[RFC,2/4] fpga: Add new properties to support user-key encrypted bitstream loading

Message ID 20210504102227.15475-3-nava.manne@xilinx.com (mailing list archive)
State New
Series Fpga: adds support to load the user-key encrypted FPGA Image loading

Commit Message

Nava kishore Manne May 4, 2021, 10:22 a.m. UTC
This patch adds ‘encrypted-key-name’ and
‘encrypted-user-key-fpga-config’ properties
to support user-key encrypted bitstream loading
use case.

Signed-off-by: Nava kishore Manne <nava.manne@xilinx.com>
---
 Documentation/devicetree/bindings/fpga/fpga-region.txt | 5 +++++
 1 file changed, 5 insertions(+)

Comments

Rob Herring (Arm) May 13, 2021, 2:31 a.m. UTC | #1
On Tue, May 04, 2021 at 03:52:25PM +0530, Nava kishore Manne wrote:
> This patch Adds ‘encrypted-key-name’ and
> ‘encrypted-user-key-fpga-config’ properties
> to support user-key encrypted bitstream loading
> use case.
> 
> Signed-off-by: Nava kishore Manne <nava.manne@xilinx.com>
> ---
>  Documentation/devicetree/bindings/fpga/fpga-region.txt | 5 +++++
>  1 file changed, 5 insertions(+)
> 
> diff --git a/Documentation/devicetree/bindings/fpga/fpga-region.txt b/Documentation/devicetree/bindings/fpga/fpga-region.txt
> index d787d57491a1..957dc6cbcd9e 100644
> --- a/Documentation/devicetree/bindings/fpga/fpga-region.txt
> +++ b/Documentation/devicetree/bindings/fpga/fpga-region.txt
> @@ -177,6 +177,9 @@ Optional properties:
>  	it indicates that the FPGA has already been programmed with this image.
>  	If this property is in an overlay targeting a FPGA region, it is a
>  	request to program the FPGA with that image.
> +- encrypted-key-name : should contain the name of an encrypted key file located
> +	on the firmware search path. It will be used to decrypt the FPGA image
> +	file.
>  - fpga-bridges : should contain a list of phandles to FPGA Bridges that must be
>  	controlled during FPGA programming along with the parent FPGA bridge.
>  	This property is optional if the FPGA Manager handles the bridges.
> @@ -187,6 +190,8 @@ Optional properties:
>  - external-fpga-config : boolean, set if the FPGA has already been configured
>  	prior to OS boot up.
>  - encrypted-fpga-config : boolean, set if the bitstream is encrypted
> +- encrypted-user-key-fpga-config : boolean, set if the bitstream is encrypted
> +	with user key.

What's the relationship with encrypted-fpga-config? Both present or 
mutually exclusive? Couldn't this be implied by encrypted-key-name being 
present?

>  - region-unfreeze-timeout-us : The maximum time in microseconds to wait for
>  	bridges to successfully become enabled after the region has been
>  	programmed.
> -- 
> 2.17.1
>

Nava kishore Manne May 13, 2021, 10:54 a.m. UTC | #2
Hi Rob,

	Please find my response inline.

> -----Original Message-----
> From: Rob Herring <robh@kernel.org>
> Sent: Thursday, May 13, 2021 8:01 AM
> To: Nava kishore Manne <navam@xilinx.com>
> Cc: mdf@kernel.org; trix@redhat.com; Michal Simek <michals@xilinx.com>;
> arnd@arndb.de; Rajan Vaja <RAJANV@xilinx.com>;
> gregkh@linuxfoundation.org; linus.walleij@linaro.org; Amit Sunil Dhamne
> <amitsuni@xlnx.xilinx.com>; Tejas Patel <tejasp@xlnx.xilinx.com>;
> zou_wei@huawei.com; Manish Narani <MNARANI@xilinx.com>; Sai Krishna
> Potthuri <lakshmis@xilinx.com>; Jiaying Liang <jliang@xilinx.com>; linux-
> fpga@vger.kernel.org; devicetree@vger.kernel.org; linux-
> kernel@vger.kernel.org; linux-arm-kernel@lists.infradead.org; git
> <git@xilinx.com>; chinnikishore369@gmail.com
> Subject: Re: [RFC PATCH 2/4] fpga: Add new properties to support user-key
> encrypted bitstream loading
> 
> On Tue, May 04, 2021 at 03:52:25PM +0530, Nava kishore Manne wrote:
> > This patch Adds ‘encrypted-key-name’ and
> > ‘encrypted-user-key-fpga-config’ properties to support user-key
> > encrypted bitstream loading use case.
> >
> > Signed-off-by: Nava kishore Manne <nava.manne@xilinx.com>
> > ---
> >  Documentation/devicetree/bindings/fpga/fpga-region.txt | 5 +++++
> >  1 file changed, 5 insertions(+)
> >
> > diff --git a/Documentation/devicetree/bindings/fpga/fpga-region.txt
> > b/Documentation/devicetree/bindings/fpga/fpga-region.txt
> > index d787d57491a1..957dc6cbcd9e 100644
> > --- a/Documentation/devicetree/bindings/fpga/fpga-region.txt
> > +++ b/Documentation/devicetree/bindings/fpga/fpga-region.txt
> > @@ -177,6 +177,9 @@ Optional properties:
> >  	it indicates that the FPGA has already been programmed with this
> image.
> >  	If this property is in an overlay targeting a FPGA region, it is a
> >  	request to program the FPGA with that image.
> > +- encrypted-key-name : should contain the name of an encrypted key file
> located
> > +	on the firmware search path. It will be used to decrypt the FPGA
> image
> > +	file.
> >  - fpga-bridges : should contain a list of phandles to FPGA Bridges that must
> be
> >  	controlled during FPGA programming along with the parent FPGA
> bridge.
> >  	This property is optional if the FPGA Manager handles the bridges.
> > @@ -187,6 +190,8 @@ Optional properties:
> >  - external-fpga-config : boolean, set if the FPGA has already been
> configured
> >  	prior to OS boot up.
> >  - encrypted-fpga-config : boolean, set if the bitstream is encrypted
> > +- encrypted-user-key-fpga-config : boolean, set if the bitstream is
> encrypted
> > +	with user key.
> 
> What's the relationship with encrypted-fpga-config? Both present or
> mutually exclusive? Couldn't this be implied by encrypted-key-name being
> present?
> 

In encryption we have two kinds of use case: one is encrypted bitstream loading with Device-key and
the other is encrypted bitstream loading with User-key. encrypted-fpga-config and encrypted-user-key-fpga-config
are mutually exclusive. To differentiate the two use cases I have added this new flag, and the AES key file (encrypted-key-name)
is needed only for encrypted-user-key-fpga-config use cases.

Regards,
Navakishore.

Rob Herring (Arm) May 13, 2021, 2:34 p.m. UTC | #3
On Thu, May 13, 2021 at 5:55 AM Nava kishore Manne <navam@xilinx.com> wrote:
>
> Hi Rob,
>
>         Please find my response inline.
>
> > -----Original Message-----
> > From: Rob Herring <robh@kernel.org>
> > Sent: Thursday, May 13, 2021 8:01 AM
> > To: Nava kishore Manne <navam@xilinx.com>
> > Cc: mdf@kernel.org; trix@redhat.com; Michal Simek <michals@xilinx.com>;
> > arnd@arndb.de; Rajan Vaja <RAJANV@xilinx.com>;
> > gregkh@linuxfoundation.org; linus.walleij@linaro.org; Amit Sunil Dhamne
> > <amitsuni@xlnx.xilinx.com>; Tejas Patel <tejasp@xlnx.xilinx.com>;
> > zou_wei@huawei.com; Manish Narani <MNARANI@xilinx.com>; Sai Krishna
> > Potthuri <lakshmis@xilinx.com>; Jiaying Liang <jliang@xilinx.com>; linux-
> > fpga@vger.kernel.org; devicetree@vger.kernel.org; linux-
> > kernel@vger.kernel.org; linux-arm-kernel@lists.infradead.org; git
> > <git@xilinx.com>; chinnikishore369@gmail.com
> > Subject: Re: [RFC PATCH 2/4] fpga: Add new properties to support user-key
> > encrypted bitstream loading
> >
> > On Tue, May 04, 2021 at 03:52:25PM +0530, Nava kishore Manne wrote:
> > > This patch Adds ‘encrypted-key-name’ and
> > > ‘encrypted-user-key-fpga-config’ properties to support user-key
> > > encrypted bitstream loading use case.
> > >
> > > Signed-off-by: Nava kishore Manne <nava.manne@xilinx.com>
> > > ---
> > >  Documentation/devicetree/bindings/fpga/fpga-region.txt | 5 +++++
> > >  1 file changed, 5 insertions(+)
> > >
> > > diff --git a/Documentation/devicetree/bindings/fpga/fpga-region.txt
> > > b/Documentation/devicetree/bindings/fpga/fpga-region.txt
> > > index d787d57491a1..957dc6cbcd9e 100644
> > > --- a/Documentation/devicetree/bindings/fpga/fpga-region.txt
> > > +++ b/Documentation/devicetree/bindings/fpga/fpga-region.txt
> > > @@ -177,6 +177,9 @@ Optional properties:
> > >     it indicates that the FPGA has already been programmed with this
> > image.
> > >     If this property is in an overlay targeting a FPGA region, it is a
> > >     request to program the FPGA with that image.
> > > +- encrypted-key-name : should contain the name of an encrypted key file
> > located
> > > +   on the firmware search path. It will be used to decrypt the FPGA
> > image
> > > +   file.
> > >  - fpga-bridges : should contain a list of phandles to FPGA Bridges that must
> > be
> > >     controlled during FPGA programming along with the parent FPGA
> > bridge.
> > >     This property is optional if the FPGA Manager handles the bridges.
> > > @@ -187,6 +190,8 @@ Optional properties:
> > >  - external-fpga-config : boolean, set if the FPGA has already been
> > configured
> > >     prior to OS boot up.
> > >  - encrypted-fpga-config : boolean, set if the bitstream is encrypted
> > > +- encrypted-user-key-fpga-config : boolean, set if the bitstream is
> > encrypted
> > > +   with user key.
> >
> > What's the relationship with encrypted-fpga-config? Both present or
> > mutually exclusive? Couldn't this be implied by encrypted-key-name being
> > present?
> >
>
> In Encryption we have two kinds of use case one is Encrypted Bitstream loading with Device-key and
> Other one is Encrypted Bitstream loading with User-key. encrypted-fpga-config and encrypted-user-key-fpga-config
> are mutually exclusive. To differentiate both the use cases I have added this new flag and Aes Key file(encrypted-key-name)
> is needed only for encrypted-user-key-fpga-config use cases.

If encrypted-key-name is required for a user key, then why do you need
encrypted-user-key-fpga-config also?

IOW, why have 3 properties (that's 9 possible combinations) for 2 modes?

Rob

Nava kishore Manne May 27, 2021, 10:50 a.m. UTC | #4
Hi Rob,

	Please find my response inline.

> -----Original Message-----
> From: Rob Herring <robh@kernel.org>
> Sent: Thursday, May 13, 2021 8:05 PM
> To: Nava kishore Manne <navam@xilinx.com>
> Cc: mdf@kernel.org; trix@redhat.com; Michal Simek <michals@xilinx.com>;
> arnd@arndb.de; Rajan Vaja <RAJANV@xilinx.com>;
> gregkh@linuxfoundation.org; linus.walleij@linaro.org; Amit Sunil Dhamne
> <amitsuni@xlnx.xilinx.com>; Tejas Patel <tejasp@xlnx.xilinx.com>;
> zou_wei@huawei.com; Manish Narani <MNARANI@xilinx.com>; Sai Krishna
> Potthuri <lakshmis@xilinx.com>; Jiaying Liang <jliang@xilinx.com>; linux-
> fpga@vger.kernel.org; devicetree@vger.kernel.org; linux-
> kernel@vger.kernel.org; linux-arm-kernel@lists.infradead.org; git
> <git@xilinx.com>; chinnikishore369@gmail.com
> Subject: Re: [RFC PATCH 2/4] fpga: Add new properties to support user-key
> encrypted bitstream loading
> 
> On Thu, May 13, 2021 at 5:55 AM Nava kishore Manne <navam@xilinx.com>
> wrote:
> >
> > Hi Rob,
> >
> >         Please find my response inline.
> >
> > > -----Original Message-----
> > > From: Rob Herring <robh@kernel.org>
> > > Sent: Thursday, May 13, 2021 8:01 AM
> > > To: Nava kishore Manne <navam@xilinx.com>
> > > Cc: mdf@kernel.org; trix@redhat.com; Michal Simek
> > > <michals@xilinx.com>; arnd@arndb.de; Rajan Vaja
> <RAJANV@xilinx.com>;
> > > gregkh@linuxfoundation.org; linus.walleij@linaro.org; Amit Sunil
> > > Dhamne <amitsuni@xlnx.xilinx.com>; Tejas Patel
> > > <tejasp@xlnx.xilinx.com>; zou_wei@huawei.com; Manish Narani
> > > <MNARANI@xilinx.com>; Sai Krishna Potthuri <lakshmis@xilinx.com>;
> > > Jiaying Liang <jliang@xilinx.com>; linux- fpga@vger.kernel.org;
> > > devicetree@vger.kernel.org; linux- kernel@vger.kernel.org;
> > > linux-arm-kernel@lists.infradead.org; git <git@xilinx.com>;
> > > chinnikishore369@gmail.com
> > > Subject: Re: [RFC PATCH 2/4] fpga: Add new properties to support
> > > user-key encrypted bitstream loading
> > >
> > > On Tue, May 04, 2021 at 03:52:25PM +0530, Nava kishore Manne wrote:
> > > > This patch Adds ‘encrypted-key-name’ and
> > > > ‘encrypted-user-key-fpga-config’ properties to support user-key
> > > > encrypted bitstream loading use case.
> > > >
> > > > Signed-off-by: Nava kishore Manne <nava.manne@xilinx.com>
> > > > ---
> > > >  Documentation/devicetree/bindings/fpga/fpga-region.txt | 5 +++++
> > > >  1 file changed, 5 insertions(+)
> > > >
> > > > diff --git
> > > > a/Documentation/devicetree/bindings/fpga/fpga-region.txt
> > > > b/Documentation/devicetree/bindings/fpga/fpga-region.txt
> > > > index d787d57491a1..957dc6cbcd9e 100644
> > > > --- a/Documentation/devicetree/bindings/fpga/fpga-region.txt
> > > > +++ b/Documentation/devicetree/bindings/fpga/fpga-region.txt
> > > > @@ -177,6 +177,9 @@ Optional properties:
> > > >     it indicates that the FPGA has already been programmed with
> > > > this
> > > image.
> > > >     If this property is in an overlay targeting a FPGA region, it is a
> > > >     request to program the FPGA with that image.
> > > > +- encrypted-key-name : should contain the name of an encrypted
> > > > +key file
> > > located
> > > > +   on the firmware search path. It will be used to decrypt the
> > > > + FPGA
> > > image
> > > > +   file.
> > > >  - fpga-bridges : should contain a list of phandles to FPGA
> > > > Bridges that must
> > > be
> > > >     controlled during FPGA programming along with the parent FPGA
> > > bridge.
> > > >     This property is optional if the FPGA Manager handles the bridges.
> > > > @@ -187,6 +190,8 @@ Optional properties:
> > > >  - external-fpga-config : boolean, set if the FPGA has already
> > > > been
> > > configured
> > > >     prior to OS boot up.
> > > >  - encrypted-fpga-config : boolean, set if the bitstream is
> > > > encrypted
> > > > +- encrypted-user-key-fpga-config : boolean, set if the bitstream
> > > > +is
> > > encrypted
> > > > +   with user key.
> > >
> > > What's the relationship with encrypted-fpga-config? Both present or
> > > mutually exclusive? Couldn't this be implied by encrypted-key-name
> > > being present?
> > >
> >
> > In Encryption we have two kinds of use case one is Encrypted Bitstream
> > loading with Device-key and Other one is Encrypted Bitstream loading
> > with User-key. encrypted-fpga-config and
> > encrypted-user-key-fpga-config are mutually exclusive. To differentiate
> both the use cases I have added this new flag and Aes Key file(encrypted-key-
> name) is needed only for encrypted-user-key-fpga-config use cases.
> 
> If encrypted-key-name is required for a user key, then why do you need
> encrypted-user-key-fpga-config also?
> 
> IOW, why have 3 properties (that's 9 possible combinations) for 2 modes?
> 

Agree, we can use encrypted-key-name for user-key use cases instead of having both encrypted-key-name and encrypted-user-key-fpga-config flags.
Will fix this issue in v2.

Regards,
Navakishore.

Patch

diff --git a/Documentation/devicetree/bindings/fpga/fpga-region.txt b/Documentation/devicetree/bindings/fpga/fpga-region.txt
index d787d57491a1..957dc6cbcd9e 100644
--- a/Documentation/devicetree/bindings/fpga/fpga-region.txt
+++ b/Documentation/devicetree/bindings/fpga/fpga-region.txt
@@ -177,6 +177,9 @@  Optional properties:
 	it indicates that the FPGA has already been programmed with this image.
 	If this property is in an overlay targeting a FPGA region, it is a
 	request to program the FPGA with that image.
+- encrypted-key-name : should contain the name of an encrypted key file located
+	on the firmware search path. It will be used to decrypt the FPGA image
+	file.
 - fpga-bridges : should contain a list of phandles to FPGA Bridges that must be
 	controlled during FPGA programming along with the parent FPGA bridge.
 	This property is optional if the FPGA Manager handles the bridges.
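Review bot: The new encrypted-key-name entry does not state the property type or what the file actually holds. "name of an encrypted key file" can be read either as a key that is itself encrypted or as the key for an encrypted image; the following sentence ("It will be used to decrypt the FPGA image file") suggests the latter, so say that directly and state that the value is a string, the way the fpga-bridges entry below states "a list of phandles". Because the file is taken from the firmware search path, the binding should also document the expected key format and length, and what happens to the programming request when the named file is not found.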
@@ -187,6 +190,8 @@  Optional properties:
 - external-fpga-config : boolean, set if the FPGA has already been configured
 	prior to OS boot up.
 - encrypted-fpga-config : boolean, set if the bitstream is encrypted
+- encrypted-user-key-fpga-config : boolean, set if the bitstream is encrypted
+	with user key.
 - region-unfreeze-timeout-us : The maximum time in microseconds to wait for
 	bridges to successfully become enabled after the region has been
 	programmed.
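Review bot: encrypted-user-key-fpga-config is added directly under encrypted-fpga-config, but the text does not say how the two relate: whether both may be set, or whether they are mutually exclusive. State that in the binding. Also consider whether the boolean is needed at all: if the file named by encrypted-key-name is used only for user-key bitstreams, its presence already selects that mode, and a separate flag creates combinations (flag set without a key name, key name without the flag) that the binding would then have to define. Minor: "with user key" reads better as "with a user key".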