Message ID | 20231122053817.3401748-1-quic_gaurkash@quicinc.com |
---|---|
Series | Hardware wrapped key support for qcom ice and ufs |
Hi Gaurav,

On 22/11/2023 06:38, Gaurav Kashyap wrote:
> These are the third iteration of patches that add support to Qualcomm ICE
> (Inline Crypto Engine) for hardware wrapped keys using Qualcomm Hardware
> Key Manager (HWKM)
>
> These patches do the following:
> - Address comments from v2 (Found here: https://lore.kernel.org/all/20230719170423.220033-1-quic_gaurkash@quicinc.com/)
> - Rebased and tested on top of Eric's latest patchset: https://lore.kernel.org/all/20231104211259.17448-1-ebiggers@kernel.org/
> - Rebased and tested on top of SM8650 patches from Linaro: https://lore.kernel.org/all/?q=sm8650
>
> Information about patches copied over from v2:
>
> "
> Explanation and use of hardware-wrapped-keys can be found here:
> Documentation/block/inline-encryption.rst
>
> This patch is organized as follows:
>
> Patch 1 - Prepares ICE and storage layers (UFS and EMMC) to pass around wrapped keys.
> Patch 2 - Adds a new SCM api to support deriving software secret when wrapped keys are used
> Patch 3-4 - Adds support for wrapped keys in the ICE driver. This includes adding HWKM support
> Patch 5-6 - Adds support for wrapped keys in UFS
> Patch 7-10 - Supports generate, prepare and import functionality in ICE and UFS
>
> NOTE: MMC will have similar changes to UFS and will be uploaded in a different patchset
> Patch 3, 4, 8, 10 will have MMC equivalents.
> "
>
> Testing:
> Test platform: SM8650 MTP
>
> The changes were tested by mounting initramfs and running the fscryptctl
> tool (Ref: https://github.com/ebiggers/fscryptctl/tree/wip-wrapped-keys) to
> generate and prepare keys, as well as to set policies on folders, which
> consequently invokes disk encryption flows through UFS.
>
> Tested both standard and wrapped keys (Removing qcom,ice-use-hwkm from dtsi will support using standard keys)
>
> Steps to test:
>
> The following configs were enabled:
> CONFIG_BLK_INLINE_ENCRYPTION=y
> CONFIG_QCOM_INLINE_CRYPTO_ENGINE=m
> CONFIG_FS_ENCRYPTION_INLINE_CRYPT=y
> CONFIG_SCSI_UFS_CRYPTO=y
>
> Flash boot image, boot to shell and run the following commands
>
> Creating and preparing keys
> - mkfs.ext4 -F -O encrypt,stable_inodes /dev/disk/by-partlabel/userdata
> - mount /dev/disk/by-partlabel/userdata -o inlinecrypt /mnt
> - ./fscryptctl generate_hw_wrapped_key /dev/disk/by-partlabel/userdata > /mnt/key.longterm
> Note: import_hw_wrapped_key currently has a bug which just got fixed, so it will be functional in the next SM8650 release
> (It might already be available by the time the boards are available to the public)
> - ./fscryptctl prepare_hw_wrapped_key /dev/disk/by-partlabel/userdata < /mnt/key.longterm > /tmp/key.ephemeral
> - ./fscryptctl add_key --hw-wrapped-key < /tmp/key.ephemeral /mnt
>
> Create a folder and associate created keys with the folder
> - rm -rf /mnt/dir
> - mkdir /mnt/dir
> - ./fscryptctl set_policy --hw-wrapped-key --iv-ino-lblk-64 "$keyid" /mnt/dir
> - dmesg > /mnt/dir/test.txt
> - sync
>
> - Reboot
> - mount /dev/disk/by-partlabel/userdata -o inlinecrypt /mnt
> - ls /mnt/dir (You should see an encrypted file)
> - ./fscryptctl prepare_hw_wrapped_key /dev/disk/by-partlabel/userdata < /mnt/key.longterm > /tmp/key.ephemeral
> - ./fscryptctl add_key --hw-wrapped-key < /tmp/key.ephemeral /mnt
> - cat /mnt/dir/test.txt

I successfully tested with those instructions on the SM8650 QRD,

Tested-by: Neil Armstrong <neil.armstrong@linaro.org> # on SM8650-QRD

however I got some build errors on sdhci-msm:

drivers/mmc/host/sdhci-msm.c:1862:19: error: ‘blk_crypto_key_type’ defined as wrong kind of tag
 1862 |                  const struct blk_crypto_key_type *bkey,
      |                               ^~~~~~~~~~~~~~~~~~~
drivers/mmc/host/sdhci-msm.c:1862:19: warning: ‘struct blk_crypto_key_type’ declared inside parameter list will not be visible outside of this definition or declaration
drivers/mmc/host/sdhci-msm.c: In function ‘sdhci_msm_program_key’:
drivers/mmc/host/sdhci-msm.c:1882:24: error: passing argument 4 of ‘qcom_ice_program_key’ from incompatible pointer type [-Werror=incompatible-pointer-types]
 1882 |                       ice_key_size, bkey,
      |                                     ^~~~
      |                                     |
      |                                     const struct blk_crypto_key_type *
In file included from drivers/mmc/host/sdhci-msm.c:21:
include/soc/qcom/ice.h:35:34: note: expected ‘const struct blk_crypto_key *’ but argument is of type ‘const struct blk_crypto_key_type *’
   35 |                          const struct blk_crypto_key *bkey,
      |                          ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^~~~
drivers/mmc/host/sdhci-msm.c: At top level:
drivers/mmc/host/sdhci-msm.c:1993:17: error: initialization of ‘int (*)(struct cqhci_host *, const struct blk_crypto_key *, const union cqhci_crypto_cfg_entry *, int)’ from incompatible pointer type ‘int (*)(struct cqhci_host *, const struct blk_crypto_key_type *, const union cqhci_crypto_cfg_entry *, int)’ [-Werror=incompatible-pointer-types]
 1993 |                 .program_key = sdhci_msm_program_key,
      |                 ^~~~~~~~~~~~~~~~~~~~~
drivers/mmc/host/sdhci-msm.c:1993:17: note: (near initialization for ‘sdhci_msm_cqhci_ops.program_key’)

Thanks,
Neil

>
> Gaurav Kashyap (12):
>   ice, ufs, mmc: use blk_crypto_key for program_key
>   qcom_scm: scm call for deriving a software secret
>   soc: qcom: ice: add hwkm support in ice
>   soc: qcom: ice: support for hardware wrapped keys
>   ufs: core: support wrapped keys in ufs core
>   ufs: host: wrapped keys support in ufs qcom
>   qcom_scm: scm call for create, prepare and import keys
>   ufs: core: add support for generate, import and prepare keys
>   soc: qcom: support for generate, import and prepare key
>   ufs: host: support for generate, import and prepare key
>   arm64: dts: qcom: sm8650: add hwkm support to ufs ice
>   dt-bindings: crypto: ice: document the hwkm property
>
>  .../crypto/qcom,inline-crypto-engine.yaml |   7 +
>  arch/arm64/boot/dts/qcom/sm8650.dtsi      |   3 +-
>  drivers/firmware/qcom/qcom_scm.c          | 276 +++++++++++++++
>  drivers/firmware/qcom/qcom_scm.h          |   4 +
>  drivers/mmc/host/cqhci-crypto.c           |   7 +-
>  drivers/mmc/host/cqhci.h                  |   2 +
>  drivers/mmc/host/sdhci-msm.c              |   6 +-
>  drivers/soc/qcom/ice.c                    | 321 +++++++++++++++++-
>  drivers/ufs/core/ufshcd-crypto.c          |  87 ++++-
>  drivers/ufs/host/ufs-qcom.c               |  61 +++-
>  include/linux/firmware/qcom/qcom_scm.h    |   7 +
>  include/soc/qcom/ice.h                    |  18 +-
>  include/ufs/ufshcd.h                      |  22 ++
>  13 files changed, 784 insertions(+), 37 deletions(-)
>