[PATCH v2 1/3] crypto: mxs-dcp: Add support for hardware provided keys

2023-09-12 Thread David Gstir
-by: David Oberhollenzer Signed-off-by: David Gstir --- drivers/crypto/mxs-dcp.c | 107 +++ include/soc/fsl/dcp.h| 19 +++ 2 files changed, 115 insertions(+), 11 deletions(-) create mode 100644 include/soc/fsl/dcp.h diff --git a/drivers/crypto/mxs-dcp.c b

[PATCH v2 0/3] DCP as trusted keys backend

2023-09-12 Thread David Gstir
key. A new `blob_key` and `nonce` are generated randomly, when sealing/exporting the DCP blob. This patchset was tested with dm-crypt on an i.MX6ULL board. [0] https://lore.kernel.org/keyrings/20220513145705.2080323-1-a.fat...@pengutronix.de/ David Gstir (3): crypto: mxs-dcp: Add support for hardw

[PATCH v2 2/3] KEYS: trusted: Introduce support for NXP DCP-based trusted keys

2023-09-12 Thread David Gstir
ure they can burn their own unique key into the OTP fuse and set the use_otp_key module parameter. Co-developed-by: Richard Weinberger Signed-off-by: Richard Weinberger Co-developed-by: David Oberhollenzer Signed-off-by: David Oberhollenzer Signed-off-by: David Gstir --- .../admin-guide/ker

[PATCH v2 3/3] doc: trusted-encrypted: add DCP as new trust source

2023-09-12 Thread David Gstir
Signed-off-by: David Oberhollenzer Signed-off-by: David Gstir --- .../security/keys/trusted-encrypted.rst | 85 +++ 1 file changed, 85 insertions(+) diff --git a/Documentation/security/keys/trusted-encrypted.rst b/Documentation/security/keys/trusted-encrypted.rst index

Re: [PATCH v2 1/3] crypto: mxs-dcp: Add support for hardware provided keys

2023-09-13 Thread David Gstir
Hi Jarkko, thanks for the review! > On 12.09.2023, at 19:32, Jarkko Sakkinen wrote: > > On Tue Sep 12, 2023 at 2:11 PM EEST, David Gstir wrote: [...] >> - /* Payload contains the key. */ >> - desc->control0 |= MXS_DCP_CONTROL0_PAYLOAD_KEY; >> + if (key_referen

[PATCH v3 3/3] doc: trusted-encrypted: add DCP as new trust source

2023-09-18 Thread David Gstir
Signed-off-by: David Oberhollenzer Signed-off-by: David Gstir --- .../security/keys/trusted-encrypted.rst | 85 +++ 1 file changed, 85 insertions(+) diff --git a/Documentation/security/keys/trusted-encrypted.rst b/Documentation/security/keys/trusted-encrypted.rst index

[PATCH v3 1/3] crypto: mxs-dcp: Add support for hardware provided keys

2023-09-18 Thread David Gstir
-by: David Oberhollenzer Signed-off-by: David Gstir --- drivers/crypto/mxs-dcp.c | 104 ++- include/soc/fsl/dcp.h| 17 +++ 2 files changed, 110 insertions(+), 11 deletions(-) create mode 100644 include/soc/fsl/dcp.h diff --git a/drivers/crypto/mxs-dcp.c b

[PATCH v3 0/3] DCP as trusted keys backend

2023-09-18 Thread David Gstir
d. [0] https://lore.kernel.org/keyrings/20220513145705.2080323-1-a.fat...@pengutronix.de/ David Gstir (3): crypto: mxs-dcp: Add support for hardware provided keys KEYS: trusted: Introduce support for NXP DCP-based trusted keys doc: trusted-encrypted: add DCP as new trust source .../admin

[PATCH v3 2/3] KEYS: trusted: Introduce support for NXP DCP-based trusted keys

2023-09-18 Thread David Gstir
ure they can burn their own unique key into the OTP fuse and set the use_otp_key module parameter. Co-developed-by: Richard Weinberger Signed-off-by: Richard Weinberger Co-developed-by: David Oberhollenzer Signed-off-by: David Oberhollenzer Signed-off-by: David Gstir --- .../admin-guide/ker

Re: [PATCH v3 1/3] crypto: mxs-dcp: Add support for hardware provided keys

2023-09-27 Thread David Gstir
Jarkko, > On 25.09.2023, at 17:22, Jarkko Sakkinen wrote: > > On Mon Sep 18, 2023 at 5:18 PM EEST, David Gstir wrote: >> DCP is capable of performing AES with hardware-bound keys. >> These keys are not stored in main memory and are therefore not directly >> accessi

Re: [PATCH v3 2/3] KEYS: trusted: Introduce support for NXP DCP-based trusted keys

2023-09-27 Thread David Gstir
Jarkko, > On 25.09.2023, at 17:34, Jarkko Sakkinen wrote: > > On Mon Sep 18, 2023 at 5:18 PM EEST, David Gstir wrote: >> DCP (Data Co-Processor) is the little brother of NXP's CAAM IP. >> >> Besides accelerated crypto operations, it also offers support for

[PATCH v4 0/5] DCP as trusted keys backend

2023-10-24 Thread David Gstir
UE device key. A new `blob_key` and `nonce` are generated randomly, when sealing/exporting the DCP blob. This patchset was tested with dm-crypt on an i.MX6ULL board. [0] https://lore.kernel.org/keyrings/20220513145705.2080323-1-a.fat...@pengutronix.de/ David Gstir (5): crypto: mxs-dcp: Ad

[PATCH v4 1/5] crypto: mxs-dcp: Add support for hardware-bound keys

2023-10-24 Thread David Gstir
-by: David Gstir --- drivers/crypto/mxs-dcp.c | 104 ++- include/soc/fsl/dcp.h| 17 +++ 2 files changed, 110 insertions(+), 11 deletions(-) create mode 100644 include/soc/fsl/dcp.h diff --git a/drivers/crypto/mxs-dcp.c b/drivers/crypto/mxs-dcp.c index

[PATCH v4 2/5] KEYS: trusted: Introduce NXP DCP-backed trusted keys

2023-10-24 Thread David Gstir
Oberhollenzer Signed-off-by: David Oberhollenzer Signed-off-by: David Gstir --- include/keys/trusted_dcp.h| 11 + security/keys/trusted-keys/Kconfig| 9 +- security/keys/trusted-keys/Makefile | 2 + security/keys/trusted-keys/trusted_core.c | 6 +- security/keys

[PATCH v4 3/5] MAINTAINERS: add entry for DCP-based trusted keys

2023-10-24 Thread David Gstir
This covers trusted keys backed by NXP's DCP (Data Co-Processor) chip found in smaller i.MX SoCs. Signed-off-by: David Gstir --- MAINTAINERS | 9 + 1 file changed, 9 insertions(+) diff --git a/MAINTAINERS b/MAINTAINERS index 90f13281d297..988d01226131 100644 --- a/MAINTAINERS +++ b

[PATCH v4 4/5] docs: document DCP-backed trusted keys kernel params

2023-10-24 Thread David Gstir
Document the kernel parameters trusted.dcp_use_otp_key and trusted.dcp_skip_zk_test for DCP-backed trusted keys. Co-developed-by: Richard Weinberger Signed-off-by: Richard Weinberger Co-developed-by: David Oberhollenzer Signed-off-by: David Oberhollenzer Signed-off-by: David Gstir

[PATCH v4 5/5] docs: trusted-encrypted: add DCP as new trust source

2023-10-24 Thread David Gstir
Signed-off-by: David Oberhollenzer Signed-off-by: David Gstir --- .../security/keys/trusted-encrypted.rst | 85 +++ 1 file changed, 85 insertions(+) diff --git a/Documentation/security/keys/trusted-encrypted.rst b/Documentation/security/keys/trusted-encrypted.rst index

Re: [PATCH v5 0/6] DCP as trusted keys backend

2024-02-05 Thread David Gstir
Hi, > On 15.12.2023, at 12:06, David Gstir wrote: > > This is a revival of the previous patch set submitted by Richard Weinberger: > https://lore.kernel.org/linux-integrity/20210614201620.30451-1-rich...@nod.at/ > > v4 is here: > https://lore.kernel.org/keyrings/2023

[PATCH v5 0/6] DCP as trusted keys backend

2023-12-15 Thread David Gstir
MX6ULL board. [0] https://lore.kernel.org/keyrings/20220513145705.2080323-1-a.fat...@pengutronix.de/ David Gstir (6): crypto: mxs-dcp: Add support for hardware-bound keys KEYS: trusted: improve scalability of trust source config KEYS: trusted: Introduce NXP DCP-backed trusted keys MAINTAINER

[PATCH v5 4/6] MAINTAINERS: add entry for DCP-based trusted keys

2023-12-15 Thread David Gstir
This covers trusted keys backed by NXP's DCP (Data Co-Processor) chip found in smaller i.MX SoCs. Signed-off-by: David Gstir --- MAINTAINERS | 9 + 1 file changed, 9 insertions(+) diff --git a/MAINTAINERS b/MAINTAINERS index 90f13281d297..988d01226131 100644 --- a/MAINTAINERS +++ b

[PATCH v5 3/6] KEYS: trusted: Introduce NXP DCP-backed trusted keys

2023-12-15 Thread David Gstir
Oberhollenzer Signed-off-by: David Oberhollenzer Signed-off-by: David Gstir --- include/keys/trusted_dcp.h| 11 + security/keys/trusted-keys/Kconfig| 8 + security/keys/trusted-keys/Makefile | 2 + security/keys/trusted-keys/trusted_core.c | 6 +- security/keys/trusted

[PATCH v5 1/6] crypto: mxs-dcp: Add support for hardware-bound keys

2023-12-15 Thread David Gstir
-by: David Gstir Acked-by: Herbert Xu --- drivers/crypto/mxs-dcp.c | 104 ++- include/soc/fsl/dcp.h| 17 +++ 2 files changed, 110 insertions(+), 11 deletions(-) create mode 100644 include/soc/fsl/dcp.h diff --git a/drivers/crypto/mxs-dcp.c b/drivers

[PATCH v5 2/6] KEYS: trusted: improve scalability of trust source config

2023-12-15 Thread David Gstir
Checking if at least one valid trust source is selected does not scale and becomes hard to read. This improves this in preparation for the DCP trust source. Signed-off-by: David Gstir --- security/keys/trusted-keys/Kconfig | 10 -- 1 file changed, 8 insertions(+), 2 deletions(-) diff

[PATCH v5 6/6] docs: trusted-encrypted: add DCP as new trust source

2023-12-15 Thread David Gstir
Signed-off-by: David Oberhollenzer Signed-off-by: David Gstir --- .../security/keys/trusted-encrypted.rst | 85 +++ 1 file changed, 85 insertions(+) diff --git a/Documentation/security/keys/trusted-encrypted.rst b/Documentation/security/keys/trusted-encrypted.rst index

[PATCH v5 5/6] docs: document DCP-backed trusted keys kernel params

2023-12-15 Thread David Gstir
Document the kernel parameters trusted.dcp_use_otp_key and trusted.dcp_skip_zk_test for DCP-backed trusted keys. Co-developed-by: Richard Weinberger Signed-off-by: Richard Weinberger Co-developed-by: David Oberhollenzer Signed-off-by: David Oberhollenzer Signed-off-by: David Gstir

Re: [EXT] [PATCH v8 6/6] docs: trusted-encrypted: add DCP as new trust source

2024-04-30 Thread David Gstir
Hi Jarkko, > On 30.04.2024, at 13:48, Kshitiz Varshney wrote: > > Hi David, > >> -Original Message----- >> From: David Gstir >> Sent: Monday, April 29, 2024 5:05 PM >> To: Kshitiz Varshney >> >> Did you get around to

Re: [EXT] [PATCH v8 6/6] docs: trusted-encrypted: add DCP as new trust source

2024-04-29 Thread David Gstir
Hi Kshitiz, > On 09.04.2024, at 11:48, Kshitiz Varshney wrote: > > Hi Jarkko, > > >> -Original Message- >> From: Jarkko Sakkinen >> Sent: Wednesday, April 3, 2024 9:18 PM >> To: David Gstir ; Mimi Zohar ; >> James Bottomley ; Herb

Re: [PATCH v6 3/6] KEYS: trusted: Introduce NXP DCP-backed trusted keys

2024-03-07 Thread David Gstir
Hi Jarkko, > On 07.03.2024, at 20:30, Jarkko Sakkinen wrote: [...] >> + >> +static int trusted_dcp_init(void) >> +{ >> + int ret; >> + >> + if (use_otp_key) >> + pr_info("Using DCP OTP key\n"); >> + >> + ret = test_for_zero_key(); >> + if (ret) { >> + pr_err("Test for zero'ed keys failed:
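Review bot: in trusted_dcp_init(), the `if (use_otp_key)` branch logs "Using DCP OTP key" but there is no corresponding message when use_otp_key is unset, so the kernel log does not positively state which hardware key is in use in that case. Consider logging the selected key in both cases, so that a misconfigured trusted.dcp_use_otp_key parameter is visible at init time rather than only when a blob fails to unseal.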

[PATCH v6 3/6] KEYS: trusted: Introduce NXP DCP-backed trusted keys

2024-03-07 Thread David Gstir
Oberhollenzer Signed-off-by: David Oberhollenzer Signed-off-by: David Gstir --- include/keys/trusted_dcp.h| 11 + security/keys/trusted-keys/Kconfig| 8 + security/keys/trusted-keys/Makefile | 2 + security/keys/trusted-keys/trusted_core.c | 6 +- security/keys/trusted

[PATCH v6 5/6] docs: document DCP-backed trusted keys kernel params

2024-03-07 Thread David Gstir
Document the kernel parameters trusted.dcp_use_otp_key and trusted.dcp_skip_zk_test for DCP-backed trusted keys. Co-developed-by: Richard Weinberger Signed-off-by: Richard Weinberger Co-developed-by: David Oberhollenzer Signed-off-by: David Oberhollenzer Signed-off-by: David Gstir

[PATCH v6 4/6] MAINTAINERS: add entry for DCP-based trusted keys

2024-03-07 Thread David Gstir
This covers trusted keys backed by NXP's DCP (Data Co-Processor) chip found in smaller i.MX SoCs. Signed-off-by: David Gstir Acked-by: Jarkko Sakkinen --- MAINTAINERS | 9 + 1 file changed, 9 insertions(+) diff --git a/MAINTAINERS b/MAINTAINERS index 976a5cea1577..ca7f42ca9338 100644

Re: [PATCH v5 4/6] MAINTAINERS: add entry for DCP-based trusted keys

2024-03-07 Thread David Gstir
Jarkko, > On 04.03.2024, at 23:48, Jarkko Sakkinen wrote: > > On Fri Dec 15, 2023 at 1:06 PM EET, David Gstir wrote: >> This covers trusted keys backed by NXP's DCP (Data Co-Processor) chip >> found in smaller i.MX SoCs. >> >> Signed-off-by: David

[PATCH v5 0/6] DCP as trusted keys backend

2024-03-07 Thread David Gstir
2080323-1-a.fat...@pengutronix.de/ David Gstir (6): crypto: mxs-dcp: Add support for hardware-bound keys KEYS: trusted: improve scalability of trust source config KEYS: trusted: Introduce NXP DCP-backed trusted keys MAINTAINERS: add entry for DCP-based trusted keys docs: document DCP-backed trus

[PATCH v6 1/6] crypto: mxs-dcp: Add support for hardware-bound keys

2024-03-07 Thread David Gstir
will give userspace full access to use keys. In scenarios with untrustworthy userspace, this will enable en-/decryption oracles. Co-developed-by: Richard Weinberger Signed-off-by: Richard Weinberger Co-developed-by: David Oberhollenzer Signed-off-by: David Oberhollenzer Signed-off-by: David Gstir

[PATCH v6 2/6] KEYS: trusted: improve scalability of trust source config

2024-03-07 Thread David Gstir
HAVE_TRUSTED_KEYS which is set to true by each trust source once it's enabled and adapt the check for having at least one active trust source to use this option. Whenever a new trust source is added, it now needs to select HAVE_TRUSTED_KEYS. Signed-off-by: David Gstir --- security/keys/trusted-keys/Kconfig

[PATCH v6 6/6] docs: trusted-encrypted: add DCP as new trust source

2024-03-07 Thread David Gstir
Signed-off-by: David Oberhollenzer Signed-off-by: David Gstir --- .../security/keys/trusted-encrypted.rst | 85 +++ 1 file changed, 85 insertions(+) diff --git a/Documentation/security/keys/trusted-encrypted.rst b/Documentation/security/keys/trusted-encrypted.rst index

Re: [PATCH v7 6/6] docs: trusted-encrypted: add DCP as new trust source

2024-03-28 Thread David Gstir
Jarkko, > On 27.03.2024, at 16:40, Jarkko Sakkinen wrote: > > On Wed Mar 27, 2024 at 10:24 AM EET, David Gstir wrote: >> Update the documentation for trusted and encrypted KEYS with DCP as new >> trust source: >> >> - Describe security properties of DCP tru

[PATCH v8 3/6] KEYS: trusted: Introduce NXP DCP-backed trusted keys

2024-04-03 Thread David Gstir
Oberhollenzer Signed-off-by: David Oberhollenzer Signed-off-by: David Gstir Reviewed-by: Jarkko Sakkinen --- include/keys/trusted_dcp.h| 11 + security/keys/trusted-keys/Kconfig| 8 + security/keys/trusted-keys/Makefile | 2 + security/keys/trusted-keys/trusted_core.c

[PATCH v8 2/6] KEYS: trusted: improve scalability of trust source config

2024-04-03 Thread David Gstir
-by: David Gstir Tested-by: Jarkko Sakkinen # for TRUSTED_KEYS_TPM Reviewed-by: Jarkko Sakkinen --- security/keys/trusted-keys/Kconfig | 10 -- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/security/keys/trusted-keys/Kconfig b/security/keys/trusted-keys/Kconfig index

[PATCH v8 0/6] DCP as trusted keys backend

2024-04-03 Thread David Gstir
QUE device key. A new `blob_key` and `nonce` are generated randomly, when sealing/exporting the DCP blob. This patchset was tested with dm-crypt on an i.MX6ULL board. [0] https://lore.kernel.org/keyrings/20220513145705.2080323-1-a.fat...@pengutronix.de/ David Gstir (6): crypto: mxs-dcp: Add support fo

[PATCH v8 1/6] crypto: mxs-dcp: Add support for hardware-bound keys

2024-04-03 Thread David Gstir
will give userspace full access to use keys. In scenarios with untrustworthy userspace, this will enable en-/decryption oracles. Co-developed-by: Richard Weinberger Signed-off-by: Richard Weinberger Co-developed-by: David Oberhollenzer Signed-off-by: David Oberhollenzer Signed-off-by: David Gstir

[PATCH v8 6/6] docs: trusted-encrypted: add DCP as new trust source

2024-04-03 Thread David Gstir
Signed-off-by: David Oberhollenzer Signed-off-by: David Gstir --- .../security/keys/trusted-encrypted.rst | 53 +++ security/keys/trusted-keys/trusted_dcp.c | 19 +++ 2 files changed, 72 insertions(+) diff --git a/Documentation/security/keys/trusted-encrypted.rst b

[PATCH v8 5/6] docs: document DCP-backed trusted keys kernel params

2024-04-03 Thread David Gstir
Document the kernel parameters trusted.dcp_use_otp_key and trusted.dcp_skip_zk_test for DCP-backed trusted keys. Co-developed-by: Richard Weinberger Signed-off-by: Richard Weinberger Co-developed-by: David Oberhollenzer Signed-off-by: David Oberhollenzer Signed-off-by: David Gstir Reviewed

[PATCH v8 4/6] MAINTAINERS: add entry for DCP-based trusted keys

2024-04-03 Thread David Gstir
This covers trusted keys backed by NXP's DCP (Data Co-Processor) chip found in smaller i.MX SoCs. Signed-off-by: David Gstir Acked-by: Jarkko Sakkinen --- MAINTAINERS | 9 + 1 file changed, 9 insertions(+) diff --git a/MAINTAINERS b/MAINTAINERS index 976a5cea1577..ca7f42ca9338 100644

[PATCH v7 5/6] docs: document DCP-backed trusted keys kernel params

2024-03-27 Thread David Gstir
Document the kernel parameters trusted.dcp_use_otp_key and trusted.dcp_skip_zk_test for DCP-backed trusted keys. Co-developed-by: Richard Weinberger Signed-off-by: Richard Weinberger Co-developed-by: David Oberhollenzer Signed-off-by: David Oberhollenzer Signed-off-by: David Gstir

[PATCH v7 1/6] crypto: mxs-dcp: Add support for hardware-bound keys

2024-03-27 Thread David Gstir
will give userspace full access to use keys. In scenarios with untrustworthy userspace, this will enable en-/decryption oracles. Co-developed-by: Richard Weinberger Signed-off-by: Richard Weinberger Co-developed-by: David Oberhollenzer Signed-off-by: David Oberhollenzer Signed-off-by: David Gstir

[PATCH v7 0/6] DCP as trusted keys backend

2024-03-27 Thread David Gstir
ernel.org/keyrings/20220513145705.2080323-1-a.fat...@pengutronix.de/ David Gstir (6): crypto: mxs-dcp: Add support for hardware-bound keys KEYS: trusted: improve scalability of trust source config KEYS: trusted: Introduce NXP DCP-backed trusted keys MAINTAINERS: add entry for DCP-based t

[PATCH v7 6/6] docs: trusted-encrypted: add DCP as new trust source

2024-03-27 Thread David Gstir
Signed-off-by: David Oberhollenzer Signed-off-by: David Gstir --- .../security/keys/trusted-encrypted.rst | 85 +++ 1 file changed, 85 insertions(+) diff --git a/Documentation/security/keys/trusted-encrypted.rst b/Documentation/security/keys/trusted-encrypted.rst index

[PATCH v7 2/6] KEYS: trusted: improve scalability of trust source config

2024-03-27 Thread David Gstir
-by: David Gstir --- security/keys/trusted-keys/Kconfig | 10 -- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/security/keys/trusted-keys/Kconfig b/security/keys/trusted-keys/Kconfig index dbfdd8536468..553dc117f385 100644 --- a/security/keys/trusted-keys/Kconfig +++ b

[PATCH v7 4/6] MAINTAINERS: add entry for DCP-based trusted keys

2024-03-27 Thread David Gstir
This covers trusted keys backed by NXP's DCP (Data Co-Processor) chip found in smaller i.MX SoCs. Signed-off-by: David Gstir Acked-by: Jarkko Sakkinen --- MAINTAINERS | 9 + 1 file changed, 9 insertions(+) diff --git a/MAINTAINERS b/MAINTAINERS index 976a5cea1577..ca7f42ca9338 100644

[PATCH v7 3/6] KEYS: trusted: Introduce NXP DCP-backed trusted keys

2024-03-27 Thread David Gstir
Oberhollenzer Signed-off-by: David Oberhollenzer Signed-off-by: David Gstir Reviewed-by: Jarkko Sakkinen --- include/keys/trusted_dcp.h| 11 + security/keys/trusted-keys/Kconfig| 8 + security/keys/trusted-keys/Makefile | 2 + security/keys/trusted-keys/trusted_core.c