On Wed, Nov 24, 2021 at 12:06:56PM -0800, Chang S. Bae wrote:
> + encodekey256 %eax, %eax
So this thing uses the fancy new keylocker instructions, however:
> diff --git a/crypto/Kconfig b/crypto/Kconfig
> index 285f82647d2b..784a04433549 100644
> --- a/crypto/Kconfig
> +++ b/crypto/Kconfig
> @@ -1113,6 +1113,50 @@ config CRYPTO_AES_NI_INTEL
> ECB, CBC, LRW, XTS. The 64 bit version has additional
> acceleration for CTR.
>
> +config CRYPTO_AES_KL
> + tristate "AES cipher algorithms (AES-KL)"
> + depends on (LD_VERSION >= 23600) || (LLD_VERSION >= 120000)
> + depends on DM_CRYPT
> + select X86_KEYLOCKER
> + select CRYPTO_AES_NI_INTEL
There is no dependency on the compiler actually supporting them..
config AS_HAS_KEYLOCKER
def_bool $(as-instr,encodekey256)
depends on AS_HAS_KEYLOCKER
Hmm?
> +
> + help
> + Key Locker provides AES SIMD instructions (AES-KL) for secure
> + data encryption and decryption. While this new instruction
> + set is analogous to AES-NI, AES-KL supports to encode an AES
> + key to an encoded form ('key handle') and uses it to transform
> + data instead of accessing the AES key.
> +
> + The setkey() transforms an AES key to a key handle, then the AES
> + key is no longer needed for data transformation. A user may
> + displace their keys from possible exposition.
> +
> + This key encryption is done by the CPU-internal wrapping key. The
> + x86 core code loads a new random key at every boot time and
> + restores it from deep sleep states. This wrapping key support is
> + provided with X86_KEYLOCKER.
> +
> + AES-KL supports 128-/256-bit keys only. While giving a 192-bit
> + key does not return an error, as AES-NI is chosen to process it,
> + the claimed security property is not available with that.
> +
> + GNU binutils version 2.36 or above and LLVM version 12 or above
> + are assemblers that support AES-KL instructions.
> +
> + Bare metal disk encryption is the preferred use case. Make it
> + depend on DM_CRYPT.
> +
> + This selection enables an alternative crypto cipher for
> + cryptsetup, e.g. "capi:xts-aes-aeskl-plain", to use with dm-crypt
> + volumes. It trades off raw performance for reduced clear-text key
> + exposure and has an additional failure mode compared to AES-NI.
> + See Documentation/x86/keylocker.rst for more details. Key Locker
> + usage requires explicit opt-in at cryptsetup time. So, select it
> + if unsure.
> +
> + See also the CRYPTO_AES_NI_INTEL description for more about the
> + AES cipher algorithm.
> +
> config CRYPTO_AES_SPARC64
> tristate "AES cipher algorithms (SPARC64)"
> depends on SPARC64
> --
> 2.17.1
>
