On 5/16/26 1:50 PM, Linlin Zhang wrote:
Add support for hardware-wrapped encryption keys to the
dm-inlinecrypt target.

Introduce a new parameter <is_wrappedkey> to indicate whether
the provided key is a raw key or a hardware-wrapped key. Based
on this flag, the appropriate blk-crypto key type is selected
when initializing the key.

This allows dm-inlinecrypt to work with hardware that requires
keys to be wrapped and managed by the underlying inline
encryption engine.

Update the target argument parsing accordingly and pass the
key type to blk_crypto_init_key(). Documentation is also
updated to reflect the new parameter and usage.

Signed-off-by: Linlin Zhang <[email protected]>
---
  .../device-mapper/dm-inlinecrypt.rst          | 10 ++-
  drivers/md/dm-inlinecrypt.c                   | 71 +++++++++++--------
  2 files changed, 50 insertions(+), 31 deletions(-)

diff --git a/Documentation/admin-guide/device-mapper/dm-inlinecrypt.rst 
b/Documentation/admin-guide/device-mapper/dm-inlinecrypt.rst
index c71e600efb76..3a4ce2c5f228 100644
--- a/Documentation/admin-guide/device-mapper/dm-inlinecrypt.rst
+++ b/Documentation/admin-guide/device-mapper/dm-inlinecrypt.rst
@@ -10,7 +10,7 @@ https://docs.kernel.org/block/inline-encryption.html
Parameters:: - <cipher> <key> <iv_offset> <device path> \
+             <cipher> <key> <is_wrappedkey> <iv_offset> <device path> \
              <offset> [<#opt_params> <opt_params>]
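
Review bot: <is_wrappedkey> is inserted between <key> and <iv_offset> as a mandatory positional field, so every later field shifts by one and a table line written in the previous five-field form would have its <iv_offset> value read in the <is_wrappedkey> position. The unchanged context line already provides [<#opt_params> <opt_params>]; carrying the key type there, with raw as the default, would leave the existing positional layout intact. Whichever form is used, the parameter description should state the values the field accepts.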

Please use an optional parameter.
Adding a mandatory field will introduce unnecessary incompatibility with dm-crypt
mappings.
(The idea was that you can simply switch "crypt" to "inlinecrypt" for raw keys.)

I would probably just add a "hw-wrapped" or "keytype=raw|hw-wrapped" optional
argument
(with raw as default, so no need to specify it).

IOW the mapping will look like this (1 is the number of optional parameters):

   <cipher> <key> <iv_offset> <device path> <offset> 1 hw-wrapped
or
   <cipher> <key> <iv_offset> <device path> <offset> 1 keytype=hw-wrapped

The second option will make it much easier to add a new key type.

Please check how other targets implement it; some dm-crypt examples:
https://gitlab.com/cryptsetup/cryptsetup/-/wikis/DMCrypt

Thanks,
Milan
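
A userspace sketch of the "keytype=raw|hw-wrapped" table layout suggested in the reply above, added here as an example; it is not part of the message, the patch, or the kernel's dm-inlinecrypt code. The function and enum names are hypothetical, and it checks only field count and the optional group, not the cipher, key or device values.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical names for this sketch; not the kernel's identifiers. */
enum key_type { KEY_RAW, KEY_HW_WRAPPED };

#define MANDATORY 5  /* <cipher> <key> <iv_offset> <device path> <offset> */

/*
 * argv holds the already-split table fields, as a dm target constructor
 * receives them. Returns 0 and sets *kt on success, -1 on a malformed table.
 */
int parse_table(int argc, char **argv, enum key_type *kt)
{
    char *end;
    long n;
    int i, seen = 0;

    if (argc < MANDATORY)
        return -1;
    *kt = KEY_RAW;                 /* default: five-field lines stay valid */
    if (argc == MANDATORY)
        return 0;

    /* <#opt_params> must be a number equal to the fields that follow it. */
    n = strtol(argv[MANDATORY], &end, 10);
    if (end == argv[MANDATORY] || *end != '\0' || n != argc - MANDATORY - 1)
        return -1;

    for (i = MANDATORY + 1; i < argc; i++) {
        const char *v = argv[i];

        if (strncmp(v, "keytype=", 8) != 0 || seen++)
            return -1;             /* unknown or repeated option */
        v += 8;
        if (strcmp(v, "raw") == 0)
            *kt = KEY_RAW;
        else if (strcmp(v, "hw-wrapped") == 0)
            *kt = KEY_HW_WRAPPED;
        else
            return -1;             /* unknown key type: fail closed */
    }
    return 0;
}
```

Unknown options, unknown key types and a repeated keytype= are rejected rather than ignored, so a wrapped key can never be set up as a raw one through a typo in the table.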

