Re: [PATCH v3 00/12] Hardware wrapped key support for qcom ice and ufs

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]


Hi Gaurav,

On 22/11/2023 06:38, Gaurav Kashyap wrote:
These are the third iteration of patches that add support to Qualcomm ICE (Inline Crypto Engine) for hardware wrapped keys using Qualcomm Hardware Key Manager (HWKM)

They patches do the following:
- Address comments from v2 (Found here:
- Rebased and tested on top of Eric's latest patchset:
- Rebased and tested on top of SM8650 patches from Linaro:

Information about patches copied over from v2:

Explanation and use of hardware-wrapped-keys can be found here:

This patch is organized as follows:

Patch 1 - Prepares ICE and storage layers (UFS and EMMC) to pass around wrapped keys.
Patch 2 - Adds a new SCM api to support deriving software secret when wrapped keys are used
Patch 3-4 - Adds support for wrapped keys in the ICE driver. This includes adding HWKM support
Patch 5-6 - Adds support for wrapped keys in UFS
Patch 7-10 - Supports generate, prepare and import functionality in ICE and UFS

NOTE: MMC will have similar changes to UFS and will be uploaded in a different patchset
       Patch 3, 4, 8, 10 will have MMC equivalents.

Test platform: SM8650 MTP

The changes were tested by mounting initramfs and running the fscryptctl
tool (Ref: to
generate and prepare keys, as well as to set policies on folders, which
consequently invokes disk encryption flows through UFS.

Tested both standard and wrapped keys (Removing qcom,ice-use-hwkm from dtsi will support using standard keys)

Steps to test:

The following configs were enabled:

Flash boot image, boot to shell and run the following commands

Creating and preparing keys
- mkfs.ext4 -F -O encrypt,stable_inodes /dev/disk/by-partlabel/userdata
- mount /dev/disk/by-partlabel/userdata -o inlinecrypt /mnt
- ./fscryptctl generate_hw_wrapped_key /dev/disk/by-partlabel/userdata > /mnt/key.longterm
Note: import_hw_wrapped_key currently has a big which just got fixed, so it will be functional in the next SM8650 release
(It might already be available by the time the boards are available to public)
- ./fscryptctl prepare_hw_wrapped_key /dev/disk/by-partlabel/userdata < /mnt/key.longterm > /tmp/key.ephemeral
- ./fscryptctl add_key --hw-wrapped-key < /tmp/key.ephemeral /mnt

Create a folder and associate created keys with the folder
- rm -rf /mnt/dir
- mkdir /mnt/dir
- ./fscryptctl set_policy --hw-wrapped-key --iv-ino-lblk-64 "$keyid" /mnt/dir
- dmesg > /mnt/dir/test.txt
- sync

- Reboot
- mount /dev/disk/by-partlabel/userdata -o inlinecrypt /mnt
- ls /mnt/dir (You should see an encrypted file)
- ./fscryptctl prepare_hw_wrapped_key /dev/disk/by-partlabel/userdata < /mnt/key.longterm > /tmp/key.ephemeral
- ./fscryptctl add_key --hw-wrapped-key < /tmp/key.ephemeral /mnt
- cat /mnt/dir/test.txt

I successfully tested with those instructions on the SM8650 QRD,

Tested-by: Neil Armstrong <neil.armstrong@xxxxxxxxxx> # on SM8650-QRD

however I got some build errors on sdhci-msm:

drivers/mmc/host/sdhci-msm.c:1862:19: error: ‘blk_crypto_key_type’ defined as wrong kind of tag
 1862 |      const struct blk_crypto_key_type *bkey,
      |                   ^~~~~~~~~~~~~~~~~~~
drivers/mmc/host/sdhci-msm.c:1862:19: warning: ‘struct blk_crypto_key_type’ declared inside parameter list will not be visible outside of thi
s definition or declaration
drivers/mmc/host/sdhci-msm.c: In function ‘sdhci_msm_program_key’:
drivers/mmc/host/sdhci-msm.c:1882:24: error: passing argument 4 of ‘qcom_ice_program_key’ from incompatible pointer type [-Werror=incompatibl
 1882 |          ice_key_size, bkey,
      |                        ^~~~
      |                        |
      |                        const struct blk_crypto_key_type *
In file included from drivers/mmc/host/sdhci-msm.c:21:
include/soc/qcom/ice.h:35:34: note: expected ‘const struct blk_crypto_key *’ but argument is of type ‘const struct blk_crypto_key_type *’
   35 |     const struct blk_crypto_key *bkey,
      |     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^~~~
drivers/mmc/host/sdhci-msm.c: At top level:
drivers/mmc/host/sdhci-msm.c:1993:17: error: initialization of ‘int (*)(struct cqhci_host *, const struct blk_crypto_key *, const union cqhci
_crypto_cfg_entry *, int)’ from incompatible pointer type ‘int (*)(struct cqhci_host *, const struct blk_crypto_key_type *, const union cqhci_crypto_cfg_entry *, int)’ [-Werro
 1993 |  .program_key = sdhci_msm_program_key,
      |                 ^~~~~~~~~~~~~~~~~~~~~
drivers/mmc/host/sdhci-msm.c:1993:17: note: (near initialization for ‘sdhci_msm_cqhci_ops.program_key’)


Gaurav Kashyap (12):
   ice, ufs, mmc: use blk_crypto_key for program_key
   qcom_scm: scm call for deriving a software secret
   soc: qcom: ice: add hwkm support in ice
   soc: qcom: ice: support for hardware wrapped keys
   ufs: core: support wrapped keys in ufs core
   ufs: host: wrapped keys support in ufs qcom
   qcom_scm: scm call for create, prepare and import keys
   ufs: core: add support for generate, import and prepare keys
   soc: qcom: support for generate, import and prepare key
   ufs: host: support for generate, import and prepare key
   arm64: dts: qcom: sm8650: add hwkm support to ufs ice
   dt-bindings: crypto: ice: document the hwkm property

  .../crypto/qcom,inline-crypto-engine.yaml     |   7 +
  arch/arm64/boot/dts/qcom/sm8650.dtsi          |   3 +-
  drivers/firmware/qcom/qcom_scm.c              | 276 +++++++++++++++
  drivers/firmware/qcom/qcom_scm.h              |   4 +
  drivers/mmc/host/cqhci-crypto.c               |   7 +-
  drivers/mmc/host/cqhci.h                      |   2 +
  drivers/mmc/host/sdhci-msm.c                  |   6 +-
  drivers/soc/qcom/ice.c                        | 321 +++++++++++++++++-
  drivers/ufs/core/ufshcd-crypto.c              |  87 ++++-
  drivers/ufs/host/ufs-qcom.c                   |  61 +++-
  include/linux/firmware/qcom/qcom_scm.h        |   7 +
  include/soc/qcom/ice.h                        |  18 +-
  include/ufs/ufshcd.h                          |  22 ++
  13 files changed, 784 insertions(+), 37 deletions(-)

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [Linux for Sparc]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux