From: Gilad Ben-Yossef
Date: Mon, 9 Apr 2018 11:47:32 +0300
Subject: Re: [PATCH 2/2] crypto: ccree: enable support for hardware keys
To: Milan Broz
Cc: Herbert Xu, "David S. Miller", Ofir Drang, Linux Crypto Mailing List, Linux kernel mailing list

On Tue, Apr 3, 2018 at 3:22 PM, Milan Broz wrote:
> On 03/31/2018 07:30 PM, Gilad Ben-Yossef wrote:
> ...
>>> Are there other crypto drivers doing this?
>>
>> I thought the exact same thing until I ran into a presentation about the s390
>> secure keys implementation. I basically imitated their use (or abuse?)
>> of the Crypto API
>> assuming it is the way to go.
>>
>> Take a look at arch/s390/crypto/paes_s390.c
>>
>> The slide for the presentation describing this is here:
>> http://schd.ws/hosted_files/ossna2017/89/LC2017SecKeyDmCryptV5.pdf
>>
>> And they seem to even have support for it in the DM-Crypt tools, which at
>> the time they claimed to be in the process of getting it up-streamed.
>
> It is "in the process", but definitely not accepted.
>
> We are just discussing how to integrate paes wrapped keys in cryptsetup and
> it will definitely not be the way presented in the slides above.
>
> If you plan more such ciphers, I would welcome some unified way in crypto API
> how to handle these HSM keys flavors.

That would be good. Note however the fine difference - the s390 usage
is a wrapped key.
Ours is a token for a key (a slot number really). Probably makes no
difference for any
practical sense, but I thought it is worth mentioning it.

>
> For kernel dm-crypt, there is no change needed (dmcrypt just treats it as a normal cipher key).
> (I would say that it is not the best idea either, IMHO it would be better to use
> kernel keyring reference instead and somehow handle hw keys through keyring.)
>

I am all for the keyring approach. In fact, that was the way I wanted
to go to introduce this feature
for cryptocell when I discovered that there was already upstream code using
a different approach.

Any suggestion how this would work vis a vis the crypto API usage?

e.g. - have a parallel setkey variant added to crypto API that takes a
kernel keyring object rather than actual key?

Thanks,
Gilad

-- 
Gilad Ben-Yossef
Chief Coffee Drinker

"If you take a class in large-scale robotics, can you end up in a situation
where the homework eats your dog?"
 -- Jean-Baptiste Queru