Message ID | 20240127232436.2632187-1-quic_gaurkash@quicinc.com |
---|---|
Headers | show |
Series | Hardware wrapped key support for qcom ice and ufs | expand |
On 28/01/2024 00:14, Gaurav Kashyap wrote: > The Inline Crypto Engine (ICE) for UFS/EMMC supports the > Hardware Key Manager (HWKM) to securely manage storage > keys. Enable using this hardware on sm8650. > > This requires two changes: > 1. Register size increase: HWKM is an additional piece of hardware > sitting alongside ICE, and extends the old ICE's register space. > 2. Explicitly tell the ICE driver to use HWKM with ICE so that > wrapped keys are used in sm8650. > > Signed-off-by: Gaurav Kashyap <quic_gaurkash@quicinc.com> > Reviewed-by: Om Prakash Singh <quic_omprsing@quicinc.com> > Tested-by: Neil Armstrong <neil.armstrong@linaro.org> > --- > arch/arm64/boot/dts/qcom/sm8650.dtsi | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/arch/arm64/boot/dts/qcom/sm8650.dtsi b/arch/arm64/boot/dts/qcom/sm8650.dtsi > index 2df77123a8c7..c27daf576af5 100644 > --- a/arch/arm64/boot/dts/qcom/sm8650.dtsi > +++ b/arch/arm64/boot/dts/qcom/sm8650.dtsi > @@ -2524,7 +2524,8 @@ &mc_virt SLAVE_EBI1 QCOM_ICC_TAG_ALWAYS>, > ice: crypto@1d88000 { > compatible = "qcom,sm8650-inline-crypto-engine", > "qcom,inline-crypto-engine"; > - reg = <0 0x01d88000 0 0x8000>; > + reg = <0 0x01d88000 0 0x10000>; > + qcom,ice-use-hwkm; Vendor properties go to the end. Please consult DTS coding style. Best regards, Krzysztof
On 28/01/2024 00:14, Gaurav Kashyap wrote: > When Qualcomm's Inline Crypto Engine (ICE) contains Hardware > Key Manager (HWKM), and the 'HWKM' mode is enabled, it > supports wrapped keys. However, this also requires firmware > support in Trustzone to work correctly, which may not be available > on all chipsets. In the above scenario, ICE needs to support standard > keys even though HWKM is integrated from a hardware perspective. > > Introducing this property so that Hardware wrapped key support > can be enabled/disabled from software based on chipset firmware, > and not just based on hardware version. > > Signed-off-by: Gaurav Kashyap <quic_gaurkash@quicinc.com> > Tested-by: Neil Armstrong <neil.armstrong@linaro.org> > --- > .../bindings/crypto/qcom,inline-crypto-engine.yaml | 10 ++++++++++ > 1 file changed, 10 insertions(+) > > diff --git a/Documentation/devicetree/bindings/crypto/qcom,inline-crypto-engine.yaml b/Documentation/devicetree/bindings/crypto/qcom,inline-crypto-engine.yaml > index 09e43157cc71..6415d7be9b73 100644 > --- a/Documentation/devicetree/bindings/crypto/qcom,inline-crypto-engine.yaml > +++ b/Documentation/devicetree/bindings/crypto/qcom,inline-crypto-engine.yaml > @@ -25,6 +25,16 @@ properties: > clocks: > maxItems: 1 > > + qcom,ice-use-hwkm: > + type: boolean > + description: > + Use the supported Hardware Key Manager (HWKM) in Qualcomm ICE > + to support wrapped keys. Having this entry helps scenarios where > + the ICE hardware supports HWKM, but the Trustzone firmware does > + not have the full capability to use this HWKM and support wrapped How does it help in this scenario? You enable this property, Trustzone does not support it, so what happens? Also, which SoCs have incomplete Trustzone support? I expect this to be a quirk, thus limited to specific SoCs with issues. Best regards, Krzysztof
On 29.01.2024 09:18, Krzysztof Kozlowski wrote: > On 28/01/2024 00:14, Gaurav Kashyap wrote: >> When Qualcomm's Inline Crypto Engine (ICE) contains Hardware >> Key Manager (HWKM), and the 'HWKM' mode is enabled, it >> supports wrapped keys. However, this also requires firmware >> support in Trustzone to work correctly, which may not be available >> on all chipsets. In the above scenario, ICE needs to support standard >> keys even though HWKM is integrated from a hardware perspective. >> >> Introducing this property so that Hardware wrapped key support >> can be enabled/disabled from software based on chipset firmware, >> and not just based on hardware version. >> >> Signed-off-by: Gaurav Kashyap <quic_gaurkash@quicinc.com> >> Tested-by: Neil Armstrong <neil.armstrong@linaro.org> >> --- >> .../bindings/crypto/qcom,inline-crypto-engine.yaml | 10 ++++++++++ >> 1 file changed, 10 insertions(+) >> >> diff --git a/Documentation/devicetree/bindings/crypto/qcom,inline-crypto-engine.yaml b/Documentation/devicetree/bindings/crypto/qcom,inline-crypto-engine.yaml >> index 09e43157cc71..6415d7be9b73 100644 >> --- a/Documentation/devicetree/bindings/crypto/qcom,inline-crypto-engine.yaml >> +++ b/Documentation/devicetree/bindings/crypto/qcom,inline-crypto-engine.yaml >> @@ -25,6 +25,16 @@ properties: >> clocks: >> maxItems: 1 >> >> + qcom,ice-use-hwkm: >> + type: boolean >> + description: >> + Use the supported Hardware Key Manager (HWKM) in Qualcomm ICE >> + to support wrapped keys. Having this entry helps scenarios where >> + the ICE hardware supports HWKM, but the Trustzone firmware does >> + not have the full capability to use this HWKM and support wrapped > > How does it help in this scenario? You enable this property, Trustzone > does not support it, so what happens? > > Also, which SoCs have incomplete Trustzone support? I expect this to be > a quirk, thus limited to specific SoCs with issues. Can we simply evaluate the return value of the secure calls? Konrad
Hello Konrad and Krzysztof On 02/01/2024 11:14, Konrad Dybcio wrote > On 29.01.2024 09:18, Krzysztof Kozlowski wrote: > > On 28/01/2024 00:14, Gaurav Kashyap wrote: > >> When Qualcomm's Inline Crypto Engine (ICE) contains Hardware Key > >> Manager (HWKM), and the 'HWKM' mode is enabled, it supports wrapped > >> keys. However, this also requires firmware support in Trustzone to > >> work correctly, which may not be available on all chipsets. In the > >> above scenario, ICE needs to support standard keys even though HWKM > >> is integrated from a hardware perspective. > >> > >> Introducing this property so that Hardware wrapped key support can be > >> enabled/disabled from software based on chipset firmware, and not > >> just based on hardware version. > >> > >> Signed-off-by: Gaurav Kashyap <quic_gaurkash@quicinc.com> > >> Tested-by: Neil Armstrong <neil.armstrong@linaro.org> > >> --- > >> .../bindings/crypto/qcom,inline-crypto-engine.yaml | 10 ++++++++++ > >> 1 file changed, 10 insertions(+) > >> > >> diff --git > >> a/Documentation/devicetree/bindings/crypto/qcom,inline-crypto- > engine. > >> yaml > >> b/Documentation/devicetree/bindings/crypto/qcom,inline-crypto- > engine. > >> yaml index 09e43157cc71..6415d7be9b73 100644 > >> --- > >> a/Documentation/devicetree/bindings/crypto/qcom,inline-crypto- > engine. > >> yaml > >> +++ b/Documentation/devicetree/bindings/crypto/qcom,inline-crypto- > eng > >> +++ ine.yaml > >> @@ -25,6 +25,16 @@ properties: > >> clocks: > >> maxItems: 1 > >> > >> + qcom,ice-use-hwkm: > >> + type: boolean > >> + description: > >> + Use the supported Hardware Key Manager (HWKM) in Qualcomm ICE > >> + to support wrapped keys. Having this entry helps scenarios where > >> + the ICE hardware supports HWKM, but the Trustzone firmware does > >> + not have the full capability to use this HWKM and support > >> + wrapped > > > > How does it help in this scenario? You enable this property, Trustzone > > does not support it, so what happens? > > > > Also, which SoCs have incomplete Trustzone support? I expect this to > > be a quirk, thus limited to specific SoCs with issues. Apologies for not addressing this earlier, we can perhaps continue this discussion in the new patch thread. I will link to this there. SM8450 and SM8350 QCOM ICE both support HWKM in their ICE hardware. However, wrapped keys can not be enabled on those targets due to certain missing trustzone support. If we solely rely on hardware version to decide if ICE has to use wrapped keys for data encryption, then it becomes untestable on those chipsets. So, we want another way to distinguish this scenario, and hence I chose a DT vendor property to explicitly mention if we have to use the supported HWKM. If there is another way, I am open to exploring that as well. > > Can we simply evaluate the return value of the secure calls? > This might not work as UFS crypto needs this information much earlier, and based on that , it would need to register with the keyslot manager (and block crypto), on whether wrapped keys are supported. https://lore.kernel.org/all/20231104211259.17448-2-ebiggers@kernel.org/ > Konrad