mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
synced 2025-01-16 09:56:46 +00:00
2e8a0f40a3
DCP (Data Co-Processor) is the little brother of NXP's CAAM IP.
Beside of accelerated crypto operations, it also offers support for
hardware-bound keys. Using this feature it is possible to implement a blob
mechanism similar to what CAAM offers. Unlike on CAAM, constructing and
parsing the blob has to happen in software (i.e. the kernel).
The software-based blob format used by DCP trusted keys encrypts
the payload using AES-128-GCM with a freshly generated random key and nonce.
The random key itself is AES-128-ECB encrypted using the DCP unique
or OTP key.
The DCP trusted key blob format is:
/*
* struct dcp_blob_fmt - DCP BLOB format.
*
* @fmt_version: Format version, currently being %1
* @blob_key: Random AES 128 key which is used to encrypt @payload,
* @blob_key itself is encrypted with OTP or UNIQUE device key in
* AES-128-ECB mode by DCP.
* @nonce: Random nonce used for @payload encryption.
* @payload_len: Length of the plain text @payload.
* @payload: The payload itself, encrypted using AES-128-GCM and @blob_key,
* GCM auth tag of size AES_BLOCK_SIZE is attached at the end of it.
*
* The total size of a DCP BLOB is sizeof(struct dcp_blob_fmt) + @payload_len +
* AES_BLOCK_SIZE.
*/
struct dcp_blob_fmt {
__u8 fmt_version;
__u8 blob_key[AES_KEYSIZE_128];
__u8 nonce[AES_KEYSIZE_128];
__le32 payload_len;
__u8 payload[];
} __packed;
By default the unique key is used. It is also possible to use the
OTP key. While the unique key should be unique it is not documented how
this key is derived. Therefore selection the OTP key is supported as
well via the use_otp_key module parameter.
Co-developed-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Richard Weinberger <richard@nod.at>
Co-developed-by: David Oberhollenzer <david.oberhollenzer@sigma-star.at>
Signed-off-by: David Oberhollenzer <david.oberhollenzer@sigma-star.at>
Signed-off-by: David Gstir <david@sigma-star.at>
Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
53 lines
1.3 KiB
Plaintext
53 lines
1.3 KiB
Plaintext
config HAVE_TRUSTED_KEYS
|
|
bool
|
|
|
|
config TRUSTED_KEYS_TPM
|
|
bool "TPM-based trusted keys"
|
|
depends on TCG_TPM >= TRUSTED_KEYS
|
|
default y
|
|
select CRYPTO
|
|
select CRYPTO_HMAC
|
|
select CRYPTO_SHA1
|
|
select CRYPTO_HASH_INFO
|
|
select ASN1_ENCODER
|
|
select OID_REGISTRY
|
|
select ASN1
|
|
select HAVE_TRUSTED_KEYS
|
|
help
|
|
Enable use of the Trusted Platform Module (TPM) as trusted key
|
|
backend. Trusted keys are random number symmetric keys,
|
|
which will be generated and RSA-sealed by the TPM.
|
|
The TPM only unseals the keys, if the boot PCRs and other
|
|
criteria match.
|
|
|
|
config TRUSTED_KEYS_TEE
|
|
bool "TEE-based trusted keys"
|
|
depends on TEE >= TRUSTED_KEYS
|
|
default y
|
|
select HAVE_TRUSTED_KEYS
|
|
help
|
|
Enable use of the Trusted Execution Environment (TEE) as trusted
|
|
key backend.
|
|
|
|
config TRUSTED_KEYS_CAAM
|
|
bool "CAAM-based trusted keys"
|
|
depends on CRYPTO_DEV_FSL_CAAM_JR >= TRUSTED_KEYS
|
|
select CRYPTO_DEV_FSL_CAAM_BLOB_GEN
|
|
default y
|
|
select HAVE_TRUSTED_KEYS
|
|
help
|
|
Enable use of NXP's Cryptographic Accelerator and Assurance Module
|
|
(CAAM) as trusted key backend.
|
|
|
|
config TRUSTED_KEYS_DCP
|
|
bool "DCP-based trusted keys"
|
|
depends on CRYPTO_DEV_MXS_DCP >= TRUSTED_KEYS
|
|
default y
|
|
select HAVE_TRUSTED_KEYS
|
|
help
|
|
Enable use of NXP's DCP (Data Co-Processor) as trusted key backend.
|
|
|
|
if !HAVE_TRUSTED_KEYS
|
|
comment "No trust source selected!"
|
|
endif
|