From: "Gaurav Kashyap (QUIC)" <quic_gaurkash@quicinc.com>
To: Konrad Dybcio <konrad.dybcio@linaro.org>,
Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>,
"Gaurav Kashyap (QUIC)" <quic_gaurkash@quicinc.com>,
"linux-arm-msm@vger.kernel.org" <linux-arm-msm@vger.kernel.org>,
"linux-scsi@vger.kernel.org" <linux-scsi@vger.kernel.org>,
"andersson@kernel.org" <andersson@kernel.org>,
"ebiggers@google.com" <ebiggers@google.com>,
"neil.armstrong@linaro.org" <neil.armstrong@linaro.org>,
srinivas.kandagatla <srinivas.kandagatla@linaro.org>,
"krzysztof.kozlowski+dt@linaro.org"
<krzysztof.kozlowski+dt@linaro.org>,
"conor+dt@kernel.org" <conor+dt@kernel.org>,
"robh+dt@kernel.org" <robh+dt@kernel.org>
Cc: "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"linux-mmc@vger.kernel.org" <linux-mmc@vger.kernel.org>,
kernel <kernel@quicinc.com>,
"linux-crypto@vger.kernel.org" <linux-crypto@vger.kernel.org>,
"devicetree@vger.kernel.org" <devicetree@vger.kernel.org>,
"Om Prakash Singh (QUIC)" <quic_omprsing@quicinc.com>,
"Bao D. Nguyen (QUIC)" <quic_nguyenb@quicinc.com>,
bartosz.golaszewski <bartosz.golaszewski@linaro.org>,
"ulf.hansson@linaro.org" <ulf.hansson@linaro.org>,
"jejb@linux.ibm.com" <jejb@linux.ibm.com>,
"martin.petersen@oracle.com" <martin.petersen@oracle.com>,
"mani@kernel.org" <mani@kernel.org>,
"davem@davemloft.net" <davem@davemloft.net>,
"herbert@gondor.apana.org.au" <herbert@gondor.apana.org.au>
Subject: RE: [PATCH v4 13/15] dt-bindings: crypto: ice: document the hwkm property
Date: Tue, 18 Jun 2024 00:26:14 +0000 [thread overview]
Message-ID: <9892c541ba4e4b5d975faaa4b49c92ba@quicinc.com> (raw)
In-Reply-To: <dd219c40-33d5-43ff-b0da-16ccf0198bb9@linaro.org>
Hello Konrad and Krzysztof,
On 02/01/2024 11:14, Konrad Dybcio wrote:
> On 29.01.2024 09:18, Krzysztof Kozlowski wrote:
> > On 28/01/2024 00:14, Gaurav Kashyap wrote:
> >> When Qualcomm's Inline Crypto Engine (ICE) contains Hardware Key
> >> Manager (HWKM), and the 'HWKM' mode is enabled, it supports wrapped
> >> keys. However, this also requires firmware support in Trustzone to
> >> work correctly, which may not be available on all chipsets. In the
> >> above scenario, ICE needs to support standard keys even though HWKM
> >> is integrated from a hardware perspective.
> >>
> >> Introducing this property so that Hardware wrapped key support can be
> >> enabled/disabled from software based on chipset firmware, and not
> >> just based on hardware version.
> >>
> >> Signed-off-by: Gaurav Kashyap <quic_gaurkash@quicinc.com>
> >> Tested-by: Neil Armstrong <neil.armstrong@linaro.org>
> >> ---
> >> .../bindings/crypto/qcom,inline-crypto-engine.yaml | 10 ++++++++++
> >> 1 file changed, 10 insertions(+)
> >>
> >> diff --git
> >> a/Documentation/devicetree/bindings/crypto/qcom,inline-crypto-
> engine.
> >> yaml
> >> b/Documentation/devicetree/bindings/crypto/qcom,inline-crypto-
> engine.
> >> yaml index 09e43157cc71..6415d7be9b73 100644
> >> ---
> >> a/Documentation/devicetree/bindings/crypto/qcom,inline-crypto-
> engine.
> >> yaml
> >> +++ b/Documentation/devicetree/bindings/crypto/qcom,inline-crypto-
> eng
> >> +++ ine.yaml
> >> @@ -25,6 +25,16 @@ properties:
> >> clocks:
> >> maxItems: 1
> >>
> >> + qcom,ice-use-hwkm:
> >> + type: boolean
> >> + description:
> >> + Use the supported Hardware Key Manager (HWKM) in Qualcomm ICE
> >> + to support wrapped keys. Having this entry helps scenarios where
> >> + the ICE hardware supports HWKM, but the Trustzone firmware does
> >> + not have the full capability to use this HWKM and support
> >> + wrapped
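Review bot: the description of qcom,ice-use-hwkm says when the property is meant to help but not what the driver does in either state, which is the gap Krzysztof's question below points at. State it explicitly in the binding text: when the property is absent, ICE programs standard keys even on hardware whose version reports HWKM; when it is present, the Trustzone firmware on that SoC is expected to service wrapped keys, and it must not be set on a SoC whose firmware lacks that support. As quoted, the description also ends mid-sentence at "wrapped"; make sure the final text closes the sentence ("... wrapped keys.").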
> >
> > How does it help in this scenario? You enable this property, Trustzone
> > does not support it, so what happens?
> >
> > Also, which SoCs have incomplete Trustzone support? I expect this to
> > be a quirk, thus limited to specific SoCs with issues.
Apologies for not addressing this earlier; we can perhaps continue this discussion
in the new patch thread. I will link to this there.
SM8450 and SM8350 QCOM ICE both support HWKM in their ICE hardware.
However, wrapped keys cannot be enabled on those targets due to certain
missing Trustzone support. If we solely rely on hardware version to decide
if ICE has to use wrapped keys for data encryption, then it becomes untestable
on those chipsets.
So, we want another way to distinguish this scenario, and hence I chose a DT vendor property
to explicitly mention if we have to use the supported HWKM.
If there is another way, I am open to exploring that as well.
>
> Can we simply evaluate the return value of the secure calls?
>
This might not work as UFS crypto needs this information much earlier, and based
on that, it would need to register with the keyslot manager (and block crypto)
whether wrapped keys are supported.
https://lore.kernel.org/all/20231104211259.17448-2-ebiggers@kernel.org/
> Konrad
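The two situations discussed above, shown as device tree fragments added here for illustration (they are not part of the patch series or of any existing qcom dtsi): one ICE node for a SoC whose Trustzone firmware can service HWKM, where the new qcom,ice-use-hwkm property is set, and one for a SoC like SM8450 whose ICE hardware integrates HWKM but whose firmware cannot use it, where the property is deliberately left out so the driver falls back to standard keys. The compatible strings, register address, size and clock phandle are assumed values for the sake of the example; the two nodes belong in separate per-SoC dtsi files, not in one tree.

```dts
/* Added example, not from the patch series.
 * Fragment 1: SoC whose Trustzone firmware supports HWKM wrapped keys.
 * The boolean vendor property opts ICE into hardware-wrapped keys; the
 * UFS driver can then advertise wrapped-key support to the keyslot
 * manager at probe time, before any secure call has been made. */
ice: crypto@1d88000 {
	compatible = "qcom,sm8550-inline-crypto-engine",   /* assumed */
		     "qcom,inline-crypto-engine";
	reg = <0x0 0x01d88000 0x0 0x8000>;                 /* assumed */
	clocks = <&gcc GCC_UFS_PHY_ICE_CORE_CLK>;          /* assumed */
	qcom,ice-use-hwkm;   /* present: use HWKM for wrapped keys */
};

/* Fragment 2 (separate dtsi): SM8450-class SoC. The ICE hardware version
 * reports HWKM, but the Trustzone firmware lacks the support needed for
 * wrapped keys. The property is omitted on purpose, so the hardware
 * version alone must not enable wrapped keys and ICE keeps programming
 * standard keys. */
ice: crypto@1d88000 {
	compatible = "qcom,sm8450-inline-crypto-engine",   /* assumed */
		     "qcom,inline-crypto-engine";
	reg = <0x0 0x01d88000 0x0 0x8000>;                 /* assumed */
	clocks = <&gcc GCC_UFS_PHY_ICE_CORE_CLK>;          /* assumed */
	/* no qcom,ice-use-hwkm: fall back to standard keys */
};
```

The point of keeping the decision in DT rather than in the hardware version is visible in the second fragment: the firmware capability is a per-SoC fact that the ICE version register cannot express, and the UFS host needs it when it registers with blk-crypto, which is earlier than the first secure call that would otherwise reveal it.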