MIRRORS/linux-imx
1
0
Fork 0
mirror of https://github.com/nxp-imx/linux-imx.git synced 2025-09-03 02:16:09 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity
lf-6.6.y
linux-imx/drivers/crypto/caam/caamkeyblob.h
Iuliana Prodan e60fcf9fdb MLK-24420-2 crypto: caam - add support for black keys and blobs 
CAAM's Black Key mechanism is intended for protection
of user keys against bus snooping. This automatically
encapsulates and decapsulates cryptographic keys ''on-the-fly''
in an encrypted data structure called a Black Key.
Before a value is copied from a Key Register to memory,
CAAM will automatically encrypt the key as a Black Key
(encrypted key) using the current value in the JDKEKR or
TDKEKR as the encryption key.

CAAM's built-in Blob Protocol provides a method for protecting
user-defined data across system power cycles. CAAM protects data
in a data structure called a Blob, which provides both confidentiality
and integrity protection. The data to be protected is encrypted so that
it can be safely placed into non-volatile storage before the SoC is
powered down.

This patch includes the support to generate a black key from random or
from a plaintext. Also one can encapsulate it into a blob or decapsulate
a black key from a blob.
The key and blob generation descriptors are exported into a separate file,
such that they could be shared with other interfaces (qi, qi2).

This feature has support only for black keys, encapsulated in
black blobs in General Memory.

In caamkeyblob_test.c file is a test that validates the above
operations: create a black key from plaintext or from random,
encapsulate and decapsulate a blob and compare the obtained black key.
This test is configured as a kernel module.

Signed-off-by: Franck LENORMAND <franck.lenormand@nxp.com>
Signed-off-by: Iuliana Prodan <iuliana.prodan@nxp.com>
Reviewed-by: Horia Geantă <horia.geanta@nxp.com>
(cherry picked from commit 84287c5d3b)

Squashed fixes:
9c24012e6b ("MLK-24496 crypto: caam - fix blob encapsulation/decapsulation")
cd078fac33 ("MLK-24517-1 crypto: caam - removed unnecessary validation of black key for blob decapsulation")
8888926c54 ("MLK-24517-2 crypto: caam - removed unnecessary validation of black key for blob encapsulation")
e4b484ce2d ("MLK-24497 crypto: caam - update job descriptor with inline commands")

Signed-off-by: Iuliana Prodan <iuliana.prodan@nxp.com>
Reviewed-by: Horia Geantă <horia.geanta@nxp.com>

Squashed LF commit (rebase-v5.10-rc2/crypto/caam):
035f5933cc45 ("crypto: caam: change kzfree to kfree_sensitive")

Signed-off-by: Horia Geantă <horia.geanta@nxp.com>
2023-10-30 17:37:36 +08:00

83 lines
2.6 KiB
C
Raw Permalink Blame History

/* SPDX-License-Identifier: (GPL-2.0+ OR BSD-3-Clause) */
/*
* Black key generation and blob encapsulation/decapsualtion for CAAM
*
* Copyright 2018-2020 NXP
*/
#ifndef _CAAMKEYBLOB_H_
#define _CAAMKEYBLOB_H_
#include <linux/device.h>
#include "caamkeyblob_desc.h"
/*
* Minimum key size to be used is 16 bytes and maximum key size fixed
* is 64 bytes.
* Blob size to be kept is Maximum key size + tag object header added by CAAM.
*/
#define MIN_KEY_SIZE 16
#define MAX_KEY_SIZE 64
#define MAX_BLACK_KEY_SIZE (MAX_KEY_SIZE + CCM_OVERHEAD +\
TAG_OVERHEAD_SIZE)
/*
* For blobs a randomly-generated, 256-bit blob key is used to
* encrypt the data using the AES-CCM cryptographic algorithm.
* Therefore, blob size is max key size, CCM_OVERHEAD, blob header
* added by CAAM and the tagged object header size.
*/
#define MAX_BLOB_SIZE (MAX_KEY_SIZE + CCM_OVERHEAD +\
BLOB_OVERHEAD + TAG_OVERHEAD_SIZE)
/* Key modifier for CAAM blobs, used as a revision number */
static const char caam_key_modifier[KEYMOD_SIZE_GM] = {
'C', 'A', 'A', 'M', '_', 'K', 'E', 'Y',
'_', 'T', 'Y', 'P', 'E', '_', 'V', '1',
};
/**
* struct keyblob_info - Structure that contains all the data necessary
* to generate a black key and encapsulate it into a blob
*
* @key : The plaintext used as input key
* for black key generation
* @key_len : Size of plaintext or size of key in case of
* black key generated from random
* @type : The type of data contained (e.g. black key, blob, etc.)
* @black_key_len : Length of the generated black key
* @black_key : Black key data obtained from CAAM
* @blob_len : Length of the blob that encapsulates the black key
* @blob : Blob data obtained from CAAM
* @key_modifier_len : 8-byte or 16-byte Key_Modifier based on general or
* secure memory blob type
* @key_modifier : can be either a secret value, or used as a revision
* number, revision date or nonce
* In this case is used as a revision number.
*/
struct keyblob_info {
char *key;
size_t key_len;
u32 type;
size_t black_key_len;
unsigned char black_key[MAX_BLACK_KEY_SIZE];
size_t blob_len;
unsigned char blob[MAX_BLOB_SIZE];
size_t key_mod_len;
const void *key_mod;
};
int generate_black_key(struct device *dev, struct keyblob_info *info);
int caam_blob_encap(struct device *dev, struct keyblob_info *info);
int caam_blob_decap(struct device *dev, struct keyblob_info *info);
#endif /* _CAAMKEYBLOB_H_ */
Reference in New Issue View Git Blame Copy Permalink