Received: by 2002:a05:7412:31a9:b0:e2:908c:2ebd with SMTP id et41csp2745915rdb; Tue, 12 Sep 2023 10:43:55 -0700 (PDT) X-Google-Smtp-Source: AGHT+IFK5WaqIxRdPUzQ7KGgvcgWXgAm/Cji7WDT5hqFLfE2dBSABQ9XWLSnYj8+YnFeoCUev5ob X-Received: by 2002:a05:6a21:9983:b0:13d:d5bd:758f with SMTP id ve3-20020a056a21998300b0013dd5bd758fmr39174pzb.6.1694540634947; Tue, 12 Sep 2023 10:43:54 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1694540634; cv=none; d=google.com; s=arc-20160816; b=k2hOO6pabzVuGh4ZA9mM6iPZdhkFhWtoMQRzxkkZZB+Pidh5ImrQbIBefjSLQOELKL gLTp1xA07NRdZV1auqeSDOXRJAEAjSyZCYKgzDufmg8u8PfH7gMu2LmTtNrOX0arMq3A tB2Smcib0MgzUqXgji6x0m/TkNvUx2br8+ve3E++fC+oYrtOt2SQj2+TZmlpCwU5qIxA 0W+aQ7MGt43+OhSTUiipl1v6/ZtqxXuRI/zPPBKb42bVQo9e74Cy1vsT1wanqQWE7pr0 OElVdONsjrXv63DLdJmAutA84JbFS5X3rCGFlP1kdCTkGeUqvUHvmfYINf0Z1iPhz0+f 2pfw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:references:subject:cc:to:from :message-id:date:content-transfer-encoding:mime-version :dkim-signature; bh=Frl+x4Pt6OGWcOgcb9WwKdhh7bEd6R64eNEs8UOUhus=; fh=3iDjHzPLkfXKpoDoF1f9f1mBTKocMboVGkhHQjHHryU=; b=ETGwpQfDde3gIcoMqTPOEeUJaVihOq4S+aiSpVwtLSr04rONfIHzz8cqUUZfpvdvyD NuwQwjpwM0v4Ti2XlioHgFBjntrM2Bx9nUGuDBzFhsS7yt+4mSnyv+s1fwW4DuAL7fxx u1unn8HrDpFs3j8YMMsWfETv2hW2f8+nygr5nw5aBmZ2d/6+DAeyCHt/q7hnvko2dwXP XLm6xoU/ivZlt1/NwsrZ0FEJ3wanReEqz1IOWOG9+HKAT6nya9qBb3TXYcDHVzPJ9MbE HS2mg2AhXk39ZRpcvKxgV+fO2pAhumK8L3t18eHr/UwHV54RjnjvXyDJ4btp4Pyhzafp 4N6A== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=mt8VWOQ2; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:1 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from morse.vger.email (morse.vger.email. [2620:137:e000::3:1]) by mx.google.com with ESMTPS id cu9-20020a056a00448900b0068fe810e8a1si1463744pfb.193.2023.09.12.10.43.54 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 12 Sep 2023 10:43:54 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:1 as permitted sender) client-ip=2620:137:e000::3:1; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=mt8VWOQ2; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:1 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by morse.vger.email (Postfix) with ESMTP id 21EC980BCEA1; Tue, 12 Sep 2023 10:32:30 -0700 (PDT) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.10 at morse.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S236671AbjILRc2 (ORCPT + 99 others); Tue, 12 Sep 2023 13:32:28 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:43246 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231778AbjILRc1 (ORCPT ); Tue, 12 Sep 2023 13:32:27 -0400 Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 3F88C10D9; Tue, 12 Sep 2023 10:32:23 -0700 (PDT) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 9482FC433C7; Tue, 12 Sep 2023 17:32:16 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1694539942; bh=9ZfPG+orToERpZBcmHd5T+RLHzRPrTBdinpB23NfTGA=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=mt8VWOQ2SwEDLLhTMPMGRRxgsdchCHTcsZ8ztnaOG8AoX/lBGRwDgr56irXzn15hN FRrI0LWlzTUKFNEwOI3kxwSgDY/7Zke0f13Bruy+z92MGowQkD16MPccDTft2LJnZv Xo3Aj8nMVnbkfT24ppSmBuYQ5qjzRx9bVaPvTlUxV/BonhkGcNN6hpXhHbHePGlpa2 1M2JJOpc8rHOFaOSMs0OXSDy5AWwbv7wYTiQVrZhKYkjfI4MTJRuM6DNJNBdyyALKC /zjDGHCNC8mWNldwhKyAD2M1ksApIdH/eI6hUPRNlD8r8QncUsbqm+4CMRc2X6MFed kr5Tb75rMQp3A== Mime-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=UTF-8 Date: Tue, 12 Sep 2023 20:32:14 +0300 Message-Id: From: "Jarkko Sakkinen" To: "David Gstir" , "Mimi Zohar" , "James Bottomley" , "Herbert Xu" , "David S. Miller" Cc: "Shawn Guo" , "Jonathan Corbet" , "Sascha Hauer" , "Pengutronix Kernel Team" , "Fabio Estevam" , "NXP Linux Team" , "Ahmad Fatoum" , "sigma star Kernel Team" , "David Howells" , "Li Yang" , "Paul Moore" , "James Morris" , "Serge E. Hallyn" , "Paul E. McKenney" , "Randy Dunlap" , "Catalin Marinas" , "Rafael J. Wysocki" , "Tejun Heo" , "Steven Rostedt (Google)" , , , , , , , , , "Richard Weinberger" , "David Oberhollenzer" Subject: Re: [PATCH v2 1/3] crypto: mxs-dcp: Add support for hardware provided keys X-Mailer: aerc 0.14.0 References: <20230912111115.24274-1-david@sigma-star.at> <20230912111115.24274-2-david@sigma-star.at> In-Reply-To: <20230912111115.24274-2-david@sigma-star.at> Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (morse.vger.email [0.0.0.0]); Tue, 12 Sep 2023 10:32:30 -0700 (PDT) X-Spam-Status: No, score=-1.2 required=5.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,MAILING_LIST_MULTI, SPF_HELO_NONE,SPF_PASS autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on morse.vger.email On Tue Sep 12, 2023 at 2:11 PM EEST, David Gstir wrote: > DCP is capable to performing AES with hardware-bound keys. > These keys are not stored in main memory and are therefore not directly > accessible by the operating system. > > So instead of feeding the key into DCP, we need to place a > reference to such a key before initiating the crypto operation. > Keys are referenced by a one byte identifiers. > > DCP supports 6 different keys: 4 slots in the secure memory area, > a one time programmable key which can be burnt via on-chip fuses > and an unique device key. > > Using these keys is restricted to in-kernel users that use them as buildi= ng > block for other crypto tools such as trusted keys. Allowing userspace > (e.g. via AF_ALG) to use these keys to crypt or decrypt data is a securit= y > risk, because there is no access control mechanism. > > Co-developed-by: Richard Weinberger > Signed-off-by: Richard Weinberger > Co-developed-by: David Oberhollenzer > Signed-off-by: David Oberhollenzer > Signed-off-by: David Gstir > --- > drivers/crypto/mxs-dcp.c | 107 +++++++++++++++++++++++++++++++++++---- > include/soc/fsl/dcp.h | 19 +++++++ > 2 files changed, 115 insertions(+), 11 deletions(-) > create mode 100644 include/soc/fsl/dcp.h > > diff --git a/drivers/crypto/mxs-dcp.c b/drivers/crypto/mxs-dcp.c > index f6b7bce0e656..d525cb41f2ca 100644 > --- a/drivers/crypto/mxs-dcp.c > +++ b/drivers/crypto/mxs-dcp.c > @@ -15,6 +15,7 @@ > #include > #include > #include > +#include > =20 > #include > #include > @@ -101,6 +102,7 @@ struct dcp_async_ctx { > struct crypto_skcipher *fallback; > unsigned int key_len; > uint8_t key[AES_KEYSIZE_128]; > + bool refkey; > }; > =20 > struct dcp_aes_req_ctx { > @@ -155,6 +157,7 @@ static struct dcp *global_sdcp; > #define MXS_DCP_CONTROL0_HASH_TERM (1 << 13) > #define MXS_DCP_CONTROL0_HASH_INIT (1 << 12) > #define MXS_DCP_CONTROL0_PAYLOAD_KEY (1 << 11) > +#define MXS_DCP_CONTROL0_OTP_KEY (1 << 10) > #define MXS_DCP_CONTROL0_CIPHER_ENCRYPT (1 << 8) > #define MXS_DCP_CONTROL0_CIPHER_INIT (1 << 9) > #define MXS_DCP_CONTROL0_ENABLE_HASH (1 << 6) > @@ -168,6 +171,8 @@ static struct dcp *global_sdcp; > #define MXS_DCP_CONTROL1_CIPHER_MODE_ECB (0 << 4) > #define MXS_DCP_CONTROL1_CIPHER_SELECT_AES128 (0 << 0) > =20 > +#define MXS_DCP_CONTROL1_KEY_SELECT_SHIFT 8 > + > static int mxs_dcp_start_dma(struct dcp_async_ctx *actx) > { > int dma_err; > @@ -224,13 +229,16 @@ static int mxs_dcp_run_aes(struct dcp_async_ctx *ac= tx, > struct dcp *sdcp =3D global_sdcp; > struct dcp_dma_desc *desc =3D &sdcp->coh->desc[actx->chan]; > struct dcp_aes_req_ctx *rctx =3D skcipher_request_ctx(req); > + bool key_referenced =3D actx->refkey; > int ret; > =20 > - key_phys =3D dma_map_single(sdcp->dev, sdcp->coh->aes_key, > - 2 * AES_KEYSIZE_128, DMA_TO_DEVICE); > - ret =3D dma_mapping_error(sdcp->dev, key_phys); > - if (ret) > - return ret; > + if (!key_referenced) { > + key_phys =3D dma_map_single(sdcp->dev, sdcp->coh->aes_key, > + 2 * AES_KEYSIZE_128, DMA_TO_DEVICE); > + ret =3D dma_mapping_error(sdcp->dev, key_phys); > + if (ret) > + return ret; > + } > =20 > src_phys =3D dma_map_single(sdcp->dev, sdcp->coh->aes_in_buf, > DCP_BUF_SZ, DMA_TO_DEVICE); > @@ -255,8 +263,13 @@ static int mxs_dcp_run_aes(struct dcp_async_ctx *act= x, > MXS_DCP_CONTROL0_INTERRUPT | > MXS_DCP_CONTROL0_ENABLE_CIPHER; > =20 > - /* Payload contains the key. */ > - desc->control0 |=3D MXS_DCP_CONTROL0_PAYLOAD_KEY; > + if (key_referenced) { > + /* Set OTP key bit to select the key via KEY_SELECT. */ > + desc->control0 |=3D MXS_DCP_CONTROL0_OTP_KEY; > + } else { > + /* Payload contains the key. */ > + desc->control0 |=3D MXS_DCP_CONTROL0_PAYLOAD_KEY; > + } Remove curly braces (coding style). > =20 > if (rctx->enc) > desc->control0 |=3D MXS_DCP_CONTROL0_CIPHER_ENCRYPT; > @@ -270,6 +283,9 @@ static int mxs_dcp_run_aes(struct dcp_async_ctx *actx= , > else > desc->control1 |=3D MXS_DCP_CONTROL1_CIPHER_MODE_CBC; > =20 > + if (key_referenced) > + desc->control1 |=3D sdcp->coh->aes_key[0] << MXS_DCP_CONTROL1_KEY_SELE= CT_SHIFT; > + > desc->next_cmd_addr =3D 0; > desc->source =3D src_phys; > desc->destination =3D dst_phys; > @@ -284,9 +300,10 @@ static int mxs_dcp_run_aes(struct dcp_async_ctx *act= x, > err_dst: > dma_unmap_single(sdcp->dev, src_phys, DCP_BUF_SZ, DMA_TO_DEVICE); > err_src: > - dma_unmap_single(sdcp->dev, key_phys, 2 * AES_KEYSIZE_128, > - DMA_TO_DEVICE); > - > + if (!key_referenced) { > + dma_unmap_single(sdcp->dev, key_phys, 2 * AES_KEYSIZE_128, > + DMA_TO_DEVICE); > + } Ditto. > return ret; > } > =20 > @@ -453,7 +470,7 @@ static int mxs_dcp_aes_enqueue(struct skcipher_reques= t *req, int enc, int ecb) > struct dcp_aes_req_ctx *rctx =3D skcipher_request_ctx(req); > int ret; > =20 > - if (unlikely(actx->key_len !=3D AES_KEYSIZE_128)) > + if (unlikely(actx->key_len !=3D AES_KEYSIZE_128 && !actx->refkey)) > return mxs_dcp_block_fallback(req, enc); > =20 > rctx->enc =3D enc; > @@ -500,6 +517,7 @@ static int mxs_dcp_aes_setkey(struct crypto_skcipher = *tfm, const u8 *key, > * there can still be an operation in progress. > */ > actx->key_len =3D len; > + actx->refkey =3D false; > if (len =3D=3D AES_KEYSIZE_128) { > memcpy(actx->key, key, len); > return 0; > @@ -516,6 +534,33 @@ static int mxs_dcp_aes_setkey(struct crypto_skcipher= *tfm, const u8 *key, > return crypto_skcipher_setkey(actx->fallback, key, len); > } > =20 > +static int mxs_dcp_aes_setrefkey(struct crypto_skcipher *tfm, const u8 *= key, > + unsigned int len) > +{ > + struct dcp_async_ctx *actx =3D crypto_skcipher_ctx(tfm); > + > + if (len !=3D DCP_PAES_KEYSIZE) > + return -EINVAL; > + > + switch (key[0]) { > + case DCP_PAES_KEY_SLOT0: > + case DCP_PAES_KEY_SLOT1: > + case DCP_PAES_KEY_SLOT2: > + case DCP_PAES_KEY_SLOT3: > + case DCP_PAES_KEY_UNIQUE: > + case DCP_PAES_KEY_OTP: > + memcpy(actx->key, key, len); > + break; I don't understand why the "commit" is split into two parts (memcpy and assignments in different code blocks). You should probably rather: switch (key[0]) { case DCP_PAES_KEY_SLOT0: case DCP_PAES_KEY_SLOT1: case DCP_PAES_KEY_SLOT2: case DCP_PAES_KEY_SLOT3: case DCP_PAES_KEY_UNIQUE: case DCP_PAES_KEY_OTP: memcpy(actx->key, key, len); actx->key_len =3D len; actx->refkey =3D true; return 0; default: return -EINVAL; } } Or alternatively you can move all operations after the switch-case statement. IMHO, any state change is better to put into a singular location. > + default: > + return -EINVAL; > + } > + > + actx->key_len =3D len; > + actx->refkey =3D true; > + > + return 0; > +} > + > static int mxs_dcp_aes_fallback_init_tfm(struct crypto_skcipher *tfm) > { > const char *name =3D crypto_tfm_alg_name(crypto_skcipher_tfm(tfm)); > @@ -539,6 +584,13 @@ static void mxs_dcp_aes_fallback_exit_tfm(struct cry= pto_skcipher *tfm) > crypto_free_skcipher(actx->fallback); > } > =20 > +static int mxs_dcp_paes_init_tfm(struct crypto_skcipher *tfm) > +{ > + crypto_skcipher_set_reqsize(tfm, sizeof(struct dcp_aes_req_ctx)); > + > + return 0; > +} > + > /* > * Hashing (SHA1/SHA256) > */ > @@ -889,6 +941,39 @@ static struct skcipher_alg dcp_aes_algs[] =3D { > .ivsize =3D AES_BLOCK_SIZE, > .init =3D mxs_dcp_aes_fallback_init_tfm, > .exit =3D mxs_dcp_aes_fallback_exit_tfm, > + }, { > + .base.cra_name =3D "ecb(paes)", > + .base.cra_driver_name =3D "ecb-paes-dcp", > + .base.cra_priority =3D 401, > + .base.cra_alignmask =3D 15, > + .base.cra_flags =3D CRYPTO_ALG_ASYNC | CRYPTO_ALG_INTERNAL, > + .base.cra_blocksize =3D AES_BLOCK_SIZE, > + .base.cra_ctxsize =3D sizeof(struct dcp_async_ctx), > + .base.cra_module =3D THIS_MODULE, > + > + .min_keysize =3D DCP_PAES_KEYSIZE, > + .max_keysize =3D DCP_PAES_KEYSIZE, > + .setkey =3D mxs_dcp_aes_setrefkey, > + .encrypt =3D mxs_dcp_aes_ecb_encrypt, > + .decrypt =3D mxs_dcp_aes_ecb_decrypt, > + .init =3D mxs_dcp_paes_init_tfm, > + }, { > + .base.cra_name =3D "cbc(paes)", > + .base.cra_driver_name =3D "cbc-paes-dcp", > + .base.cra_priority =3D 401, > + .base.cra_alignmask =3D 15, > + .base.cra_flags =3D CRYPTO_ALG_ASYNC | CRYPTO_ALG_INTERNAL, > + .base.cra_blocksize =3D AES_BLOCK_SIZE, > + .base.cra_ctxsize =3D sizeof(struct dcp_async_ctx), > + .base.cra_module =3D THIS_MODULE, > + > + .min_keysize =3D DCP_PAES_KEYSIZE, > + .max_keysize =3D DCP_PAES_KEYSIZE, > + .setkey =3D mxs_dcp_aes_setrefkey, > + .encrypt =3D mxs_dcp_aes_cbc_encrypt, > + .decrypt =3D mxs_dcp_aes_cbc_decrypt, > + .ivsize =3D AES_BLOCK_SIZE, > + .init =3D mxs_dcp_paes_init_tfm, > }, > }; > =20 > diff --git a/include/soc/fsl/dcp.h b/include/soc/fsl/dcp.h > new file mode 100644 > index 000000000000..df6678ee10a1 > --- /dev/null > +++ b/include/soc/fsl/dcp.h > @@ -0,0 +1,19 @@ > +/* SPDX-License-Identifier: GPL-2.0-only */ > +/* > + * Copyright (C) 2021 sigma star gmbh > + * Authors: David Gstir > + * Richard Weinberger Git already has author-field and commit can have co-developed-by so this is totally obsolete. > + */ > + > +#ifndef MXS_DCP_H > +#define MXS_DCP_H > + > +#define DCP_PAES_KEYSIZE 1 > +#define DCP_PAES_KEY_SLOT0 0x00 > +#define DCP_PAES_KEY_SLOT1 0x01 > +#define DCP_PAES_KEY_SLOT2 0x02 > +#define DCP_PAES_KEY_SLOT3 0x03 > +#define DCP_PAES_KEY_UNIQUE 0xfe > +#define DCP_PAES_KEY_OTP 0xff > + > +#endif /* MXS_DCP_H */ > --=20 > 2.35.3 BR, Jarkko