RE: [EXT] Re: [PATCH v0 3/8] crypto: hbk flags & info added to the tfm
From: Pankaj Gupta <pankaj.gupta@nxp.com>
Date: 2022-10-10 11:15:19
Also in:
keyrings, linux-crypto, linux-integrity, lkml
-----Original Message----- From: Herbert Xu <herbert@gondor.apana.org.au> Sent: Friday, October 7, 2022 12:28 PM To: Pankaj Gupta <pankaj.gupta@nxp.com> Cc: jarkko@kernel.org; a.fatoum@pengutronix.de; gilad@benyossef.com; Jason@zx2c4.com; jejb@linux.ibm.com; zohar@linux.ibm.com; dhowells@redhat.com; sumit.garg@linaro.org; david@sigma-star.at; michael@walle.cc; john.ernberg@actia.se; jmorris@namei.org; serge@hallyn.com; davem@davemloft.net; j.luebbe@pengutronix.de; ebiggers@kernel.org; richard@nod.at; keyrings@vger.kernel.org; linux- crypto@vger.kernel.org; linux-integrity@vger.kernel.org; linux- kernel@vger.kernel.org; linux-security-module@vger.kernel.org; Sahil Malhotra [off-list ref]; Kshitiz Varshney [off-list ref]; Horia Geanta [off-list ref]; Varun Sethi [off-list ref] Subject: [EXT] Re: [PATCH v0 3/8] crypto: hbk flags & info added to the tfm Caution: EXT Email On Thu, Oct 06, 2022 at 06:38:32PM +0530, Pankaj Gupta wrote:quoted
Consumer of the kernel crypto api, after allocating the transformation (tfm), sets the: - flag 'is_hbk' - structure 'struct hw_bound_key_info hbk_info' based on the type of key, the consumer is using. This helps: - This helps to influence the core processing logic for the encapsulated algorithm. - This flag is set by the consumer after allocating the tfm and before calling the function crypto_xxx_setkey(). Signed-off-by: Pankaj Gupta <pankaj.gupta@nxp.com> --- include/linux/crypto.h | 5 +++++ 1 file changed, 5 insertions(+)Nack. You still have not provided a convincing argument why this is necessary since there are plenty of existing drivers in the kernel already providing similar features.
CAAM is used as a trusted source for trusted keyring. CAAM can expose these keys either as plain key or HBK(hardware bound key- managed by the hardware only and never visible in plain outside of hardware). Thus, Keys that are inside CAAM-backed-trusted-keyring, can either be plain key or HBK. So the trusted-key-payload requires additional flag & info(key-encryption-protocol) to help differentiate it from each other. Now when CAAM trusted-key is presented to the kernel crypto framework, the additional information associated with the key, needs to be passed to the hardware driver. Currently the kernel keyring and kernel crypto frameworks are associated for plain key, but completely dis-associated for HBK. This patch addresses this problem. Similar capabilities (trusted source), are there in other crypto accelerators on NXP SoC(s). Having hardware specific crypto algorithm name, does not seems to be a scalable solution.
Cheers, -- Email: Herbert Xu [off-list ref] Home Page: https://eur01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fgondor.ap ana.org.au%2F~herbert%2F&data=05%7C01%7Cpankaj.gupta%40nxp.com %7C33055110772a4d4bb97508daa8317e93%7C686ea1d3bc2b4c6fa92cd99c5c3 01635%7C0%7C0%7C638007227793511347%7CUnknown%7CTWFpbGZsb3d8ey JWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C 3000%7C%7C%7C&sdata=H0fzzxQhsV%2FyPphBAHBDmzQfTFnjDE7jYstTM ok%2F09I%3D&reserved=0 PGP Key: https://eur01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fgondor.ap ana.org.au%2F~herbert%2Fpubkey.txt&data=05%7C01%7Cpankaj.gupta%4 0nxp.com%7C33055110772a4d4bb97508daa8317e93%7C686ea1d3bc2b4c6fa9 2cd99c5c301635%7C0%7C0%7C638007227793667554%7CUnknown%7CTWFpb GZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6M n0%3D%7C3000%7C%7C%7C&sdata=SclJ9G7jBWhOW%2Fm3Gt0jP1oicqVp 5ghH%2BDT8Vd5maag%3D&reserved=0