Herbert, On Mon, Jun 14, 2021 at 10:18 PM Richard Weinberger <richard@xxxxxx> wrote: > > DCP is capable to performing AES with hardware-bound keys. > These keys are not stored in main memory and are therefore not directly > accessible by the operating system. > > So instead of feeding the key into DCP, we need to place a > reference to such a key before initiating the crypto operation. > Keys are referenced by a one byte identifiers. > > DCP supports 6 different keys: 4 slots in the secure memory area, > a one time programmable key which can be burnt via on-chip fuses > and an unique device key. > > Using these keys is restricted to in-kernel users that use them as building > block for other crypto tools such as trusted keys. Allowing userspace > (e.g. via AF_ALG) to use these keys to crypt or decrypt data is a security > risk, because there is no access control mechanism. > > Cc: Ahmad Fatoum <a.fatoum@xxxxxxxxxxxxxx> > Cc: David Gstir <david@xxxxxxxxxxxxx> > Cc: David Howells <dhowells@xxxxxxxxxx> > Cc: "David S. Miller" <davem@xxxxxxxxxxxxx> > Cc: Fabio Estevam <festevam@xxxxxxxxx> > Cc: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx> > Cc: James Bottomley <jejb@xxxxxxxxxxxxx> > Cc: James Morris <jmorris@xxxxxxxxx> > Cc: Jarkko Sakkinen <jarkko@xxxxxxxxxx> > Cc: Jonathan Corbet <corbet@xxxxxxx> > Cc: keyrings@xxxxxxxxxxxxxxx > Cc: linux-arm-kernel@xxxxxxxxxxxxxxxxxxx > Cc: linux-crypto@xxxxxxxxxxxxxxx > Cc: linux-doc@xxxxxxxxxxxxxxx > Cc: linux-integrity@xxxxxxxxxxxxxxx > Cc: linux-kernel@xxxxxxxxxxxxxxx > Cc: linux-security-module@xxxxxxxxxxxxxxx > Cc: Mimi Zohar <zohar@xxxxxxxxxxxxx> > Cc: NXP Linux Team <linux-imx@xxxxxxx> > Cc: Pengutronix Kernel Team <kernel@xxxxxxxxxxxxxx> > Cc: Richard Weinberger <richard@xxxxxx> > Cc: Sascha Hauer <s.hauer@xxxxxxxxxxxxxx> > Cc: "Serge E. Hallyn" <serge@xxxxxxxxxx> > Cc: Shawn Guo <shawnguo@xxxxxxxxxx> > Co-developed-by: David Gstir <david@xxxxxxxxxxxxx> > Signed-off-by: David Gstir <david@xxxxxxxxxxxxx> > Signed-off-by: Richard Weinberger <richard@xxxxxx> > --- > drivers/crypto/mxs-dcp.c | 110 ++++++++++++++++++++++++++++++++++----- > include/linux/mxs-dcp.h | 19 +++++++ > 2 files changed, 117 insertions(+), 12 deletions(-) > create mode 100644 include/linux/mxs-dcp.h This patch was judged as not applicable in your patchwork. Is something missing? How can we proceed? -- Thanks, //richard
