Re: [PATCH v11 0/7] Support for hardware-wrapped inline encryption keys

From: Bartosz Golaszewski
Date: Tue Feb 04 2025 - 05:43:12 EST

Next message: Rabara, Niravkumar L: "RE: [PATCH v2 1/3] mtd: rawnand: cadence: support deferred prob when DMA is not ready"
Previous message: Paolo Abeni: "Re: [PATCH net-next v3 08/10] net: pktgen: fix access outside of user given buffer in pktgen_if_write()"
In reply to: Eric Biggers: "[PATCH v11 6/7] soc: qcom: ice: add HWKM support to the ICE driver"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, Feb 4, 2025 at 7:03 AM Eric Biggers <ebiggers@xxxxxxxxxx> wrote:
>
> This patchset is based on v6.14-rc1 and is also available at:
>
> git fetch https://git.kernel.org/pub/scm/fs/fscrypt/linux.git wrapped-keys-v11
>
> This patchset adds support for hardware-wrapped inline encryption keys,
> a security feature supported by some SoCs. It adds the block and
> fscrypt framework for the feature as well as support for it with UFS on
> Qualcomm SoCs.
>
> This feature is described in full detail in the included Documentation
> changes. But to summarize, hardware-wrapped keys are inline encryption
> keys that are wrapped (encrypted) by a key internal to the hardware so
> that they can only be unwrapped (decrypted) by the hardware. Initially
> keys are wrapped with a permanent hardware key, but during actual use
> they are re-wrapped with a per-boot ephemeral key for improved security.
> The hardware supports importing keys as well as generating keys itself.
>
> This differs from the existing support for hardware-wrapped keys in the
> kernel crypto API (also called "hardware-bound keys" in some places) in
> the same way that the crypto API differs from blk-crypto: the crypto API
> is for general crypto operations, whereas blk-crypto is for inline
> storage encryption.
>
> This feature is already being used by Android downstream for several
> years
> (https://source.android.com/docs/security/features/encryption/hw-wrapped-keys),
> but on other platforms userspace support will be provided via fscryptctl
> and tests via xfstests. The tests have been merged into xfstests, and
> they pass on the SM8650 HDK with the upstream kernel plus this patchset.
>
> This is targeting 6.15. As per the suggestion from Jens
> (https://lore.kernel.org/linux-block/c3407d1c-6c5c-42ee-b446-ccbab1643a62@xxxxxxxxx/),
> I'd like patches 1-3 to be queued up into a branch that gets pulled into
> the block tree. I'll then take patches 4-7 through the fscrypt tree,
> also for 6.15. If I end up with too many merge conflicts by trying to
> take patches 5-7 (given that this is a cross-subsystem feature), my
> fallback plan will be to wait until 6.16 to land patches 5-7, when they
> will finally be unblocked by the block patches having landed.
>
> Changed in v11:
> - Rebased onto v6.14-rc1. Dropped the patches that were upstreamed in
> 6.14, and put the block patches first in the series again.
> - Significantly cleaned up the patch "soc: qcom: ice: add HWKM support
> to the ICE driver". Some of the notable changes were dropping the
> unnecessary support for HWKM v1, and replacing qcom_ice_using_hwkm()
> with qcom_ice_get_supported_key_type().
> - Consistently used and documented the EBADMSG error code for invalid
> hardware-wrapped keys.
> - Other minor cleanups.
>

Tested-by: Bartosz Golaszewski <bartosz.golaszewski@xxxxxxxxxx> # sm8650

Next message: Rabara, Niravkumar L: "RE: [PATCH v2 1/3] mtd: rawnand: cadence: support deferred prob when DMA is not ready"
Previous message: Paolo Abeni: "Re: [PATCH net-next v3 08/10] net: pktgen: fix access outside of user given buffer in pktgen_if_write()"
In reply to: Eric Biggers: "[PATCH v11 6/7] soc: qcom: ice: add HWKM support to the ICE driver"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]