Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

docs: trusted-encrypted: add DCP as new trust source

Update the documentation for trusted and encrypted KEYS with DCP as new
trust source:

- Describe security properties of DCP trust source
- Describe key usage
- Document blob format

Co-developed-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Richard Weinberger <richard@nod.at>
Co-developed-by: David Oberhollenzer <david.oberhollenzer@sigma-star.at>
Signed-off-by: David Oberhollenzer <david.oberhollenzer@sigma-star.at>
Signed-off-by: David Gstir <david@sigma-star.at>
Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
Reviewed-by: Bagas Sanjaya <bagasdotme@gmail.com>
Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>

Authored by David Gstir, committed by Jarkko Sakkinen
28c5f596 b85b253e

Documentation/security/keys/trusted-encrypted.rst
··· 42 42 randomly generated and fused into each SoC at manufacturing time. 43 43 Otherwise, a common fixed test key is used instead. 44 44 45 + (4) DCP (Data Co-Processor: crypto accelerator of various i.MX SoCs) 46 + 47 + Rooted to a one-time programmable key (OTP) that is generally burnt 48 + in the on-chip fuses and is accessible to the DCP encryption engine only. 49 + DCP provides two keys that can be used as root of trust: the OTP key 50 + and the UNIQUE key. Default is to use the UNIQUE key, but selecting 51 + the OTP key can be done via a module parameter (dcp_use_otp_key). 52 + 45 53 * Execution isolation 46 54 47 55 (1) TPM ··· 64 56 (3) CAAM 65 57 66 58 Fixed set of operations running in isolated execution environment. 59 + 60 + (4) DCP 61 + 62 + Fixed set of cryptographic operations running in isolated execution 63 + environment. Only basic blob key encryption is executed there. 64 + The actual key sealing/unsealing is done on main processor/kernel space. 67 65 68 66 * Optional binding to platform integrity state 69 67 ··· 93 79 Relies on the High Assurance Boot (HAB) mechanism of NXP SoCs 94 80 for platform integrity. 95 81 82 + (4) DCP 83 + 84 + Relies on Secure/Trusted boot process (called HAB by vendor) for 85 + platform integrity. 86 + 96 87 * Interfaces and APIs 97 88 98 89 (1) TPM ··· 112 93 (3) CAAM 113 94 114 95 Interface is specific to silicon vendor. 96 + 97 + (4) DCP 98 + 99 + Vendor-specific API that is implemented as part of the DCP crypto driver in 100 + ``drivers/crypto/mxs-dcp.c``. 115 101 116 102 * Threat model 117 103 ··· 152 128 The normal kernel random number generator is used. To seed it from the 153 129 CAAM HWRNG, enable CRYPTO_DEV_FSL_CAAM_RNG_API and ensure the device 154 130 is probed. 131 + 132 + * DCP (Data Co-Processor: crypto accelerator of various i.MX SoCs) 133 + 134 + The DCP hardware device itself does not provide a dedicated RNG interface, 135 + so the kernel default RNG is used. 
SoCs with DCP like the i.MX6ULL do have 136 + a dedicated hardware RNG that is independent from DCP which can be enabled 137 + to back the kernel RNG. 155 138 156 139 Users may override this by specifying ``trusted.rng=kernel`` on the kernel 157 140 command-line to override the used RNG with the kernel's random number pool. ··· 261 230 "keyctl print" returns an ASCII hex copy of the sealed key, which is in a 262 231 CAAM-specific format. The key length for new keys is always in bytes. 263 232 Trusted Keys can be 32 - 128 bytes (256 - 1024 bits). 233 + 234 + Trusted Keys usage: DCP 235 + ----------------------- 236 + 237 + Usage:: 238 + 239 + keyctl add trusted name "new keylen" ring 240 + keyctl add trusted name "load hex_blob" ring 241 + keyctl print keyid 242 + 243 + "keyctl print" returns an ASCII hex copy of the sealed key, which is in format 244 + specific to this DCP key-blob implementation. The key length for new keys is 245 + always in bytes. Trusted Keys can be 32 - 128 bytes (256 - 1024 bits). 264 246 265 247 Encrypted Keys usage 266 248 -------------------- ··· 470 426 privkey is the binary representation of TPM2B_PUBLIC excluding the 471 427 initial TPM2B header which can be reconstructed from the ASN.1 octed 472 428 string length. 429 + 430 + DCP Blob Format 431 + --------------- 432 + 433 + .. kernel-doc:: security/keys/trusted-keys/trusted_dcp.c 434 + :doc: dcp blob format 435 + 436 + .. kernel-doc:: security/keys/trusted-keys/trusted_dcp.c 437 + :identifiers: struct dcp_blob_fmt
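Review bot: the Execution isolation entry for DCP (lines 60-64) says the actual sealing/unsealing runs on the main processor in kernel space, but the text stops short of stating the consequence: unlike TPM and CAAM, the blob encryption key and the unsealed trusted key exist in plaintext in kernel memory, so the protection boundary for DCP is the kernel itself rather than the co-processor. Suggest adding one sentence to that effect so readers comparing the four trust sources see the difference. Smaller point: the Security properties entry introduces the module parameter as a bare `dcp_use_otp_key`, while the new "Trusted Keys usage: DCP" section never mentions it; repeating it there together with the module prefix under which it is actually exposed would help users find it.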
security/keys/trusted-keys/trusted_dcp.c
··· 20 20 #define DCP_BLOB_AUTHLEN 16 21 21 22 22 /** 23 + * DOC: dcp blob format 24 + * 25 + * The Data Co-Processor (DCP) provides hardware-bound AES keys using its 26 + * AES encryption engine only. It does not provide direct key sealing/unsealing. 27 + * To make DCP hardware encryption keys usable as trust source, we define 28 + * our own custom format that uses a hardware-bound key to secure the sealing 29 + * key stored in the key blob. 30 + * 31 + * Whenever a new trusted key using DCP is generated, we generate a random 128-bit 32 + * blob encryption key (BEK) and 128-bit nonce. The BEK and nonce are used to 33 + * encrypt the trusted key payload using AES-128-GCM. 34 + * 35 + * The BEK itself is encrypted using the hardware-bound key using the DCP's AES 36 + * encryption engine with AES-128-ECB. The encrypted BEK, generated nonce, 37 + * BEK-encrypted payload and authentication tag make up the blob format together 38 + * with a version number, payload length and authentication tag. 39 + */ 40 + 41 + /** 23 42 * struct dcp_blob_fmt - DCP BLOB format. 24 43 * 25 44 * @fmt_version: Format version, currently being %1.
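Review bot: the DOC comment says a fresh BEK and nonce are generated "whenever a new trusted key using DCP is generated", but it does not say what happens when an already-loaded key is sealed again (for example after a key update). With AES-128-GCM, reusing a nonce under the same BEK defeats both confidentiality and the authentication tag, so the comment should state explicitly that every seal operation draws a new BEK/nonce pair, or document the reuse rule if it differs. Also, the last sentence lists the authentication tag twice ("... BEK-encrypted payload and authentication tag make up the blob format together with a version number, payload length and authentication tag"); drop one occurrence. It may be worth adding that AES-128-ECB is applied to exactly one 16-byte block (the BEK), so ECB's usual pattern-leak concern does not arise here.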