On 5/14/21 1:14 PM, Chang S. Bae wrote: > Key Locker [1][2] is a new security feature available in new Intel CPUs to > protect data encryption keys for the Advanced Encryption Standard > algorithm. The protection limits the amount of time an AES key is exposed > in memory by sealing a key and referencing it with new AES instructions. > > The new AES instruction set is a successor of Intel's AES-NI (AES New > Instruction). Users may switch to the Key Locker version from crypto > libraries. This series includes a new AES implementation for the Crypto > API, which was validated through the crypto unit tests. The performance in > the test cases was measured and found comparable to the AES-NI version. > > Key Locker introduces a (CPU-)internal key to encode AES keys. The kernel > needs to load it and ensure it unchanged as long as CPUs are operational. I have high-level questions: What is the expected use case? My personal hypothesis, based on various public Intel slides, is that the actual intended use case was internal to the ME, and that KL was ported to end-user CPUs more or less verbatim. I certainly understand how KL is valuable in a context where a verified boot process installs some KL keys that are not subsequently accessible outside the KL ISA, but Linux does not really work like this. I'm wondering what people will use it for. On a related note, does Intel plan to extend KL with ways to securely load keys? (E.g. the ability to, in effect, LOADIWKEY from inside an enclave? Key wrapping/unwrapping operations?) In other words, is should we look at KL the way we look at MKTME, i.e. the foundation of something neat but not necessarily very useful as is, or should we expect that KL is in its more or less final form? What is the expected interaction between a KL-using VM guest and the host VMM? Will there be performance impacts (to context switching, for example) if a guest enables KL, even if the guest does not subsequently do anything with it? Should Linux actually enable KL if it detects that it's a VM guest? Should Linux have use a specific keying method as a guest? --Andy