[PATCH v7 00/17] Hardware wrapped key support for QCom ICE and UFS core
From: Bartosz Golaszewski
Date: Fri Oct 11 2024 - 14:56:40 EST
The preferred solution to the HWKM configuration issue seems to be
using a module param so this is what I did in this iteration.
Hardware-wrapped keys are encrypted keys that can only be unwrapped
(decrypted) and used by hardware - either by the inline encryption
hardware itself, or by a dedicated hardware block that can directly
provision keys to the inline encryption hardware. For more details,
please see patches 1-3 in this series which extend the inline encryption
docs with more information.
This series adds support for wrapped keys to the block layer, fscrypt
and then build upwards from there by implementing relevant callbacks in
QCom SCM driver, then the ICE driver and finally in UFS core and QCom
layer.
Tested on sm8650-qrd.
How to test:
Use the wip-wrapped-keys branch from https://github.com/ebiggers/fscryptctl
to build a custom fscryptctl that supports generating wrapped keys.
Enable the following config options:
CONFIG_BLK_INLINE_ENCRYPTION=y
CONFIG_QCOM_INLINE_CRYPTO_ENGINE=m
CONFIG_FS_ENCRYPTION_INLINE_CRYPT=y
CONFIG_SCSI_UFS_CRYPTO=y
$ mkfs.ext4 -F -O encrypt,stable_inodes /dev/disk/by-partlabel/userdata
$ mount /dev/disk/by-partlabel/userdata -o inlinecrypt /mnt
$ fscryptctl generate_hw_wrapped_key /dev/disk/by-partlabel/userdata > /mnt/key.longterm
$ fscryptctl prepare_hw_wrapped_key /dev/disk/by-partlabel/userdata < /mnt/key.longterm > /tmp/key.ephemeral
$ KEYID=$(fscryptctl add_key --hw-wrapped-key < /tmp/key.ephemeral /mnt)
$ rm -rf /mnt/dir
$ mkdir /mnt/dir
$ fscryptctl set_policy --hw-wrapped-key --iv-ino-lblk-64 "$KEYID" /mnt/dir
$ dmesg > /mnt/dir/test.txt
$ sync
Reboot the board
$ mount /dev/disk/by-partlabel/userdata -o inlinecrypt /mnt
$ ls /mnt/dir
$ fscryptctl prepare_hw_wrapped_key /dev/disk/by-partlabel/userdata < /mnt/key.longterm > /tmp/key.ephemeral
$ KEYID=$(fscryptctl add_key --hw-wrapped-key < /tmp/key.ephemeral /mnt)
$ fscryptctl set_policy --hw-wrapped-key --iv-ino-lblk-64 "$KEYID" /mnt/dir
$ cat /mnt/dir/test.txt # File should now be decrypted
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@xxxxxxxxxx>
---
Changes in v7:
- use a module param in conjunction with checking the platform support
at run-time to determine whether to use wrapped keys in the ICE driver
- various minor refactorings, replacing magic numbers with defines etc.
- fix kernel doc issues raised by autobuilders
- Link to v6: https://lore.kernel.org/r/20240906-wrapped-keys-v6-0-d59e61bc0cb4@xxxxxxxxxx
Changes in v6:
- add the wrapped key support from Eric Biggers to the series
- remove the new DT property from the series and instead query the
at run-time rustZone to find out if wrapped keys are supported
- make the wrapped key support into a UFS capability, not a quirk
- improve kerneldocs
- improve and rework coding style in most patches
- improve and reformat commit messages
- simplify the offset calculation for CRYPTOCFG
- split out the DTS changes into a separate series
---
Bartosz Golaszewski (1):
firmware: qcom: scm: add a call for checking wrapped key support
Eric Biggers (4):
blk-crypto: add basic hardware-wrapped key support
blk-crypto: show supported key types in sysfs
blk-crypto: add ioctls to create and prepare hardware-wrapped keys
fscrypt: add support for hardware-wrapped keys
Gaurav Kashyap (12):
ice, ufs, mmc: use the blk_crypto_key struct when programming the key
firmware: qcom: scm: add a call for deriving the software secret
firmware: qcom: scm: add calls for creating, preparing and importing keys
soc: qcom: ice: add HWKM support to the ICE driver
soc: qcom: ice: add support for hardware wrapped keys
soc: qcom: ice: add support for generating, importing and preparing keys
ufs: core: add support for wrapped keys to UFS core
ufs: core: add support for deriving the software secret
ufs: core: add support for generating, importing and preparing keys
ufs: host: add support for wrapped keys in QCom UFS
ufs: host: add a callback for deriving software secrets and use it
ufs: host: add support for generating, importing and preparing wrapped keys
Documentation/ABI/stable/sysfs-block | 18 +
Documentation/block/inline-encryption.rst | 245 +++++++++++++-
Documentation/filesystems/fscrypt.rst | 154 ++++++++-
Documentation/userspace-api/ioctl/ioctl-number.rst | 2 +
block/blk-crypto-fallback.c | 5 +-
block/blk-crypto-internal.h | 10 +
block/blk-crypto-profile.c | 103 ++++++
block/blk-crypto-sysfs.c | 35 ++
block/blk-crypto.c | 194 ++++++++++-
block/ioctl.c | 5 +
drivers/firmware/qcom/qcom_scm.c | 233 +++++++++++++
drivers/firmware/qcom/qcom_scm.h | 4 +
drivers/md/dm-table.c | 1 +
drivers/mmc/host/cqhci-crypto.c | 9 +-
drivers/mmc/host/cqhci.h | 2 +
drivers/mmc/host/sdhci-msm.c | 6 +-
drivers/soc/qcom/ice.c | 365 ++++++++++++++++++++-
drivers/ufs/core/ufshcd-crypto.c | 86 ++++-
drivers/ufs/host/ufs-qcom.c | 61 +++-
fs/crypto/fscrypt_private.h | 71 +++-
fs/crypto/hkdf.c | 4 +-
fs/crypto/inline_crypt.c | 44 ++-
fs/crypto/keyring.c | 124 +++++--
fs/crypto/keysetup.c | 54 ++-
fs/crypto/keysetup_v1.c | 5 +-
fs/crypto/policy.c | 11 +-
include/linux/blk-crypto-profile.h | 73 +++++
include/linux/blk-crypto.h | 75 ++++-
include/linux/firmware/qcom/qcom_scm.h | 8 +
include/soc/qcom/ice.h | 18 +-
include/uapi/linux/blk-crypto.h | 44 +++
include/uapi/linux/fs.h | 6 +-
include/uapi/linux/fscrypt.h | 7 +-
include/ufs/ufshcd.h | 21 ++
34 files changed, 1968 insertions(+), 135 deletions(-)
---
base-commit: eae80d86fb04e37032e5bdaec64e0b70316d11ae
change-id: 20240802-wrapped-keys-eea0032fbfed
Best regards,
--
Bartosz Golaszewski <bartosz.golaszewski@xxxxxxxxxx>