From: Eric Biggers <ebiggers@kernel.org>
To: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Cc: "Gaurav Kashyap (QUIC)" <quic_gaurkash@quicinc.com>,
"linux-arm-msm@vger.kernel.org" <linux-arm-msm@vger.kernel.org>,
"linux-scsi@vger.kernel.org" <linux-scsi@vger.kernel.org>,
"andersson@kernel.org" <andersson@kernel.org>,
"neil.armstrong@linaro.org" <neil.armstrong@linaro.org>,
"srinivas.kandagatla" <srinivas.kandagatla@linaro.org>,
"krzysztof.kozlowski+dt@linaro.org"
<krzysztof.kozlowski+dt@linaro.org>,
"conor+dt@kernel.org" <conor+dt@kernel.org>,
"robh+dt@kernel.org" <robh+dt@kernel.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"linux-mmc@vger.kernel.org" <linux-mmc@vger.kernel.org>,
kernel <kernel@quicinc.com>,
"linux-crypto@vger.kernel.org" <linux-crypto@vger.kernel.org>,
"devicetree@vger.kernel.org" <devicetree@vger.kernel.org>,
"Om Prakash Singh (QUIC)" <quic_omprsing@quicinc.com>,
"Bao D. Nguyen (QUIC)" <quic_nguyenb@quicinc.com>,
"bartosz.golaszewski" <bartosz.golaszewski@linaro.org>,
"konrad.dybcio@linaro.org" <konrad.dybcio@linaro.org>,
"ulf.hansson@linaro.org" <ulf.hansson@linaro.org>,
"jejb@linux.ibm.com" <jejb@linux.ibm.com>,
"martin.petersen@oracle.com" <martin.petersen@oracle.com>,
"mani@kernel.org" <mani@kernel.org>,
"davem@davemloft.net" <davem@davemloft.net>,
"herbert@gondor.apana.org.au" <herbert@gondor.apana.org.au>,
Prasad Sodagudi <psodagud@quicinc.com>,
Sonal Gupta <sonalg@quicinc.com>
Subject: Re: [PATCH v5 04/15] soc: qcom: ice: add hwkm support in ice
Date: Thu, 20 Jun 2024 21:47:47 -0700 [thread overview]
Message-ID: <20240621044747.GC4362@sol.localdomain> (raw)
In-Reply-To: <CAA8EJpoZ0RR035QwzMLguJZvdYb-C6aqudp1BgHgn_DH2ffsoQ@mail.gmail.com>
On Thu, Jun 20, 2024 at 02:57:40PM +0300, Dmitry Baryshkov wrote:
> > > >
> > > > > Is it possible to use both kind of keys when working on standard mode?
> > > > > If not, it should be the user who selects what type of keys to be used.
> > > > > Enforcing this via DT is not a way to go.
> > > > >
> > > >
> > > > Unfortunately, that support is not there yet. When you say user, do
> > > > you mean to have it as a filesystem mount option?
> > >
> > > During cryptsetup time. When running e.g. cryptsetup I, as a user, would like
> > > to be able to use either a hardware-wrapped key or a standard key.
> > >
> >
> > What we are looking for with these patches is for per-file/folder encryption using fscrypt policies.
> > Cryptsetup to my understanding supports only full-disk , and does not support FBE (File-Based)
>
> I must admit, I mostly used dm-crypt beforehand, so I had to look at
> fscrypt now. Some of my previous comments might not be fully
> applicable.
>
> > Hence the idea here is that we mount an unencrypted device (with the inlinecrypt option that indicates inline encryption is supported)
> > And specify policies (links to keys) for different folders.
> >
> > > > The way the UFS/EMMC crypto layer is designed currently is that, this
> > > > information is needed when the modules are loaded.
> > > >
> > > > https://lore.kernel.org/all/20231104211259.17448-2-ebiggers@kernel.org
> > > > /#Z31drivers:ufs:core:ufshcd-crypto.c
> > >
> > > I see that the driver lists capabilities here. E.g. that it supports HW-wrapped
> > > keys. But the line doesn't specify that standard keys are not supported.
> > >
> >
> > Those are capabilities that are read from the storage controller. However, wrapped keys
> > Are not a standard in the ICE JEDEC specification, and in most cases, is a value add coming
> > from the SoC.
> >
> > QCOM SOC and firmware currently does not support both kinds of keys in the HWKM mode.
> > That is something we are internally working on, but not available yet.
>
> I'd say this is a significant obstacle, at least from my point of
> view. I understand that the default might be to use hw-wrapped keys,
> but it should be possible for the user to select non-HW keys if the
> ability to recover the data is considered to be important. Note, I'm
> really pointing to the user here, not to the system integrator. So
> using DT property or specifying kernel arguments to switch between
> these modes is not really an option.
>
> But I'd really love to hear some feedback from linux-security and/or
> linux-fscrypt here.
>
> In my humble opinion the user should be able to specify that the key
> is wrapped using the hardware KMK. Then if the hardware has already
> started using the other kind of keys, it should be able to respond
> with -EINVAL / whatever else. Then the user can evict previously
> programmed key and program a desired one.
>
> > > Also, I'd have expected that hw-wrapped keys are handled using trusted
> > > keys mechanism (see security/keys/trusted-keys/). Could you please point
> > > out why that's not the case?
> > >
> >
> > I will evaluate this.
> > But my initial response is that we currently cannot communicate to our TPM directly from HLOS, but
> > goes through QTEE, and I don't think our qtee currently interfaces with the open source tee
> > driver. The interface is through QCOM SCM driver.
>
> Note, this is just an API interface, see how it is implemented for the
> CAAM hardware.
>
The problem is that this patchset was sent out without the patches that add the
block and filesystem-level framework for hardware-wrapped inline encryption
keys, which it depends on. So it's lacking context. The proposed framework can
be found at
https://lore.kernel.org/linux-block/20231104211259.17448-1-ebiggers@kernel.org/T/#u
As for why "trusted keys" aren't used, they just aren't helpful here. "Trusted
keys" are based around a model where the kernel can request that keys be sealed
and unsealed using a trust source, and the kernel gets access to the raw
unsealed keys. Hardware-wrapped inline encryption keys use a different model
where the kernel never gets access to the raw keys. They also have the concept
of ephemeral wrapping which does not exist in "trusted keys". And they need to
be properly integrated with the inline encryption framework in the block layer.
- Eric
next prev parent reply other threads:[~2024-06-21 4:47 UTC|newest]
Thread overview: 60+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-06-17 0:50 [PATCH v5 00/15] Hardware wrapped key support for qcom ice and ufs Gaurav Kashyap
2024-06-17 0:50 ` [PATCH v5 01/15] ice, ufs, mmc: use blk_crypto_key for program_key Gaurav Kashyap
2024-06-17 0:50 ` [PATCH v5 02/15] qcom_scm: scm call for deriving a software secret Gaurav Kashyap
2024-06-17 7:33 ` Dmitry Baryshkov
2024-06-17 0:50 ` [PATCH v5 03/15] qcom_scm: scm call for create, prepare and import keys Gaurav Kashyap
2024-06-17 7:39 ` Dmitry Baryshkov
2024-06-17 0:50 ` [PATCH v5 04/15] soc: qcom: ice: add hwkm support in ice Gaurav Kashyap
2024-06-17 7:54 ` Dmitry Baryshkov
2024-06-18 22:07 ` Gaurav Kashyap (QUIC)
2024-06-18 22:16 ` Dmitry Baryshkov
2024-06-19 22:30 ` Gaurav Kashyap (QUIC)
2024-06-20 11:57 ` Dmitry Baryshkov
2024-06-21 4:47 ` Eric Biggers [this message]
2024-06-21 15:16 ` Dmitry Baryshkov
2024-06-21 15:39 ` Eric Biggers
2024-06-21 16:06 ` Dmitry Baryshkov
2024-06-21 16:31 ` Eric Biggers
2024-06-21 17:49 ` Dmitry Baryshkov
2024-06-21 18:36 ` Eric Biggers
2024-06-21 19:24 ` Dmitry Baryshkov
2024-06-21 20:14 ` Eric Biggers
2024-06-21 20:52 ` Dmitry Baryshkov
2024-06-21 21:46 ` Eric Biggers
2024-06-21 15:35 ` Gaurav Kashyap
2024-06-21 15:38 ` Gaurav Kashyap (QUIC)
2024-06-21 16:01 ` Eric Biggers
2024-06-25 4:58 ` Gaurav Kashyap (QUIC)
2024-06-25 8:21 ` neil.armstrong
2024-06-18 7:13 ` neil.armstrong
2024-06-18 22:08 ` Gaurav Kashyap (QUIC)
2024-06-19 6:16 ` Krzysztof Kozlowski
2024-06-19 22:02 ` Gaurav Kashyap (QUIC)
2024-06-20 6:51 ` Krzysztof Kozlowski
2024-06-19 7:12 ` Neil Armstrong
2024-06-19 22:03 ` Gaurav Kashyap (QUIC)
2024-06-17 0:51 ` [PATCH v5 05/15] soc: qcom: ice: support for hardware wrapped keys Gaurav Kashyap
2024-06-17 7:58 ` Dmitry Baryshkov
2024-06-17 0:51 ` [PATCH v5 06/15] soc: qcom: ice: support for generate, import and prepare key Gaurav Kashyap
2024-06-17 7:59 ` Dmitry Baryshkov
2024-06-17 0:51 ` [PATCH v5 07/15] ufs: core: support wrapped keys in ufs core Gaurav Kashyap
2024-06-17 8:01 ` Dmitry Baryshkov
2024-06-17 0:51 ` [PATCH v5 08/15] ufs: core: add support to derive software secret Gaurav Kashyap
2024-06-17 17:37 ` Konrad Dybcio
2024-06-17 0:51 ` [PATCH v5 09/15] ufs: core: add support for generate, import and prepare keys Gaurav Kashyap
2024-06-17 17:38 ` Konrad Dybcio
2024-06-17 0:51 ` [PATCH v5 10/15] ufs: host: wrapped keys support in ufs qcom Gaurav Kashyap
2024-06-17 0:51 ` [PATCH v5 11/15] ufs: host: implement derive sw secret vop " Gaurav Kashyap
2024-06-17 0:51 ` [PATCH v5 12/15] ufs: host: support for generate, import and prepare key Gaurav Kashyap
2024-06-17 0:51 ` [PATCH v5 13/15] dt-bindings: crypto: ice: document the hwkm property Gaurav Kashyap
2024-06-17 7:16 ` Krzysztof Kozlowski
2024-06-18 0:35 ` Gaurav Kashyap (QUIC)
2024-06-18 6:30 ` Krzysztof Kozlowski
2024-06-19 22:07 ` Gaurav Kashyap (QUIC)
2024-06-17 17:39 ` Konrad Dybcio
2024-06-17 0:51 ` [PATCH v5 14/15] arm64: dts: qcom: sm8650: add hwkm support to ufs ice Gaurav Kashyap
2024-06-17 8:21 ` Krzysztof Kozlowski
2024-06-17 8:28 ` neil.armstrong
2024-06-17 17:40 ` Konrad Dybcio
2024-06-17 0:51 ` [PATCH v5 15/15] arm64: dts: qcom: sm8550: " Gaurav Kashyap
2024-06-17 7:17 ` [PATCH v5 00/15] Hardware wrapped key support for qcom ice and ufs Krzysztof Kozlowski
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240621044747.GC4362@sol.localdomain \
--to=ebiggers@kernel.org \
--cc=andersson@kernel.org \
--cc=bartosz.golaszewski@linaro.org \
--cc=conor+dt@kernel.org \
--cc=davem@davemloft.net \
--cc=devicetree@vger.kernel.org \
--cc=dmitry.baryshkov@linaro.org \
--cc=herbert@gondor.apana.org.au \
--cc=jejb@linux.ibm.com \
--cc=kernel@quicinc.com \
--cc=konrad.dybcio@linaro.org \
--cc=krzysztof.kozlowski+dt@linaro.org \
--cc=linux-arm-msm@vger.kernel.org \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mmc@vger.kernel.org \
--cc=linux-scsi@vger.kernel.org \
--cc=mani@kernel.org \
--cc=martin.petersen@oracle.com \
--cc=neil.armstrong@linaro.org \
--cc=psodagud@quicinc.com \
--cc=quic_gaurkash@quicinc.com \
--cc=quic_nguyenb@quicinc.com \
--cc=quic_omprsing@quicinc.com \
--cc=robh+dt@kernel.org \
--cc=sonalg@quicinc.com \
--cc=srinivas.kandagatla@linaro.org \
--cc=ulf.hansson@linaro.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).