On Friday 01 June 2018 09:16 AM, Christoph Hellwig wrote: > On Wed, May 30, 2018 at 02:52:07PM +0000, Ladvine D Almeida wrote: >> when the optional argument "perform_inline_encrypt" is set, we are not unconditionally sending the bio >> to the block devices. The steps are explained below: >> 1. user invokes the dm-setup command with the registered cipher "xts" and with the optional argument >> "perform_inline_encrypt". >> 2. dm-setup invokes the setkey function of the newly introduced algorithm, which finds the available key slots >> to be programmed(UFS Host controller Inline Encryption engine has multiple keyslots), program the key slot, >> and return the key slot index as return value of the set key function. >> 3. When read/write operation happens, crypt_map() function in dm-crypt validates whether there is associated >> key configuration index for the request. The Bio will be submitted directly in this case only with the associated >> crypto context. >> 4. Block device driver, eg. UFS host controller driver will create the Transfer requests as per this crypto context and >> encryption happens inside the controller. > Why isn't this all controlled by the ufs drivers, using helpers as > required? The idea is to make use of the existing utilities like dmsetup to configure the keys, mapping etc. > > Also why do we even need this API over just implementing TCG > Opal/Opalite on the device? > TCG Opal/Opalite is FDE solution. right? File Based Encryption is accomplished in the ext4/f2fs layer by invoking the registered algorithms from LKCF. There is a scope for FBE, if the implementation is crypto API. Regards, Ladvine
