[EXT] [PATCH v8 6/6] docs: trusted-encrypted: add DCP as new trust source
Kshitiz Varshney
kshitiz.varshney at nxp.com
Tue Apr 30 21:48:38 AEST 2024
Hi David,
> -----Original Message-----
> From: David Gstir <david at sigma-star.at>
> Sent: Monday, April 29, 2024 5:05 PM
> To: Kshitiz Varshney <kshitiz.varshney at nxp.com>
> Cc: Jarkko Sakkinen <jarkko at kernel.org>; Mimi Zohar
> <zohar at linux.ibm.com>; James Bottomley <jejb at linux.ibm.com>; Herbert
> Xu <herbert at gondor.apana.org.au>; David S. Miller
> <davem at davemloft.net>; Shawn Guo <shawnguo at kernel.org>; Jonathan
> Corbet <corbet at lwn.net>; Sascha Hauer <s.hauer at pengutronix.de>;
> kernel at pengutronix.de; Fabio Estevam <festevam at gmail.com>; dl-linux-imx
> <linux-imx at nxp.com>; Ahmad Fatoum <a.fatoum at pengutronix.de>; sigma
> star Kernel Team <upstream+dcp at sigma-star.at>; David Howells
> <dhowells at redhat.com>; Li Yang <leoyang.li at nxp.com>; Paul Moore
> <paul at paul-moore.com>; James Morris <jmorris at namei.org>; Serge E.
> Hallyn <serge at hallyn.com>; Paul E. McKenney <paulmck at kernel.org>;
> Randy Dunlap <rdunlap at infradead.org>; Catalin Marinas
> <catalin.marinas at arm.com>; Rafael J. Wysocki
> <rafael.j.wysocki at intel.com>; Tejun Heo <tj at kernel.org>; Steven Rostedt
> (Google) <rostedt at goodmis.org>; linux-doc at vger.kernel.org; linux-
> kernel at vger.kernel.org; linux-integrity at vger.kernel.org;
> keyrings at vger.kernel.org; linux-crypto at vger.kernel.org; linux-arm-
> kernel at lists.infradead.org; linuxppc-dev at lists.ozlabs.org; linux-security-
> module at vger.kernel.org; Richard Weinberger <richard at nod.at>; David
> Oberhollenzer <david.oberhollenzer at sigma-star.at>; Varun Sethi
> <V.Sethi at nxp.com>; Gaurav Jain <gaurav.jain at nxp.com>; Pankaj Gupta
> <pankaj.gupta at nxp.com>
> Subject: Re: [EXT] [PATCH v8 6/6] docs: trusted-encrypted: add DCP as new
> trust source
>
> Caution: This is an external email. Please take care when clicking links or
> opening attachments. When in doubt, report the message using the 'Report
> this email' button
>
>
> Hi Kshitiz,
>
> > On 09.04.2024, at 11:48, Kshitiz Varshney <kshitiz.varshney at nxp.com>
> wrote:
> >
> > Hi Jarkko,
> >
> >
> >> -----Original Message-----
> >> From: Jarkko Sakkinen <jarkko at kernel.org>
> >> Sent: Wednesday, April 3, 2024 9:18 PM
> >> To: David Gstir <david at sigma-star.at>; Mimi Zohar
> >> <zohar at linux.ibm.com>; James Bottomley <jejb at linux.ibm.com>;
> Herbert
> >> Xu <herbert at gondor.apana.org.au>; David S. Miller
> >> <davem at davemloft.net>
> >> Cc: Shawn Guo <shawnguo at kernel.org>; Jonathan Corbet
> >> <corbet at lwn.net>; Sascha Hauer <s.hauer at pengutronix.de>;
> Pengutronix
> >> Kernel Team <kernel at pengutronix.de>; Fabio Estevam
> >> <festevam at gmail.com>; dl-linux-imx <linux-imx at nxp.com>; Ahmad
> Fatoum
> >> <a.fatoum at pengutronix.de>; sigma star Kernel Team
> >> <upstream+dcp at sigma-star.at>; David Howells <dhowells at redhat.com>;
> Li
> >> Yang <leoyang.li at nxp.com>; Paul Moore <paul at paul-moore.com>;
> James
> >> Morris <jmorris at namei.org>; Serge E. Hallyn <serge at hallyn.com>; Paul
> E.
> >> McKenney <paulmck at kernel.org>; Randy Dunlap
> <rdunlap at infradead.org>;
> >> Catalin Marinas <catalin.marinas at arm.com>; Rafael J. Wysocki
> >> <rafael.j.wysocki at intel.com>; Tejun Heo <tj at kernel.org>; Steven
> >> Rostedt
> >> (Google) <rostedt at goodmis.org>; linux-doc at vger.kernel.org; linux-
> >> kernel at vger.kernel.org; linux-integrity at vger.kernel.org;
> >> keyrings at vger.kernel.org; linux-crypto at vger.kernel.org; linux-arm-
> >> kernel at lists.infradead.org; linuxppc-dev at lists.ozlabs.org;
> >> linux-security- module at vger.kernel.org; Richard Weinberger
> >> <richard at nod.at>; David Oberhollenzer
> >> <david.oberhollenzer at sigma-star.at>
> >> Subject: [EXT] Re: [PATCH v8 6/6] docs: trusted-encrypted: add DCP as
> >> new trust source
> >>
> >> Caution: This is an external email. Please take care when clicking
> >> links or opening attachments. When in doubt, report the message using
> >> the 'Report this email' button
> >>
> >>
> >> On Wed Apr 3, 2024 at 10:21 AM EEST, David Gstir wrote:
> >>> Update the documentation for trusted and encrypted KEYS with DCP as
> >>> new trust source:
> >>>
> >>> - Describe security properties of DCP trust source
> >>> - Describe key usage
> >>> - Document blob format
> >>>
> >>> Co-developed-by: Richard Weinberger <richard at nod.at>
> >>> Signed-off-by: Richard Weinberger <richard at nod.at>
> >>> Co-developed-by: David Oberhollenzer
> >>> <david.oberhollenzer at sigma-star.at>
> >>> Signed-off-by: David Oberhollenzer
> >>> <david.oberhollenzer at sigma-star.at>
> >>> Signed-off-by: David Gstir <david at sigma-star.at>
> >>> ---
> >>> .../security/keys/trusted-encrypted.rst | 53 +++++++++++++++++++
> >>> security/keys/trusted-keys/trusted_dcp.c | 19 +++++++
> >>> 2 files changed, 72 insertions(+)
> >>>
> >>> diff --git a/Documentation/security/keys/trusted-encrypted.rst
> >>> b/Documentation/security/keys/trusted-encrypted.rst
> >>> index e989b9802f92..f4d7e162d5e4 100644
> >>> --- a/Documentation/security/keys/trusted-encrypted.rst
> >>> +++ b/Documentation/security/keys/trusted-encrypted.rst
> >>> @@ -42,6 +42,14 @@ safe.
> >>> randomly generated and fused into each SoC at manufacturing
> time.
> >>> Otherwise, a common fixed test key is used instead.
> >>>
> >>> + (4) DCP (Data Co-Processor: crypto accelerator of various i.MX
> >>> + SoCs)
> >>> +
> >>> + Rooted to a one-time programmable key (OTP) that is
> >>> + generally
> >> burnt
> >>> + in the on-chip fuses and is accessible to the DCP
> >>> + encryption engine
> >> only.
> >>> + DCP provides two keys that can be used as root of trust:
> >>> + the OTP
> >> key
> >>> + and the UNIQUE key. Default is to use the UNIQUE key, but
> selecting
> >>> + the OTP key can be done via a module parameter
> >> (dcp_use_otp_key).
> >>> +
> >>> * Execution isolation
> >>>
> >>> (1) TPM
> >>> @@ -57,6 +65,12 @@ safe.
> >>>
> >>> Fixed set of operations running in isolated execution environment.
> >>>
> >>> + (4) DCP
> >>> +
> >>> + Fixed set of cryptographic operations running in isolated
> execution
> >>> + environment. Only basic blob key encryption is executed there.
> >>> + The actual key sealing/unsealing is done on main
> >>> + processor/kernel
> >> space.
> >>> +
> >>> * Optional binding to platform integrity state
> >>>
> >>> (1) TPM
> >>> @@ -79,6 +93,11 @@ safe.
> >>> Relies on the High Assurance Boot (HAB) mechanism of NXP SoCs
> >>> for platform integrity.
> >>>
> >>> + (4) DCP
> >>> +
> >>> + Relies on Secure/Trusted boot process (called HAB by vendor) for
> >>> + platform integrity.
> >>> +
> >>> * Interfaces and APIs
> >>>
> >>> (1) TPM
> >>> @@ -94,6 +113,11 @@ safe.
> >>>
> >>> Interface is specific to silicon vendor.
> >>>
> >>> + (4) DCP
> >>> +
> >>> + Vendor-specific API that is implemented as part of the DCP
> >>> + crypto
> >> driver in
> >>> + ``drivers/crypto/mxs-dcp.c``.
> >>> +
> >>> * Threat model
> >>>
> >>> The strength and appropriateness of a particular trust source
> >>> for a given @@ -129,6 +153,13 @@ selected trust source:
> >>> CAAM HWRNG, enable CRYPTO_DEV_FSL_CAAM_RNG_API and
> ensure
> >> the device
> >>> is probed.
> >>>
> >>> + * DCP (Data Co-Processor: crypto accelerator of various i.MX
> >>> + SoCs)
> >>> +
> >>> + The DCP hardware device itself does not provide a dedicated
> >>> + RNG
> >> interface,
> >>> + so the kernel default RNG is used. SoCs with DCP like the
> >>> + i.MX6ULL do
> >> have
> >>> + a dedicated hardware RNG that is independent from DCP which
> >>> + can be
> >> enabled
> >>> + to back the kernel RNG.
> >>> +
> >>> Users may override this by specifying ``trusted.rng=kernel`` on the
> >>> kernel command-line to override the used RNG with the kernel's
> >>> random
> >> number pool.
> >>>
> >>> @@ -231,6 +262,19 @@ Usage::
> >>> CAAM-specific format. The key length for new keys is always in bytes.
> >>> Trusted Keys can be 32 - 128 bytes (256 - 1024 bits).
> >>>
> >>> +Trusted Keys usage: DCP
> >>> +-----------------------
> >>> +
> >>> +Usage::
> >>> +
> >>> + keyctl add trusted name "new keylen" ring
> >>> + keyctl add trusted name "load hex_blob" ring
> >>> + keyctl print keyid
> >>> +
> >>> +"keyctl print" returns an ASCII hex copy of the sealed key, which
> >>> +is in format specific to this DCP key-blob implementation. The key
> >>> +length for new keys is always in bytes. Trusted Keys can be 32 -
> >>> +128 bytes
> >> (256 - 1024 bits).
> >>> +
> >>> Encrypted Keys usage
> >>> --------------------
> >>>
> >>> @@ -426,3 +470,12 @@ string length.
> >>> privkey is the binary representation of TPM2B_PUBLIC excluding the
> >>> initial TPM2B header which can be reconstructed from the ASN.1 octed
> >>> string length.
> >>> +
> >>> +DCP Blob Format
> >>> +---------------
> >>> +
> >>> +.. kernel-doc:: security/keys/trusted-keys/trusted_dcp.c
> >>> + :doc: dcp blob format
> >>> +
> >>> +.. kernel-doc:: security/keys/trusted-keys/trusted_dcp.c
> >>> + :identifiers: struct dcp_blob_fmt
> >>> diff --git a/security/keys/trusted-keys/trusted_dcp.c
> >>> b/security/keys/trusted-keys/trusted_dcp.c
> >>> index 16c44aafeab3..b5f81a05be36 100644
> >>> --- a/security/keys/trusted-keys/trusted_dcp.c
> >>> +++ b/security/keys/trusted-keys/trusted_dcp.c
> >>> @@ -19,6 +19,25 @@
> >>> #define DCP_BLOB_VERSION 1
> >>> #define DCP_BLOB_AUTHLEN 16
> >>>
> >>> +/**
> >>> + * DOC: dcp blob format
> >>> + *
> >>> + * The Data Co-Processor (DCP) provides hardware-bound AES keys
> >>> +using its
> >>> + * AES encryption engine only. It does not provide direct key
> >> sealing/unsealing.
> >>> + * To make DCP hardware encryption keys usable as trust source, we
> >>> +define
> >>> + * our own custom format that uses a hardware-bound key to secure
> >>> +the sealing
> >>> + * key stored in the key blob.
> >>> + *
> >>> + * Whenever a new trusted key using DCP is generated, we generate a
> >>> +random 128-bit
> >>> + * blob encryption key (BEK) and 128-bit nonce. The BEK and nonce
> >>> +are used to
> >>> + * encrypt the trusted key payload using AES-128-GCM.
> >>> + *
> >>> + * The BEK itself is encrypted using the hardware-bound key using
> >>> +the DCP's AES
> >>> + * encryption engine with AES-128-ECB. The encrypted BEK, generated
> >>> +nonce,
> >>> + * BEK-encrypted payload and authentication tag make up the blob
> >>> +format together
> >>> + * with a version number, payload length and authentication tag.
> >>> + */
> >>> +
> >>> /**
> >>> * struct dcp_blob_fmt - DCP BLOB format.
> >>> *
> >>
> >> Reviewed-by: Jarkko Sakkinen <jarkko at kernel.org>
> >>
> >> I can only test that this does not break a machine without the
> >> hardware feature.
> >>
> >> Is there anyone who could possibly peer test these patches?
> > I am already working on testing this patchset on i.MX6 platform.
>
> Did you get around to testing this?
> I’d greatly appreciate a Tested-by for this. :-)
>
> Thanks!
> BR, David
Currently, I am bit busy with other priority activities. It will take time to test this patch set.
Regards,
Kshitiz
More information about the Linuxppc-dev
mailing list