blk-crypto: add basic hardware-wrapped key support

+215 -4

Documentation/block/inline-encryption.rst

··· 77 77 ============ 78 78 79 79 We introduce ``struct blk_crypto_key`` to represent an inline encryption key and 80 - how it will be used. This includes the actual bytes of the key; the size of the 81 - key; the algorithm and data unit size the key will be used with; and the number 82 - of bytes needed to represent the maximum data unit number the key will be used 83 - with. 80 + how it will be used. This includes the type of the key (raw or 81 + hardware-wrapped); the actual bytes of the key; the size of the key; the 82 + algorithm and data unit size the key will be used with; and the number of bytes 83 + needed to represent the maximum data unit number the key will be used with. 84 84 85 85 We introduce ``struct bio_crypt_ctx`` to represent an encryption context. It 86 86 contains a data unit number and a pointer to a blk_crypto_key. We add pointers ··· 301 301 When the crypto API fallback is enabled, this means that all bios with and 302 302 encryption context will use the fallback, and IO will complete as usual. When 303 303 the fallback is disabled, a bio with an encryption context will be failed. 304 + 305 + .. _hardware_wrapped_keys: 306 + 307 + Hardware-wrapped keys 308 + ===================== 309 + 310 + Motivation and threat model 311 + --------------------------- 312 + 313 + Linux storage encryption (dm-crypt, fscrypt, eCryptfs, etc.) traditionally 314 + relies on the raw encryption key(s) being present in kernel memory so that the 315 + encryption can be performed. This traditionally isn't seen as a problem because 316 + the key(s) won't be present during an offline attack, which is the main type of 317 + attack that storage encryption is intended to protect from. 318 + 319 + However, there is an increasing desire to also protect users' data from other 320 + types of attacks (to the extent possible), including: 321 + 322 + - Cold boot attacks, where an attacker with physical access to a system suddenly 323 + powers it off, then immediately dumps the system memory to extract recently 324 + in-use encryption keys, then uses these keys to decrypt user data on-disk. 325 + 326 + - Online attacks where the attacker is able to read kernel memory without fully 327 + compromising the system, followed by an offline attack where any extracted 328 + keys can be used to decrypt user data on-disk. An example of such an online 329 + attack would be if the attacker is able to run some code on the system that 330 + exploits a Meltdown-like vulnerability but is unable to escalate privileges. 331 + 332 + - Online attacks where the attacker fully compromises the system, but their data 333 + exfiltration is significantly time-limited and/or bandwidth-limited, so in 334 + order to completely exfiltrate the data they need to extract the encryption 335 + keys to use in a later offline attack. 336 + 337 + Hardware-wrapped keys are a feature of inline encryption hardware that is 338 + designed to protect users' data from the above attacks (to the extent possible), 339 + without introducing limitations such as a maximum number of keys. 340 + 341 + Note that it is impossible to **fully** protect users' data from these attacks. 342 + Even in the attacks where the attacker "just" gets read access to kernel memory, 343 + they can still extract any user data that is present in memory, including 344 + plaintext pagecache pages of encrypted files. The focus here is just on 345 + protecting the encryption keys, as those instantly give access to **all** user 346 + data in any following offline attack, rather than just some of it (where which 347 + data is included in that "some" might not be controlled by the attacker). 348 + 349 + Solution overview 350 + ----------------- 351 + 352 + Inline encryption hardware typically has "keyslots" into which software can 353 + program keys for the hardware to use; the contents of keyslots typically can't 354 + be read back by software. As such, the above security goals could be achieved 355 + if the kernel simply erased its copy of the key(s) after programming them into 356 + keyslot(s) and thereafter only referred to them via keyslot number. 357 + 358 + However, that naive approach runs into a couple problems: 359 + 360 + - It limits the number of unlocked keys to the number of keyslots, which 361 + typically is a small number. In cases where there is only one encryption key 362 + system-wide (e.g., a full-disk encryption key), that can be tolerable. 363 + However, in general there can be many logged-in users with many different 364 + keys, and/or many running applications with application-specific encrypted 365 + storage areas. This is especially true if file-based encryption (e.g. 366 + fscrypt) is being used. 367 + 368 + - Inline crypto engines typically lose the contents of their keyslots if the 369 + storage controller (usually UFS or eMMC) is reset. Resetting the storage 370 + controller is a standard error recovery procedure that is executed if certain 371 + types of storage errors occur, and such errors can occur at any time. 372 + Therefore, when inline crypto is being used, the operating system must always 373 + be ready to reprogram the keyslots without user intervention. 374 + 375 + Thus, it is important for the kernel to still have a way to "remind" the 376 + hardware about a key, without actually having the raw key itself. 377 + 378 + Somewhat less importantly, it is also desirable that the raw keys are never 379 + visible to software at all, even while being initially unlocked. This would 380 + ensure that a read-only compromise of system memory will never allow a key to be 381 + extracted to be used off-system, even if it occurs when a key is being unlocked. 382 + 383 + To solve all these problems, some vendors of inline encryption hardware have 384 + made their hardware support *hardware-wrapped keys*. Hardware-wrapped keys 385 + are encrypted keys that can only be unwrapped (decrypted) and used by hardware 386 + -- either by the inline encryption hardware itself, or by a dedicated hardware 387 + block that can directly provision keys to the inline encryption hardware. 388 + 389 + (We refer to them as "hardware-wrapped keys" rather than simply "wrapped keys" 390 + to add some clarity in cases where there could be other types of wrapped keys, 391 + such as in file-based encryption. Key wrapping is a commonly used technique.) 392 + 393 + The key which wraps (encrypts) hardware-wrapped keys is a hardware-internal key 394 + that is never exposed to software; it is either a persistent key (a "long-term 395 + wrapping key") or a per-boot key (an "ephemeral wrapping key"). The long-term 396 + wrapped form of the key is what is initially unlocked, but it is erased from 397 + memory as soon as it is converted into an ephemerally-wrapped key. In-use 398 + hardware-wrapped keys are always ephemerally-wrapped, not long-term wrapped. 399 + 400 + As inline encryption hardware can only be used to encrypt/decrypt data on-disk, 401 + the hardware also includes a level of indirection; it doesn't use the unwrapped 402 + key directly for inline encryption, but rather derives both an inline encryption 403 + key and a "software secret" from it. Software can use the "software secret" for 404 + tasks that can't use the inline encryption hardware, such as filenames 405 + encryption. The software secret is not protected from memory compromise. 406 + 407 + Key hierarchy 408 + ------------- 409 + 410 + Here is the key hierarchy for a hardware-wrapped key:: 411 + 412 + Hardware-wrapped key 413 + | 414 + | 415 + <Hardware KDF> 416 + | 417 + ----------------------------- 418 + | | 419 + Inline encryption key Software secret 420 + 421 + The components are: 422 + 423 + - *Hardware-wrapped key*: a key for the hardware's KDF (Key Derivation 424 + Function), in ephemerally-wrapped form. The key wrapping algorithm is a 425 + hardware implementation detail that doesn't impact kernel operation, but a 426 + strong authenticated encryption algorithm such as AES-256-GCM is recommended. 427 + 428 + - *Hardware KDF*: a KDF (Key Derivation Function) which the hardware uses to 429 + derive subkeys after unwrapping the wrapped key. The hardware's choice of KDF 430 + doesn't impact kernel operation, but it does need to be known for testing 431 + purposes, and it's also assumed to have at least a 256-bit security strength. 432 + All known hardware uses the SP800-108 KDF in Counter Mode with AES-256-CMAC, 433 + with a particular choice of labels and contexts; new hardware should use this 434 + already-vetted KDF. 435 + 436 + - *Inline encryption key*: a derived key which the hardware directly provisions 437 + to a keyslot of the inline encryption hardware, without exposing it to 438 + software. In all known hardware, this will always be an AES-256-XTS key. 439 + However, in principle other encryption algorithms could be supported too. 440 + Hardware must derive distinct subkeys for each supported encryption algorithm. 441 + 442 + - *Software secret*: a derived key which the hardware returns to software so 443 + that software can use it for cryptographic tasks that can't use inline 444 + encryption. This value is cryptographically isolated from the inline 445 + encryption key, i.e. knowing one doesn't reveal the other. (The KDF ensures 446 + this.) Currently, the software secret is always 32 bytes and thus is suitable 447 + for cryptographic applications that require up to a 256-bit security strength. 448 + Some use cases (e.g. full-disk encryption) won't require the software secret. 449 + 450 + Example: in the case of fscrypt, the fscrypt master key (the key that protects a 451 + particular set of encrypted directories) is made hardware-wrapped. The inline 452 + encryption key is used as the file contents encryption key, while the software 453 + secret (rather than the master key directly) is used to key fscrypt's KDF 454 + (HKDF-SHA512) to derive other subkeys such as filenames encryption keys. 455 + 456 + Note that currently this design assumes a single inline encryption key per 457 + hardware-wrapped key, without any further key derivation. Thus, in the case of 458 + fscrypt, currently hardware-wrapped keys are only compatible with the "inline 459 + encryption optimized" settings, which use one file contents encryption key per 460 + encryption policy rather than one per file. This design could be extended to 461 + make the hardware derive per-file keys using per-file nonces passed down the 462 + storage stack, and in fact some hardware already supports this; future work is 463 + planned to remove this limitation by adding the corresponding kernel support. 464 + 465 + Kernel support 466 + -------------- 467 + 468 + The inline encryption support of the kernel's block layer ("blk-crypto") has 469 + been extended to support hardware-wrapped keys as an alternative to raw keys, 470 + when hardware support is available. This works in the following way: 471 + 472 + - A ``key_types_supported`` field is added to the crypto capabilities in 473 + ``struct blk_crypto_profile``. This allows device drivers to declare that 474 + they support raw keys, hardware-wrapped keys, or both. 475 + 476 + - ``struct blk_crypto_key`` can now contain a hardware-wrapped key as an 477 + alternative to a raw key; a ``key_type`` field is added to 478 + ``struct blk_crypto_config`` to distinguish between the different key types. 479 + This allows users of blk-crypto to en/decrypt data using a hardware-wrapped 480 + key in a way very similar to using a raw key. 481 + 482 + - A new method ``blk_crypto_ll_ops::derive_sw_secret`` is added. Device drivers 483 + that support hardware-wrapped keys must implement this method. Users of 484 + blk-crypto can call ``blk_crypto_derive_sw_secret()`` to access this method. 485 + 486 + - The programming and eviction of hardware-wrapped keys happens via 487 + ``blk_crypto_ll_ops::keyslot_program`` and 488 + ``blk_crypto_ll_ops::keyslot_evict``, just like it does for raw keys. If a 489 + driver supports hardware-wrapped keys, then it must handle hardware-wrapped 490 + keys being passed to these methods. 491 + 492 + blk-crypto-fallback doesn't support hardware-wrapped keys. Therefore, 493 + hardware-wrapped keys can only be used with actual inline encryption hardware. 494 + 495 + Testability 496 + ----------- 497 + 498 + Both the hardware KDF and the inline encryption itself are well-defined 499 + algorithms that don't depend on any secrets other than the unwrapped key. 500 + Therefore, if the unwrapped key is known to software, these algorithms can be 501 + reproduced in software in order to verify the ciphertext that is written to disk 502 + by the inline encryption hardware. 503 + 504 + However, the unwrapped key will only be known to software for testing if the 505 + "import" functionality is used. Proper testing is not possible in the 506 + "generate" case where the hardware generates the key itself. The correct 507 + operation of the "generate" mode thus relies on the security and correctness of 508 + the hardware RNG and its use to generate the key, as well as the testing of the 509 + "import" mode as that should cover all parts other than the key generation. 510 + 511 + For an example of a test that verifies the ciphertext written to disk in the 512 + "import" mode, see the fscrypt hardware-wrapped key tests in xfstests, or 513 + `Android's vts_kernel_encryption_test 514 + <https://android.googlesource.com/platform/test/vts-testcase/kernel/+/refs/heads/main/encryption/>`_.

+4 -3

block/blk-crypto-fallback.c

··· 87 87 * This is the key we set when evicting a keyslot. This *should* be the all 0's 88 88 * key, but AES-XTS rejects that key, so we use some random bytes instead. 89 89 */ 90 - static u8 blank_key[BLK_CRYPTO_MAX_KEY_SIZE]; 90 + static u8 blank_key[BLK_CRYPTO_MAX_RAW_KEY_SIZE]; 91 91 92 92 static void blk_crypto_fallback_evict_keyslot(unsigned int slot) 93 93 { ··· 119 119 blk_crypto_fallback_evict_keyslot(slot); 120 120 121 121 slotp->crypto_mode = crypto_mode; 122 - err = crypto_skcipher_setkey(slotp->tfms[crypto_mode], key->raw, 122 + err = crypto_skcipher_setkey(slotp->tfms[crypto_mode], key->bytes, 123 123 key->size); 124 124 if (err) { 125 125 blk_crypto_fallback_evict_keyslot(slot); ··· 539 539 if (blk_crypto_fallback_inited) 540 540 return 0; 541 541 542 - get_random_bytes(blank_key, BLK_CRYPTO_MAX_KEY_SIZE); 542 + get_random_bytes(blank_key, sizeof(blank_key)); 543 543 544 544 err = bioset_init(&crypto_bio_split, 64, 0, 0); 545 545 if (err) ··· 561 561 562 562 blk_crypto_fallback_profile->ll_ops = blk_crypto_fallback_ll_ops; 563 563 blk_crypto_fallback_profile->max_dun_bytes_supported = BLK_CRYPTO_MAX_IV_SIZE; 564 + blk_crypto_fallback_profile->key_types_supported = BLK_CRYPTO_KEY_TYPE_RAW; 564 565 565 566 /* All blk-crypto modes have a crypto API fallback. */ 566 567 for (i = 0; i < BLK_ENCRYPTION_MODE_MAX; i++)

+1

block/blk-crypto-internal.h

··· 14 14 const char *name; /* name of this mode, shown in sysfs */ 15 15 const char *cipher_str; /* crypto API name (for fallback case) */ 16 16 unsigned int keysize; /* key size in bytes */ 17 + unsigned int security_strength; /* security strength in bytes */ 17 18 unsigned int ivsize; /* iv size in bytes */ 18 19 }; 19 20

+46

block/blk-crypto-profile.c

··· 352 352 return false; 353 353 if (profile->max_dun_bytes_supported < cfg->dun_bytes) 354 354 return false; 355 + if (!(profile->key_types_supported & cfg->key_type)) 356 + return false; 355 357 return true; 356 358 } 357 359 ··· 465 463 EXPORT_SYMBOL_GPL(blk_crypto_register); 466 464 467 465 /** 466 + * blk_crypto_derive_sw_secret() - Derive software secret from wrapped key 467 + * @bdev: a block device that supports hardware-wrapped keys 468 + * @eph_key: a hardware-wrapped key in ephemerally-wrapped form 469 + * @eph_key_size: size of @eph_key in bytes 470 + * @sw_secret: (output) the software secret 471 + * 472 + * Given a hardware-wrapped key in ephemerally-wrapped form (the same form that 473 + * it is used for I/O), ask the hardware to derive the secret which software can 474 + * use for cryptographic tasks other than inline encryption. This secret is 475 + * guaranteed to be cryptographically isolated from the inline encryption key, 476 + * i.e. derived with a different KDF context. 477 + * 478 + * Return: 0 on success, -EOPNOTSUPP if the block device doesn't support 479 + * hardware-wrapped keys, -EBADMSG if the key isn't a valid 480 + * ephemerally-wrapped key, or another -errno code. 481 + */ 482 + int blk_crypto_derive_sw_secret(struct block_device *bdev, 483 + const u8 *eph_key, size_t eph_key_size, 484 + u8 sw_secret[BLK_CRYPTO_SW_SECRET_SIZE]) 485 + { 486 + struct blk_crypto_profile *profile = 487 + bdev_get_queue(bdev)->crypto_profile; 488 + int err; 489 + 490 + if (!profile) 491 + return -EOPNOTSUPP; 492 + if (!(profile->key_types_supported & BLK_CRYPTO_KEY_TYPE_HW_WRAPPED)) 493 + return -EOPNOTSUPP; 494 + if (!profile->ll_ops.derive_sw_secret) 495 + return -EOPNOTSUPP; 496 + blk_crypto_hw_enter(profile); 497 + err = profile->ll_ops.derive_sw_secret(profile, eph_key, eph_key_size, 498 + sw_secret); 499 + blk_crypto_hw_exit(profile); 500 + return err; 501 + } 502 + 503 + /** 468 504 * blk_crypto_intersect_capabilities() - restrict supported crypto capabilities 469 505 * by child device 470 506 * @parent: the crypto profile for the parent device ··· 525 485 child->max_dun_bytes_supported); 526 486 for (i = 0; i < ARRAY_SIZE(child->modes_supported); i++) 527 487 parent->modes_supported[i] &= child->modes_supported[i]; 488 + parent->key_types_supported &= child->key_types_supported; 528 489 } else { 529 490 parent->max_dun_bytes_supported = 0; 530 491 memset(parent->modes_supported, 0, 531 492 sizeof(parent->modes_supported)); 493 + parent->key_types_supported = 0; 532 494 } 533 495 } 534 496 EXPORT_SYMBOL_GPL(blk_crypto_intersect_capabilities); ··· 561 519 562 520 if (reference->max_dun_bytes_supported > 563 521 target->max_dun_bytes_supported) 522 + return false; 523 + 524 + if (reference->key_types_supported & ~target->key_types_supported) 564 525 return false; 565 526 566 527 return true; ··· 600 555 sizeof(dst->modes_supported)); 601 556 602 557 dst->max_dun_bytes_supported = src->max_dun_bytes_supported; 558 + dst->key_types_supported = src->key_types_supported; 603 559 } 604 560 EXPORT_SYMBOL_GPL(blk_crypto_update_capabilities);

+47 -14

block/blk-crypto.c

··· 23 23 .name = "AES-256-XTS", 24 24 .cipher_str = "xts(aes)", 25 25 .keysize = 64, 26 + .security_strength = 32, 26 27 .ivsize = 16, 27 28 }, 28 29 [BLK_ENCRYPTION_MODE_AES_128_CBC_ESSIV] = { 29 30 .name = "AES-128-CBC-ESSIV", 30 31 .cipher_str = "essiv(cbc(aes),sha256)", 31 32 .keysize = 16, 33 + .security_strength = 16, 32 34 .ivsize = 16, 33 35 }, 34 36 [BLK_ENCRYPTION_MODE_ADIANTUM] = { 35 37 .name = "Adiantum", 36 38 .cipher_str = "adiantum(xchacha12,aes)", 37 39 .keysize = 32, 40 + .security_strength = 32, 38 41 .ivsize = 32, 39 42 }, 40 43 [BLK_ENCRYPTION_MODE_SM4_XTS] = { 41 44 .name = "SM4-XTS", 42 45 .cipher_str = "xts(sm4)", 43 46 .keysize = 32, 47 + .security_strength = 16, 44 48 .ivsize = 16, 45 49 }, 46 50 }; ··· 80 76 /* This is assumed in various places. */ 81 77 BUILD_BUG_ON(BLK_ENCRYPTION_MODE_INVALID != 0); 82 78 83 - /* Sanity check that no algorithm exceeds the defined limits. */ 79 + /* 80 + * Validate the crypto mode properties. This ideally would be done with 81 + * static assertions, but boot-time checks are the next best thing. 82 + */ 84 83 for (i = 0; i < BLK_ENCRYPTION_MODE_MAX; i++) { 85 - BUG_ON(blk_crypto_modes[i].keysize > BLK_CRYPTO_MAX_KEY_SIZE); 84 + BUG_ON(blk_crypto_modes[i].keysize > 85 + BLK_CRYPTO_MAX_RAW_KEY_SIZE); 86 + BUG_ON(blk_crypto_modes[i].security_strength > 87 + blk_crypto_modes[i].keysize); 86 88 BUG_ON(blk_crypto_modes[i].ivsize > BLK_CRYPTO_MAX_IV_SIZE); 87 89 } 88 90 ··· 325 315 /** 326 316 * blk_crypto_init_key() - Prepare a key for use with blk-crypto 327 317 * @blk_key: Pointer to the blk_crypto_key to initialize. 328 - * @raw_key: Pointer to the raw key. Must be the correct length for the chosen 329 - * @crypto_mode; see blk_crypto_modes[]. 318 + * @key_bytes: the bytes of the key 319 + * @key_size: size of the key in bytes 320 + * @key_type: type of the key -- either raw or hardware-wrapped 330 321 * @crypto_mode: identifier for the encryption algorithm to use 331 322 * @dun_bytes: number of bytes that will be used to specify the DUN when this 332 323 * key is used 333 324 * @data_unit_size: the data unit size to use for en/decryption 334 325 * 335 326 * Return: 0 on success, -errno on failure. The caller is responsible for 336 - * zeroizing both blk_key and raw_key when done with them. 327 + * zeroizing both blk_key and key_bytes when done with them. 337 328 */ 338 - int blk_crypto_init_key(struct blk_crypto_key *blk_key, const u8 *raw_key, 329 + int blk_crypto_init_key(struct blk_crypto_key *blk_key, 330 + const u8 *key_bytes, size_t key_size, 331 + enum blk_crypto_key_type key_type, 339 332 enum blk_crypto_mode_num crypto_mode, 340 333 unsigned int dun_bytes, 341 334 unsigned int data_unit_size) ··· 351 338 return -EINVAL; 352 339 353 340 mode = &blk_crypto_modes[crypto_mode]; 354 - if (mode->keysize == 0) 341 + switch (key_type) { 342 + case BLK_CRYPTO_KEY_TYPE_RAW: 343 + if (key_size != mode->keysize) 344 + return -EINVAL; 345 + break; 346 + case BLK_CRYPTO_KEY_TYPE_HW_WRAPPED: 347 + if (key_size < mode->security_strength || 348 + key_size > BLK_CRYPTO_MAX_HW_WRAPPED_KEY_SIZE) 349 + return -EINVAL; 350 + break; 351 + default: 355 352 return -EINVAL; 353 + } 356 354 357 355 if (dun_bytes == 0 || dun_bytes > mode->ivsize) 358 356 return -EINVAL; ··· 374 350 blk_key->crypto_cfg.crypto_mode = crypto_mode; 375 351 blk_key->crypto_cfg.dun_bytes = dun_bytes; 376 352 blk_key->crypto_cfg.data_unit_size = data_unit_size; 353 + blk_key->crypto_cfg.key_type = key_type; 377 354 blk_key->data_unit_size_bits = ilog2(data_unit_size); 378 - blk_key->size = mode->keysize; 379 - memcpy(blk_key->raw, raw_key, mode->keysize); 355 + blk_key->size = key_size; 356 + memcpy(blk_key->bytes, key_bytes, key_size); 380 357 381 358 return 0; 382 359 } ··· 397 372 bool blk_crypto_config_supported(struct block_device *bdev, 398 373 const struct blk_crypto_config *cfg) 399 374 { 400 - return IS_ENABLED(CONFIG_BLK_INLINE_ENCRYPTION_FALLBACK) || 401 - blk_crypto_config_supported_natively(bdev, cfg); 375 + if (IS_ENABLED(CONFIG_BLK_INLINE_ENCRYPTION_FALLBACK) && 376 + cfg->key_type == BLK_CRYPTO_KEY_TYPE_RAW) 377 + return true; 378 + return blk_crypto_config_supported_natively(bdev, cfg); 402 379 } 403 380 404 381 /** ··· 414 387 * an skcipher, and *should not* be called from the data path, since that might 415 388 * cause a deadlock 416 389 * 417 - * Return: 0 on success; -ENOPKG if the hardware doesn't support the key and 418 - * blk-crypto-fallback is either disabled or the needed algorithm 419 - * is disabled in the crypto API; or another -errno code. 390 + * Return: 0 on success; -EOPNOTSUPP if the key is wrapped but the hardware does 391 + * not support wrapped keys; -ENOPKG if the key is a raw key but the 392 + * hardware does not support raw keys and blk-crypto-fallback is either 393 + * disabled or the needed algorithm is disabled in the crypto API; or 394 + * another -errno code if something else went wrong. 420 395 */ 421 396 int blk_crypto_start_using_key(struct block_device *bdev, 422 397 const struct blk_crypto_key *key) 423 398 { 424 399 if (blk_crypto_config_supported_natively(bdev, &key->crypto_cfg)) 425 400 return 0; 401 + if (key->crypto_cfg.key_type != BLK_CRYPTO_KEY_TYPE_RAW) { 402 + pr_warn_ratelimited("%pg: no support for wrapped keys\n", bdev); 403 + return -EOPNOTSUPP; 404 + } 426 405 return blk_crypto_fallback_start_using_mode(key->crypto_cfg.crypto_mode); 427 406 } 428 407

+1

drivers/md/dm-table.c

··· 1250 1250 profile->max_dun_bytes_supported = UINT_MAX; 1251 1251 memset(profile->modes_supported, 0xFF, 1252 1252 sizeof(profile->modes_supported)); 1253 + profile->key_types_supported = ~0; 1253 1254 1254 1255 for (i = 0; i < t->num_targets; i++) { 1255 1256 struct dm_target *ti = dm_table_get_target(t, i);

+5 -3

drivers/mmc/host/cqhci-crypto.c

··· 84 84 85 85 if (ccap_array[cap_idx].algorithm_id == CQHCI_CRYPTO_ALG_AES_XTS) { 86 86 /* In XTS mode, the blk_crypto_key's size is already doubled */ 87 - memcpy(cfg.crypto_key, key->raw, key->size/2); 87 + memcpy(cfg.crypto_key, key->bytes, key->size/2); 88 88 memcpy(cfg.crypto_key + CQHCI_CRYPTO_KEY_MAX_SIZE/2, 89 - key->raw + key->size/2, key->size/2); 89 + key->bytes + key->size/2, key->size/2); 90 90 } else { 91 - memcpy(cfg.crypto_key, key->raw, key->size); 91 + memcpy(cfg.crypto_key, key->bytes, key->size); 92 92 } 93 93 94 94 cqhci_crypto_program_key(cq_host, &cfg, slot); ··· 203 203 204 204 /* Unfortunately, CQHCI crypto only supports 32 DUN bits. */ 205 205 profile->max_dun_bytes_supported = 4; 206 + 207 + profile->key_types_supported = BLK_CRYPTO_KEY_TYPE_RAW; 206 208 207 209 /* 208 210 * Cache all the crypto capabilities and advertise the supported crypto

+2 -1

drivers/mmc/host/sdhci-msm.c

··· 1895 1895 1896 1896 profile->ll_ops = sdhci_msm_crypto_ops; 1897 1897 profile->max_dun_bytes_supported = 4; 1898 + profile->key_types_supported = BLK_CRYPTO_KEY_TYPE_RAW; 1898 1899 profile->dev = dev; 1899 1900 1900 1901 /* ··· 1969 1968 return qcom_ice_program_key(msm_host->ice, 1970 1969 QCOM_ICE_CRYPTO_ALG_AES_XTS, 1971 1970 QCOM_ICE_CRYPTO_KEY_SIZE_256, 1972 - key->raw, 1971 + key->bytes, 1973 1972 key->crypto_cfg.data_unit_size / 512, 1974 1973 slot); 1975 1974 }

+4 -3

drivers/ufs/core/ufshcd-crypto.c

··· 72 72 73 73 if (ccap_array[cap_idx].algorithm_id == UFS_CRYPTO_ALG_AES_XTS) { 74 74 /* In XTS mode, the blk_crypto_key's size is already doubled */ 75 - memcpy(cfg.crypto_key, key->raw, key->size/2); 75 + memcpy(cfg.crypto_key, key->bytes, key->size/2); 76 76 memcpy(cfg.crypto_key + UFS_CRYPTO_KEY_MAX_SIZE/2, 77 - key->raw + key->size/2, key->size/2); 77 + key->bytes + key->size/2, key->size/2); 78 78 } else { 79 - memcpy(cfg.crypto_key, key->raw, key->size); 79 + memcpy(cfg.crypto_key, key->bytes, key->size); 80 80 } 81 81 82 82 ufshcd_program_key(hba, &cfg, slot); ··· 185 185 hba->crypto_profile.ll_ops = ufshcd_crypto_ops; 186 186 /* UFS only supports 8 bytes for any DUN */ 187 187 hba->crypto_profile.max_dun_bytes_supported = 8; 188 + hba->crypto_profile.key_types_supported = BLK_CRYPTO_KEY_TYPE_RAW; 188 189 hba->crypto_profile.dev = hba->dev; 189 190 190 191 /*

+2 -1

drivers/ufs/host/ufs-exynos.c

··· 1320 1320 return; 1321 1321 } 1322 1322 profile->max_dun_bytes_supported = AES_BLOCK_SIZE; 1323 + profile->key_types_supported = BLK_CRYPTO_KEY_TYPE_RAW; 1323 1324 profile->dev = hba->dev; 1324 1325 profile->modes_supported[BLK_ENCRYPTION_MODE_AES_256_XTS] = 1325 1326 DATA_UNIT_SIZE; ··· 1367 1366 void *prdt, unsigned int num_segments) 1368 1367 { 1369 1368 struct fmp_sg_entry *fmp_prdt = prdt; 1370 - const u8 *enckey = crypt_ctx->bc_key->raw; 1369 + const u8 *enckey = crypt_ctx->bc_key->bytes; 1371 1370 const u8 *twkey = enckey + AES_KEYSIZE_256; 1372 1371 u64 dun_lo = crypt_ctx->bc_dun[0]; 1373 1372 u64 dun_hi = crypt_ctx->bc_dun[1];

+2 -1

drivers/ufs/host/ufs-qcom.c

··· 147 147 148 148 profile->ll_ops = ufs_qcom_crypto_ops; 149 149 profile->max_dun_bytes_supported = 8; 150 + profile->key_types_supported = BLK_CRYPTO_KEY_TYPE_RAW; 150 151 profile->dev = dev; 151 152 152 153 /* ··· 203 202 err = qcom_ice_program_key(host->ice, 204 203 QCOM_ICE_CRYPTO_ALG_AES_XTS, 205 204 QCOM_ICE_CRYPTO_KEY_SIZE_256, 206 - key->raw, 205 + key->bytes, 207 206 key->crypto_cfg.data_unit_size / 512, 208 207 slot); 209 208 ufshcd_release(hba);

+3 -1

fs/crypto/inline_crypt.c

··· 130 130 crypto_cfg.crypto_mode = ci->ci_mode->blk_crypto_mode; 131 131 crypto_cfg.data_unit_size = 1U << ci->ci_data_unit_bits; 132 132 crypto_cfg.dun_bytes = fscrypt_get_dun_bytes(ci); 133 + crypto_cfg.key_type = BLK_CRYPTO_KEY_TYPE_RAW; 133 134 134 135 devs = fscrypt_get_devices(sb, &num_devs); 135 136 if (IS_ERR(devs)) ··· 167 166 if (!blk_key) 168 167 return -ENOMEM; 169 168 170 - err = blk_crypto_init_key(blk_key, raw_key, crypto_mode, 169 + err = blk_crypto_init_key(blk_key, raw_key, ci->ci_mode->keysize, 170 + BLK_CRYPTO_KEY_TYPE_RAW, crypto_mode, 171 171 fscrypt_get_dun_bytes(ci), 172 172 1U << ci->ci_data_unit_bits); 173 173 if (err) {

+20

include/linux/blk-crypto-profile.h

··· 57 57 int (*keyslot_evict)(struct blk_crypto_profile *profile, 58 58 const struct blk_crypto_key *key, 59 59 unsigned int slot); 60 + 61 + /** 62 + * @derive_sw_secret: Derive the software secret from a hardware-wrapped 63 + * key in ephemerally-wrapped form. 64 + * 65 + * This only needs to be implemented if BLK_CRYPTO_KEY_TYPE_HW_WRAPPED 66 + * is supported. 67 + * 68 + * Must return 0 on success, -EBADMSG if the key is invalid, or another 69 + * -errno code on other errors. 70 + */ 71 + int (*derive_sw_secret)(struct blk_crypto_profile *profile, 72 + const u8 *eph_key, size_t eph_key_size, 73 + u8 sw_secret[BLK_CRYPTO_SW_SECRET_SIZE]); 60 74 }; 61 75 62 76 /** ··· 97 83 * supported DUNs is 0 through (1 << (8 * max_dun_bytes_supported)) - 1. 98 84 */ 99 85 unsigned int max_dun_bytes_supported; 86 + 87 + /** 88 + * @key_types_supported: A bitmask of the supported key types: 89 + * BLK_CRYPTO_KEY_TYPE_RAW and/or BLK_CRYPTO_KEY_TYPE_HW_WRAPPED. 90 + */ 91 + unsigned int key_types_supported; 100 92 101 93 /** 102 94 * @modes_supported: Array of bitmasks that specifies whether each

+65 -7

include/linux/blk-crypto.h

··· 6 6 #ifndef __LINUX_BLK_CRYPTO_H 7 7 #define __LINUX_BLK_CRYPTO_H 8 8 9 + #include <linux/minmax.h> 9 10 #include <linux/types.h> 10 11 11 12 enum blk_crypto_mode_num { ··· 18 17 BLK_ENCRYPTION_MODE_MAX, 19 18 }; 20 19 21 - #define BLK_CRYPTO_MAX_KEY_SIZE 64 20 + /* 21 + * Supported types of keys. Must be bitflags due to their use in 22 + * blk_crypto_profile::key_types_supported. 23 + */ 24 + enum blk_crypto_key_type { 25 + /* 26 + * Raw keys (i.e. "software keys"). These keys are simply kept in raw, 27 + * plaintext form in kernel memory. 28 + */ 29 + BLK_CRYPTO_KEY_TYPE_RAW = 0x1, 30 + 31 + /* 32 + * Hardware-wrapped keys. These keys are only present in kernel memory 33 + * in ephemerally-wrapped form, and they can only be unwrapped by 34 + * dedicated hardware. For details, see the "Hardware-wrapped keys" 35 + * section of Documentation/block/inline-encryption.rst. 36 + */ 37 + BLK_CRYPTO_KEY_TYPE_HW_WRAPPED = 0x2, 38 + }; 39 + 40 + /* 41 + * Currently the maximum raw key size is 64 bytes, as that is the key size of 42 + * BLK_ENCRYPTION_MODE_AES_256_XTS which takes the longest key. 43 + * 44 + * The maximum hardware-wrapped key size depends on the hardware's key wrapping 45 + * algorithm, which is a hardware implementation detail, so it isn't precisely 46 + * specified. But currently 128 bytes is plenty in practice. Implementations 47 + * are recommended to wrap a 32-byte key for the hardware KDF with AES-256-GCM, 48 + * which should result in a size closer to 64 bytes than 128. 49 + * 50 + * Both of these values can trivially be increased if ever needed. 51 + */ 52 + #define BLK_CRYPTO_MAX_RAW_KEY_SIZE 64 53 + #define BLK_CRYPTO_MAX_HW_WRAPPED_KEY_SIZE 128 54 + 55 + #define BLK_CRYPTO_MAX_ANY_KEY_SIZE \ 56 + MAX(BLK_CRYPTO_MAX_RAW_KEY_SIZE, BLK_CRYPTO_MAX_HW_WRAPPED_KEY_SIZE) 57 + 58 + /* 59 + * Size of the "software secret" which can be derived from a hardware-wrapped 60 + * key. This is currently always 32 bytes. Note, the choice of 32 bytes 61 + * assumes that the software secret is only used directly for algorithms that 62 + * don't require more than a 256-bit key to get the desired security strength. 63 + * If it were to be used e.g. directly as an AES-256-XTS key, then this would 64 + * need to be increased (which is possible if hardware supports it, but care 65 + * would need to be taken to avoid breaking users who need exactly 32 bytes). 66 + */ 67 + #define BLK_CRYPTO_SW_SECRET_SIZE 32 68 + 22 69 /** 23 70 * struct blk_crypto_config - an inline encryption key's crypto configuration 24 71 * @crypto_mode: encryption algorithm this key is for ··· 75 26 * ciphertext. This is always a power of 2. It might be e.g. the 76 27 * filesystem block size or the disk sector size. 77 28 * @dun_bytes: the maximum number of bytes of DUN used when using this key 29 + * @key_type: the type of this key -- either raw or hardware-wrapped 78 30 */ 79 31 struct blk_crypto_config { 80 32 enum blk_crypto_mode_num crypto_mode; 81 33 unsigned int data_unit_size; 82 34 unsigned int dun_bytes; 35 + enum blk_crypto_key_type key_type; 83 36 }; 84 37 85 38 /** 86 39 * struct blk_crypto_key - an inline encryption key 87 - * @crypto_cfg: the crypto configuration (like crypto_mode, key size) for this 88 - * key 40 + * @crypto_cfg: the crypto mode, data unit size, key type, and other 41 + * characteristics of this key and how it will be used 89 42 * @data_unit_size_bits: log2 of data_unit_size 90 - * @size: size of this key in bytes (determined by @crypto_cfg.crypto_mode) 91 - * @raw: the raw bytes of this key. Only the first @size bytes are used. 43 + * @size: size of this key in bytes. The size of a raw key is fixed for a given 44 + * crypto mode, but the size of a hardware-wrapped key can vary. 45 + * @bytes: the bytes of this key. Only the first @size bytes are significant. 92 46 * 93 47 * A blk_crypto_key is immutable once created, and many bios can reference it at 94 48 * the same time. It must not be freed until all bios using it have completed ··· 101 49 struct blk_crypto_config crypto_cfg; 102 50 unsigned int data_unit_size_bits; 103 51 unsigned int size; 104 - u8 raw[BLK_CRYPTO_MAX_KEY_SIZE]; 52 + u8 bytes[BLK_CRYPTO_MAX_ANY_KEY_SIZE]; 105 53 }; 106 54 107 55 #define BLK_CRYPTO_MAX_IV_SIZE 32 ··· 139 87 unsigned int bytes, 140 88 const u64 next_dun[BLK_CRYPTO_DUN_ARRAY_SIZE]); 141 89 142 - int blk_crypto_init_key(struct blk_crypto_key *blk_key, const u8 *raw_key, 90 + int blk_crypto_init_key(struct blk_crypto_key *blk_key, 91 + const u8 *key_bytes, size_t key_size, 92 + enum blk_crypto_key_type key_type, 143 93 enum blk_crypto_mode_num crypto_mode, 144 94 unsigned int dun_bytes, 145 95 unsigned int data_unit_size); ··· 156 102 const struct blk_crypto_config *cfg); 157 103 bool blk_crypto_config_supported(struct block_device *bdev, 158 104 const struct blk_crypto_config *cfg); 105 + 106 + int blk_crypto_derive_sw_secret(struct block_device *bdev, 107 + const u8 *eph_key, size_t eph_key_size, 108 + u8 sw_secret[BLK_CRYPTO_SW_SECRET_SIZE]); 159 109 160 110 #else /* CONFIG_BLK_INLINE_ENCRYPTION */ 161 111