Re: [PATCH v4 4/5] crypto: caam - add in-kernel interface for blob generator
From: Ahmad Fatoum <a.fatoum@pengutronix.de>
Date: 2021-12-13 10:41:30
Hello Jarkko,

On 05.12.21 01:18, Jarkko Sakkinen wrote:
> On Mon, Oct 11, 2021 at 12:02:37PM +0200, Ahmad Fatoum wrote:
>> The CAAM can be used to protect user-defined data across system reboot:
>>
>> - When the system is fused and boots into secure state, the master key is a unique never-disclosed device-specific key
>> - random key is encrypted by key derived from master key
>> - data is encrypted using the random key
>> - encrypted data and its encrypted random key are stored alongside
>> - This blob can now be safely stored in non-volatile memory
>>
>> On next power-on:
>>
>> - blob is loaded into CAAM
>> - CAAM writes decrypted data either into memory or key register
>>
>> Add functions to realize encrypting and decrypting into memory alongside the CAAM driver. They will be used in a later commit as a source for the trusted key seal/unseal mechanism.
>>
>> Reviewed-by: David Gstir <david@sigma-star.at>
>> Tested-By: Tim Harvey <tharvey@gateworks.com>
>> Signed-off-by: Steffen Trumtrar <redacted>
>> Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
>
> What is CAAM? This is missing.
That's Crypto Accelerator on NXP SoCs. There is a description in the cover letter and in the follow-up patch wiring this into the new trusted key source. I didn't elaborate on this here as this patch touches drivers/crypto/caam and I assumed familiarity.

For v5, I can add some extra info:

"The NXP Cryptographic Acceleration and Assurance Module (CAAM) can be used to protect user-defined data across system reboot..."

Sounds good?

Does the last patch in the series look ok to you?

Cheers,
Ahmad
> /Jarkko
--
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |
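To make the blob structure described in the quoted commit message concrete, here is a software model added for illustration; it is not the CAAM driver's code nor CAAM's actual algorithms (CAAM does the wrapping in hardware), and it substitutes HMAC-SHA256 from Python's standard library for the keystream and integrity tag. The function names blob_encap/blob_decap, the labels and the blob layout are assumptions of this model, chosen to mirror the steps listed in the commit message: a key-encryption key derived from the master key, a fresh random key wrapped under it, data encrypted under the random key, and both ciphertexts stored alongside each other.

```python
import hashlib
import hmac
import os
import struct

KEY_LEN = 32   # length of the random blob key (model choice)
TAG_LEN = 32   # HMAC-SHA256 tag length


def _keystream_xor(key: bytes, label: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher: XOR data with HMAC(key, "enc"|label|counter) blocks."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, b"enc" + label + struct.pack(">I", i // 32), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def _seal(key: bytes, label: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under one key; the label separates key-wrap from data use."""
    ct = _keystream_xor(key, label, plaintext)
    return ct + hmac.new(key, b"mac" + label + ct, hashlib.sha256).digest()


def _unseal(key: bytes, label: bytes, sealed: bytes) -> bytes:
    """Verify the tag first (constant-time compare), then decrypt."""
    if len(sealed) < TAG_LEN:
        raise ValueError("blob too short")
    ct, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, b"mac" + label + ct, hashlib.sha256).digest()):
        raise ValueError("blob integrity check failed")
    return _keystream_xor(key, label, ct)


def blob_encap(master_key: bytes, data: bytes, rng=os.urandom) -> bytes:
    """Model of encapsulation: derive a key-encryption key from the master key,
    wrap a fresh random key under it, encrypt the data under the random key,
    and return both ciphertexts concatenated as the blob (layout is a model choice)."""
    kek = hmac.new(master_key, b"blob-kek", hashlib.sha256).digest()
    blob_key = rng(KEY_LEN)
    return _seal(kek, b"key", blob_key) + _seal(blob_key, b"data", data)


def blob_decap(master_key: bytes, blob: bytes) -> bytes:
    """Model of decapsulation: only the same master key unwraps the random key,
    which then decrypts the data; a tampered or foreign blob raises ValueError."""
    kek = hmac.new(master_key, b"blob-kek", hashlib.sha256).digest()
    split = KEY_LEN + TAG_LEN
    blob_key = _unseal(kek, b"key", blob[:split])
    return _unseal(blob_key, b"data", blob[split:])
```

The model shows the property the trusted-key source relies on: a blob produced on one device (master key) cannot be opened with another, and any modification of the stored blob is rejected before plaintext is released.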