Received: by 10.213.65.68 with SMTP id h4csp2348607imn;
        Mon, 9 Apr 2018 01:51:43 -0700 (PDT)
X-Google-Smtp-Source: AIpwx485xQ2YaznolWA2XdfAZeZuTsiKsw8LInKR7sU+XTii37pQYrQVROgULb6prOlrFQQ01lFE
X-Received: by 10.99.104.9 with SMTP id d9mr24308327pgc.304.1523263903765;
        Mon, 09 Apr 2018 01:51:43 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1523263903; cv=none;
        d=google.com; s=arc-20160816;
        b=gJyHxBJ/PNi6k6qu1accWB6NGxDyoZ3aHpGEu84rT0S2SB3KIJml6wFnjKgWVoC+ee
         mC53N23L2ZHJgYFodrvso9m+j0bcm/BshfQyK73/Jz/MUE1mGIvaltxKMLXdDrvpKymN
         TpeKZJ0qOAtCQ/uIVp0srbc1ty3A0f5lT5U3mmz82fNySzM2FkwDaKzMWr84FW+FLOVv
         eeXboaU1EEo6Tyeim4By2avE5Zbovu6hCJCwtipZCAwA5AZqxxAzThYItAeieN5kVoAr
         BnqASkVGDxXcA/nlbdd2ZCWqZ7bGhmPbZCmEIU7lEmbZjG8IwdqO/NzGj0ftTHjC3CNN
         xUbA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :references:in-reply-to:mime-version:dkim-signature
         :arc-authentication-results;
        bh=QVwOp5HWYZ+byOKMXMadCeQS9QfdncdPpOZrtiNlKsc=;
        b=CCZ4CXVYJ2mal7Kry4oJPT502A7LBMWkPxbJQCsTY1a9CdAHuCvhtcpOkCqElplH6o
         AEdpTFz9s9b5xK2KzknJRKQt4nv5vBhTejH6RwZiLm0JnKd7SS5ne8G4I+H88ip0X4TZ
         O482UiQ26Rtetexz3TnR/PeIXqSgiidE2xyYGM05Y1+jx07W0gkjMc7abeDamTaVKci6
         2ABGTo1ZNbXAUe/0wAucvA9VZOC5fKDgTOI+Jr3+iNRhOfpg2l//Vy2v1IDClgDeKpkW
         DXRvA63is9xAnTyaHsZZF7VVddrHmPEJBugNACssmM5Almhts5/EeSSCQw/3GcIVOIcM
         o66g==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@benyossef-com.20150623.gappssmtp.com header.s=20150623 header.b=ACyC0QMV;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id 1-v6si14271051plo.228.2018.04.09.01.51.06;
        Mon, 09 Apr 2018 01:51:43 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@benyossef-com.20150623.gappssmtp.com header.s=20150623 header.b=ACyC0QMV;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1751716AbeDIIrg (ORCPT <rfc822;hououinredflag@gmail.com>
        + 99 others); Mon, 9 Apr 2018 04:47:36 -0400
Received: from mail-ua0-f179.google.com ([209.85.217.179]:40405 "EHLO
        mail-ua0-f179.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1750877AbeDIIrd (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 9 Apr 2018 04:47:33 -0400
Received: by mail-ua0-f179.google.com with SMTP id n20so4465218ual.7
        for <linux-kernel@vger.kernel.org>; Mon, 09 Apr 2018 01:47:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=benyossef-com.20150623.gappssmtp.com; s=20150623;
        h=mime-version:in-reply-to:references:from:date:message-id:subject:to
         :cc;
        bh=QVwOp5HWYZ+byOKMXMadCeQS9QfdncdPpOZrtiNlKsc=;
        b=ACyC0QMVVSSgaMuztFJe4SQTtx7XawWo3gG6yZmhgxyKI5H4Iz7uHM+9u9g4IfDfsZ
         trR3hxOoKuwKTacHwTTbKr62l1lIV2o+ChUlTGV1UWH7ivt+Z0Nchqts5YIvxO4AcpRw
         xfYGlYPPGJQFQ0CdBttzv70wTzO8U5KgglJ384bkQlS+D8pv3yeXxUEkPjTV1kNjhTt9
         Mke+emTTWDZQYlzWGPqnDVBLx2ZZ/1e5VWL7cS9JasWJ0B56LDoWL48QPGIL1vMyBi86
         cZLH+p2CXIrhk0awbef7QSnO6ZHhyvCuug3XugdqhI26HahVMRrTXOPf1EdPlD+UTQAR
         M7Iw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:in-reply-to:references:from:date
         :message-id:subject:to:cc;
        bh=QVwOp5HWYZ+byOKMXMadCeQS9QfdncdPpOZrtiNlKsc=;
        b=ZCtEQyUal3gNb8tc32WqFfP1thKCxp+yoJRxzlfZ47WqwtlwEHuMpQOhqeSi1itxOc
         EiErm4V/xDtXIVsfzLrnshwjpyhGrSyXIE8LSjjSMWxJ2PKEvr6j2Jdqb6CLsyiXSyV8
         gfWD7HvnnaGoUnN/uTx6slKYKG19T8kdWqFjIwn798qIHj8uA48XAqNVqtqISv0qjRMi
         YBMr41EdOGeE+jCDV5BiJsFNVv5+P+SSwxzdCy4xkMVgDD+RIXU793LAn7nylNnqQ0IX
         tMACIWzfg0TXZhzL6meZZz5IoThPQjZ1qhin8e8+hKREGxZ0TCZLW/2r4dbKLj8HJFUV
         Gqig==
X-Gm-Message-State: ALQs6tBB2oLBMcpO8QQBfy9edkg0thjOVL/vE49eekB6so33yARoQo6M
        4HwOMJBFQYA25broe9999FxHS39qRjbJ8X/2QYcxxg==
X-Received: by 10.176.79.25 with SMTP id n25mr23698134uah.172.1523263653078;
 Mon, 09 Apr 2018 01:47:33 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.159.54.197 with HTTP; Mon, 9 Apr 2018 01:47:32 -0700 (PDT)
X-Originating-IP: [62.219.136.235]
In-Reply-To: <13b816b2-cae1-a926-d60b-734c77a6361c@gmail.com>
References: <1522049540-10042-1-git-send-email-gilad@benyossef.com>
 <1522049540-10042-3-git-send-email-gilad@benyossef.com> <20180330172616.GB28120@gondor.apana.org.au>
 <CAOtvUMd6MMyQBHU4E=5DKXndhZw90=K1V1apD0uRRaMLyp-0Ag@mail.gmail.com> <13b816b2-cae1-a926-d60b-734c77a6361c@gmail.com>
From:   Gilad Ben-Yossef <gilad@benyossef.com>
Date:   Mon, 9 Apr 2018 11:47:32 +0300
Message-ID: <CAOtvUMf6gU7EN2NL0wfFpmaqHFBP5xxAjYBJXdyhA03yVc9b5w@mail.gmail.com>
Subject: Re: [PATCH 2/2] crypto: ccree: enable support for hardware keys
To:     Milan Broz <gmazyland@gmail.com>
Cc:     Herbert Xu <herbert@gondor.apana.org.au>,
        "David S. Miller" <davem@davemloft.net>,
        Ofir Drang <ofir.drang@arm.com>,
        Linux Crypto Mailing List <linux-crypto@vger.kernel.org>,
        Linux kernel mailing list <linux-kernel@vger.kernel.org>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Apr 3, 2018 at 3:22 PM, Milan Broz <gmazyland@gmail.com> wrote:
> On 03/31/2018 07:30 PM, Gilad Ben-Yossef wrote:
> ...
>>> Are there other crypto drivers doing this?
>>
>> I thought the exact same thing until I ran into a presentation about the s390
>> secure keys implementation. I basically imitated their use (or abuse?)
>> of the Crypto API
>> assuming it is the way to go.
>>
>> Take a look at arch/s390/crypto/paes_s390.c
>>
>> The slide for the presentation describing this is here:
>> http://schd.ws/hosted_files/ossna2017/89/LC2017SecKeyDmCryptV5.pdf
>>
>> And they seem to even have support for it in the DM-Crypt tools, which at
>> the time they claimed to be in the process of getting it up-streamed.
>
> It is "in the process", but definitely not accepted.
>
> We are just discussing how to integrate paes wrapped keys in cryptsetup and
> it will definitely not be the way presented in the slides above.
>
> If you plan more such ciphers, I would welcome some unified way in crypto API
> how to handle these HSM keys flavors.

That would be good. Note however the fine difference - the s390 usage
is a wrapped key.
Ours is a token for a key (a slot number really). Probably makes no
difference for any
practical sense, but I thought it is worth mentioning it.

>
> For kernel dm-crypt, there is no change needed (dmcrypt just treats it as a normal cipher key).
> (I would say that it is not the best idea either, IMHO it would be better to use
> kernel keyring reference instead and somehow handle hw keys through keyring.)
>

I am all for the keyring approach. In fact, that was the way I wanted
to to go to introduce this feature
for cryptocell when I discovered that was already upstream code using
a different approach.

Any suggestion how this would work vis a vis the crypto API usage?

e.g. - have a parallel setkey variant added to crypto APi that takes a
kernel keyring object rather than actual key?


Thanks,
Gilad





-- 
Gilad Ben-Yossef
Chief Coffee Drinker

"If you take a class in large-scale robotics, can you end up in a
situation where the homework eats your dog?"
 -- Jean-Baptiste Queru