On 7/16/2020 10:36 AM, Herbert Xu wrote:
> On Mon, Jul 13, 2020 at 01:05:36AM +0300, Iuliana Prodan wrote:
>> Tagged keys are keys that contain metadata indicating what
>> they are and how to handle them using tag_object API.
>>
>> Add support, for tagged keys, to skcipher algorithms by
>> adding new transformations, with _tk_ prefix to distinguish
>> between plaintext and tagged keys.
>>
>> For job descriptors a new option (key_cmd_opt) was added for KEY command.
>> Tagged keys can be loaded using only a KEY command with ENC=1
>> and the proper setting of the EKT bit. The EKT bit in the
>> KEY command indicates which encryption algorithm (AES-ECB or
>> AES-CCM) should be used to decrypt the key. These options will be kept in
>> key_cmd_opt.
>>
>> The tk_ transformations can be used directly by their name:
>> struct sockaddr_alg sa = {
>>     .salg_family = AF_ALG,
>>     .salg_type = "skcipher", /* this selects the symmetric cipher */
>>     .salg_name = "tk(cbc(aes))" /* this is the cipher name */
>> };
>> or for dm-crypt, e.g. using dmsetup:
>> dmsetup -v create encrypted --table "0 $(blockdev --getsz /dev/mmcblk2p10)
>> crypt capi:tk(cbc(aes))-plain :32:logon:seckey 0 /dev/mmcblk2p10 0 1
>> sector_size:512".
>>
>> Signed-off-by: Franck LENORMAND <franck.lenormand@xxxxxxx>
>> Signed-off-by: Iuliana Prodan <iuliana.prodan@xxxxxxx>
>
> Can this use the existing paes name instead of tk as done in
> other drivers?
>

This patch set adds support only for some AES-based algorithms.
However, going further the plan is to add all keyed algorithms
supported by caam.

Thus I wouldn't tie the name to AES.

Possible alternatives would be:
pk - protected keys
tk - with "t" standing for "trusted" instead of "tagged"

Wrt. "trusted", I am not sure this term should strictly be tied
to a TPM or not.

Thanks,
Horia