIG_MMC_CRYPTO */
next prev parent reply other threads:[~2026-01-12 7:06 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-01-02 12:40 [PATCH v4] mmc: host: sdhci-msm: Add support for wrapped keys Neeraj Soni
2026-01-06 7:03 ` Eric Biggers
2026-01-12 7:05 ` Adrian Hunter [this message]
2026-01-19 10:19 ` Neeraj Soni
2026-01-19 11:06 ` Dmitry Baryshkov
2026-01-19 12:31 ` Adrian Hunter
2026-01-21 10:26 ` Ulf Hansson
2026-01-22 13:01 ` Neeraj Soni
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=3a93822a-6ca1-4cc1-be12-38b2b04704da@intel.com \
--to=adrian.hunter@intel.com \
--cc=abel.vesa@linaro.org \
--cc=ebiggers@kernel.org \
--cc=linux-arm-msm@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mmc@vger.kernel.org \
--cc=neeraj.soni@oss.qualcomm.com \
--cc=ulf.hansson@linaro.org \
--cc=wenjia.zhang@oss.qualcomm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox