diff mbox series

[v4,13/15] dt-bindings: crypto: ice: document the hwkm property

Message ID 20240127232436.2632187-14-quic_gaurkash@quicinc.com (mailing list archive)
State Not Applicable
Headers show
Series Hardware wrapped key support for qcom ice and ufs | expand

Commit Message

Gaurav Kashyap (QUIC) Jan. 27, 2024, 11:14 p.m. UTC
When Qualcomm's Inline Crypto Engine (ICE) contains Hardware
Key Manager (HWKM), and the 'HWKM' mode is enabled, it
supports wrapped keys. However, this also requires firmware
support in Trustzone to work correctly, which may not be available
on all chipsets. In the above scenario, ICE needs to support standard
keys even though HWKM is integrated from a hardware perspective.

Introducing this property so that Hardware wrapped key support
can be enabled/disabled from software based on chipset firmware,
and not just based on hardware version.

Signed-off-by: Gaurav Kashyap <quic_gaurkash@quicinc.com>
Tested-by: Neil Armstrong <neil.armstrong@linaro.org>
---
 .../bindings/crypto/qcom,inline-crypto-engine.yaml     | 10 ++++++++++
 1 file changed, 10 insertions(+)

Comments

Krzysztof Kozlowski Jan. 29, 2024, 8:18 a.m. UTC | #1
On 28/01/2024 00:14, Gaurav Kashyap wrote:
> When Qualcomm's Inline Crypto Engine (ICE) contains Hardware
> Key Manager (HWKM), and the 'HWKM' mode is enabled, it
> supports wrapped keys. However, this also requires firmware
> support in Trustzone to work correctly, which may not be available
> on all chipsets. In the above scenario, ICE needs to support standard
> keys even though HWKM is integrated from a hardware perspective.
> 
> Introducing this property so that Hardware wrapped key support
> can be enabled/disabled from software based on chipset firmware,
> and not just based on hardware version.
> 
> Signed-off-by: Gaurav Kashyap <quic_gaurkash@quicinc.com>
> Tested-by: Neil Armstrong <neil.armstrong@linaro.org>
> ---
>  .../bindings/crypto/qcom,inline-crypto-engine.yaml     | 10 ++++++++++
>  1 file changed, 10 insertions(+)
> 
> diff --git a/Documentation/devicetree/bindings/crypto/qcom,inline-crypto-engine.yaml b/Documentation/devicetree/bindings/crypto/qcom,inline-crypto-engine.yaml
> index 09e43157cc71..6415d7be9b73 100644
> --- a/Documentation/devicetree/bindings/crypto/qcom,inline-crypto-engine.yaml
> +++ b/Documentation/devicetree/bindings/crypto/qcom,inline-crypto-engine.yaml
> @@ -25,6 +25,16 @@ properties:
>    clocks:
>      maxItems: 1
>  
> +  qcom,ice-use-hwkm:
> +    type: boolean
> +    description:
> +      Use the supported Hardware Key Manager (HWKM) in Qualcomm ICE
> +      to support wrapped keys. Having this entry helps scenarios where
> +      the ICE hardware supports HWKM, but the Trustzone firmware does
> +      not have the full capability to use this HWKM and support wrapped

How does it help in this scenario? You enable this property, Trustzone
does not support it, so what happens?

Also, which SoCs have incomplete Trustzone support? I expect this to be
a quirk, thus limited to specific SoCs with issues.

Best regards,
Krzysztof
Konrad Dybcio Feb. 1, 2024, 7:13 p.m. UTC | #2
On 29.01.2024 09:18, Krzysztof Kozlowski wrote:
> On 28/01/2024 00:14, Gaurav Kashyap wrote:
>> When Qualcomm's Inline Crypto Engine (ICE) contains Hardware
>> Key Manager (HWKM), and the 'HWKM' mode is enabled, it
>> supports wrapped keys. However, this also requires firmware
>> support in Trustzone to work correctly, which may not be available
>> on all chipsets. In the above scenario, ICE needs to support standard
>> keys even though HWKM is integrated from a hardware perspective.
>>
>> Introducing this property so that Hardware wrapped key support
>> can be enabled/disabled from software based on chipset firmware,
>> and not just based on hardware version.
>>
>> Signed-off-by: Gaurav Kashyap <quic_gaurkash@quicinc.com>
>> Tested-by: Neil Armstrong <neil.armstrong@linaro.org>
>> ---
>>  .../bindings/crypto/qcom,inline-crypto-engine.yaml     | 10 ++++++++++
>>  1 file changed, 10 insertions(+)
>>
>> diff --git a/Documentation/devicetree/bindings/crypto/qcom,inline-crypto-engine.yaml b/Documentation/devicetree/bindings/crypto/qcom,inline-crypto-engine.yaml
>> index 09e43157cc71..6415d7be9b73 100644
>> --- a/Documentation/devicetree/bindings/crypto/qcom,inline-crypto-engine.yaml
>> +++ b/Documentation/devicetree/bindings/crypto/qcom,inline-crypto-engine.yaml
>> @@ -25,6 +25,16 @@ properties:
>>    clocks:
>>      maxItems: 1
>>  
>> +  qcom,ice-use-hwkm:
>> +    type: boolean
>> +    description:
>> +      Use the supported Hardware Key Manager (HWKM) in Qualcomm ICE
>> +      to support wrapped keys. Having this entry helps scenarios where
>> +      the ICE hardware supports HWKM, but the Trustzone firmware does
>> +      not have the full capability to use this HWKM and support wrapped
> 
> How does it help in this scenario? You enable this property, Trustzone
> does not support it, so what happens?
> 
> Also, which SoCs have incomplete Trustzone support? I expect this to be
> a quirk, thus limited to specific SoCs with issues.

Can we simply evaluate the return value of the secure calls?

Konrad
Gaurav Kashyap (QUIC) June 18, 2024, 12:26 a.m. UTC | #3
Hello Konrad and Krzysztof

On 02/01/2024 11:14, Konrad Dybcio wrote
> On 29.01.2024 09:18, Krzysztof Kozlowski wrote:
> > On 28/01/2024 00:14, Gaurav Kashyap wrote:
> >> When Qualcomm's Inline Crypto Engine (ICE) contains Hardware Key
> >> Manager (HWKM), and the 'HWKM' mode is enabled, it supports wrapped
> >> keys. However, this also requires firmware support in Trustzone to
> >> work correctly, which may not be available on all chipsets. In the
> >> above scenario, ICE needs to support standard keys even though HWKM
> >> is integrated from a hardware perspective.
> >>
> >> Introducing this property so that Hardware wrapped key support can be
> >> enabled/disabled from software based on chipset firmware, and not
> >> just based on hardware version.
> >>
> >> Signed-off-by: Gaurav Kashyap <quic_gaurkash@quicinc.com>
> >> Tested-by: Neil Armstrong <neil.armstrong@linaro.org>
> >> ---
> >>  .../bindings/crypto/qcom,inline-crypto-engine.yaml     | 10 ++++++++++
> >>  1 file changed, 10 insertions(+)
> >>
> >> diff --git
> >> a/Documentation/devicetree/bindings/crypto/qcom,inline-crypto-
> engine.
> >> yaml
> >> b/Documentation/devicetree/bindings/crypto/qcom,inline-crypto-
> engine.
> >> yaml index 09e43157cc71..6415d7be9b73 100644
> >> ---
> >> a/Documentation/devicetree/bindings/crypto/qcom,inline-crypto-
> engine.
> >> yaml
> >> +++ b/Documentation/devicetree/bindings/crypto/qcom,inline-crypto-
> eng
> >> +++ ine.yaml
> >> @@ -25,6 +25,16 @@ properties:
> >>    clocks:
> >>      maxItems: 1
> >>
> >> +  qcom,ice-use-hwkm:
> >> +    type: boolean
> >> +    description:
> >> +      Use the supported Hardware Key Manager (HWKM) in Qualcomm ICE
> >> +      to support wrapped keys. Having this entry helps scenarios where
> >> +      the ICE hardware supports HWKM, but the Trustzone firmware does
> >> +      not have the full capability to use this HWKM and support
> >> + wrapped
> >
> > How does it help in this scenario? You enable this property, Trustzone
> > does not support it, so what happens?
> >
> > Also, which SoCs have incomplete Trustzone support? I expect this to
> > be a quirk, thus limited to specific SoCs with issues.

Apologies for not addressing this earlier, we can perhaps continue this  discussion 
in the new patch thread. I will link to this there.

SM8450 and SM8350 QCOM ICE both support HWKM in their ICE hardware.
However, wrapped keys can not be enabled on those targets due to certain
missing trustzone support. If we solely rely on hardware version to decide
if ICE has to use wrapped keys for data encryption, then it becomes untestable
on those chipsets. 

So, we want another way to distinguish this scenario, and hence I chose a DT vendor property
to explicitly mention if we have to use the supported HWKM.
If there is another way, I am open to exploring that as well.

> 
> Can we simply evaluate the return value of the secure calls?
> 

This might not work as UFS crypto needs this information much earlier, and based
on that , it would need to register with the keyslot manager (and block crypto), 
on whether wrapped keys are supported.
https://lore.kernel.org/all/20231104211259.17448-2-ebiggers@kernel.org/
 
> Konrad
diff mbox series

Patch

diff --git a/Documentation/devicetree/bindings/crypto/qcom,inline-crypto-engine.yaml b/Documentation/devicetree/bindings/crypto/qcom,inline-crypto-engine.yaml
index 09e43157cc71..6415d7be9b73 100644
--- a/Documentation/devicetree/bindings/crypto/qcom,inline-crypto-engine.yaml
+++ b/Documentation/devicetree/bindings/crypto/qcom,inline-crypto-engine.yaml
@@ -25,6 +25,16 @@  properties:
   clocks:
     maxItems: 1
 
+  qcom,ice-use-hwkm:
+    type: boolean
+    description:
+      Use the supported Hardware Key Manager (HWKM) in Qualcomm ICE
+      to support wrapped keys. Having this entry helps scenarios where
+      the ICE hardware supports HWKM, but the Trustzone firmware does
+      not have the full capability to use this HWKM and support wrapped
+      keys. Not having this entry enabled would make ICE function in
+      non-HWKM mode supporting standard keys.
+
 required:
   - compatible
   - reg