Minki/linux
1
0
Fork 1
mirror of https://github.com/torvalds/linux.git synced 2024-11-21 19:41:42 +00:00
Code Issues Packages Projects Releases Wiki Activity
2e8a0f40a3
linux/include/keys
History
David Gstir 2e8a0f40a3 KEYS: trusted: Introduce NXP DCP-backed trusted keys 
DCP (Data Co-Processor) is the little brother of NXP's CAAM IP.
Beside of accelerated crypto operations, it also offers support for
hardware-bound keys. Using this feature it is possible to implement a blob
mechanism similar to what CAAM offers. Unlike on CAAM, constructing and
parsing the blob has to happen in software (i.e. the kernel).

The software-based blob format used by DCP trusted keys encrypts
the payload using AES-128-GCM with a freshly generated random key and nonce.
The random key itself is AES-128-ECB encrypted using the DCP unique
or OTP key.

The DCP trusted key blob format is:
/*
 * struct dcp_blob_fmt - DCP BLOB format.
 *
 * @fmt_version: Format version, currently being %1
 * @blob_key: Random AES 128 key which is used to encrypt @payload,
 *            @blob_key itself is encrypted with OTP or UNIQUE device key in
 *            AES-128-ECB mode by DCP.
 * @nonce: Random nonce used for @payload encryption.
 * @payload_len: Length of the plain text @payload.
 * @payload: The payload itself, encrypted using AES-128-GCM and @blob_key,
 *           GCM auth tag of size AES_BLOCK_SIZE is attached at the end of it.
 *
 * The total size of a DCP BLOB is sizeof(struct dcp_blob_fmt) + @payload_len +
 * AES_BLOCK_SIZE.
 */
struct dcp_blob_fmt {
	__u8 fmt_version;
	__u8 blob_key[AES_KEYSIZE_128];
	__u8 nonce[AES_KEYSIZE_128];
	__le32 payload_len;
	__u8 payload[];
} __packed;

By default the unique key is used. It is also possible to use the
OTP key. While the unique key should be unique it is not documented how
this key is derived. Therefore selection the OTP key is supported as
well via the use_otp_key module parameter.

Co-developed-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Richard Weinberger <richard@nod.at>
Co-developed-by: David Oberhollenzer <david.oberhollenzer@sigma-star.at>
Signed-off-by: David Oberhollenzer <david.oberhollenzer@sigma-star.at>
Signed-off-by: David Gstir <david@sigma-star.at>
Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
2024-05-09 18:29:03 +03:00
..
asymmetric-parser.h KEYS: Add forward declaration in asymmetric-parser.h 2023-06-23 16:15:37 +08:00
asymmetric-subtype.h docs: crypto: convert asymmetric-keys.txt to ReST 2020-06-19 14:03:46 -06:00
asymmetric-type.h certs: Move load_certificate_list() to be with the asymmetric keys code 2022-06-21 16:05:06 +01:00
big_key-type.h keys: Implement update for the big_key type 2020-06-02 17:22:31 +01:00
ceph-type.h
dns_resolver-type.h
encrypted-type.h encrypted-keys: Replace HTTP links with HTTPS ones 2021-01-21 16:16:09 +00:00
keyring-type.h
request_key_auth-type.h request_key improvements 2019-07-08 19:19:37 -07:00
rxrpc-type.h rxrpc: Don't leak the service-side session key to userspace 2020-11-23 18:09:29 +00:00
system_keyring.h integrity: PowerVM support for loading third party code signing keys 2023-08-17 20:12:35 +00:00
trusted_caam.h KEYS: trusted: Introduce support for NXP CAAM-based trusted keys 2022-05-23 18:47:50 +03:00
trusted_dcp.h KEYS: trusted: Introduce NXP DCP-backed trusted keys 2024-05-09 18:29:03 +03:00
trusted_tee.h KEYS: trusted: Introduce TEE based Trusted Keys 2021-04-14 16:30:30 +03:00
trusted_tpm.h KEYS: trusted: Add generic trusted keys framework 2021-04-14 16:30:30 +03:00
trusted-type.h KEYS: trusted: allow use of kernel RNG for key material 2022-05-23 18:47:50 +03:00
user-type.h KEYS: Replace zero-length array with flexible-array 2020-06-02 17:22:31 +01:00