On Tue, Oct 24, 2023 at 06:20:15PM +0200, David Gstir wrote: > DCP is capable of performing AES with two hardware-bound keys: > > - The one-time programmable (OTP) key which is burnt via on-chip fuses > - The unique key (UK) which is derived from the OTP key > > In addition to the two hardware-bound keys, DCP also supports > storing keys in 4 dedicated key slots within its secure memory area > (internal SRAM). > > These keys are not stored in main memory and are therefore > not directly accessible by the operating system. To use them > for AES operations, a one-byte key reference has to supplied > with the DCP operation descriptor in the control register. > > This adds support for using any of these 6 keys through the crypto API > via their key reference after they have been set up. The main purpose > is to add support for DCP-backed trusted keys. Other use cases are > possible too (see similar existing paes implementations), but these > should carefully be evaluated as e.g. enabling AF_ALG will give > userspace full access to use keys. In scenarios with untrustworthy > userspace, this will enable en-/decryption oracles. > > Co-developed-by: Richard Weinberger <[email protected]> > Signed-off-by: Richard Weinberger <[email protected]> > Co-developed-by: David Oberhollenzer <[email protected]> > Signed-off-by: David Oberhollenzer <[email protected]> > Signed-off-by: David Gstir <[email protected]> > --- > drivers/crypto/mxs-dcp.c | 104 ++++++++++++++++++++++++++++++++++----- > include/soc/fsl/dcp.h | 17 +++++++ > 2 files changed, 110 insertions(+), 11 deletions(-) > create mode 100644 include/soc/fsl/dcp.h
Acked-by: Herbert Xu <[email protected]> -- Email: Herbert Xu <[email protected]> Home Page: http://gondor.apana.org.au/~herbert/ PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
