3a354e1fa88d77223ab7368fc37c49c53d2cd5d0
[openwrt/openwrt.git] /
1 From a8b1717089d6d215a48bb2816dff4a02376f3d16 Mon Sep 17 00:00:00 2001
2 From: Udit Agarwal <udit.agarwal@nxp.com>
3 Date: Wed, 4 Jul 2018 11:24:49 +0530
4 Subject: [PATCH] encrypted_keys: Adds support for secure key-type as master
5 key.
6
7 Encrypted keys can use secure key-type as master key along with
8 trusted/user keys.
9
10 Secure key as master key uses, secure key type payload derieved
11 using CAAM hardware.
12
13 Signed-off-by: Udit Agarwal <udit.agarwal@nxp.com>
14 Reviewed-by: Sahil Malhotra <sahil.malhotra@nxp.com>
15 ---
16 MAINTAINERS | 1 +
17 security/keys/encrypted-keys/Makefile | 2 ++
18 security/keys/encrypted-keys/encrypted.c | 13 +++++++--
19 security/keys/encrypted-keys/encrypted.h | 13 +++++++++
20 security/keys/encrypted-keys/masterkey_secure.c | 37 +++++++++++++++++++++++++
21 5 files changed, 64 insertions(+), 2 deletions(-)
22 create mode 100644 security/keys/encrypted-keys/masterkey_secure.c
23
24 --- a/MAINTAINERS
25 +++ b/MAINTAINERS
26 @@ -9085,6 +9085,7 @@ F: include/keys/secure-type.h
27 F: security/keys/secure_key.c
28 F: security/keys/securekey_desc.c
29 F: security/keys/securekey_desc.h
30 +F: security/keys/encrypted-keys/masterkey_secure.c
31
32 KEYS/KEYRINGS:
33 M: David Howells <dhowells@redhat.com>
34 --- a/security/keys/encrypted-keys/Makefile
35 +++ b/security/keys/encrypted-keys/Makefile
36 @@ -7,5 +7,7 @@ obj-$(CONFIG_ENCRYPTED_KEYS) += encrypte
37
38 encrypted-keys-y := encrypted.o ecryptfs_format.o
39 masterkey-$(CONFIG_TRUSTED_KEYS) := masterkey_trusted.o
40 +masterkey-$(CONFIG_SECURE_KEYS) := masterkey_secure.o
41 masterkey-$(CONFIG_TRUSTED_KEYS)-$(CONFIG_ENCRYPTED_KEYS) := masterkey_trusted.o
42 +masterkey-$(CONFIG_SECURE_KEYS)-$(CONFIG_ENCRYPTED_KEYS) := masterkey_secure.o
43 encrypted-keys-y += $(masterkey-y) $(masterkey-m-m)
44 --- a/security/keys/encrypted-keys/encrypted.c
45 +++ b/security/keys/encrypted-keys/encrypted.c
46 @@ -36,6 +36,7 @@
47 #include "ecryptfs_format.h"
48
49 static const char KEY_TRUSTED_PREFIX[] = "trusted:";
50 +static const char KEY_SECURE_PREFIX[] = "secure:";
51 static const char KEY_USER_PREFIX[] = "user:";
52 static const char hash_alg[] = "sha256";
53 static const char hmac_alg[] = "hmac(sha256)";
54 @@ -47,6 +48,7 @@ static unsigned int ivsize;
55 static int blksize;
56
57 #define KEY_TRUSTED_PREFIX_LEN (sizeof (KEY_TRUSTED_PREFIX) - 1)
58 +#define KEY_SECURE_PREFIX_LEN (sizeof(KEY_SECURE_PREFIX) - 1)
59 #define KEY_USER_PREFIX_LEN (sizeof (KEY_USER_PREFIX) - 1)
60 #define KEY_ECRYPTFS_DESC_LEN 16
61 #define HASH_SIZE SHA256_DIGEST_SIZE
62 @@ -125,7 +127,7 @@ static int valid_ecryptfs_desc(const cha
63 /*
64 * valid_master_desc - verify the 'key-type:desc' of a new/updated master-key
65 *
66 - * key-type:= "trusted:" | "user:"
67 + * key-type:= "trusted:" | "user:" | "secure:"
68 * desc:= master-key description
69 *
70 * Verify that 'key-type' is valid and that 'desc' exists. On key update,
71 @@ -140,6 +142,8 @@ static int valid_master_desc(const char
72
73 if (!strncmp(new_desc, KEY_TRUSTED_PREFIX, KEY_TRUSTED_PREFIX_LEN))
74 prefix_len = KEY_TRUSTED_PREFIX_LEN;
75 + else if (!strncmp(new_desc, KEY_SECURE_PREFIX, KEY_SECURE_PREFIX_LEN))
76 + prefix_len = KEY_SECURE_PREFIX_LEN;
77 else if (!strncmp(new_desc, KEY_USER_PREFIX, KEY_USER_PREFIX_LEN))
78 prefix_len = KEY_USER_PREFIX_LEN;
79 else
80 @@ -358,7 +362,7 @@ static int calc_hmac(u8 *digest, const u
81
82 enum derived_key_type { ENC_KEY, AUTH_KEY };
83
84 -/* Derive authentication/encryption key from trusted key */
85 +/* Derive authentication/encryption key from trusted/secure key */
86 static int get_derived_key(u8 *derived_key, enum derived_key_type key_type,
87 const u8 *master_key, size_t master_keylen)
88 {
89 @@ -429,6 +433,11 @@ static struct key *request_master_key(st
90 mkey = request_trusted_key(epayload->master_desc +
91 KEY_TRUSTED_PREFIX_LEN,
92 master_key, master_keylen);
93 + } else if (!strncmp(epayload->master_desc, KEY_SECURE_PREFIX,
94 + KEY_SECURE_PREFIX_LEN)) {
95 + mkey = request_secure_key(epayload->master_desc +
96 + KEY_SECURE_PREFIX_LEN,
97 + master_key, master_keylen);
98 } else if (!strncmp(epayload->master_desc, KEY_USER_PREFIX,
99 KEY_USER_PREFIX_LEN)) {
100 mkey = request_user_key(epayload->master_desc +
101 --- a/security/keys/encrypted-keys/encrypted.h
102 +++ b/security/keys/encrypted-keys/encrypted.h
103 @@ -16,6 +16,19 @@ static inline struct key *request_truste
104 }
105 #endif
106
107 +#if defined(CONFIG_SECURE_KEYS)
108 +extern struct key *request_secure_key(const char *secure_desc,
109 + const u8 **master_key,
110 + size_t *master_keylen);
111 +#else
112 +static inline struct key *request_secure_key(const char *secure_desc,
113 + const u8 **master_key,
114 + size_t *master_keylen)
115 +{
116 + return ERR_PTR(-EOPNOTSUPP);
117 +}
118 +#endif
119 +
120 #if ENCRYPTED_DEBUG
121 static inline void dump_master_key(const u8 *master_key, size_t master_keylen)
122 {
123 --- /dev/null
124 +++ b/security/keys/encrypted-keys/masterkey_secure.c
125 @@ -0,0 +1,37 @@
126 +// SPDX-License-Identifier: GPL-2.0
127 +/*
128 + * Copyright (C) 2018 NXP.
129 + *
130 + */
131 +
132 +#include <linux/uaccess.h>
133 +#include <linux/module.h>
134 +#include <linux/err.h>
135 +#include <keys/secure-type.h>
136 +#include <keys/encrypted-type.h>
137 +#include "encrypted.h"
138 +
139 +/*
140 + * request_secure_key - request the secure key
141 + *
142 + * Secure keys and their blobs are derived from CAAM hardware.
143 + * Userspace manages secure key-type data, but key data is not
144 + * visible in plain form. It is presented as blobs.
145 + */
146 +struct key *request_secure_key(const char *secure_desc,
147 + const u8 **master_key, size_t *master_keylen)
148 +{
149 + struct secure_key_payload *spayload;
150 + struct key *skey;
151 +
152 + skey = request_key(&key_type_secure, secure_desc, NULL);
153 + if (IS_ERR(skey))
154 + goto error;
155 +
156 + down_read(&skey->sem);
157 + spayload = skey->payload.data[0];
158 + *master_key = spayload->key;
159 + *master_keylen = spayload->key_len;
160 +error:
161 + return skey;
162 +}