Hello Jarkko,

On 05.12.21 01:18, Jarkko Sakkinen wrote:
> On Mon, Oct 11, 2021 at 12:02:37PM +0200, Ahmad Fatoum wrote:
>> The CAAM can be used to protect user-defined data across system reboot:
>>
>>   - When the system is fused and boots into secure state, the master
>>     key is a unique never-disclosed device-specific key
>>   - random key is encrypted by key derived from master key
>>   - data is encrypted using the random key
>>   - encrypted data and its encrypted random key are stored alongside
>>   - This blob can now be safely stored in non-volatile memory
>>
>> On next power-on:
>>   - blob is loaded into CAAM
>>   - CAAM writes decrypted data either into memory or key register
>>
>> Add functions to realize encrypting and decrypting into memory alongside
>> the CAAM driver.
>>
>> They will be used in a later commit as a source for the trusted key
>> seal/unseal mechanism.
>>
>> Reviewed-by: David Gstir <david@xxxxxxxxxxxxx>
>> Tested-By: Tim Harvey <tharvey@xxxxxxxxxxxxx>
>> Signed-off-by: Steffen Trumtrar <s.trumtrar@xxxxxxxxxxxxxx>
>> Signed-off-by: Ahmad Fatoum <a.fatoum@xxxxxxxxxxxxxx>
>
> What is CAAM? This is missing.

That's Crypto Accelerator on NXP SoCs. There is a description in the cover
letter and in the follow-up patch wiring this into the new trusted key source.
I didn't elaborate on this here as this patch touches drivers/crypto/caam and
I assumed familiarity.

For v5, I can add some extra info:

  "The NXP Cryptographic Acceleration and Assurance Module (CAAM)
   can be used to protect user-defined data across system reboot..."

Sounds good?

Does the last patch in the series look ok to you?

Cheers,
Ahmad

>
> /Jarkko
>

-- 
Pengutronix e.K.                 |                             |
Steuerwalder Str. 21             | http://www.pengutronix.de/  |
31137 Hildesheim, Germany        | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686 | Fax:   +49-5121-206917-5555 |
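
The blob scheme from the quoted commit message, modelled in software as an added example (not code from the patch or from the CAAM driver). The names encap_blob, decap_blob, prf and stream_xor are hypothetical, the master key is a plain byte string, and an HMAC-SHA256 keystream with an HMAC tag stands in for the hardware's cipher, which the message does not specify.

```python
import hashlib
import hmac
import os

NONCE_LEN, KEY_LEN, TAG_LEN = 16, 32, 32


def prf(key: bytes, label: bytes, msg: bytes) -> bytes:
    """HMAC-SHA256 with a domain-separation label."""
    return hmac.new(key, label + msg, hashlib.sha256).digest()


def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in cipher (assumption): XOR with an HMAC counter-mode keystream."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = prf(key, b"ks", nonce + (off // 32).to_bytes(4, "big"))
        out += bytes(d ^ p for d, p in zip(data[off:off + 32], pad))
    return bytes(out)


def encap_blob(master_key: bytes, data: bytes) -> bytes:
    """Seal data into: nonce || wrapped random key || ciphertext || tag."""
    kek = prf(master_key, b"kek", b"")          # key derived from master key
    blob_key = os.urandom(KEY_LEN)              # fresh random key per blob
    nonce = os.urandom(NONCE_LEN)
    wrapped = stream_xor(kek, nonce, blob_key)  # random key encrypted by derived key
    ct = stream_xor(blob_key, nonce, data)      # data encrypted by random key
    return nonce + wrapped + ct + prf(blob_key, b"tag", nonce + ct)


def decap_blob(master_key: bytes, blob: bytes) -> bytes:
    """Unseal a blob; raise ValueError if this master key did not seal it."""
    if len(blob) < NONCE_LEN + KEY_LEN + TAG_LEN:
        raise ValueError("blob too short")
    nonce = blob[:NONCE_LEN]
    wrapped = blob[NONCE_LEN:NONCE_LEN + KEY_LEN]
    ct, tag = blob[NONCE_LEN + KEY_LEN:-TAG_LEN], blob[-TAG_LEN:]
    blob_key = stream_xor(prf(master_key, b"kek", b""), nonce, wrapped)
    if not hmac.compare_digest(tag, prf(blob_key, b"tag", nonce + ct)):
        raise ValueError("blob authentication failed")
    return stream_xor(blob_key, nonce, ct)
```

Only the master key has to stay secret: the blob carries its own wrapped key, so it can sit in non-volatile storage, and a blob that was modified or moved to a device with a different master key fails the tag check instead of decrypting to garbage.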