Winkler, Tomas [off-list ref] writes:

quoted

quoted

"Winkler, Tomas" [off-list ref] writes:

quoted

quoted

The user space API is achieved via a number of synchronous IOCTLs.

  * RPMB_IOC_VER_CMD - simple versioning API
  * RPMB_IOC_CAP_CMD - query of underlying capabilities
  * RPMB_IOC_PKEY_CMD - one time programming of access key
  * RPMB_IOC_COUNTER_CMD - query the write counter
  * RPMB_IOC_WBLOCKS_CMD - write blocks to device
  * RPMB_IOC_RBLOCKS_CMD - read blocks from device

The keys used for programming and writing blocks to the device are
key_serial_t handles as provided by the keyctl() interface.

[AJB: here there are two key differences between this and the
original proposal. The first is the dropping of the sequence of
preformated frames in favour of explicit actions. The second is
the introduction of key_serial_t and the keyring API for
referencing the key to use]

Putting it gently I'm not sure this is good idea, from the security
point of

view.

quoted

The key has to be possession of the one that signs the frames as
they are,

it doesn't mean it is linux kernel keyring, it can be other party on
different system.

quoted

With this approach you will make the other usecases not applicable.
It is less then trivial to move key securely from one system to another.

OK I can understand the desire for such a use-case but it does
constrain the interface on the kernel with access to the hardware to
purely providing a pipe to the raw hardware while also having to
expose the details of the HW to userspace.

This is the use case in Android. The key is in the "trusty" which
different os running in a virtual environment. The file storage
abstraction is implemented there. I'm not sure the point of
constraining the kernel, can you please elaborate on that.

Well the kernel is all about abstracting differences not baking in assumptions.
However can I ask a bit more about this security model?
Is the secure enclave just a separate userspace process or is it in a separate
virtual machine? Is it accessible at all by the kernel running the driver?

It's not an assumption this is working for few years already (https://source.android.com/security/trusty#application_services) 
The model is that you have a trusted environment (TEE)  in which can be in any of the form you described above.
And there is established agreement via the RPMB key that TEE is only entity that can produce content to be stored on RPBM,
The RPMB hardware also ensure that nobody can catch it in the middle and replay that storage event. 

My point is that interface you are suggesting is not covering all possible usages of RPMB, actually usages that are already in place.

The fact that key id is passed down into the kernel doesn't have to imply the
kernel does the final cryptographic operation. In the ARM world you could
make a call to the secure world to do the operation for you. I note the
keyctl() interface already has support for going to userspace to make queries
of the keyring.  Maybe what is really needed is an abstraction for the kernel
to delegate the MAC calculation to some other trusted process that also
understands the keyid.

Sure but that you want need to make sure that the entity that creates the content has the right to use this specific key, so you will need to create another channel of trust. 
And this trust has to be established somewhere at the manufacturing time. 

quoted

Also doesn't this break down after a PROGRAM_KEY event as

quoted

the key will have had to traverse into the "untrusted" kernel?

This is one in a life event of the card happening on the manufacturing
floor, maybe even not performed on Linux.

In an off list conversation it was suggested that maybe the PROGRAM_KEY
ioctl should be disabled for locked down kernels to dissuade production use
of the facility (it is handy for testing t

This is really protected by the hardware,  also once you are programming key your platform would be rather sealed already at least it's TEE environment, as this is the other part that knows the key.

quoted

quoted

I wonder if virtio-rpmb may be of help here? You could wrap up up the
front- end in the security domain that has the keys although I don't
know how easy it would be for a backend to work with real hardware?

I'm open to see any proposal, not sure I can wrap may head about it right

now.

quoted

Anyway I was about to send the new round of my code,  but let's come to

common ground first.

quoted

OK - I'll see what the others say.

--
Alex Bennée