On Tue, Oct 24, 2023 at 06:20:15PM +0200, David Gstir wrote:

DCP is capable of performing AES with two hardware-bound keys:

- The one-time programmable (OTP) key which is burnt via on-chip fuses
- The unique key (UK) which is derived from the OTP key

In addition to the two hardware-bound keys, DCP also supports
storing keys in 4 dedicated key slots within its secure memory area
(internal SRAM).

These keys are not stored in main memory and are therefore
not directly accessible by the operating system. To use them
for AES operations, a one-byte key reference has to supplied
with the DCP operation descriptor in the control register.

This adds support for using any of these 6 keys through the crypto API
via their key reference after they have been set up. The main purpose
is to add support for DCP-backed trusted keys. Other use cases are
possible too (see similar existing paes implementations), but these
should carefully be evaluated as e.g. enabling AF_ALG will give
userspace full access to use keys. In scenarios with untrustworthy
userspace, this will enable en-/decryption oracles.

Co-developed-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Richard Weinberger <richard@nod.at>
Co-developed-by: David Oberhollenzer <redacted>
Signed-off-by: David Oberhollenzer <redacted>
Signed-off-by: David Gstir <david@sigma-star.at>
---
 drivers/crypto/mxs-dcp.c | 104 ++++++++++++++++++++++++++++++++++-----
 include/soc/fsl/dcp.h    |  17 +++++++
 2 files changed, 110 insertions(+), 11 deletions(-)
 create mode 100644 include/soc/fsl/dcp.h

Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
-- 
Email: Herbert Xu [off-list ref]
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt