| Message ID | 20240906-wrapped-keys-v6-16-d59e61bc0cb4@linaro.org (mailing list archive) |
|---|---|
| State | Not Applicable, archived |
| Delegated to: | Mike Snitzer |
| Headers | show |
| Series | Hardware wrapped key support for QCom ICE and UFS core | expand |
On 6.09.2024 8:07 PM, Bartosz Golaszewski wrote: > From: Gaurav Kashyap <quic_gaurkash@quicinc.com> > > Add a new UFS core callback for deriving software secrets from hardware > wrapped keys and implement it in QCom UFS. > > Tested-by: Neil Armstrong <neil.armstrong@linaro.org> > Signed-off-by: Gaurav Kashyap <quic_gaurkash@quicinc.com> > Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org> > --- > drivers/ufs/host/ufs-qcom.c | 15 +++++++++++++++ > include/ufs/ufshcd.h | 1 + > 2 files changed, 16 insertions(+) > > diff --git a/drivers/ufs/host/ufs-qcom.c b/drivers/ufs/host/ufs-qcom.c > index 366fd62a951f..77fb5e66e4be 100644 > --- a/drivers/ufs/host/ufs-qcom.c > +++ b/drivers/ufs/host/ufs-qcom.c > @@ -182,9 +182,23 @@ static int ufs_qcom_ice_program_key(struct ufs_hba *hba, > return qcom_ice_evict_key(host->ice, slot); > } > > +/* > + * Derive a software secret from a hardware wrapped key. The key is unwrapped in > + * hardware from trustzone and a software key/secret is then derived from it. > + */ > +static int ufs_qcom_ice_derive_sw_secret(struct ufs_hba *hba, const u8 wkey[], > + unsigned int wkey_size, > + u8 sw_secret[BLK_CRYPTO_SW_SECRET_SIZE]) > +{ > + struct ufs_qcom_host *host = ufshcd_get_variant(hba); > + > + return qcom_ice_derive_sw_secret(host->ice, wkey, wkey_size, sw_secret); > +} There's platforms with multiple UFS hosts (e.g. 8280 has one with the intention to be used for an onboard flash and one for a UFS card (they're like microSD except they're UFS and not MMC).. We need to handle that somehow too. My uneducated guess would be that the encryption infra is there for the primary host only and that it would be the one assumed by SCM calls. I thiiiink it should be enough not to add a `qcom,ice` property in the DT for the secondary slot, but please somebody else take another look here Konrad
diff --git a/drivers/ufs/host/ufs-qcom.c b/drivers/ufs/host/ufs-qcom.c index 366fd62a951f..77fb5e66e4be 100644 --- a/drivers/ufs/host/ufs-qcom.c +++ b/drivers/ufs/host/ufs-qcom.c @@ -182,9 +182,23 @@ static int ufs_qcom_ice_program_key(struct ufs_hba *hba, return qcom_ice_evict_key(host->ice, slot); } +/* + * Derive a software secret from a hardware wrapped key. The key is unwrapped in + * hardware from trustzone and a software key/secret is then derived from it. + */ +static int ufs_qcom_ice_derive_sw_secret(struct ufs_hba *hba, const u8 wkey[], + unsigned int wkey_size, + u8 sw_secret[BLK_CRYPTO_SW_SECRET_SIZE]) +{ + struct ufs_qcom_host *host = ufshcd_get_variant(hba); + + return qcom_ice_derive_sw_secret(host->ice, wkey, wkey_size, sw_secret); +} + #else #define ufs_qcom_ice_program_key NULL +#define ufs_qcom_ice_derive_sw_secret NULL static inline void ufs_qcom_ice_enable(struct ufs_qcom_host *host) { @@ -1815,6 +1829,7 @@ static const struct ufs_hba_variant_ops ufs_hba_qcom_vops = { .device_reset = ufs_qcom_device_reset, .config_scaling_param = ufs_qcom_config_scaling_param, .program_key = ufs_qcom_ice_program_key, + .derive_sw_secret = ufs_qcom_ice_derive_sw_secret, .reinit_notify = ufs_qcom_reinit_notify, .mcq_config_resource = ufs_qcom_mcq_config_resource, .get_hba_mac = ufs_qcom_get_hba_mac, diff --git a/include/ufs/ufshcd.h b/include/ufs/ufshcd.h index c11dd3baf53c..b8b1763df022 100644 --- a/include/ufs/ufshcd.h +++ b/include/ufs/ufshcd.h @@ -323,6 +323,7 @@ struct ufs_pwr_mode_info { * @device_reset: called to issue a reset pulse on the UFS device * @config_scaling_param: called to configure clock scaling parameters * @program_key: program or evict an inline encryption key + * @derive_sw_secret: derive sw secret from a wrapped key * @fill_crypto_prdt: initialize crypto-related fields in the PRDT * @event_notify: called to notify important events * @reinit_notify: called to notify reinit of UFSHCD during max gear switch