a8f636f2ba
We need a way to tell which type of keys the inline crypto hardware
supports (standard, wrapped, or both), so that fallbacks can be used
when needed (either blk-crypto-fallback, or fscrypt fs-layer crypto).
We can't simply assume that
keyslot_mgmt_ll_ops::derive_raw_secret == NULL
means only standard keys are supported and that
keyslot_mgmt_ll_ops::derive_raw_secret != NULL
means that only wrapped keys are supported, because device-mapper
devices always implement this method. Also, hardware might support both
types of keys.
Therefore, add a field keyslot_manager::features which contains a
bitmask of flags which indicate the supported types of keys. Drivers
will need to fill this in. This patch makes the UFS standard crypto
code set BLK_CRYPTO_FEATURE_STANDARD_KEYS, but UFS variant drivers may
need to set BLK_CRYPTO_FEATURE_WRAPPED_KEYS instead.
Then, make keyslot_manager_crypto_mode_supported() take the key type
into account.
Bug: 137270441
Bug: 151100202
Test: 'atest vts_kernel_encryption_test' on Pixel 4 with the
inline crypto patches backported, and also on Cuttlefish.
Change-Id: Ied846c2767c1fd2f438792dcfd3649157e68b005
Signed-off-by: Eric Biggers <ebiggers@google.com>
Git-commit: 8f078b1b3a
Git-repo: https://android.googlesource.com/kernel/common/+/refs/heads/android-4.19
[neersoni@codeaurora.org: key capability parameter added for ufs and emmc]
Signed-off-by: Neeraj Soni <neersoni@codeaurora.org>
100 lines
3.3 KiB
C
100 lines
3.3 KiB
C
/* SPDX-License-Identifier: GPL-2.0 */
|
|
/*
|
|
* Copyright 2019 Google LLC
|
|
*/
|
|
|
|
#ifndef __LINUX_KEYSLOT_MANAGER_H
|
|
#define __LINUX_KEYSLOT_MANAGER_H
|
|
|
|
#include <linux/bio.h>
|
|
|
|
/* Inline crypto feature bits. Must set at least one. */
|
|
enum {
|
|
/* Support for standard software-specified keys */
|
|
BLK_CRYPTO_FEATURE_STANDARD_KEYS = BIT(0),
|
|
|
|
/* Support for hardware-wrapped keys */
|
|
BLK_CRYPTO_FEATURE_WRAPPED_KEYS = BIT(1),
|
|
};
|
|
|
|
#ifdef CONFIG_BLK_INLINE_ENCRYPTION
|
|
|
|
struct keyslot_manager;
|
|
|
|
/**
|
|
* struct keyslot_mgmt_ll_ops - functions to manage keyslots in hardware
|
|
* @keyslot_program: Program the specified key into the specified slot in the
|
|
* inline encryption hardware.
|
|
* @keyslot_evict: Evict key from the specified keyslot in the hardware.
|
|
* The key is provided so that e.g. dm layers can evict
|
|
* keys from the devices that they map over.
|
|
* Returns 0 on success, -errno otherwise.
|
|
* @derive_raw_secret: (Optional) Derive a software secret from a
|
|
* hardware-wrapped key. Returns 0 on success, -EOPNOTSUPP
|
|
* if unsupported on the hardware, or another -errno code.
|
|
*
|
|
* This structure should be provided by storage device drivers when they set up
|
|
* a keyslot manager - this structure holds the function ptrs that the keyslot
|
|
* manager will use to manipulate keyslots in the hardware.
|
|
*/
|
|
struct keyslot_mgmt_ll_ops {
|
|
int (*keyslot_program)(struct keyslot_manager *ksm,
|
|
const struct blk_crypto_key *key,
|
|
unsigned int slot);
|
|
int (*keyslot_evict)(struct keyslot_manager *ksm,
|
|
const struct blk_crypto_key *key,
|
|
unsigned int slot);
|
|
int (*derive_raw_secret)(struct keyslot_manager *ksm,
|
|
const u8 *wrapped_key,
|
|
unsigned int wrapped_key_size,
|
|
u8 *secret, unsigned int secret_size);
|
|
};
|
|
|
|
struct keyslot_manager *keyslot_manager_create(
|
|
struct device *dev,
|
|
unsigned int num_slots,
|
|
const struct keyslot_mgmt_ll_ops *ksm_ops,
|
|
unsigned int features,
|
|
const unsigned int crypto_mode_supported[BLK_ENCRYPTION_MODE_MAX],
|
|
void *ll_priv_data);
|
|
|
|
int keyslot_manager_get_slot_for_key(struct keyslot_manager *ksm,
|
|
const struct blk_crypto_key *key);
|
|
|
|
void keyslot_manager_get_slot(struct keyslot_manager *ksm, unsigned int slot);
|
|
|
|
void keyslot_manager_put_slot(struct keyslot_manager *ksm, unsigned int slot);
|
|
|
|
bool keyslot_manager_crypto_mode_supported(struct keyslot_manager *ksm,
|
|
enum blk_crypto_mode_num crypto_mode,
|
|
unsigned int data_unit_size,
|
|
bool is_hw_wrapped_key);
|
|
|
|
int keyslot_manager_evict_key(struct keyslot_manager *ksm,
|
|
const struct blk_crypto_key *key);
|
|
|
|
void keyslot_manager_reprogram_all_keys(struct keyslot_manager *ksm);
|
|
|
|
void *keyslot_manager_private(struct keyslot_manager *ksm);
|
|
|
|
void keyslot_manager_destroy(struct keyslot_manager *ksm);
|
|
|
|
struct keyslot_manager *keyslot_manager_create_passthrough(
|
|
struct device *dev,
|
|
const struct keyslot_mgmt_ll_ops *ksm_ops,
|
|
unsigned int features,
|
|
const unsigned int crypto_mode_supported[BLK_ENCRYPTION_MODE_MAX],
|
|
void *ll_priv_data);
|
|
|
|
void keyslot_manager_intersect_modes(struct keyslot_manager *parent,
|
|
const struct keyslot_manager *child);
|
|
|
|
int keyslot_manager_derive_raw_secret(struct keyslot_manager *ksm,
|
|
const u8 *wrapped_key,
|
|
unsigned int wrapped_key_size,
|
|
u8 *secret, unsigned int secret_size);
|
|
|
|
#endif /* CONFIG_BLK_INLINE_ENCRYPTION */
|
|
|
|
#endif /* __LINUX_KEYSLOT_MANAGER_H */
|