Received: by 2002:ab2:b82:0:b0:1f3:401:3cfb with SMTP id 2csp644584lqh; Thu, 28 Mar 2024 11:47:25 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCWhbH3EG6+0jatzb57pb49BaddW9jE3hp8xz4y/vAWVnFgVsliyUbuN8ca6+1D5dS8VQVj+F4yxetnycORAK/wE9ttZGXBNhVEcGuHsxw== X-Google-Smtp-Source: AGHT+IGTnT26ZwAnOASBYnNDzsdt0etI6664W+FWh/vh2JmWF3MtXtKw+Uf9X1fatkDjpXmsus+T X-Received: by 2002:a50:931d:0:b0:564:f6d5:f291 with SMTP id m29-20020a50931d000000b00564f6d5f291mr81108eda.34.1711651645595; Thu, 28 Mar 2024 11:47:25 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1711651645; cv=pass; d=google.com; s=arc-20160816; b=HiWcqBRH1jvqRT+4IZtcof15XGxctx+2ddgWekTGHwVmIPVdSHktNXYIi3xhYXDCeY cejKF2V4hlU0uYCF2uRvQTGTcyT7XhFeknyFgFsUUlIcyegKuhjoyD2tfvyA7cfDTcKX cVryzvMf9JG9R4VM1Jw68EDxTFcSwB0aTGY3MrLvpm9ujdAmAsC7UJufWQNEfgHrXqx1 RFK3+XcgVcAulYhMBtQADqenI1evILEyqNynQad8c1IoPEkhbf/KJW9zBrPVMyVcg/a6 jgmB/E8LcOKqOTLO9m+OFaxAr/v4hlxSutYO04O6DTGrGf9uZLcf9JfegvHBsBV+Nb6E no0A== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=in-reply-to:references:to:from:subject:cc:message-id:date :content-transfer-encoding:mime-version:list-unsubscribe :list-subscribe:list-id:precedence:dkim-signature; bh=bPEsA7nUxGV7/x3aS//V73lAZm8nHrpb7P9PeFP7mU0=; fh=Y3DaxvBIOhe6BxPmOl+jeL0BaTHms1I+HQ2cPR7pcfU=; b=YTdmvNrMbBkwoDYiu+AoxAkDeVpIlFZni4dCpwAl9mkAp7Anz0LIkKJmGeaFHlP3y8 lovoLb1m67l8AJl7CARQmiuBwWsbIT3LpclK2lEDRZVUCH6M76qgAOhoj0uUqixe0vN9 uT8rkc5qx5r1zvaTXz3H/j9su6mtuA7zUSDVos4BugQCSe9KyLEm6gWV7eX96DREB0TG prPxQ4/0zgR7arpwY8J0eTzoanU/uAeCIX5dJHJAd5yreiP5IVoqaWIJy3xuQKxdMAFR RB48WFb4xj4WvTVXkyEa530LUSHz9XCb6pskaPy8zIKkubTHo5VAWJ20pmgdF9UkirQf Sjmw==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=M8qRP8j9; arc=pass (i=1 dkim=pass dkdomain=kernel.org); spf=pass (google.com: domain of linux-crypto+bounces-3032-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) smtp.mailfrom="linux-crypto+bounces-3032-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from am.mirrors.kernel.org (am.mirrors.kernel.org. [147.75.80.249]) by mx.google.com with ESMTPS id z16-20020a05640235d000b0056b8075f140si1004262edc.322.2024.03.28.11.47.25 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 28 Mar 2024 11:47:25 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-crypto+bounces-3032-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) client-ip=147.75.80.249; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=M8qRP8j9; arc=pass (i=1 dkim=pass dkdomain=kernel.org); spf=pass (google.com: domain of linux-crypto+bounces-3032-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) smtp.mailfrom="linux-crypto+bounces-3032-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by am.mirrors.kernel.org (Postfix) with ESMTPS id 2D2C31F2407A for ; Thu, 28 Mar 2024 18:47:25 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id A3F1B137750; Thu, 28 Mar 2024 18:47:16 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="M8qRP8j9" X-Original-To: linux-crypto@vger.kernel.org Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 4B81612F38B; Thu, 28 Mar 2024 18:47:16 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1711651636; cv=none; b=ZQa/lWxAcQX58wUJWs3Bc0Q7BZZuVlUn6esiNc17UGY8UClaaSCdpSnXiHDM/Nv8AenaTREFaIgMMweiP8WldhjSEsAt0ILMpLULLDcPmhpVpNrQd7OrXWfGyH/4p8Sa3HaksVpR764QZvtGlfLebqupQ9AB4ltBz5XNG2+5T5Y= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1711651636; c=relaxed/simple; bh=0TWJjs/gIGRkhPuMH4c0WZ3PmI7Wu7THN8xx4oFmQb4=; h=Mime-Version:Content-Type:Date:Message-Id:Cc:Subject:From:To: References:In-Reply-To; b=sY8uVMwKsa3oxXMG3B/x0ka6oIZYL0RtYeqVd2CLBfY9PrZkS+iTvft4G5d0gSsia+5PKLy4N8jqvCdUuRzsN65xeyTHg2D2nO+7sIl2x7r+eXM6clObjq0B/ZfjMXvjqsKDkCoSC5RnmRVHdRaTuOm4T1lorR3ImLYr8VdEDX8= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=M8qRP8j9; arc=none smtp.client-ip=10.30.226.201 Received: by smtp.kernel.org (Postfix) with ESMTPSA id 3BC56C433F1; Thu, 28 Mar 2024 18:47:09 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1711651635; bh=0TWJjs/gIGRkhPuMH4c0WZ3PmI7Wu7THN8xx4oFmQb4=; h=Date:Cc:Subject:From:To:References:In-Reply-To:From; b=M8qRP8j9t7rUbqJsllGH9HpVFiTiP2EhaPKjPPgzRGt63GOpm5oanZBm/bUc9+qSm tgGKglNOR/7CPuLlsYgfxmnlk3zOovqM5IlISNnGvVj8sVOirqRAudy0vGhGYrPAuO +7NTSLojn1KiqAtbvIBrMijJ6/KRv09wrmNBvr6F8e4LYfT+/bjkTzIo4xFqjNlVhR N4DA0tSEyaM/b9KsBV7hphDr/b+HP8TUB4KfXm4nV/qLc9dMFpSHrufwyEC43R98KE xR8v2aotJmV3rFHV1FtzfmOIwA2lpt5mY/6+vAvFgE++LNVRLEyM5dEma3D0GSVCWy jkU846Vln42/Q== Precedence: bulk X-Mailing-List: linux-crypto@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Mime-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=UTF-8 Date: Thu, 28 Mar 2024 20:47:07 +0200 Message-Id: Cc: "Mimi Zohar" , "James Bottomley" , "Herbert Xu" , "David S. Miller" , "Shawn Guo" , "Jonathan Corbet" , "Sascha Hauer" , "kernel@pengutronix.de" , "Fabio Estevam" , "NXP Linux Team" , "Ahmad Fatoum" , "sigma star Kernel Team" , "David Howells" , "Li Yang" , "Paul Moore" , "James Morris" , "Serge E. Hallyn" , "Paul E. McKenney" , "Randy Dunlap" , "Catalin Marinas" , "Rafael J. Wysocki" , "Tejun Heo" , "Steven Rostedt (Google)" , , "linux-kernel@vger.kernel.org" , "linux-integrity@vger.kernel.org" , "keyrings@vger.kernel.org" , "linux-crypto@vger.kernel.org" , , , "linux-security-module@vger.kernel.org" , "Richard Weinberger" , "David Oberhollenzer" Subject: Re: [PATCH v7 6/6] docs: trusted-encrypted: add DCP as new trust source From: "Jarkko Sakkinen" To: "David Gstir" X-Mailer: aerc 0.17.0 References: <20240327082454.13729-1-david@sigma-star.at> <20240327082454.13729-7-david@sigma-star.at> In-Reply-To: On Thu Mar 28, 2024 at 10:05 AM EET, David Gstir wrote: > Jarkko, > > > On 27.03.2024, at 16:40, Jarkko Sakkinen wrote: > >=20 > > On Wed Mar 27, 2024 at 10:24 AM EET, David Gstir wrote: > >> Update the documentation for trusted and encrypted KEYS with DCP as ne= w > >> trust source: > >>=20 > >> - Describe security properties of DCP trust source > >> - Describe key usage > >> - Document blob format > >>=20 > >> Co-developed-by: Richard Weinberger > >> Signed-off-by: Richard Weinberger > >> Co-developed-by: David Oberhollenzer > >> Signed-off-by: David Oberhollenzer > >> Signed-off-by: David Gstir > >> --- > >> .../security/keys/trusted-encrypted.rst | 85 +++++++++++++++++++ > >> 1 file changed, 85 insertions(+) > >>=20 > >> diff --git a/Documentation/security/keys/trusted-encrypted.rst b/Docum= entation/security/keys/trusted-encrypted.rst > >> index e989b9802f92..81fb3540bb20 100644 > >> --- a/Documentation/security/keys/trusted-encrypted.rst > >> +++ b/Documentation/security/keys/trusted-encrypted.rst > >> @@ -42,6 +42,14 @@ safe. > >> randomly generated and fused into each SoC at manufacturing t= ime. > >> Otherwise, a common fixed test key is used instead. > >>=20 > >> + (4) DCP (Data Co-Processor: crypto accelerator of various i.MX S= oCs) > >> + > >> + Rooted to a one-time programmable key (OTP) that is generall= y burnt > >> + in the on-chip fuses and is accessible to the DCP encryption= engine only. > >> + DCP provides two keys that can be used as root of trust: the= OTP key > >> + and the UNIQUE key. Default is to use the UNIQUE key, but se= lecting > >> + the OTP key can be done via a module parameter (dcp_use_otp_= key). > >> + > >> * Execution isolation > >>=20 > >> (1) TPM > >> @@ -57,6 +65,12 @@ safe. > >>=20 > >> Fixed set of operations running in isolated execution environ= ment. > >>=20 > >> + (4) DCP > >> + > >> + Fixed set of cryptographic operations running in isolated ex= ecution > >> + environment. Only basic blob key encryption is executed ther= e. > >> + The actual key sealing/unsealing is done on main processor/k= ernel space. > >> + > >> * Optional binding to platform integrity state > >>=20 > >> (1) TPM > >> @@ -79,6 +93,11 @@ safe. > >> Relies on the High Assurance Boot (HAB) mechanism of NXP SoCs > >> for platform integrity. > >>=20 > >> + (4) DCP > >> + > >> + Relies on Secure/Trusted boot process (called HAB by vendor)= for > >> + platform integrity. > >> + > >> * Interfaces and APIs > >>=20 > >> (1) TPM > >> @@ -94,6 +113,11 @@ safe. > >>=20 > >> Interface is specific to silicon vendor. > >>=20 > >> + (4) DCP > >> + > >> + Vendor-specific API that is implemented as part of the DCP c= rypto driver in > >> + ``drivers/crypto/mxs-dcp.c``. > >> + > >> * Threat model > >>=20 > >> The strength and appropriateness of a particular trust source for= a given > >> @@ -129,6 +153,13 @@ selected trust source: > >> CAAM HWRNG, enable CRYPTO_DEV_FSL_CAAM_RNG_API and ensure the dev= ice > >> is probed. > >>=20 > >> + * DCP (Data Co-Processor: crypto accelerator of various i.MX SoCs) > >> + > >> + The DCP hardware device itself does not provide a dedicated RNG = interface, > >> + so the kernel default RNG is used. SoCs with DCP like the i.MX6U= LL do have > >> + a dedicated hardware RNG that is independent from DCP which can = be enabled > >> + to back the kernel RNG. > >> + > >> Users may override this by specifying ``trusted.rng=3Dkernel`` on the = kernel > >> command-line to override the used RNG with the kernel's random number = pool. > >>=20 > >> @@ -231,6 +262,19 @@ Usage:: > >> CAAM-specific format. The key length for new keys is always in bytes. > >> Trusted Keys can be 32 - 128 bytes (256 - 1024 bits). > >>=20 > >> +Trusted Keys usage: DCP > >> +----------------------- > >> + > >> +Usage:: > >> + > >> + keyctl add trusted name "new keylen" ring > >> + keyctl add trusted name "load hex_blob" ring > >> + keyctl print keyid > >> + > >> +"keyctl print" returns an ASCII hex copy of the sealed key, which is = in format > >> +specific to this DCP key-blob implementation. The key length for new= keys is > >> +always in bytes. Trusted Keys can be 32 - 128 bytes (256 - 1024 bits)= . > >> + > >> Encrypted Keys usage > >> -------------------- > >>=20 > >> @@ -426,3 +470,44 @@ string length. > >> privkey is the binary representation of TPM2B_PUBLIC excluding the > >> initial TPM2B header which can be reconstructed from the ASN.1 octed > >> string length. > >> + > >> +DCP Blob Format > >> +--------------- > >> + > >> +The Data Co-Processor (DCP) provides hardware-bound AES keys using it= s > >> +AES encryption engine only. It does not provide direct key sealing/un= sealing. > >> +To make DCP hardware encryption keys usable as trust source, we defin= e > >> +our own custom format that uses a hardware-bound key to secure the se= aling > >> +key stored in the key blob. > >> + > >> +Whenever a new trusted key using DCP is generated, we generate a rand= om 128-bit > >> +blob encryption key (BEK) and 128-bit nonce. The BEK and nonce are us= ed to > >> +encrypt the trusted key payload using AES-128-GCM. > >> + > >> +The BEK itself is encrypted using the hardware-bound key using the DC= P's AES > >> +encryption engine with AES-128-ECB. The encrypted BEK, generated nonc= e, > >> +BEK-encrypted payload and authentication tag make up the blob format = together > >> +with a version number, payload length and authentication tag:: > >> + > >> + /* > >> + * struct dcp_blob_fmt - DCP BLOB format. > >> + * > >> + * @fmt_version: Format version, currently being %1 > >> + * @blob_key: Random AES 128 key which is used to encrypt @payloa= d, > >> + * @blob_key itself is encrypted with OTP or UNIQUE de= vice key in > >> + * AES-128-ECB mode by DCP. > >> + * @nonce: Random nonce used for @payload encryption. > >> + * @payload_len: Length of the plain text @payload. > >> + * @payload: The payload itself, encrypted using AES-128-GCM and = @blob_key, > >> + * GCM auth tag of size AES_BLOCK_SIZE is attached at t= he end of it. > >> + * > >> + * The total size of a DCP BLOB is sizeof(struct dcp_blob_fmt) + = @payload_len + > >> + * AES_BLOCK_SIZE. > >> + */ > >> + struct dcp_blob_fmt { > >> + __u8 fmt_version; > >> + __u8 blob_key[AES_KEYSIZE_128]; > >> + __u8 nonce[AES_KEYSIZE_128]; > >> + __le32 payload_len; > >> + __u8 payload[]; > >> + } __packed; > >=20 > > I'm thinking here given that you need to replicate the same thing that > > is in the source files. E.g. Documentation/gpu/i915.rst. > >=20 > > The rationale would so many sources so maybe it would make sense to > > maintain this in the source code. > >=20 > > Also this documents how to generally insert documentation inline: > > https://docs.kernel.org/doc-guide/kernel-doc.html > >=20 > > I.e. I'm feeling that this is good time to improve scalability so that > > documentation will keep up to date. Also then backend specific patches > > mostly go to their subdirectories and not to Documentation/ subtree > > (or that would be more rare case). > >=20 > > So a good chance to do more than just a new backend for the benefit > > of the trusted keys subsystem :-) > >=20 > > Also, later on if something is changed e.g. in the above struct you > > don't have to do matching update to the documentation so it will save > > time too (over time). > > sound good! I=E2=80=99ll maintain the blob format documentation to the so= urce and insert=20 > a reference in the documentation. Thanks for pointing that out! > > Is there anything else I can improve for this patchset? I=E2=80=99d like = to include that in v8 > too and make it the last iteration of this patchset. Yeah, I don't enforce you to convert all the existing work to this model, but we could use this as a reference for that work. The patch set is overally in a pretty good shape I think :-) BR, Jarkko