Received: by 2002:a05:6a10:6d10:0:0:0:0 with SMTP id gq16csp985372pxb; Fri, 15 Apr 2022 17:26:49 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwggnNsikwMsK1sPD07wZFfqEEFgxv29CunI1RmHHRvttuhusGKqUaEt7zeMvbIPME2KYlH X-Received: by 2002:a17:90a:7f94:b0:1cb:1853:da1b with SMTP id m20-20020a17090a7f9400b001cb1853da1bmr1454511pjl.14.1650068808982; Fri, 15 Apr 2022 17:26:48 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1650068808; cv=none; d=google.com; s=arc-20160816; b=U9HbW26X61X4GhEi2NcsOWksOOjB4Mtzn9vzQiJ0ZCQ+6XI/biQeNTU7cJHWoT+HOH bq0sEnItxkc4IH89nUOAVVHEJfWl74vx1cV00grx1bGPgocu5cH+PiiN8iJxa93/CPGj 3V7WwcnM73sK1flDGBHZ0a8dDSO5L6BdLdBkC+JrMw/M4f9uHeClcXXVk1EVU1ZkUG1p fCgJcBUmAX92IlU0FSVOzrGpvLOi2a9agATLOy6Dq/Ty5VCyJ8L7CJZtvh63tRVaSUzS 4B2RaZUu3sGSLKQ6ovpY6TGAsq11sCPy0/9UWbWk97fgJ1XHPKQP8UjxNTXi6NvEfzdn nApw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from; bh=Cs7PVtcUp0FatQU9JmIdFFAri750mjGmY6NKm0PnD/U=; b=GstKFqMLlowjC38pGy9zpnx7g2BuVL+uYj86JJ/PMKsqDpt3MDxGqHT9agnb7Ld3Eq cD3l710Lhg1dqEI6xV8Hl7n0CdHStfwEO+fRII0VrLC773T+vTYkF2vwDy5kc8+PZxoS GfwGGRoh5tkVMMpu5Fgmx/4coQtRdZYM30gqLow6dgEvGeURd5arP93sabv4wG6ea2Wm 16cm2mmgG8hRWJIdJ7yZV0xuciwsI3V5gPl6huwW/7Fx5DJg5hD8+DhtDwg2vg/dry5l f/gpWHko6ItGAY2F1/VNIH6iBqBkkDHiOUsyaa6sjMYROTlKsGuOc2wX4GgxjbryGB7D V/8w== ARC-Authentication-Results: i=1; mx.google.com; spf=softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net. [23.128.96.19]) by mx.google.com with ESMTPS id v190-20020a6389c7000000b0039d430ff61dsi2745096pgd.184.2022.04.15.17.26.48 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 15 Apr 2022 17:26:48 -0700 (PDT) Received-SPF: softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) client-ip=23.128.96.19; Authentication-Results: mx.google.com; spf=softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id 9D92211C0A; Fri, 15 Apr 2022 17:24:42 -0700 (PDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1352712AbiDOVAw (ORCPT + 99 others); Fri, 15 Apr 2022 17:00:52 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:58218 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1353010AbiDOVAf (ORCPT ); Fri, 15 Apr 2022 17:00:35 -0400 Received: from metis.ext.pengutronix.de (metis.ext.pengutronix.de [IPv6:2001:67c:670:201:290:27ff:fe1d:cc33]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 737588B6C3 for ; Fri, 15 Apr 2022 13:57:59 -0700 (PDT) Received: from drehscheibe.grey.stw.pengutronix.de ([2a0a:edc0:0:c01:1d::a2]) by metis.ext.pengutronix.de with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1nfT0A-0002iE-Vw; Fri, 15 Apr 2022 22:57:11 +0200 Received: from [2a0a:edc0:0:1101:1d::ac] (helo=dude04.red.stw.pengutronix.de) by drehscheibe.grey.stw.pengutronix.de with esmtp (Exim 4.94.2) (envelope-from ) id 1nfT09-003FIl-Vo; Fri, 15 Apr 2022 22:57:08 +0200 Received: from afa by dude04.red.stw.pengutronix.de with local (Exim 4.94.2) (envelope-from ) id 1nfT07-000C0H-I8; Fri, 15 Apr 2022 22:57:07 +0200 From: Ahmad Fatoum To: David Howells , Jarkko Sakkinen , James Bottomley , Mimi Zohar , Jonathan Corbet Cc: kernel@pengutronix.de, David Gstir , Pankaj Gupta , Tim Harvey , Matthias Schiffer , Ahmad Fatoum , James Morris , "Serge E. Hallyn" , =?UTF-8?q?Horia=20Geant=C4=83?= , Herbert Xu , "David S. Miller" , Eric Biggers , Jan Luebbe , Richard Weinberger , Franck LENORMAND , Sumit Garg , keyrings@vger.kernel.org, linux-crypto@vger.kernel.org, linux-doc@vger.kernel.org, linux-integrity@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org Subject: [PATCH v7 4/6] KEYS: trusted: Introduce support for NXP CAAM-based trusted keys Date: Fri, 15 Apr 2022 22:56:45 +0200 Message-Id: <20220415205647.46056-5-a.fatoum@pengutronix.de> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20220415205647.46056-1-a.fatoum@pengutronix.de> References: <20220415205647.46056-1-a.fatoum@pengutronix.de> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-SA-Exim-Connect-IP: 2a0a:edc0:0:c01:1d::a2 X-SA-Exim-Mail-From: afa@pengutronix.de X-SA-Exim-Scanned: No (on metis.ext.pengutronix.de); SAEximRunCond expanded to false X-PTX-Original-Recipient: linux-kernel@vger.kernel.org X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,RDNS_NONE, SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org The Cryptographic Acceleration and Assurance Module (CAAM) is an IP core built into many newer i.MX and QorIQ SoCs by NXP. The CAAM does crypto acceleration, hardware number generation and has a blob mechanism for encapsulation/decapsulation of sensitive material. This blob mechanism depends on a device specific random 256-bit One Time Programmable Master Key that is fused in each SoC at manufacturing time. This key is unreadable and can only be used by the CAAM for AES encryption/decryption of user data. This makes it a suitable backend (source) for kernel trusted keys. Previous commits generalized trusted keys to support multiple backends and added an API to access the CAAM blob mechanism. Based on these, provide the necessary glue to use the CAAM for trusted keys. Reviewed-by: David Gstir Reviewed-by: Pankaj Gupta Tested-by: Tim Harvey Tested-by: Matthias Schiffer Tested-by: Pankaj Gupta Signed-off-by: Ahmad Fatoum --- v6 -> v7: - Split off MAINTAINERS and documentation chanes into separate patches (Jarkko) - Use new struct caam_blob_info API (Pankaj) v5 -> v6: - Rename caam_trusted_key_ops to trusted_key_caam_ops for symmetry with other trust sources (Pankaj) - Collected Pankaj's Reviewed-by v4 -> v5: - Collected Reviewed-by's and Tested-by's - Changed modifier to SECURE_KEY for compatibility with linux-imx (Matthias) v3 -> v4: - Collected Acked-by's, Reviewed-by's and Tested-by v2 -> v3: - add MAINTAINERS entry v1 -> v2: - Extend trusted keys documentation for CAAM To: David Howells To: Jarkko Sakkinen To: James Bottomley To: Mimi Zohar To: Jonathan Corbet Cc: James Morris Cc: "Serge E. Hallyn" Cc: "Horia Geantă" Cc: Pankaj Gupta Cc: Herbert Xu Cc: "David S. Miller" Cc: Eric Biggers Cc: Jan Luebbe Cc: David Gstir Cc: Richard Weinberger Cc: Franck LENORMAND Cc: Matthias Schiffer Cc: Sumit Garg Cc: keyrings@vger.kernel.org Cc: linux-crypto@vger.kernel.org Cc: linux-doc@vger.kernel.org Cc: linux-integrity@vger.kernel.org Cc: linux-kernel@vger.kernel.org Cc: linux-security-module@vger.kernel.org --- .../admin-guide/kernel-parameters.txt | 1 + include/keys/trusted_caam.h | 11 +++ security/keys/trusted-keys/Kconfig | 11 ++- security/keys/trusted-keys/Makefile | 2 + security/keys/trusted-keys/trusted_caam.c | 82 +++++++++++++++++++ security/keys/trusted-keys/trusted_core.c | 6 +- 6 files changed, 111 insertions(+), 2 deletions(-) create mode 100644 include/keys/trusted_caam.h create mode 100644 security/keys/trusted-keys/trusted_caam.c diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt index 4deed1908a75..9afb7046ce97 100644 --- a/Documentation/admin-guide/kernel-parameters.txt +++ b/Documentation/admin-guide/kernel-parameters.txt @@ -5958,6 +5958,7 @@ sources: - "tpm" - "tee" + - "caam" If not specified then it defaults to iterating through the trust source list starting with TPM and assigns the first trust source as a backend which is initialized diff --git a/include/keys/trusted_caam.h b/include/keys/trusted_caam.h new file mode 100644 index 000000000000..73fe2f32f65e --- /dev/null +++ b/include/keys/trusted_caam.h @@ -0,0 +1,11 @@ +/* SPDX-License-Identifier: GPL-2.0-only */ +/* + * Copyright (C) 2021 Pengutronix, Ahmad Fatoum + */ + +#ifndef __CAAM_TRUSTED_KEY_H +#define __CAAM_TRUSTED_KEY_H + +extern struct trusted_key_ops trusted_key_caam_ops; + +#endif diff --git a/security/keys/trusted-keys/Kconfig b/security/keys/trusted-keys/Kconfig index fc4abd581abb..dbfdd8536468 100644 --- a/security/keys/trusted-keys/Kconfig +++ b/security/keys/trusted-keys/Kconfig @@ -24,6 +24,15 @@ config TRUSTED_KEYS_TEE Enable use of the Trusted Execution Environment (TEE) as trusted key backend. -if !TRUSTED_KEYS_TPM && !TRUSTED_KEYS_TEE +config TRUSTED_KEYS_CAAM + bool "CAAM-based trusted keys" + depends on CRYPTO_DEV_FSL_CAAM_JR >= TRUSTED_KEYS + select CRYPTO_DEV_FSL_CAAM_BLOB_GEN + default y + help + Enable use of NXP's Cryptographic Accelerator and Assurance Module + (CAAM) as trusted key backend. + +if !TRUSTED_KEYS_TPM && !TRUSTED_KEYS_TEE && !TRUSTED_KEYS_CAAM comment "No trust source selected!" endif diff --git a/security/keys/trusted-keys/Makefile b/security/keys/trusted-keys/Makefile index 2e2371eae4d5..735aa0bc08ef 100644 --- a/security/keys/trusted-keys/Makefile +++ b/security/keys/trusted-keys/Makefile @@ -12,3 +12,5 @@ trusted-$(CONFIG_TRUSTED_KEYS_TPM) += trusted_tpm2.o trusted-$(CONFIG_TRUSTED_KEYS_TPM) += tpm2key.asn1.o trusted-$(CONFIG_TRUSTED_KEYS_TEE) += trusted_tee.o + +trusted-$(CONFIG_TRUSTED_KEYS_CAAM) += trusted_caam.o diff --git a/security/keys/trusted-keys/trusted_caam.c b/security/keys/trusted-keys/trusted_caam.c new file mode 100644 index 000000000000..46cb2484ec36 --- /dev/null +++ b/security/keys/trusted-keys/trusted_caam.c @@ -0,0 +1,82 @@ +// SPDX-License-Identifier: GPL-2.0-only +/* + * Copyright (C) 2021 Pengutronix, Ahmad Fatoum + */ + +#include +#include +#include +#include +#include + +static struct caam_blob_priv *blobifier; + +#define KEYMOD "SECURE_KEY" + +static_assert(MAX_KEY_SIZE + CAAM_BLOB_OVERHEAD <= CAAM_BLOB_MAX_LEN); +static_assert(MAX_BLOB_SIZE <= CAAM_BLOB_MAX_LEN); + +static int trusted_caam_seal(struct trusted_key_payload *p, char *datablob) +{ + int ret; + struct caam_blob_info info = { + .input = p->key, .input_len = p->key_len, + .output = p->blob, .output_len = MAX_BLOB_SIZE, + .key_mod = KEYMOD, .key_mod_len = sizeof(KEYMOD) - 1, + }; + + ret = caam_encap_blob(blobifier, &info); + if (ret) + return ret; + + p->blob_len = info.output_len; + return 0; +} + +static int trusted_caam_unseal(struct trusted_key_payload *p, char *datablob) +{ + int ret; + struct caam_blob_info info = { + .input = p->blob, .input_len = p->blob_len, + .output = p->key, .output_len = MAX_KEY_SIZE, + .key_mod = KEYMOD, .key_mod_len = sizeof(KEYMOD) - 1, + }; + + ret = caam_decap_blob(blobifier, &info); + if (ret) + return ret; + + p->key_len = info.output_len; + return 0; +} + +static int trusted_caam_init(void) +{ + int ret; + + blobifier = caam_blob_gen_init(); + if (IS_ERR(blobifier)) { + pr_err("Job Ring Device allocation for transform failed\n"); + return PTR_ERR(blobifier); + } + + ret = register_key_type(&key_type_trusted); + if (ret) + caam_blob_gen_exit(blobifier); + + return ret; +} + +static void trusted_caam_exit(void) +{ + unregister_key_type(&key_type_trusted); + caam_blob_gen_exit(blobifier); +} + +struct trusted_key_ops trusted_key_caam_ops = { + .migratable = 0, /* non-migratable */ + .init = trusted_caam_init, + .seal = trusted_caam_seal, + .unseal = trusted_caam_unseal, + .exit = trusted_caam_exit, +}; diff --git a/security/keys/trusted-keys/trusted_core.c b/security/keys/trusted-keys/trusted_core.c index 9235fb7d0ec9..c6fc50d67214 100644 --- a/security/keys/trusted-keys/trusted_core.c +++ b/security/keys/trusted-keys/trusted_core.c @@ -9,6 +9,7 @@ #include #include #include +#include #include #include #include @@ -29,7 +30,7 @@ MODULE_PARM_DESC(rng, "Select trusted key RNG"); static char *trusted_key_source; module_param_named(source, trusted_key_source, charp, 0); -MODULE_PARM_DESC(source, "Select trusted keys source (tpm or tee)"); +MODULE_PARM_DESC(source, "Select trusted keys source (tpm, tee or caam)"); static const struct trusted_key_source trusted_key_sources[] = { #if defined(CONFIG_TRUSTED_KEYS_TPM) @@ -38,6 +39,9 @@ static const struct trusted_key_source trusted_key_sources[] = { #if defined(CONFIG_TRUSTED_KEYS_TEE) { "tee", &trusted_key_tee_ops }, #endif +#if defined(CONFIG_TRUSTED_KEYS_CAAM) + { "caam", &trusted_key_caam_ops }, +#endif }; DEFINE_STATIC_CALL_NULL(trusted_key_init, *trusted_key_sources[0].ops->init); -- 2.30.2