Re: [PATCH RESEND v7 00/17] Hardware wrapped key support for QCom ICE and UFS core

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Mon, Dec 02, 2024 at 01:02:16PM +0100, Bartosz Golaszewski wrote:
> The previous iteration[1] has been on the list for many weeks without
> receiving any comments - neither positive nor negative. If there are no
> objections - could we start discussing how to make these patches go
> upstream for v6.14?

The way to do it will be for the block patches to be taken through the block
tree first.  That will unblock the rest, which can be taken through their
respective trees in subsequent cycles.

I'm really hoping to be able to test these patches with upstream myself, which
I'm not able to do yet.  I'll try to leave some review comments on the parts not
authored by me the mean time.  Anyway, thanks for continuing to work on this.

> Tested on sm8650-qrd.
> 
> How to test:
> 
> Use the wip-wrapped-keys branch from https://github.com/ebiggers/fscryptctl
> to build a custom fscryptctl that supports generating wrapped keys.
> 
> Enable the following config options:
> CONFIG_BLK_INLINE_ENCRYPTION=y
> CONFIG_QCOM_INLINE_CRYPTO_ENGINE=m
> CONFIG_FS_ENCRYPTION_INLINE_CRYPT=y
> CONFIG_SCSI_UFS_CRYPTO=y
> 
> $ mkfs.ext4 -F -O encrypt,stable_inodes /dev/disk/by-partlabel/userdata
> $ mount /dev/disk/by-partlabel/userdata -o inlinecrypt /mnt
> $ fscryptctl generate_hw_wrapped_key /dev/disk/by-partlabel/userdata > /mnt/key.longterm
> $ fscryptctl prepare_hw_wrapped_key /dev/disk/by-partlabel/userdata < /mnt/key.longterm > /tmp/key.ephemeral
> $ KEYID=$(fscryptctl add_key --hw-wrapped-key < /tmp/key.ephemeral /mnt)
> $ rm -rf /mnt/dir
> $ mkdir /mnt/dir
> $ fscryptctl set_policy --hw-wrapped-key --iv-ino-lblk-64 "$KEYID" /mnt/dir
> $ dmesg > /mnt/dir/test.txt
> $ sync
> 
> Reboot the board
> 
> $ mount /dev/disk/by-partlabel/userdata -o inlinecrypt /mnt
> $ ls /mnt/dir
> $ fscryptctl prepare_hw_wrapped_key /dev/disk/by-partlabel/userdata < /mnt/key.longterm > /tmp/key.ephemeral
> $ KEYID=$(fscryptctl add_key --hw-wrapped-key < /tmp/key.ephemeral /mnt)
> $ fscryptctl set_policy --hw-wrapped-key --iv-ino-lblk-64 "$KEYID" /mnt/dir
> $ cat /mnt/dir/test.txt # File should now be decrypted

That doesn't verify that the encryption is being done correctly, which is the
most important thing to test.  For that we'll need to resurrect the following
patchset for xfstests:
https://lore.kernel.org/fstests/20220228074722.77008-1-ebiggers@xxxxxxxxxx/

- Eric




[Index of Archives]     [DM Crypt]     [Fedora Desktop]     [ATA RAID]     [Fedora Marketing]     [Fedora Packaging]     [Fedora SELinux]     [Yosemite Discussion]     [KDE Users]     [Fedora Docs]

  Powered by Linux