> -----Original Message-----
> From: Ahmad Fatoum <a.fatoum@xxxxxxxxxxxxxx>
> Sent: Wednesday, February 23, 2022 9:50 PM
> To: Jarkko Sakkinen <jarkko@xxxxxxxxxx>
> Cc: Horia Geanta <horia.geanta@xxxxxxx>; Aymen Sghaier
> <aymen.sghaier@xxxxxxx>; Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>;
> David S. Miller <davem@xxxxxxxxxxxxx>; kernel@xxxxxxxxxxxxxx; David Gstir
> <david@xxxxxxxxxxxxx>; Pankaj Gupta <pankaj.gupta@xxxxxxx>;
> tharvey@xxxxxxxxxxxxx; Matthias Schiffer <matthias.schiffer@xxxxx-
> group.com>; James Bottomley <jejb@xxxxxxxxxxxxx>; Mimi Zohar
> <zohar@xxxxxxxxxxxxx>; David Howells <dhowells@xxxxxxxxxx>; James Morris
> <jmorris@xxxxxxxxx>; Eric Biggers <ebiggers@xxxxxxxxxx>; Serge E. Hallyn
> <serge@xxxxxxxxxx>; Jan Luebbe <j.luebbe@xxxxxxxxxxxxxx>; Richard
> Weinberger <richard@xxxxxx>; Franck Lenormand
> <franck.lenormand@xxxxxxx>; Sumit Garg <sumit.garg@xxxxxxxxxx>; linux-
> integrity@xxxxxxxxxxxxxxx; keyrings@xxxxxxxxxxxxxxx; linux-
> crypto@xxxxxxxxxxxxxxx; linux-kernel@xxxxxxxxxxxxxxx; linux-security-
> module@xxxxxxxxxxxxxxx
> Subject: [EXT] Re: [PATCH v5 4/5] crypto: caam - add in-kernel interface for blob
> generator
>
> Caution: EXT Email
>
> On 23.02.22 16:41, Jarkko Sakkinen wrote:
> > On Tue, Feb 22, 2022 at 08:58:18PM +0100, Ahmad Fatoum wrote:
> >> The NXP Cryptographic Acceleration and Assurance Module (CAAM) can be
> >> used to protect user-defined data across system reboot:
> >>
> >> - When the system is fused and boots into secure state, the master
> >> key is a unique never-disclosed device-specific key
> >> - random key is encrypted by key derived from master key
> >> - data is encrypted using the random key
> >> - encrypted data and its encrypted random key are stored alongside
> >> - This blob can now be safely stored in non-volatile memory
> >>
> >> On next power-on:
> >> - blob is loaded into CAAM
> >> - CAAM writes decrypted data either into memory or key register
> >>
> >> Add functions to realize encrypting and decrypting into memory
> >> alongside the CAAM driver.
> >>
> >> They will be used in a later commit as a source for the trusted key
> >> seal/unseal mechanism.
> >>
> >> Reviewed-by: David Gstir <david@xxxxxxxxxxxxx>
> >> Reviewed-by: Pankaj Gupta <pankaj.gupta@xxxxxxx>
> >> Tested-By: Tim Harvey <tharvey@xxxxxxxxxxxxx>
> >> Tested-by: Matthias Schiffer <matthias.schiffer@xxxxxxxxxxxxxxx>
> >> Signed-off-by: Steffen Trumtrar <s.trumtrar@xxxxxxxxxxxxxx>
> >> Signed-off-by: Ahmad Fatoum <a.fatoum@xxxxxxxxxxxxxx>
> >> ---
> >> To: "Horia Geantă" <horia.geanta@xxxxxxx>
> >> To: Aymen Sghaier <aymen.sghaier@xxxxxxx>
> >> To: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
> >> To: "David S. Miller" <davem@xxxxxxxxxxxxx>
> >> Cc: James Bottomley <jejb@xxxxxxxxxxxxx>
> >> Cc: Jarkko Sakkinen <jarkko@xxxxxxxxxx>
> >> Cc: Mimi Zohar <zohar@xxxxxxxxxxxxx>
> >> Cc: David Howells <dhowells@xxxxxxxxxx>
> >> Cc: James Morris <jmorris@xxxxxxxxx>
> >> Cc: Eric Biggers <ebiggers@xxxxxxxxxx>
> >> Cc: "Serge E. Hallyn" <serge@xxxxxxxxxx>
> >> Cc: Jan Luebbe <j.luebbe@xxxxxxxxxxxxxx>
> >> Cc: David Gstir <david@xxxxxxxxxxxxx>
> >> Cc: Richard Weinberger <richard@xxxxxx>
> >> Cc: Franck LENORMAND <franck.lenormand@xxxxxxx>
> >> Cc: Sumit Garg <sumit.garg@xxxxxxxxxx>
> >> Cc: Tim Harvey <tharvey@xxxxxxxxxxxxx>
> >> Cc: Matthias Schiffer <matthias.schiffer@xxxxxxxxxxxxxxx>
> >> Cc: Pankaj Gupta <pankaj.gupta@xxxxxxx>
> >> Cc: linux-integrity@xxxxxxxxxxxxxxx
> >> Cc: keyrings@xxxxxxxxxxxxxxx
> >> Cc: linux-crypto@xxxxxxxxxxxxxxx
> >> Cc: linux-kernel@xxxxxxxxxxxxxxx
> >> Cc: linux-security-module@xxxxxxxxxxxxxxx
> >> ---
> >> drivers/crypto/caam/Kconfig | 3 +
> >> drivers/crypto/caam/Makefile | 1 +
> >> drivers/crypto/caam/blob_gen.c | 230
> +++++++++++++++++++++++++++++++++
> >> include/soc/fsl/caam-blob.h | 56 ++++++++
> >> 4 files changed, 290 insertions(+)
> >> create mode 100644 drivers/crypto/caam/blob_gen.c create mode
> >> 100644 include/soc/fsl/caam-blob.h
> >>
> >> diff --git a/drivers/crypto/caam/Kconfig
> >> b/drivers/crypto/caam/Kconfig index 84ea7cba5ee5..ea9f8b1ae981 100644
> >> --- a/drivers/crypto/caam/Kconfig
> >> +++ b/drivers/crypto/caam/Kconfig
> >> @@ -151,6 +151,9 @@ config CRYPTO_DEV_FSL_CAAM_RNG_API
> >> Selecting this will register the SEC4 hardware rng to
> >> the hw_random API for supplying the kernel entropy pool.
> >>
> >> +config CRYPTO_DEV_FSL_CAAM_BLOB_GEN
> >> + bool
> >> +
> >> endif # CRYPTO_DEV_FSL_CAAM_JR
> >>
> >> endif # CRYPTO_DEV_FSL_CAAM
> >> diff --git a/drivers/crypto/caam/Makefile
> >> b/drivers/crypto/caam/Makefile index 3570286eb9ce..25f7ae5a4642
> >> 100644
> >> --- a/drivers/crypto/caam/Makefile
> >> +++ b/drivers/crypto/caam/Makefile
> >> @@ -21,6 +21,7 @@ caam_jr-
> $(CONFIG_CRYPTO_DEV_FSL_CAAM_CRYPTO_API_QI)
> >> += caamalg_qi.o
> >> caam_jr-$(CONFIG_CRYPTO_DEV_FSL_CAAM_AHASH_API) += caamhash.o
> >> caam_jr-$(CONFIG_CRYPTO_DEV_FSL_CAAM_RNG_API) += caamrng.o
> >> caam_jr-$(CONFIG_CRYPTO_DEV_FSL_CAAM_PKC_API) += caampkc.o
> >> pkc_desc.o
> >> +caam_jr-$(CONFIG_CRYPTO_DEV_FSL_CAAM_BLOB_GEN) += blob_gen.o
> >>
> >> caam-$(CONFIG_CRYPTO_DEV_FSL_CAAM_CRYPTO_API_QI) += qi.o ifneq
> >> ($(CONFIG_CRYPTO_DEV_FSL_CAAM_CRYPTO_API_QI),)
> >> diff --git a/drivers/crypto/caam/blob_gen.c
> >> b/drivers/crypto/caam/blob_gen.c new file mode 100644 index
> >> 000000000000..513d3f90e438
> >> --- /dev/null
> >> +++ b/drivers/crypto/caam/blob_gen.c
> >> @@ -0,0 +1,230 @@
> >> +// SPDX-License-Identifier: GPL-2.0-only
> >> +/*
> >> + * Copyright (C) 2015 Pengutronix, Steffen Trumtrar
> >> +<kernel@xxxxxxxxxxxxxx>
> >> + * Copyright (C) 2021 Pengutronix, Ahmad Fatoum
> >> +<kernel@xxxxxxxxxxxxxx> */
> >> +
> >> +#include <linux/device.h>
> >> +#include <soc/fsl/caam-blob.h>
> >> +
> >> +#include "compat.h"
> >> +#include "desc_constr.h"
> >> +#include "desc.h"
> >> +#include "error.h"
> >> +#include "intern.h"
> >> +#include "jr.h"
> >> +#include "regs.h"
> >> +
> >> +struct caam_blob_priv {
> >> + struct device jrdev;
> >> +};
> >> +
> >> +struct caam_blob_job_result {
> >> + int err;
> >> + struct completion completion;
> >> +};
> >> +
> >> +static void caam_blob_job_done(struct device *dev, u32 *desc, u32
> >> +err, void *context) {
> >> + struct caam_blob_job_result *res = context;
> >> + int ecode = 0;
> >> +
> >> + dev_dbg(dev, "%s %d: err 0x%x\n", __func__, __LINE__, err);
> >> +
> >> + if (err)
> >> + ecode = caam_jr_strstatus(dev, err);
> >> +
> >> + res->err = ecode;
> >> +
> >> + /*
> >> + * Upon completion, desc points to a buffer containing a CAAM job
> >> + * descriptor which encapsulates data into an externally-storable
> >> + * blob.
> >> + */
> >> + complete(&res->completion);
> >> +}
> >> +
> >> +static u32 *caam_blob_alloc_desc(size_t keymod_len) {
> >> + size_t len;
> >> +
> >> + /* header + (key mod immediate) + 2x pointers + op */
> >> + len = 4 + (4 + ALIGN(keymod_len, 4)) + 2*(4 + 4 +
> >> + CAAM_PTR_SZ_MAX) + 4;
> >
> > Nit: the amount of magic numbers is overwhelming here. I neither
> > understand the statement nor how that comment should help me to
> understand it.
>
> header = 4
> (key mod immediate) = (4 + ALIGN(keymod_len, 4))
> 2x pointer = 2 * (4 + 4 + CAAM_PTR_SZ_MAX)
> op = 4
Instead of the function caam_blob_alloc_desc(), it will be great if the caller functions caam_encap_blob()/caam_encap_blob (), could add local array:
uint32_t desc[CAAM_DESC_BYTES_MAX];
>
> I haven't heard back from the CAAM maintainers yet since v1. Perhaps now is a
> good occasion to chime in? :-)
>
> @Jarkko, could you take a look at patch 5? That's the gist of the series and I
> have yet to get maintainer feedback on that one.
>
> Cheers,
> Ahmad
>
>
> >
> > BR, Jarkko
> >
>
>
> --
> Pengutronix e.K. | |
> Steuerwalder Str. 21 |
> https://eur01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.pen
> gutronix.de%2F&data=04%7C01%7Cpankaj.gupta%40nxp.com%7Cc97e9d4
> aaf304124407908d9f6e87101%7C686ea1d3bc2b4c6fa92cd99c5c301635%7C0%
> 7C0%7C637812300459173929%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wL
> jAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&s
> data=CvnfIXR68DPRCaYrOYQKSv2eSBSNSSJYx2BQJee4yLg%3D&reserved=0
> |
> 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 |
> Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
