Received: by 2002:ab2:b82:0:b0:1f3:401:3cfb with SMTP id 2csp646043lqh; Thu, 28 Mar 2024 11:50:38 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCWmrsB+SBo7mkkuOHkzd2iHlJ2dEyAhoGqT4dhN2Tchwz5rTsdHUo8KlwGqtUiiZxJ8HdAMDUDrdR+T/qrSuLn1yvd4Jk9ziqw7tA51zA== X-Google-Smtp-Source: AGHT+IEgg3x8AV/4GcNOrefcFpzb+bLgIAcfC1KbGYcu8V73tMFoxGR5K5C83wRldwnHYRXVNXQQ X-Received: by 2002:a19:ee16:0:b0:513:ed17:af03 with SMTP id g22-20020a19ee16000000b00513ed17af03mr252691lfb.59.1711651838154; Thu, 28 Mar 2024 11:50:38 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1711651838; cv=pass; d=google.com; s=arc-20160816; b=Jb++dSyZYeBmxqEDHLZISfgUWzoQIfa8zSvsodOYjnb4lk4hIXmNsZjlZ+bBKXRrgd C+A5/n96XUD2SDMdM2uhsDNKD2Xwleqh7L3w5kijESVQ/+OZgybWjKAYyBPK/GD6NBsq /dAiWdA+XtJLRS4G5nkObKFDdJPZKqWq9SVz78UXby2xqY/yj7ei2BVOvTzQCBC1BEFl flOST4q/dKJ6qIy8uhr+p54tCKOVt1pRD1CEP0ipzyaLiwPzcXCxk4vPtPwOeEp14TYo lpeOfgXL/utEz/RetN4fR1Kvx36sXryRKVMBdhibXn5emSkw6g5xRXGgdx1NZJ5f98y5 gpVA== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=in-reply-to:references:to:from:subject:cc:message-id:date :content-transfer-encoding:mime-version:list-unsubscribe :list-subscribe:list-id:precedence:dkim-signature; bh=ssfcjX6v4wRCC/yJm8SuUkz2Ww7YlT//hmoPgL8I2GM=; fh=JZhAOijUwEWmKfnSvjSJCKdIHw/jYRGzxfBi3PiNWZM=; b=kDOp48JykJKT5bfGbd67OFMmd8RJfxbsThs4aNzwYgyDoo0YYCBKU/TjsCDSf373ml ywxsXlaeq4NzpRwjmJ27IZDE59tgaEP1KYAxY31XVlZghoFsw4TGtE4QWzABTap/D/9R Klp/avjxDTyY0Of7FMy88OJFJ4vqPuL+k3D9aBlxzMbCNVHuh1KYlyrpDD870Foej8A3 xkDcQYCdAVYsbmwXSrAMrqSwZ+WQkTB+YBQPfs2Lxca+g2LfREHrPzgKK5vULfHKA+Sa DEzxqDdL7cgqCO9B6VNuzrftPyS3XdxO9oc07X1NAo2GjJgDrRNF6i+ODV+UnH5LWtt1 hdWQ==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=TtN5bh02; arc=pass (i=1 dkim=pass dkdomain=kernel.org); spf=pass (google.com: domain of linux-crypto+bounces-3033-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:4601:e00::3 as permitted sender) smtp.mailfrom="linux-crypto+bounces-3033-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from am.mirrors.kernel.org (am.mirrors.kernel.org. [2604:1380:4601:e00::3]) by mx.google.com with ESMTPS id ga32-20020a1709070c2000b00a4d4254c397si978009ejc.323.2024.03.28.11.50.38 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 28 Mar 2024 11:50:38 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-crypto+bounces-3033-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:4601:e00::3 as permitted sender) client-ip=2604:1380:4601:e00::3; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=TtN5bh02; arc=pass (i=1 dkim=pass dkdomain=kernel.org); spf=pass (google.com: domain of linux-crypto+bounces-3033-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:4601:e00::3 as permitted sender) smtp.mailfrom="linux-crypto+bounces-3033-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by am.mirrors.kernel.org (Postfix) with ESMTPS id AEF2E1F2620D for ; Thu, 28 Mar 2024 18:50:37 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 7ACCF136E35; Thu, 28 Mar 2024 18:50:32 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="TtN5bh02" X-Original-To: linux-crypto@vger.kernel.org Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 1ED541EA6E; Thu, 28 Mar 2024 18:50:30 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1711651832; cv=none; b=Zi8uWS7BWxLc0HCxrOq145XDgALBns4lEyQRu4Abpl4JdNoxKNNcbf1M2OmB2dPix+OhN5qo7Hiubji0tObTYhDwtRPZ5gV6NODpQVF+LXMYVTAzICL9JhqDrprEUsc0GU8TIqX1TipSU2x2F0ouy4xJUeRK04yD0vkj6lnuSjo= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1711651832; c=relaxed/simple; bh=v47lKJs0Ij31Lu1i4dgbBcc3S1l62Crepl3XB+i3pHk=; h=Mime-Version:Content-Type:Date:Message-Id:Cc:Subject:From:To: References:In-Reply-To; b=OOlmDNKpth6b4s8+inbdjDHMSTVjFfQ67ETTMUJjzT06QcusntklTSoy+Nd+13XfsMG1tCk4lPT0t/sXyM27NJh+YbguTUZWzBJW1xp3ZtxfpwsbeHt1MVGLS1JrQwgsQZywh819Wdj1VqF0m6SCxJUhU29ZjvZ7GDobUKr6hWE= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=TtN5bh02; arc=none smtp.client-ip=10.30.226.201 Received: by smtp.kernel.org (Postfix) with ESMTPSA id 194FDC433C7; Thu, 28 Mar 2024 18:50:23 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1711651830; bh=v47lKJs0Ij31Lu1i4dgbBcc3S1l62Crepl3XB+i3pHk=; h=Date:Cc:Subject:From:To:References:In-Reply-To:From; b=TtN5bh02FrPTKu9xC+1yTpzkaJuCahZccbAaMqgtJLIA3L/JGfowwOAoz6eY9Gt/x j1t/iJmTlhFZ1ebfpkyR3pulVZIqn25ghMzitDejpq8Idf0aMvh0Zmf6cj6ZY6YXZ5 ma9ykqNCCMRrXr2gq1XRpJRV01XLbXeelLym1+jgU+w/uijmzzEP/uXsCLOFFOg6W7 tub1teDBLgpxXzl8GHvd2BMBsywEkaQlU5tBGkJLoZB+7TJYYveRZoYTSTFsDk2bQh CN1sJqsJJU0vzPmplUKnRJ+7KCuz4BXg24vZsWJ/Vt8JjbhDiH0UI4+ZqGdguKTHpk xih3Pa+YcDsog== Precedence: bulk X-Mailing-List: linux-crypto@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Mime-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=UTF-8 Date: Thu, 28 Mar 2024 20:50:22 +0200 Message-Id: Cc: "Mimi Zohar" , "James Bottomley" , "Herbert Xu" , "David S. Miller" , "Shawn Guo" , "Jonathan Corbet" , "Sascha Hauer" , "kernel@pengutronix.de" , "Fabio Estevam" , "NXP Linux Team" , "Ahmad Fatoum" , "sigma star Kernel Team" , "David Howells" , "Li Yang" , "Paul Moore" , "James Morris" , "Serge E. Hallyn" , "Paul E. McKenney" , "Randy Dunlap" , "Catalin Marinas" , "Rafael J. Wysocki" , "Tejun Heo" , "Steven Rostedt (Google)" , , "linux-kernel@vger.kernel.org" , "linux-integrity@vger.kernel.org" , "keyrings@vger.kernel.org" , "linux-crypto@vger.kernel.org" , , , "linux-security-module@vger.kernel.org" , "Richard Weinberger" , "David Oberhollenzer" Subject: Re: [PATCH v7 6/6] docs: trusted-encrypted: add DCP as new trust source From: "Jarkko Sakkinen" To: "Jarkko Sakkinen" , "David Gstir" X-Mailer: aerc 0.17.0 References: <20240327082454.13729-1-david@sigma-star.at> <20240327082454.13729-7-david@sigma-star.at> In-Reply-To: On Thu Mar 28, 2024 at 8:47 PM EET, Jarkko Sakkinen wrote: > On Thu Mar 28, 2024 at 10:05 AM EET, David Gstir wrote: > > Jarkko, > > > > > On 27.03.2024, at 16:40, Jarkko Sakkinen wrote: > > >=20 > > > On Wed Mar 27, 2024 at 10:24 AM EET, David Gstir wrote: > > >> Update the documentation for trusted and encrypted KEYS with DCP as = new > > >> trust source: > > >>=20 > > >> - Describe security properties of DCP trust source > > >> - Describe key usage > > >> - Document blob format > > >>=20 > > >> Co-developed-by: Richard Weinberger > > >> Signed-off-by: Richard Weinberger > > >> Co-developed-by: David Oberhollenzer > > >> Signed-off-by: David Oberhollenzer > > >> Signed-off-by: David Gstir > > >> --- > > >> .../security/keys/trusted-encrypted.rst | 85 +++++++++++++++++= ++ > > >> 1 file changed, 85 insertions(+) > > >>=20 > > >> diff --git a/Documentation/security/keys/trusted-encrypted.rst b/Doc= umentation/security/keys/trusted-encrypted.rst > > >> index e989b9802f92..81fb3540bb20 100644 > > >> --- a/Documentation/security/keys/trusted-encrypted.rst > > >> +++ b/Documentation/security/keys/trusted-encrypted.rst > > >> @@ -42,6 +42,14 @@ safe. > > >> randomly generated and fused into each SoC at manufacturing= time. > > >> Otherwise, a common fixed test key is used instead. > > >>=20 > > >> + (4) DCP (Data Co-Processor: crypto accelerator of various i.MX= SoCs) > > >> + > > >> + Rooted to a one-time programmable key (OTP) that is genera= lly burnt > > >> + in the on-chip fuses and is accessible to the DCP encrypti= on engine only. > > >> + DCP provides two keys that can be used as root of trust: t= he OTP key > > >> + and the UNIQUE key. Default is to use the UNIQUE key, but = selecting > > >> + the OTP key can be done via a module parameter (dcp_use_ot= p_key). > > >> + > > >> * Execution isolation > > >>=20 > > >> (1) TPM > > >> @@ -57,6 +65,12 @@ safe. > > >>=20 > > >> Fixed set of operations running in isolated execution envir= onment. > > >>=20 > > >> + (4) DCP > > >> + > > >> + Fixed set of cryptographic operations running in isolated = execution > > >> + environment. Only basic blob key encryption is executed th= ere. > > >> + The actual key sealing/unsealing is done on main processor= /kernel space. > > >> + > > >> * Optional binding to platform integrity state > > >>=20 > > >> (1) TPM > > >> @@ -79,6 +93,11 @@ safe. > > >> Relies on the High Assurance Boot (HAB) mechanism of NXP So= Cs > > >> for platform integrity. > > >>=20 > > >> + (4) DCP > > >> + > > >> + Relies on Secure/Trusted boot process (called HAB by vendo= r) for > > >> + platform integrity. > > >> + > > >> * Interfaces and APIs > > >>=20 > > >> (1) TPM > > >> @@ -94,6 +113,11 @@ safe. > > >>=20 > > >> Interface is specific to silicon vendor. > > >>=20 > > >> + (4) DCP > > >> + > > >> + Vendor-specific API that is implemented as part of the DCP= crypto driver in > > >> + ``drivers/crypto/mxs-dcp.c``. > > >> + > > >> * Threat model > > >>=20 > > >> The strength and appropriateness of a particular trust source f= or a given > > >> @@ -129,6 +153,13 @@ selected trust source: > > >> CAAM HWRNG, enable CRYPTO_DEV_FSL_CAAM_RNG_API and ensure the d= evice > > >> is probed. > > >>=20 > > >> + * DCP (Data Co-Processor: crypto accelerator of various i.MX SoC= s) > > >> + > > >> + The DCP hardware device itself does not provide a dedicated RN= G interface, > > >> + so the kernel default RNG is used. SoCs with DCP like the i.MX= 6ULL do have > > >> + a dedicated hardware RNG that is independent from DCP which ca= n be enabled > > >> + to back the kernel RNG. > > >> + > > >> Users may override this by specifying ``trusted.rng=3Dkernel`` on th= e kernel > > >> command-line to override the used RNG with the kernel's random numbe= r pool. > > >>=20 > > >> @@ -231,6 +262,19 @@ Usage:: > > >> CAAM-specific format. The key length for new keys is always in byte= s. > > >> Trusted Keys can be 32 - 128 bytes (256 - 1024 bits). > > >>=20 > > >> +Trusted Keys usage: DCP > > >> +----------------------- > > >> + > > >> +Usage:: > > >> + > > >> + keyctl add trusted name "new keylen" ring > > >> + keyctl add trusted name "load hex_blob" ring > > >> + keyctl print keyid > > >> + > > >> +"keyctl print" returns an ASCII hex copy of the sealed key, which i= s in format > > >> +specific to this DCP key-blob implementation. The key length for n= ew keys is > > >> +always in bytes. Trusted Keys can be 32 - 128 bytes (256 - 1024 bit= s). > > >> + > > >> Encrypted Keys usage > > >> -------------------- > > >>=20 > > >> @@ -426,3 +470,44 @@ string length. > > >> privkey is the binary representation of TPM2B_PUBLIC excluding the > > >> initial TPM2B header which can be reconstructed from the ASN.1 octed > > >> string length. > > >> + > > >> +DCP Blob Format > > >> +--------------- > > >> + > > >> +The Data Co-Processor (DCP) provides hardware-bound AES keys using = its > > >> +AES encryption engine only. It does not provide direct key sealing/= unsealing. > > >> +To make DCP hardware encryption keys usable as trust source, we def= ine > > >> +our own custom format that uses a hardware-bound key to secure the = sealing > > >> +key stored in the key blob. > > >> + > > >> +Whenever a new trusted key using DCP is generated, we generate a ra= ndom 128-bit > > >> +blob encryption key (BEK) and 128-bit nonce. The BEK and nonce are = used to > > >> +encrypt the trusted key payload using AES-128-GCM. > > >> + > > >> +The BEK itself is encrypted using the hardware-bound key using the = DCP's AES > > >> +encryption engine with AES-128-ECB. The encrypted BEK, generated no= nce, > > >> +BEK-encrypted payload and authentication tag make up the blob forma= t together > > >> +with a version number, payload length and authentication tag:: > > >> + > > >> + /* > > >> + * struct dcp_blob_fmt - DCP BLOB format. > > >> + * > > >> + * @fmt_version: Format version, currently being %1 > > >> + * @blob_key: Random AES 128 key which is used to encrypt @payl= oad, > > >> + * @blob_key itself is encrypted with OTP or UNIQUE = device key in > > >> + * AES-128-ECB mode by DCP. > > >> + * @nonce: Random nonce used for @payload encryption. > > >> + * @payload_len: Length of the plain text @payload. > > >> + * @payload: The payload itself, encrypted using AES-128-GCM an= d @blob_key, > > >> + * GCM auth tag of size AES_BLOCK_SIZE is attached at= the end of it. > > >> + * > > >> + * The total size of a DCP BLOB is sizeof(struct dcp_blob_fmt) = + @payload_len + > > >> + * AES_BLOCK_SIZE. > > >> + */ > > >> + struct dcp_blob_fmt { > > >> + __u8 fmt_version; > > >> + __u8 blob_key[AES_KEYSIZE_128]; > > >> + __u8 nonce[AES_KEYSIZE_128]; > > >> + __le32 payload_len; > > >> + __u8 payload[]; > > >> + } __packed; > > >=20 > > > I'm thinking here given that you need to replicate the same thing tha= t > > > is in the source files. E.g. Documentation/gpu/i915.rst. > > >=20 > > > The rationale would so many sources so maybe it would make sense to > > > maintain this in the source code. > > >=20 > > > Also this documents how to generally insert documentation inline: > > > https://docs.kernel.org/doc-guide/kernel-doc.html > > >=20 > > > I.e. I'm feeling that this is good time to improve scalability so tha= t > > > documentation will keep up to date. Also then backend specific patche= s > > > mostly go to their subdirectories and not to Documentation/ subtree > > > (or that would be more rare case). > > >=20 > > > So a good chance to do more than just a new backend for the benefit > > > of the trusted keys subsystem :-) > > >=20 > > > Also, later on if something is changed e.g. in the above struct you > > > don't have to do matching update to the documentation so it will save > > > time too (over time). > > > > sound good! I=E2=80=99ll maintain the blob format documentation to the = source and insert=20 > > a reference in the documentation. Thanks for pointing that out! > > > > Is there anything else I can improve for this patchset? I=E2=80=99d lik= e to include that in v8 > > too and make it the last iteration of this patchset. > > Yeah, I don't enforce you to convert all the existing work to this > model, but we could use this as a reference for that work. I mean that way documentation update will become more natural part of the code update and less frustrating to do which usually encourages to document stuff better and also later on tweak and improve it. So yeah I feel that GPU documentation in kernel is doing lot's of things right, and other subsystems should follow. I.e. it is good reference model for trusted keys documentation, and said I'm cool with realizing this for only this new key type :-) Otherwise, finishing this patch set will torture for you and also for me if it tries to fix everything. BR, Jarkko