From: Bartosz Golaszewski <brgl@bgdev.pl>
To: Jens Axboe <axboe@kernel.dk>, Jonathan Corbet <corbet@lwn.net>,
Alasdair Kergon <agk@redhat.com>,
Mike Snitzer <snitzer@kernel.org>,
Mikulas Patocka <mpatocka@redhat.com>,
Adrian Hunter <adrian.hunter@intel.com>,
Asutosh Das <quic_asutoshd@quicinc.com>,
Ritesh Harjani <ritesh.list@gmail.com>,
Ulf Hansson <ulf.hansson@linaro.org>,
Alim Akhtar <alim.akhtar@samsung.com>,
Avri Altman <avri.altman@wdc.com>,
Bart Van Assche <bvanassche@acm.org>,
"James E.J. Bottomley" <James.Bottomley@HansenPartnership.com>,
"Martin K. Petersen" <martin.petersen@oracle.com>,
Eric Biggers <ebiggers@kernel.org>,
"Theodore Y. Ts'o" <tytso@mit.edu>,
Jaegeuk Kim <jaegeuk@kernel.org>,
Alexander Viro <viro@zeniv.linux.org.uk>,
Christian Brauner <brauner@kernel.org>, Jan Kara <jack@suse.cz>,
Bjorn Andersson <andersson@kernel.org>,
Konrad Dybcio <konradybcio@kernel.org>,
Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>,
Dmitry Baryshkov <dmitry.baryshkov@linaro.org>,
Gaurav Kashyap <quic_gaurkash@quicinc.com>,
Neil Armstrong <neil.armstrong@linaro.org>
Cc: linux-block@vger.kernel.org, linux-doc@vger.kernel.org,
linux-kernel@vger.kernel.org, dm-devel@lists.linux.dev,
linux-mmc@vger.kernel.org, linux-scsi@vger.kernel.org,
linux-fscrypt@vger.kernel.org, linux-fsdevel@vger.kernel.org,
linux-arm-msm@vger.kernel.org,
Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
Subject: [PATCH v6 11/17] soc: qcom: ice: add support for generating, importing and preparing keys
Date: Fri, 06 Sep 2024 20:07:14 +0200
Message-ID: <20240906-wrapped-keys-v6-11-d59e61bc0cb4@linaro.org>
In-Reply-To: <20240906-wrapped-keys-v6-0-d59e61bc0cb4@linaro.org>
From: Gaurav Kashyap <quic_gaurkash@quicinc.com>
With the new SCM calls that interface with TrustZone and allow us to use
the Hardware Key Manager functionality, we can now add support for
hardware wrapped keys to the Qualcomm ICE SoC driver.
Upcoming patches will connect that layer with the block layer ioctls.
Tested-by: Neil Armstrong <neil.armstrong@linaro.org>
Signed-off-by: Gaurav Kashyap <quic_gaurkash@quicinc.com>
Co-developed-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
---
drivers/soc/qcom/ice.c | 78 ++++++++++++++++++++++++++++++++++++++++++++++++++
include/soc/qcom/ice.h | 8 ++++++
2 files changed, 86 insertions(+)
diff --git a/drivers/soc/qcom/ice.c b/drivers/soc/qcom/ice.c
index 4ed64845455f..1f6d3566b9e4 100644
--- a/drivers/soc/qcom/ice.c
+++ b/drivers/soc/qcom/ice.c
@@ -22,6 +22,13 @@
#define AES_256_XTS_KEY_SIZE 64
+/*
+ * Wrapped key sizes that HWKM expects and manages is different for different
+ * versions of the hardware.
+ */
+#define QCOM_ICE_HWKM_WRAPPED_KEY_SIZE(v) \
+ ((v) == 1 ? 68 : 100)
+
/* QCOM ICE registers */
#define QCOM_ICE_REG_VERSION 0x0008
#define QCOM_ICE_REG_FUSE_SETTING 0x0010
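Review bot: QCOM_ICE_HWKM_WRAPPED_KEY_SIZE(v) yields 68 or 100 bytes, but nothing in this hunk ties either value to BLK_CRYPTO_MAX_HW_WRAPPED_KEY_SIZE, which is the size of every buffer the new helpers later write into; a `static_assert(QCOM_ICE_HWKM_WRAPPED_KEY_SIZE(2) <= BLK_CRYPTO_MAX_HW_WRAPPED_KEY_SIZE)` (or BUILD_BUG_ON) next to the macro would catch a mismatch at build time rather than as an out-of-bounds write into the caller's key buffer at runtime. The ternary also silently maps every version other than 1 to 100, so consider naming the two sizes as per-version constants and stating in the comment which HWKM versions they correspond to. Minor: the comment should read "sizes ... are different".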
@@ -448,6 +455,77 @@ int qcom_ice_derive_sw_secret(struct qcom_ice *ice, const u8 wkey[],
}
EXPORT_SYMBOL_GPL(qcom_ice_derive_sw_secret);
+/**
+ * qcom_ice_generate_key() - Generate a wrapped key for inline encryption
+ * @lt_key: long-term wrapped key to be generated, which is
+ * BLK_CRYPTO_MAX_HW_WRAPPED_KEY_SIZE in size.
+ *
+ * Make a scm call into trustzone to generate a wrapped key for storage
+ * encryption using hwkm.
+ *
+ * Returns: 0 on success, -errno on failure.
+ */
+int qcom_ice_generate_key(struct qcom_ice *ice,
+ u8 lt_key[BLK_CRYPTO_MAX_HW_WRAPPED_KEY_SIZE])
+{
+ size_t wk_size = QCOM_ICE_HWKM_WRAPPED_KEY_SIZE(ice->hwkm_version);
+
+ if (!qcom_scm_generate_ice_key(lt_key, wk_size))
+ return wk_size;
+
+ return 0;
+}
+EXPORT_SYMBOL_GPL(qcom_ice_generate_key);
+
+/**
+ * qcom_ice_prepare_key() - Prepare a long-term wrapped key for inline encryption
+ * @lt_key: longterm wrapped key that was generated or imported.
+ * @lt_key_size: size of the longterm wrapped_key
+ * @eph_key: wrapped key returned which has been wrapped with a per-boot ephemeral key,
+ * size of which is BLK_CRYPTO_MAX_HW_WRAPPED_KEY_SIZE in size.
+ *
+ * Make a scm call into trustzone to prepare a wrapped key for storage
+ * encryption by rewrapping the longterm wrapped key with a per boot ephemeral
+ * key using hwkm.
+ *
+ * Return: 0 on success; -errno on failure.
+ */
+int qcom_ice_prepare_key(struct qcom_ice *ice, const u8 *lt_key, size_t lt_key_size,
+ u8 eph_key[BLK_CRYPTO_MAX_HW_WRAPPED_KEY_SIZE])
+{
+ size_t wk_size = QCOM_ICE_HWKM_WRAPPED_KEY_SIZE(ice->hwkm_version);
+
+ if (!qcom_scm_prepare_ice_key(lt_key, lt_key_size, eph_key, wk_size))
+ return wk_size;
+
+ return 0;
+}
+EXPORT_SYMBOL_GPL(qcom_ice_prepare_key);
+
+/**
+ * qcom_ice_import_key() - Import a raw key for inline encryption
+ * @imp_key: raw key that has to be imported
+ * @imp_key_size: size of the imported key
+ * @lt_key: longterm wrapped key that is imported, which is
+ * BLK_CRYPTO_MAX_HW_WRAPPED_KEY_SIZE in size.
+ *
+ * Make a scm call into trustzone to import a raw key for storage encryption
+ * and generate a longterm wrapped key using hwkm.
+ *
+ * Return: 0 on success; -errno on failure.
+ */
+int qcom_ice_import_key(struct qcom_ice *ice, const u8 *imp_key, size_t imp_key_size,
+ u8 lt_key[BLK_CRYPTO_MAX_HW_WRAPPED_KEY_SIZE])
+{
+ size_t wk_size = QCOM_ICE_HWKM_WRAPPED_KEY_SIZE(ice->hwkm_version);
+
+ if (!qcom_scm_import_ice_key(imp_key, imp_key_size, lt_key, wk_size))
+ return wk_size;
+
+ return 0;
+}
+EXPORT_SYMBOL_GPL(qcom_ice_import_key);
+
static struct qcom_ice *qcom_ice_create(struct device *dev,
void __iomem *base)
{
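Review bot: the return contract of all three helpers contradicts their kernel-doc and drops the firmware error code. Each body does `if (!qcom_scm_..._ice_key(...)) return wk_size; return 0;`, so success returns the wrapped-key size and failure returns 0, while the comments promise "0 on success, -errno on failure"; a caller that checks `ret < 0` will treat a failed SCM call as success with a zero-length key. Capture the SCM result instead (`int err = qcom_scm_generate_ice_key(lt_key, wk_size); if (err) return err; return wk_size;`, and likewise for prepare/import) and update the three kernel-doc blocks to say the wrapped-key size is returned on success. Also: the @ice parameter is undocumented in all three, qcom_ice_generate_key uses "Returns:" where the other two use "Return:" (kernel-doc expects the latter), and qcom_ice_prepare_key forwards lt_key_size to firmware without checking it against wk_size even though @lt_key is described as a key this driver generated or imported, so a sanity check there would reject malformed input before the SCM call.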
diff --git a/include/soc/qcom/ice.h b/include/soc/qcom/ice.h
index dabe0d3a1fd0..dcf277d196ff 100644
--- a/include/soc/qcom/ice.h
+++ b/include/soc/qcom/ice.h
@@ -39,5 +39,13 @@ bool qcom_ice_hwkm_supported(struct qcom_ice *ice);
int qcom_ice_derive_sw_secret(struct qcom_ice *ice, const u8 wkey[],
unsigned int wkey_size,
u8 sw_secret[BLK_CRYPTO_SW_SECRET_SIZE]);
+int qcom_ice_generate_key(struct qcom_ice *ice,
+ u8 lt_key[BLK_CRYPTO_MAX_HW_WRAPPED_KEY_SIZE]);
+int qcom_ice_prepare_key(struct qcom_ice *ice,
+ const u8 *lt_key, size_t lt_key_size,
+ u8 eph_key[BLK_CRYPTO_MAX_HW_WRAPPED_KEY_SIZE]);
+int qcom_ice_import_key(struct qcom_ice *ice,
+ const u8 *imp_key, size_t imp_key_size,
+ u8 lt_key[BLK_CRYPTO_MAX_HW_WRAPPED_KEY_SIZE]);
struct qcom_ice *of_qcom_ice_get(struct device *dev);
#endif /* __QCOM_ICE_H__ */
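Review bot: the new prototypes use `const u8 *lt_key, size_t lt_key_size` while qcom_ice_derive_sw_secret directly above uses `const u8 wkey[], unsigned int wkey_size`; these are sibling entry points in the same header, so pick one style for the key/size pairs. The header also gives callers no hint of the return-value convention these functions use (the wrapped-key length on success, per ice.c), which is the value the caller needs to pass on; a one-line comment above the group of three declarations would make that contract visible without reading the implementation.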
--
2.43.0