| Message ID | 20231122053817.3401748-10-quic_gaurkash@quicinc.com |
|---|---|
| State | Superseded |
| Headers | show |
| Series | Hardware wrapped key support for qcom ice and ufs | expand |
On 11/22/2023 11:08 AM, Gaurav Kashyap wrote: > Implements the ICE apis for generate, prepare and import key > apis and hooks it up the scm calls defined for them. We can avoid mentioning below text as it is also possibility to have HWKM Linux driver. > Key management has to be done from Qualcomm Trustzone as only > it can interface with HWKM. > > Signed-off-by: Gaurav Kashyap <quic_gaurkash@quicinc.com> > --- > drivers/soc/qcom/ice.c | 66 ++++++++++++++++++++++++++++++++++++++++++ > include/soc/qcom/ice.h | 8 +++++ > 2 files changed, 74 insertions(+) > > diff --git a/drivers/soc/qcom/ice.c b/drivers/soc/qcom/ice.c > index ee7c0beef3d2..b00f314521ca 100644 > --- a/drivers/soc/qcom/ice.c > +++ b/drivers/soc/qcom/ice.c > @@ -21,6 +21,13 @@ > > #define AES_256_XTS_KEY_SIZE 64 > > +/* > + * Wrapped key sizes from HWKm is different for different versions of "HWKM" > + * HW. It is not expected to change again in the future. we can avoid mentioning "It is not expected to change again in the future" > + */ > +#define QCOM_ICE_HWKM_WRAPPED_KEY_SIZE(v) \ > + ((v) == 1 ? 68 : 100) > + > /* QCOM ICE registers */ > #define QCOM_ICE_REG_VERSION 0x0008 > #define QCOM_ICE_REG_FUSE_SETTING 0x0010 > @@ -426,6 +433,65 @@ int qcom_ice_derive_sw_secret(struct qcom_ice *ice, const u8 wkey[], > } > EXPORT_SYMBOL_GPL(qcom_ice_derive_sw_secret); > > +/** > + * qcom_ice_generate_key() - Generate a wrapped key for inline encryption > + * @lt_key: longterm wrapped key that is generated, which is > + * BLK_CRYPTO_MAX_HW_WRAPPED_KEY_SIZE in size. > + * > + * Make a scm call into trustzone to generate a wrapped key for storage > + * encryption using hwkm. > + * > + * Return: 0 on success; err on failure. > + */ > +int qcom_ice_generate_key(struct qcom_ice *ice, > + u8 lt_key[BLK_CRYPTO_MAX_HW_WRAPPED_KEY_SIZE]) > +{ > + return qcom_scm_generate_ice_key(lt_key, > + QCOM_ICE_HWKM_WRAPPED_KEY_SIZE(ice->hwkm_version)); > +} > +EXPORT_SYMBOL_GPL(qcom_ice_generate_key); > + > +/** > + * qcom_ice_prepare_key() - Prepare a longterm wrapped key for inline encryption > + * @lt_key: longterm wrapped key that is generated or imported. > + * @lt_key_size: size of the longterm wrapped_key > + * @eph_key: wrapped key returned which has been wrapped with a per-boot ephemeral key, > + * size of which is BLK_CRYPTO_MAX_HW_WRAPPED_KEY_SIZE in size. > + * > + * Make a scm call into trustzone to prepare a wrapped key for storage > + * encryption by rewrapping the longterm wrapped key with a per boot ephemeral > + * key using hwkm. > + * > + * Return: 0 on success; err on failure. avoid Return value documentation as it is not adding any specific information. > + */ > +int qcom_ice_prepare_key(struct qcom_ice *ice, const u8 *lt_key, size_t lt_key_size, > + u8 eph_key[BLK_CRYPTO_MAX_HW_WRAPPED_KEY_SIZE]) > +{ > + return qcom_scm_prepare_ice_key(lt_key, lt_key_size, eph_key, > + QCOM_ICE_HWKM_WRAPPED_KEY_SIZE(ice->hwkm_version)); > +} > +EXPORT_SYMBOL_GPL(qcom_ice_prepare_key); > + > +/** > + * qcom_ice_import_key() - Import a raw key for inline encryption > + * @imp_key: raw key that has to be imported > + * @imp_key_size: size of the imported key > + * @lt_key: longterm wrapped key that is imported, which is > + * BLK_CRYPTO_MAX_HW_WRAPPED_KEY_SIZE in size. > + * > + * Make a scm call into trustzone to import a raw key for storage encryption > + * and generate a longterm wrapped key using hwkm. > + * > + * Return: 0 on success; err on failure. > + */ > +int qcom_ice_import_key(struct qcom_ice *ice, const u8 *imp_key, size_t imp_key_size, > + u8 lt_key[BLK_CRYPTO_MAX_HW_WRAPPED_KEY_SIZE]) > +{ > + return qcom_scm_import_ice_key(imp_key, imp_key_size, lt_key, > + QCOM_ICE_HWKM_WRAPPED_KEY_SIZE(ice->hwkm_version)); > +} > +EXPORT_SYMBOL_GPL(qcom_ice_import_key); > + > static struct qcom_ice *qcom_ice_create(struct device *dev, > void __iomem *base) > { > diff --git a/include/soc/qcom/ice.h b/include/soc/qcom/ice.h > index dabe0d3a1fd0..dcf277d196ff 100644 > --- a/include/soc/qcom/ice.h > +++ b/include/soc/qcom/ice.h > @@ -39,5 +39,13 @@ bool qcom_ice_hwkm_supported(struct qcom_ice *ice); > int qcom_ice_derive_sw_secret(struct qcom_ice *ice, const u8 wkey[], > unsigned int wkey_size, > u8 sw_secret[BLK_CRYPTO_SW_SECRET_SIZE]); > +int qcom_ice_generate_key(struct qcom_ice *ice, > + u8 lt_key[BLK_CRYPTO_MAX_HW_WRAPPED_KEY_SIZE]); > +int qcom_ice_prepare_key(struct qcom_ice *ice, > + const u8 *lt_key, size_t lt_key_size, > + u8 eph_key[BLK_CRYPTO_MAX_HW_WRAPPED_KEY_SIZE]); > +int qcom_ice_import_key(struct qcom_ice *ice, > + const u8 *imp_key, size_t imp_key_size, > + u8 lt_key[BLK_CRYPTO_MAX_HW_WRAPPED_KEY_SIZE]); > struct qcom_ice *of_qcom_ice_get(struct device *dev); > #endif /* __QCOM_ICE_H__ */
diff --git a/drivers/soc/qcom/ice.c b/drivers/soc/qcom/ice.c index ee7c0beef3d2..b00f314521ca 100644 --- a/drivers/soc/qcom/ice.c +++ b/drivers/soc/qcom/ice.c @@ -21,6 +21,13 @@ #define AES_256_XTS_KEY_SIZE 64 +/* + * Wrapped key sizes from HWKm is different for different versions of + * HW. It is not expected to change again in the future. + */ +#define QCOM_ICE_HWKM_WRAPPED_KEY_SIZE(v) \ + ((v) == 1 ? 68 : 100) + /* QCOM ICE registers */ #define QCOM_ICE_REG_VERSION 0x0008 #define QCOM_ICE_REG_FUSE_SETTING 0x0010 @@ -426,6 +433,65 @@ int qcom_ice_derive_sw_secret(struct qcom_ice *ice, const u8 wkey[], } EXPORT_SYMBOL_GPL(qcom_ice_derive_sw_secret); +/** + * qcom_ice_generate_key() - Generate a wrapped key for inline encryption + * @lt_key: longterm wrapped key that is generated, which is + * BLK_CRYPTO_MAX_HW_WRAPPED_KEY_SIZE in size. + * + * Make a scm call into trustzone to generate a wrapped key for storage + * encryption using hwkm. + * + * Return: 0 on success; err on failure. + */ +int qcom_ice_generate_key(struct qcom_ice *ice, + u8 lt_key[BLK_CRYPTO_MAX_HW_WRAPPED_KEY_SIZE]) +{ + return qcom_scm_generate_ice_key(lt_key, + QCOM_ICE_HWKM_WRAPPED_KEY_SIZE(ice->hwkm_version)); +} +EXPORT_SYMBOL_GPL(qcom_ice_generate_key); + +/** + * qcom_ice_prepare_key() - Prepare a longterm wrapped key for inline encryption + * @lt_key: longterm wrapped key that is generated or imported. + * @lt_key_size: size of the longterm wrapped_key + * @eph_key: wrapped key returned which has been wrapped with a per-boot ephemeral key, + * size of which is BLK_CRYPTO_MAX_HW_WRAPPED_KEY_SIZE in size. + * + * Make a scm call into trustzone to prepare a wrapped key for storage + * encryption by rewrapping the longterm wrapped key with a per boot ephemeral + * key using hwkm. + * + * Return: 0 on success; err on failure. + */ +int qcom_ice_prepare_key(struct qcom_ice *ice, const u8 *lt_key, size_t lt_key_size, + u8 eph_key[BLK_CRYPTO_MAX_HW_WRAPPED_KEY_SIZE]) +{ + return qcom_scm_prepare_ice_key(lt_key, lt_key_size, eph_key, + QCOM_ICE_HWKM_WRAPPED_KEY_SIZE(ice->hwkm_version)); +} +EXPORT_SYMBOL_GPL(qcom_ice_prepare_key); + +/** + * qcom_ice_import_key() - Import a raw key for inline encryption + * @imp_key: raw key that has to be imported + * @imp_key_size: size of the imported key + * @lt_key: longterm wrapped key that is imported, which is + * BLK_CRYPTO_MAX_HW_WRAPPED_KEY_SIZE in size. + * + * Make a scm call into trustzone to import a raw key for storage encryption + * and generate a longterm wrapped key using hwkm. + * + * Return: 0 on success; err on failure. + */ +int qcom_ice_import_key(struct qcom_ice *ice, const u8 *imp_key, size_t imp_key_size, + u8 lt_key[BLK_CRYPTO_MAX_HW_WRAPPED_KEY_SIZE]) +{ + return qcom_scm_import_ice_key(imp_key, imp_key_size, lt_key, + QCOM_ICE_HWKM_WRAPPED_KEY_SIZE(ice->hwkm_version)); +} +EXPORT_SYMBOL_GPL(qcom_ice_import_key); + static struct qcom_ice *qcom_ice_create(struct device *dev, void __iomem *base) { diff --git a/include/soc/qcom/ice.h b/include/soc/qcom/ice.h index dabe0d3a1fd0..dcf277d196ff 100644 --- a/include/soc/qcom/ice.h +++ b/include/soc/qcom/ice.h @@ -39,5 +39,13 @@ bool qcom_ice_hwkm_supported(struct qcom_ice *ice); int qcom_ice_derive_sw_secret(struct qcom_ice *ice, const u8 wkey[], unsigned int wkey_size, u8 sw_secret[BLK_CRYPTO_SW_SECRET_SIZE]); +int qcom_ice_generate_key(struct qcom_ice *ice, + u8 lt_key[BLK_CRYPTO_MAX_HW_WRAPPED_KEY_SIZE]); +int qcom_ice_prepare_key(struct qcom_ice *ice, + const u8 *lt_key, size_t lt_key_size, + u8 eph_key[BLK_CRYPTO_MAX_HW_WRAPPED_KEY_SIZE]); +int qcom_ice_import_key(struct qcom_ice *ice, + const u8 *imp_key, size_t imp_key_size, + u8 lt_key[BLK_CRYPTO_MAX_HW_WRAPPED_KEY_SIZE]); struct qcom_ice *of_qcom_ice_get(struct device *dev); #endif /* __QCOM_ICE_H__ */
Implements the ICE apis for generate, prepare and import key apis and hooks it up the scm calls defined for them. Key management has to be done from Qualcomm Trustzone as only it can interface with HWKM. Signed-off-by: Gaurav Kashyap <quic_gaurkash@quicinc.com> --- drivers/soc/qcom/ice.c | 66 ++++++++++++++++++++++++++++++++++++++++++ include/soc/qcom/ice.h | 8 +++++ 2 files changed, 74 insertions(+)