Received-SPF: pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
From:   Pankaj Gupta <pankaj.gupta@nxp.com>
To:     Ahmad Fatoum <a.fatoum@pengutronix.de>,
        Jarkko Sakkinen <jarkko@kernel.org>
CC:     Horia Geanta <horia.geanta@nxp.com>,
        Aymen Sghaier <aymen.sghaier@nxp.com>,
        Herbert Xu <herbert@gondor.apana.org.au>,
        "David S. Miller" <davem@davemloft.net>,
        "kernel@pengutronix.de" <kernel@pengutronix.de>,
        David Gstir <david@sigma-star.at>,
        "tharvey@gateworks.com" <tharvey@gateworks.com>,
        Matthias Schiffer <matthias.schiffer@ew.tq-group.com>,
        James Bottomley <jejb@linux.ibm.com>,
        Mimi Zohar <zohar@linux.ibm.com>,
        David Howells <dhowells@redhat.com>,
        James Morris <jmorris@namei.org>,
        Eric Biggers <ebiggers@kernel.org>,
        "Serge E. Hallyn" <serge@hallyn.com>,
        Jan Luebbe <j.luebbe@pengutronix.de>,
        Richard Weinberger <richard@nod.at>,
        Franck Lenormand <franck.lenormand@nxp.com>,
        Sumit Garg <sumit.garg@linaro.org>,
        "linux-integrity@vger.kernel.org" <linux-integrity@vger.kernel.org>,
        "keyrings@vger.kernel.org" <keyrings@vger.kernel.org>,
        "linux-crypto@vger.kernel.org" <linux-crypto@vger.kernel.org>,
        "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
        "linux-security-module@vger.kernel.org" 
        <linux-security-module@vger.kernel.org>
Subject: RE: [EXT] Re: [PATCH v5 4/5] crypto: caam - add in-kernel interface
 for blob generator
Thread-Topic: [EXT] Re: [PATCH v5 4/5] crypto: caam - add in-kernel interface
 for blob generator
Thread-Index: AQHYKMu29wEgG18aYk6KcocJX/sIp6yhUPGAgALbRkA=
Date:   Fri, 25 Feb 2022 12:20:54 +0000
Message-ID: <DU2PR04MB863084B70239A69E4DE9D65B953E9@DU2PR04MB8630.eurprd04.prod.outlook.com>
References: <20220222195819.2313913-1-a.fatoum@pengutronix.de>
 <20220222195819.2313913-5-a.fatoum@pengutronix.de> <YhZVmBy3/nWbqf+/@iki.fi>
 <a8cb99e0-fe01-2234-9839-fea28ca09f6d@pengutronix.de>
In-Reply-To: <a8cb99e0-fe01-2234-9839-fea28ca09f6d@pengutronix.de>
Accept-Language: en-US
Content-Language: en-US
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: =?iso-8859-2?Q?0x+3wklkru38YR/LcsKnUmGY6QOizIBRHShVmlry34rLKZofx2dD1O/jzH?=
 =?iso-8859-2?Q?erh463BzHgZO3mEcrub2Jhrj98qDbYkvefFy59ViTyxccSvhEgboYsZ5IW?=
 =?iso-8859-2?Q?scl+SGdK3JiL38Xi5jzfVj/xJBUJmLNfOun+/r0YO5EU1BeRDvpRVLeDS7?=
 =?iso-8859-2?Q?pZuqIzxIsyWAUeW69appidPuTN6bDqR+G+wPUFD+p0a30pibOCDEiuaiIC?=
 =?iso-8859-2?Q?vTY9xdP8FukA5/WE6Klyv/7SkP/Og5EpDrJGFtjWQ8aLa2AzS6dCMJd1o1?=
 =?iso-8859-2?Q?xoBbecwL2XhHz7OJzAdXQNncPkn5HXbEQU8qEH4MmM/auwLlSlDoml2QdH?=
 =?iso-8859-2?Q?uxaeF0PQ+82ArOygFpmXQyWpvHpeApf/OSokyc/VIPZtsUnh+RX+mX67x6?=
 =?iso-8859-2?Q?N3TMyRnQCReSdLsvXHlKePqLOIwVvR7YkrFyYT5zbhWsn6OpCt/aWd9dGe?=
 =?iso-8859-2?Q?Q/y09yZizzhG2ceMaz92I1BcdH1VwD7mKHdfkDM83wfmhfUkONslGqVzdB?=
 =?iso-8859-2?Q?bKGCnGoFWMkYTYWgN4ZtXsdSUdoJLj9eWSeaPWODPs1mwJsLmZi9tOepGW?=
 =?iso-8859-2?Q?/oJcQUoGYcDrF82s/PM4rXR7+7FlDOm83AuFcbFwP5L6MMSCetC4n2tEBu?=
 =?iso-8859-2?Q?8HjPzxl4OQlEeYDCjLcvyJ73r92ezvoyEVA3Hr32zgpihT0ky8QkQ9AcT8?=
 =?iso-8859-2?Q?a+A6aYwEWf2i3D7n1Ck+1TXpC46ULECGeJgf7QuF/zVm0F/NSw+MMtTOdq?=
 =?iso-8859-2?Q?lwAdxr/oCwRwUbzE+vbC4i0h0OqBKKpqmc3iik4PDAn8BqXPbTbw/7Lm3k?=
 =?iso-8859-2?Q?2r1jgdKhnGVV8oV4V8es5N/7nQeWOHvkQCIq4w/dgvJ7EocNPTuPcmSlWJ?=
 =?iso-8859-2?Q?HlyG1omgnDFN3WGaBJ5QtLKRmMho+1pvwnOmjYyS9P+T/50BsT/u+xSnZ5?=
 =?iso-8859-2?Q?4W05H0O1z2zD5J8Q47/cPQvJXtiRoLP2R0S2ya6LqNtHI9qW5m5MlT4sTo?=
 =?iso-8859-2?Q?yVno2T00h9CQnF3slWxrmS55b5x66bAqmkFjbPHqGq9WLI9vEJkvgIiB0X?=
 =?iso-8859-2?Q?OYnrEfavGW6M3A0EXDZw9fQBzKhFvm1yHbtqEsMfIYK2eXSmObYKZeWTP4?=
 =?iso-8859-2?Q?rTcpiZ9U61p+o0YvgsghBU72zaa0d7thfB9PE3aeRve9lhSLy+2ccB1FLV?=
 =?iso-8859-2?Q?fHBHLR43oViij5/yrdh3IIKABdE8sYGO/W16PyrokPY/svwBo+g2lahs+b?=
 =?iso-8859-2?Q?Tds0pYbaoNe/5tA3LKbP5+kcMB6b7i3TTLQZ01fyNcFNe7vxog4SEv74of?=
 =?iso-8859-2?Q?uBSTNMjh1V7LbWaUr6LThfKYqWOo/o9jpwzSXhs14igGmqpgESI7pVoKHA?=
 =?iso-8859-2?Q?jZLekeMrTOT0RHA/mjm+cSGzh0ck3T1zP7/58U8uF2oQe/y8dm9SrvcDVE?=
 =?iso-8859-2?Q?tR5xkr+lrQbry++I2RXP4uf/sW7MiOms7fcMRl0S8FQ3NjvVu0FiraCiFm?=
 =?iso-8859-2?Q?VFhBGs1l2q0QiLHUfRvCOXyujbe9DfNjHLeRAX1L9D2wqiGD6IYKXZ5mHI?=
 =?iso-8859-2?Q?8Tdm26dNj8+/jXvYHZSOjM7ULaxT8jEUzC1aCAvw1EMCFIXOtitUn8c0lx?=
 =?iso-8859-2?Q?NEI9j0d+OeRRj9qkNtieqTkIzDpYLSnxgBc1tq+VfOXelpV+qIVLs1+hA4?=
 =?iso-8859-2?Q?AlwYahhVadWKaUNCmP4=3D?=
Content-Type: text/plain; charset="iso-8859-2"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: nxp.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: DU2PR04MB8630.eurprd04.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 8c213e2c-4651-4ddf-7141-08d9f8594511
X-MS-Exchange-CrossTenant-originalarrivaltime: 25 Feb 2022 12:20:54.2934
 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 686ea1d3-bc2b-4c6f-a92c-d99c5c301635
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: xf5wirHgjxlMWyjb5ldb+cLXI0hF8OG0yI52RtJeh0QrUzDL8hQHaAY6SuNi3qkKgItX6LoSSGBScsqy5GHdtg==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM0PR04MB4945
X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED,
        DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE,
        RCVD_IN_MSPIKE_H2,SPF_HELO_PASS,SPF_PASS,T_SCC_BODY_TEXT_LINE
        autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-crypto.vger.kernel.org>
X-Mailing-List: linux-crypto@vger.kernel.org


> -----Original Message-----
> From: Ahmad Fatoum <a.fatoum@pengutronix.de>
> Sent: Wednesday, February 23, 2022 9:50 PM
> To: Jarkko Sakkinen <jarkko@kernel.org>
> Cc: Horia Geanta <horia.geanta@nxp.com>; Aymen Sghaier
> <aymen.sghaier@nxp.com>; Herbert Xu <herbert@gondor.apana.org.au>;
> David S. Miller <davem@davemloft.net>; kernel@pengutronix.de; David Gstir
> <david@sigma-star.at>; Pankaj Gupta <pankaj.gupta@nxp.com>;
> tharvey@gateworks.com; Matthias Schiffer <matthias.schiffer@ew.tq-
> group.com>; James Bottomley <jejb@linux.ibm.com>; Mimi Zohar
> <zohar@linux.ibm.com>; David Howells <dhowells@redhat.com>; James Morris
> <jmorris@namei.org>; Eric Biggers <ebiggers@kernel.org>; Serge E. Hallyn
> <serge@hallyn.com>; Jan Luebbe <j.luebbe@pengutronix.de>; Richard
> Weinberger <richard@nod.at>; Franck Lenormand
> <franck.lenormand@nxp.com>; Sumit Garg <sumit.garg@linaro.org>; linux-
> integrity@vger.kernel.org; keyrings@vger.kernel.org; linux-
> crypto@vger.kernel.org; linux-kernel@vger.kernel.org; linux-security-
> module@vger.kernel.org
> Subject: [EXT] Re: [PATCH v5 4/5] crypto: caam - add in-kernel interface =
for blob
> generator
>=20
> Caution: EXT Email
>=20
> On 23.02.22 16:41, Jarkko Sakkinen wrote:
> > On Tue, Feb 22, 2022 at 08:58:18PM +0100, Ahmad Fatoum wrote:
> >> The NXP Cryptographic Acceleration and Assurance Module (CAAM) can be
> >> used to protect user-defined data across system reboot:
> >>
> >>   - When the system is fused and boots into secure state, the master
> >>     key is a unique never-disclosed device-specific key
> >>   - random key is encrypted by key derived from master key
> >>   - data is encrypted using the random key
> >>   - encrypted data and its encrypted random key are stored alongside
> >>   - This blob can now be safely stored in non-volatile memory
> >>
> >> On next power-on:
> >>   - blob is loaded into CAAM
> >>   - CAAM writes decrypted data either into memory or key register
> >>
> >> Add functions to realize encrypting and decrypting into memory
> >> alongside the CAAM driver.
> >>
> >> They will be used in a later commit as a source for the trusted key
> >> seal/unseal mechanism.
> >>
> >> Reviewed-by: David Gstir <david@sigma-star.at>
> >> Reviewed-by: Pankaj Gupta <pankaj.gupta@nxp.com>
> >> Tested-By: Tim Harvey <tharvey@gateworks.com>
> >> Tested-by: Matthias Schiffer <matthias.schiffer@ew.tq-group.com>
> >> Signed-off-by: Steffen Trumtrar <s.trumtrar@pengutronix.de>
> >> Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
> >> ---
> >> To: "Horia Geant=E3" <horia.geanta@nxp.com>
> >> To: Aymen Sghaier <aymen.sghaier@nxp.com>
> >> To: Herbert Xu <herbert@gondor.apana.org.au>
> >> To: "David S. Miller" <davem@davemloft.net>
> >> Cc: James Bottomley <jejb@linux.ibm.com>
> >> Cc: Jarkko Sakkinen <jarkko@kernel.org>
> >> Cc: Mimi Zohar <zohar@linux.ibm.com>
> >> Cc: David Howells <dhowells@redhat.com>
> >> Cc: James Morris <jmorris@namei.org>
> >> Cc: Eric Biggers <ebiggers@kernel.org>
> >> Cc: "Serge E. Hallyn" <serge@hallyn.com>
> >> Cc: Jan Luebbe <j.luebbe@pengutronix.de>
> >> Cc: David Gstir <david@sigma-star.at>
> >> Cc: Richard Weinberger <richard@nod.at>
> >> Cc: Franck LENORMAND <franck.lenormand@nxp.com>
> >> Cc: Sumit Garg <sumit.garg@linaro.org>
> >> Cc: Tim Harvey <tharvey@gateworks.com>
> >> Cc: Matthias Schiffer <matthias.schiffer@ew.tq-group.com>
> >> Cc: Pankaj Gupta <pankaj.gupta@nxp.com>
> >> Cc: linux-integrity@vger.kernel.org
> >> Cc: keyrings@vger.kernel.org
> >> Cc: linux-crypto@vger.kernel.org
> >> Cc: linux-kernel@vger.kernel.org
> >> Cc: linux-security-module@vger.kernel.org
> >> ---
> >>  drivers/crypto/caam/Kconfig    |   3 +
> >>  drivers/crypto/caam/Makefile   |   1 +
> >>  drivers/crypto/caam/blob_gen.c | 230
> +++++++++++++++++++++++++++++++++
> >>  include/soc/fsl/caam-blob.h    |  56 ++++++++
> >>  4 files changed, 290 insertions(+)
> >>  create mode 100644 drivers/crypto/caam/blob_gen.c  create mode
> >> 100644 include/soc/fsl/caam-blob.h
> >>
> >> diff --git a/drivers/crypto/caam/Kconfig
> >> b/drivers/crypto/caam/Kconfig index 84ea7cba5ee5..ea9f8b1ae981 100644
> >> --- a/drivers/crypto/caam/Kconfig
> >> +++ b/drivers/crypto/caam/Kconfig
> >> @@ -151,6 +151,9 @@ config CRYPTO_DEV_FSL_CAAM_RNG_API
> >>        Selecting this will register the SEC4 hardware rng to
> >>        the hw_random API for supplying the kernel entropy pool.
> >>
> >> +config CRYPTO_DEV_FSL_CAAM_BLOB_GEN
> >> +    bool
> >> +
> >>  endif # CRYPTO_DEV_FSL_CAAM_JR
> >>
> >>  endif # CRYPTO_DEV_FSL_CAAM
> >> diff --git a/drivers/crypto/caam/Makefile
> >> b/drivers/crypto/caam/Makefile index 3570286eb9ce..25f7ae5a4642
> >> 100644
> >> --- a/drivers/crypto/caam/Makefile
> >> +++ b/drivers/crypto/caam/Makefile
> >> @@ -21,6 +21,7 @@ caam_jr-
> $(CONFIG_CRYPTO_DEV_FSL_CAAM_CRYPTO_API_QI)
> >> +=3D caamalg_qi.o
> >>  caam_jr-$(CONFIG_CRYPTO_DEV_FSL_CAAM_AHASH_API) +=3D caamhash.o
> >>  caam_jr-$(CONFIG_CRYPTO_DEV_FSL_CAAM_RNG_API) +=3D caamrng.o
> >>  caam_jr-$(CONFIG_CRYPTO_DEV_FSL_CAAM_PKC_API) +=3D caampkc.o
> >> pkc_desc.o
> >> +caam_jr-$(CONFIG_CRYPTO_DEV_FSL_CAAM_BLOB_GEN) +=3D blob_gen.o
> >>
> >>  caam-$(CONFIG_CRYPTO_DEV_FSL_CAAM_CRYPTO_API_QI) +=3D qi.o  ifneq
> >> ($(CONFIG_CRYPTO_DEV_FSL_CAAM_CRYPTO_API_QI),)
> >> diff --git a/drivers/crypto/caam/blob_gen.c
> >> b/drivers/crypto/caam/blob_gen.c new file mode 100644 index
> >> 000000000000..513d3f90e438
> >> --- /dev/null
> >> +++ b/drivers/crypto/caam/blob_gen.c
> >> @@ -0,0 +1,230 @@
> >> +// SPDX-License-Identifier: GPL-2.0-only
> >> +/*
> >> + * Copyright (C) 2015 Pengutronix, Steffen Trumtrar
> >> +<kernel@pengutronix.de>
> >> + * Copyright (C) 2021 Pengutronix, Ahmad Fatoum
> >> +<kernel@pengutronix.de>  */
> >> +
> >> +#include <linux/device.h>
> >> +#include <soc/fsl/caam-blob.h>
> >> +
> >> +#include "compat.h"
> >> +#include "desc_constr.h"
> >> +#include "desc.h"
> >> +#include "error.h"
> >> +#include "intern.h"
> >> +#include "jr.h"
> >> +#include "regs.h"
> >> +
> >> +struct caam_blob_priv {
> >> +    struct device jrdev;
> >> +};
> >> +
> >> +struct caam_blob_job_result {
> >> +    int err;
> >> +    struct completion completion;
> >> +};
> >> +
> >> +static void caam_blob_job_done(struct device *dev, u32 *desc, u32
> >> +err, void *context) {
> >> +    struct caam_blob_job_result *res =3D context;
> >> +    int ecode =3D 0;
> >> +
> >> +    dev_dbg(dev, "%s %d: err 0x%x\n", __func__, __LINE__, err);
> >> +
> >> +    if (err)
> >> +            ecode =3D caam_jr_strstatus(dev, err);
> >> +
> >> +    res->err =3D ecode;
> >> +
> >> +    /*
> >> +     * Upon completion, desc points to a buffer containing a CAAM job
> >> +     * descriptor which encapsulates data into an externally-storable
> >> +     * blob.
> >> +     */
> >> +    complete(&res->completion);
> >> +}
> >> +
> >> +static u32 *caam_blob_alloc_desc(size_t keymod_len) {
> >> +    size_t len;
> >> +
> >> +    /* header + (key mod immediate) + 2x pointers + op */
> >> +    len =3D 4 + (4 + ALIGN(keymod_len, 4)) + 2*(4 + 4 +
> >> + CAAM_PTR_SZ_MAX) + 4;
> >
> > Nit: the amount of magic numbers is overwhelming here. I neither
> > understand the statement nor how that comment should help me to
> understand it.
>=20
> header              =3D  4
> (key mod immediate) =3D (4 + ALIGN(keymod_len, 4))
> 2x pointer          =3D  2 * (4 + 4 + CAAM_PTR_SZ_MAX)
> op                  =3D  4

Instead of the function caam_blob_alloc_desc(), it will be great if the cal=
ler functions caam_encap_blob()/caam_encap_blob (), could add local array:
uint32_t desc[CAAM_DESC_BYTES_MAX];

>=20
> I haven't heard back from the CAAM maintainers yet since v1. Perhaps now =
is a
> good occasion to chime in? :-)
>=20
> @Jarkko, could you take a look at patch 5? That's the gist of the series =
and I
> have yet to get maintainer feedback on that one.
>=20
> Cheers,
> Ahmad
>=20
>=20
> >
> > BR, Jarkko
> >
>=20
>=20
> --
> Pengutronix e.K.                           |                             =
|
> Steuerwalder Str. 21                       |
> https://eur01.safelinks.protection.outlook.com/?url=3Dhttp%3A%2F%2Fwww.pe=
n
> gutronix.de%2F&amp;data=3D04%7C01%7Cpankaj.gupta%40nxp.com%7Cc97e9d4
> aaf304124407908d9f6e87101%7C686ea1d3bc2b4c6fa92cd99c5c301635%7C0%
> 7C0%7C637812300459173929%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wL
> jAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&amp;s
> data=3DCvnfIXR68DPRCaYrOYQKSv2eSBSNSSJYx2BQJee4yLg%3D&amp;reserved=3D0
> |
> 31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    =
|
> Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 =
|