target/linux/layerscape/patches-5.4/810-keys-0002-encrypted_keys-Adds-support-for-secure-key-type-as-m.patch

   1 From a8b1717089d6d215a48bb2816dff4a02376f3d16 Mon Sep 17 00:00:00 2001
   2 From: Udit Agarwal <udit.agarwal@nxp.com>
   3 Date: Wed, 4 Jul 2018 11:24:49 +0530
   4 Subject: [PATCH] encrypted_keys: Adds support for secure key-type as master
   5  key.
   6
   7 Encrypted keys can use secure key-type as master key along with
   8 trusted/user keys.
   9
  10 Secure key as master key uses, secure key type payload derieved
  11 using CAAM hardware.
  12
  13 Signed-off-by: Udit Agarwal <udit.agarwal@nxp.com>
  14 Reviewed-by: Sahil Malhotra <sahil.malhotra@nxp.com>
  15 ---
  16  MAINTAINERS                                     |  1 +
  17  security/keys/encrypted-keys/Makefile           |  2 ++
  18  security/keys/encrypted-keys/encrypted.c        | 13 +++++++--
  19  security/keys/encrypted-keys/encrypted.h        | 13 +++++++++
  20  security/keys/encrypted-keys/masterkey_secure.c | 37 +++++++++++++++++++++++++
  21  5 files changed, 64 insertions(+), 2 deletions(-)
  22  create mode 100644 security/keys/encrypted-keys/masterkey_secure.c
  23
  24 --- a/MAINTAINERS
  25 +++ b/MAINTAINERS
  26 @@ -9083,6 +9083,7 @@ F:        include/keys/secure-type.h
  27  F:     security/keys/secure_key.c
  28  F:     security/keys/securekey_desc.c
  29  F:     security/keys/securekey_desc.h
  30 +F:     security/keys/encrypted-keys/masterkey_secure.c
  31
  32  KEYS/KEYRINGS:
  33  M:     David Howells <dhowells@redhat.com>
  34 --- a/security/keys/encrypted-keys/Makefile
  35 +++ b/security/keys/encrypted-keys/Makefile
  36 @@ -7,5 +7,7 @@ obj-$(CONFIG_ENCRYPTED_KEYS) += encrypte
  37
  38  encrypted-keys-y := encrypted.o ecryptfs_format.o
  39  masterkey-$(CONFIG_TRUSTED_KEYS) := masterkey_trusted.o
  40 +masterkey-$(CONFIG_SECURE_KEYS) := masterkey_secure.o
  41  masterkey-$(CONFIG_TRUSTED_KEYS)-$(CONFIG_ENCRYPTED_KEYS) := masterkey_trusted.o
  42 +masterkey-$(CONFIG_SECURE_KEYS)-$(CONFIG_ENCRYPTED_KEYS) := masterkey_secure.o
  43  encrypted-keys-y += $(masterkey-y) $(masterkey-m-m)
  44 --- a/security/keys/encrypted-keys/encrypted.c
  45 +++ b/security/keys/encrypted-keys/encrypted.c
  46 @@ -36,6 +36,7 @@
  47  #include "ecryptfs_format.h"
  48
  49  static const char KEY_TRUSTED_PREFIX[] = "trusted:";
  50 +static const char KEY_SECURE_PREFIX[] = "secure:";
  51  static const char KEY_USER_PREFIX[] = "user:";
  52  static const char hash_alg[] = "sha256";
  53  static const char hmac_alg[] = "hmac(sha256)";
  54 @@ -47,6 +48,7 @@ static unsigned int ivsize;
  55  static int blksize;
  56
  57  #define KEY_TRUSTED_PREFIX_LEN (sizeof (KEY_TRUSTED_PREFIX) - 1)
  58 +#define KEY_SECURE_PREFIX_LEN (sizeof(KEY_SECURE_PREFIX) - 1)
  59  #define KEY_USER_PREFIX_LEN (sizeof (KEY_USER_PREFIX) - 1)
  60  #define KEY_ECRYPTFS_DESC_LEN 16
  61  #define HASH_SIZE SHA256_DIGEST_SIZE
  62 @@ -125,7 +127,7 @@ static int valid_ecryptfs_desc(const cha
  63  /*
  64   * valid_master_desc - verify the 'key-type:desc' of a new/updated master-key
  65   *
  66 - * key-type:= "trusted:" | "user:"
  67 + * key-type:= "trusted:" | "user:" | "secure:"
  68   * desc:= master-key description
  69   *
  70   * Verify that 'key-type' is valid and that 'desc' exists. On key update,
  71 @@ -140,6 +142,8 @@ static int valid_master_desc(const char
  72
  73         if (!strncmp(new_desc, KEY_TRUSTED_PREFIX, KEY_TRUSTED_PREFIX_LEN))
  74                 prefix_len = KEY_TRUSTED_PREFIX_LEN;
  75 +       else if (!strncmp(new_desc, KEY_SECURE_PREFIX, KEY_SECURE_PREFIX_LEN))
  76 +               prefix_len = KEY_SECURE_PREFIX_LEN;
  77         else if (!strncmp(new_desc, KEY_USER_PREFIX, KEY_USER_PREFIX_LEN))
  78                 prefix_len = KEY_USER_PREFIX_LEN;
  79         else
  80 @@ -358,7 +362,7 @@ static int calc_hmac(u8 *digest, const u
  81
  82  enum derived_key_type { ENC_KEY, AUTH_KEY };
  83
  84 -/* Derive authentication/encryption key from trusted key */
  85 +/* Derive authentication/encryption key from trusted/secure key */
  86  static int get_derived_key(u8 *derived_key, enum derived_key_type key_type,
  87                            const u8 *master_key, size_t master_keylen)
  88  {
  89 @@ -429,6 +433,11 @@ static struct key *request_master_key(st
  90                 mkey = request_trusted_key(epayload->master_desc +
  91                                            KEY_TRUSTED_PREFIX_LEN,
  92                                            master_key, master_keylen);
  93 +       } else if (!strncmp(epayload->master_desc, KEY_SECURE_PREFIX,
  94 +                           KEY_SECURE_PREFIX_LEN)) {
  95 +               mkey = request_secure_key(epayload->master_desc +
  96 +                                         KEY_SECURE_PREFIX_LEN,
  97 +                                         master_key, master_keylen);
  98         } else if (!strncmp(epayload->master_desc, KEY_USER_PREFIX,
  99                             KEY_USER_PREFIX_LEN)) {
 100                 mkey = request_user_key(epayload->master_desc +
 101 --- a/security/keys/encrypted-keys/encrypted.h
 102 +++ b/security/keys/encrypted-keys/encrypted.h
 103 @@ -16,6 +16,19 @@ static inline struct key *request_truste
 104  }
 105  #endif
 106
 107 +#if defined(CONFIG_SECURE_KEYS)
 108 +extern struct key *request_secure_key(const char *secure_desc,
 109 +                                     const u8 **master_key,
 110 +                                     size_t *master_keylen);
 111 +#else
 112 +static inline struct key *request_secure_key(const char *secure_desc,
 113 +                                            const u8 **master_key,
 114 +                                            size_t *master_keylen)
 115 +{
 116 +       return ERR_PTR(-EOPNOTSUPP);
 117 +}
 118 +#endif
 119 +
 120  #if ENCRYPTED_DEBUG
 121  static inline void dump_master_key(const u8 *master_key, size_t master_keylen)
 122  {
 123 --- /dev/null
 124 +++ b/security/keys/encrypted-keys/masterkey_secure.c
 125 @@ -0,0 +1,37 @@
 126 +// SPDX-License-Identifier: GPL-2.0
 127 +/*
 128 + * Copyright (C) 2018 NXP.
 129 + *
 130 + */
 131 +
 132 +#include <linux/uaccess.h>
 133 +#include <linux/module.h>
 134 +#include <linux/err.h>
 135 +#include <keys/secure-type.h>
 136 +#include <keys/encrypted-type.h>
 137 +#include "encrypted.h"
 138 +
 139 +/*
 140 + * request_secure_key - request the secure key
 141 + *
 142 + * Secure keys and their blobs are derived from CAAM hardware.
 143 + * Userspace manages secure  key-type data, but key data is not
 144 + * visible in plain form. It is presented as blobs.
 145 + */
 146 +struct key *request_secure_key(const char *secure_desc,
 147 +                               const u8 **master_key, size_t *master_keylen)
 148 +{
 149 +       struct secure_key_payload *spayload;
 150 +       struct key *skey;
 151 +
 152 +       skey = request_key(&key_type_secure, secure_desc, NULL);
 153 +       if (IS_ERR(skey))
 154 +               goto error;
 155 +
 156 +       down_read(&skey->sem);
 157 +       spayload = skey->payload.data[0];
 158 +       *master_key = spayload->key;
 159 +       *master_keylen = spayload->key_len;
 160 +error:
 161 +       return skey;
 162 +}