| Message ID | 20220906065157.10662-1-pankaj.gupta@nxp.com (mailing list archive) |
|---|---|
| Headers | show |
| Series | HW BOUND KEY as TRUSTED KEY | expand |
Hi, Am 2022-09-06 08:51, schrieb Pankaj Gupta: > Hardware Bound key(HBK), is never acessible as plain key outside of the > hardware boundary. Thus, it is un-usable, even if somehow fetched > from kernel memory. It ensures run-time security. > > This patchset adds generic support for classing the Hardware Bound Key, > based on: > > - Newly added flag-'is_hbk', added to the tfm. > > Consumer of the kernel crypto api, after allocating > the transformation, sets this flag based on the basis > of the type of key consumer has. > > - This helps to influence the core processing logic > for the encapsulated algorithm. > > - This flag is set by the consumer after allocating > the tfm and before calling the function crypto_xxx_setkey(). > > First implementation is based on CAAM. > > NXP built CAAM IP is the Cryptographic Acceleration and Assurance > Module. > This is contain by the i.MX and QorIQ SoCs by NXP. > > CAAM is a suitable backend (source) for kernel trusted keys. > This backend source can be used for run-time security as well > by generating the hardware bound key. > > Along with plain key, the CAAM generates black key. A black key is an > encrypted key, which can only be decrypted inside CAAM. Hence, CAAM's > black key can only be used by CAAM. Thus it is declared as a hardware > bound key. What is the difference to the current trusted keys with CAAM? When I tested the patch series back then, I wasn't able to import a sealed key on another board with the same SoC. -michael
On Tue, Sep 06, 2022 at 12:21:49PM +0530, Pankaj Gupta wrote: > Hardware Bound key(HBK), is never acessible as plain key outside of the ~~~~~~~~~ accesible. > hardware boundary. Thus, it is un-usable, even if somehow fetched > from kernel memory. It ensures run-time security. Why is it called "HBK" here and "hw" in the context of keyctl? > This patchset adds generic support for classing the Hardware Bound Key, > based on: > > - Newly added flag-'is_hbk', added to the tfm. > > Consumer of the kernel crypto api, after allocating > the transformation, sets this flag based on the basis > of the type of key consumer has. > > - This helps to influence the core processing logic > for the encapsulated algorithm. > > - This flag is set by the consumer after allocating > the tfm and before calling the function crypto_xxx_setkey(). > > First implementation is based on CAAM. CAAM is implementation of what exactly? I'm sorry but I don't know your definition of unusable. BR, Jarkko
> -----Original Message----- > From: Michael Walle <michael@walle.cc> > Sent: Tuesday, September 6, 2022 12:43 PM > To: Pankaj Gupta <pankaj.gupta@nxp.com> > Cc: jarkko@kernel.org; a.fatoum@pengutronix.de; Jason@zx2c4.com; > jejb@linux.ibm.com; zohar@linux.ibm.com; dhowells@redhat.com; > sumit.garg@linaro.org; david@sigma-star.at; john.ernberg@actia.se; > jmorris@namei.org; serge@hallyn.com; herbert@gondor.apana.org.au; > davem@davemloft.net; j.luebbe@pengutronix.de; ebiggers@kernel.org; > richard@nod.at; keyrings@vger.kernel.org; linux-crypto@vger.kernel.org; > linux-integrity@vger.kernel.org; linux-kernel@vger.kernel.org; linux- > security-module@vger.kernel.org; Sahil Malhotra > <sahil.malhotra@nxp.com>; Kshitiz Varshney <kshitiz.varshney@nxp.com>; > Horia Geanta <horia.geanta@nxp.com>; Varun Sethi <V.Sethi@nxp.com> > Subject: [EXT] Re: [RFC PATCH HBK: 0/8] HW BOUND KEY as TRUSTED KEY > > Caution: EXT Email > > Hi, > > Am 2022-09-06 08:51, schrieb Pankaj Gupta: > > Hardware Bound key(HBK), is never acessible as plain key outside of > > the hardware boundary. Thus, it is un-usable, even if somehow fetched > > from kernel memory. It ensures run-time security. > > > > This patchset adds generic support for classing the Hardware Bound > > Key, based on: > > > > - Newly added flag-'is_hbk', added to the tfm. > > > > Consumer of the kernel crypto api, after allocating > > the transformation, sets this flag based on the basis > > of the type of key consumer has. > > > > - This helps to influence the core processing logic > > for the encapsulated algorithm. > > > > - This flag is set by the consumer after allocating > > the tfm and before calling the function crypto_xxx_setkey(). > > > > First implementation is based on CAAM. > > > > NXP built CAAM IP is the Cryptographic Acceleration and Assurance > > Module. > > This is contain by the i.MX and QorIQ SoCs by NXP. > > > > CAAM is a suitable backend (source) for kernel trusted keys. > > This backend source can be used for run-time security as well by > > generating the hardware bound key. > > > > Along with plain key, the CAAM generates black key. A black key is an > > encrypted key, which can only be decrypted inside CAAM. Hence, CAAM's > > black key can only be used by CAAM. Thus it is declared as a hardware > > bound key. > > What is the difference to the current trusted keys with CAAM? > When I tested the patch series back then, I wasn't able to import a sealed > key on another board with the same SoC. > Currently, keys that are part of trusted key-ring, contains plain key. With this patch-set, these key will become Hw Bound Key, which is not a plain key anymore. After this patch-set, if somehow the HB-key is retrieved from the keyring, the retrieved key would be un-usable without hw. > -michael
> -----Original Message----- > From: Jarkko Sakkinen <jarkko@kernel.org> > Sent: Tuesday, September 6, 2022 2:28 PM > To: Pankaj Gupta <pankaj.gupta@nxp.com> > Cc: a.fatoum@pengutronix.de; Jason@zx2c4.com; jejb@linux.ibm.com; > zohar@linux.ibm.com; dhowells@redhat.com; sumit.garg@linaro.org; > david@sigma-star.at; michael@walle.cc; john.ernberg@actia.se; > jmorris@namei.org; serge@hallyn.com; herbert@gondor.apana.org.au; > davem@davemloft.net; j.luebbe@pengutronix.de; ebiggers@kernel.org; > richard@nod.at; keyrings@vger.kernel.org; linux-crypto@vger.kernel.org; > linux-integrity@vger.kernel.org; linux-kernel@vger.kernel.org; linux- > security-module@vger.kernel.org; Sahil Malhotra > <sahil.malhotra@nxp.com>; Kshitiz Varshney <kshitiz.varshney@nxp.com>; > Horia Geanta <horia.geanta@nxp.com>; Varun Sethi <V.Sethi@nxp.com> > Subject: [EXT] Re: [RFC PATCH HBK: 0/8] HW BOUND KEY as TRUSTED KEY > > Caution: EXT Email > > On Tue, Sep 06, 2022 at 12:21:49PM +0530, Pankaj Gupta wrote: > > Hardware Bound key(HBK), is never acessible as plain key outside of > > the > ~~~~~~~~~ > accesible. > > > hardware boundary. Thus, it is un-usable, even if somehow fetched from > > kernel memory. It ensures run-time security. > > Why is it called "HBK" here and "hw" in the context of keyctl? It is HBK, because the key is bounded to the Hardware. As: - Key is generated by hardware. - Key can only be used by hardware. - Stored as a blob by the hardware. > > > This patchset adds generic support for classing the Hardware Bound > > Key, based on: > > > > - Newly added flag-'is_hbk', added to the tfm. > > > > Consumer of the kernel crypto api, after allocating > > the transformation, sets this flag based on the basis > > of the type of key consumer has. > > > > - This helps to influence the core processing logic > > for the encapsulated algorithm. > > > > - This flag is set by the consumer after allocating > > the tfm and before calling the function crypto_xxx_setkey(). > > > > First implementation is based on CAAM. > > CAAM is implementation of what exactly? CAAM is the chip's cryptographic acceleration and offloading hardware and combines cryptographic and other mathematical functions to create a modular and scalable hardware acceleration and assurance engine. In context to this patchset, CAAM implements the following functions: - Generates HBK - Generates key-blob, from HBK, for security at rest. - Perform crypto operations, using HBK. > > I'm sorry but I don't know your definition of unusable. Even if somehow the key is retrieved from the keyring, the retrieved key would be an encrypted key. This encrypted key can only be decrypted by Hardware, which generated it. Hence, the retrieved key is unusable outside of the hardware. > > BR, Jarkko
Am 2022-09-07 09:22, schrieb Pankaj Gupta: >> -----Original Message----- >> From: Michael Walle <michael@walle.cc> >> Sent: Tuesday, September 6, 2022 12:43 PM >> To: Pankaj Gupta <pankaj.gupta@nxp.com> >> Cc: jarkko@kernel.org; a.fatoum@pengutronix.de; Jason@zx2c4.com; >> jejb@linux.ibm.com; zohar@linux.ibm.com; dhowells@redhat.com; >> sumit.garg@linaro.org; david@sigma-star.at; john.ernberg@actia.se; >> jmorris@namei.org; serge@hallyn.com; herbert@gondor.apana.org.au; >> davem@davemloft.net; j.luebbe@pengutronix.de; ebiggers@kernel.org; >> richard@nod.at; keyrings@vger.kernel.org; >> linux-crypto@vger.kernel.org; >> linux-integrity@vger.kernel.org; linux-kernel@vger.kernel.org; linux- >> security-module@vger.kernel.org; Sahil Malhotra >> <sahil.malhotra@nxp.com>; Kshitiz Varshney <kshitiz.varshney@nxp.com>; >> Horia Geanta <horia.geanta@nxp.com>; Varun Sethi <V.Sethi@nxp.com> >> Subject: [EXT] Re: [RFC PATCH HBK: 0/8] HW BOUND KEY as TRUSTED KEY >> >> Caution: EXT Email >> >> Hi, >> >> Am 2022-09-06 08:51, schrieb Pankaj Gupta: >> > Hardware Bound key(HBK), is never acessible as plain key outside of >> > the hardware boundary. Thus, it is un-usable, even if somehow fetched >> > from kernel memory. It ensures run-time security. >> > >> > This patchset adds generic support for classing the Hardware Bound >> > Key, based on: >> > >> > - Newly added flag-'is_hbk', added to the tfm. >> > >> > Consumer of the kernel crypto api, after allocating >> > the transformation, sets this flag based on the basis >> > of the type of key consumer has. >> > >> > - This helps to influence the core processing logic >> > for the encapsulated algorithm. >> > >> > - This flag is set by the consumer after allocating >> > the tfm and before calling the function crypto_xxx_setkey(). >> > >> > First implementation is based on CAAM. >> > >> > NXP built CAAM IP is the Cryptographic Acceleration and Assurance >> > Module. >> > This is contain by the i.MX and QorIQ SoCs by NXP. >> > >> > CAAM is a suitable backend (source) for kernel trusted keys. >> > This backend source can be used for run-time security as well by >> > generating the hardware bound key. >> > >> > Along with plain key, the CAAM generates black key. A black key is an >> > encrypted key, which can only be decrypted inside CAAM. Hence, CAAM's >> > black key can only be used by CAAM. Thus it is declared as a hardware >> > bound key. >> >> What is the difference to the current trusted keys with CAAM? >> When I tested the patch series back then, I wasn't able to import a >> sealed >> key on another board with the same SoC. >> > > Currently, keys that are part of trusted key-ring, contains plain key. > > With this patch-set, these key will become Hw Bound Key, which is not > a plain key anymore. > After this patch-set, if somehow the HB-key is retrieved from the > keyring, the retrieved key would be un-usable without hw. This doesn't answer my question why I couldn't import one key on another board with the same SoC. Ahmad (as you were the author of the original series), is this supposed to work or is the seal export already encrypted with the per SoC key? -michael
Hi Michael, > On 07.09.2022, at 09:29, Michael Walle <michael@walle.cc> wrote: > > Am 2022-09-07 09:22, schrieb Pankaj Gupta: >>> -----Original Message----- >>> From: Michael Walle <michael@walle.cc> >>> Sent: Tuesday, September 6, 2022 12:43 PM >>> To: Pankaj Gupta <pankaj.gupta@nxp.com> >>> Cc: jarkko@kernel.org; a.fatoum@pengutronix.de; Jason@zx2c4.com; >>> jejb@linux.ibm.com; zohar@linux.ibm.com; dhowells@redhat.com; >>> sumit.garg@linaro.org; david@sigma-star.at; john.ernberg@actia.se; >>> jmorris@namei.org; serge@hallyn.com; herbert@gondor.apana.org.au; >>> davem@davemloft.net; j.luebbe@pengutronix.de; ebiggers@kernel.org; >>> richard@nod.at; keyrings@vger.kernel.org; linux-crypto@vger.kernel.org; >>> linux-integrity@vger.kernel.org; linux-kernel@vger.kernel.org; linux- >>> security-module@vger.kernel.org; Sahil Malhotra >>> <sahil.malhotra@nxp.com>; Kshitiz Varshney <kshitiz.varshney@nxp.com>; >>> Horia Geanta <horia.geanta@nxp.com>; Varun Sethi <V.Sethi@nxp.com> >>> Subject: [EXT] Re: [RFC PATCH HBK: 0/8] HW BOUND KEY as TRUSTED KEY >>> Caution: EXT Email >>> Hi, >>> Am 2022-09-06 08:51, schrieb Pankaj Gupta: >>> > Hardware Bound key(HBK), is never acessible as plain key outside of >>> > the hardware boundary. Thus, it is un-usable, even if somehow fetched >>> > from kernel memory. It ensures run-time security. >>> > >>> > This patchset adds generic support for classing the Hardware Bound >>> > Key, based on: >>> > >>> > - Newly added flag-'is_hbk', added to the tfm. >>> > >>> > Consumer of the kernel crypto api, after allocating >>> > the transformation, sets this flag based on the basis >>> > of the type of key consumer has. >>> > >>> > - This helps to influence the core processing logic >>> > for the encapsulated algorithm. >>> > >>> > - This flag is set by the consumer after allocating >>> > the tfm and before calling the function crypto_xxx_setkey(). >>> > >>> > First implementation is based on CAAM. >>> > >>> > NXP built CAAM IP is the Cryptographic Acceleration and Assurance >>> > Module. >>> > This is contain by the i.MX and QorIQ SoCs by NXP. >>> > >>> > CAAM is a suitable backend (source) for kernel trusted keys. >>> > This backend source can be used for run-time security as well by >>> > generating the hardware bound key. >>> > >>> > Along with plain key, the CAAM generates black key. A black key is an >>> > encrypted key, which can only be decrypted inside CAAM. Hence, CAAM's >>> > black key can only be used by CAAM. Thus it is declared as a hardware >>> > bound key. >>> What is the difference to the current trusted keys with CAAM? >>> When I tested the patch series back then, I wasn't able to import a sealed >>> key on another board with the same SoC. >> Currently, keys that are part of trusted key-ring, contains plain key. >> With this patch-set, these key will become Hw Bound Key, which is not >> a plain key anymore. >> After this patch-set, if somehow the HB-key is retrieved from the >> keyring, the retrieved key would be un-usable without hw. > > This doesn't answer my question why I couldn't import one key on > another board with the same SoC. I don’t believe this is intended to work this way. Each key blob created by CAAM is bound to a specific device. Being able to decrypt the same blob on another SoC would open up some attack vectors: Think of a locked down device where I’m able to extract this key blob. Simply buying a board with the same Soc would allow me to decrypt this blob by copying it over to my board. Roughly speaking, CAAM key blobs are secure using a key derived from the device’s master key. This master key can be programmed via eFUSEs. So you’d have to burn the same master key on both SoCs and it should work. In any way, check the security reference manual for your SoC. It should explain this in more detail. - David
On Wed, 2022-09-07 at 07:22 +0000, Pankaj Gupta wrote: > Even if somehow the key is retrieved from the keyring, the retrieved key > would be an encrypted key. > This encrypted key can only be decrypted by Hardware, which generated it. > > Hence, the retrieved key is unusable outside of the hardware. NXP's CAAM unit (i.e. on i.MX6) supports several modes of sealed/encrypted keys. The (un)sealing process uses a key that is normally derived from a per-device key in eFUSES. One aspect of these modes is whether the plaintext key material is accessible to the kernel or not. Ahmad's patch set added support for a mode where the CAAM is used to seal plaintext known to the kernel to a "blob" (in CAAM terminology) on export to userspace and the reverse on import. This mode allows the kernel to use the plaintext for dm-crypt, to encrypt other keyrings and similar. The CAAM has another sealing mode, where it will not allow writing of the plaintext key to memory. Instead, it is kept in one of the CAAM-internal key registers. There, it can be used for cryptographic operations (i.e. AES). This way, the plaintext key is protected even from the kernel. The kernel could keep a copy of in sealed form, so it can reload the CAAM's key register when needed. Pankaj, is that the mode you intend to support with this series? Could you describe the high-level use-cases this would be need for, compared to the existing mode where plaintext keys are accessible to the kernel? In which cases would you use each mode? Regards, Jan
Hi David, Am 2022-09-07 09:46, schrieb David Gstir: >> On 07.09.2022, at 09:29, Michael Walle <michael@walle.cc> wrote: >> >> Am 2022-09-07 09:22, schrieb Pankaj Gupta: >>>> -----Original Message----- >>>> From: Michael Walle <michael@walle.cc> >>>> Sent: Tuesday, September 6, 2022 12:43 PM >>>> To: Pankaj Gupta <pankaj.gupta@nxp.com> >>>> Cc: jarkko@kernel.org; a.fatoum@pengutronix.de; Jason@zx2c4.com; >>>> jejb@linux.ibm.com; zohar@linux.ibm.com; dhowells@redhat.com; >>>> sumit.garg@linaro.org; david@sigma-star.at; john.ernberg@actia.se; >>>> jmorris@namei.org; serge@hallyn.com; herbert@gondor.apana.org.au; >>>> davem@davemloft.net; j.luebbe@pengutronix.de; ebiggers@kernel.org; >>>> richard@nod.at; keyrings@vger.kernel.org; >>>> linux-crypto@vger.kernel.org; >>>> linux-integrity@vger.kernel.org; linux-kernel@vger.kernel.org; >>>> linux- >>>> security-module@vger.kernel.org; Sahil Malhotra >>>> <sahil.malhotra@nxp.com>; Kshitiz Varshney >>>> <kshitiz.varshney@nxp.com>; >>>> Horia Geanta <horia.geanta@nxp.com>; Varun Sethi <V.Sethi@nxp.com> >>>> Subject: [EXT] Re: [RFC PATCH HBK: 0/8] HW BOUND KEY as TRUSTED KEY >>>> Caution: EXT Email >>>> Hi, >>>> Am 2022-09-06 08:51, schrieb Pankaj Gupta: >>>> > Hardware Bound key(HBK), is never acessible as plain key outside of >>>> > the hardware boundary. Thus, it is un-usable, even if somehow fetched >>>> > from kernel memory. It ensures run-time security. >>>> > >>>> > This patchset adds generic support for classing the Hardware Bound >>>> > Key, based on: >>>> > >>>> > - Newly added flag-'is_hbk', added to the tfm. >>>> > >>>> > Consumer of the kernel crypto api, after allocating >>>> > the transformation, sets this flag based on the basis >>>> > of the type of key consumer has. >>>> > >>>> > - This helps to influence the core processing logic >>>> > for the encapsulated algorithm. >>>> > >>>> > - This flag is set by the consumer after allocating >>>> > the tfm and before calling the function crypto_xxx_setkey(). >>>> > >>>> > First implementation is based on CAAM. >>>> > >>>> > NXP built CAAM IP is the Cryptographic Acceleration and Assurance >>>> > Module. >>>> > This is contain by the i.MX and QorIQ SoCs by NXP. >>>> > >>>> > CAAM is a suitable backend (source) for kernel trusted keys. >>>> > This backend source can be used for run-time security as well by >>>> > generating the hardware bound key. >>>> > >>>> > Along with plain key, the CAAM generates black key. A black key is an >>>> > encrypted key, which can only be decrypted inside CAAM. Hence, CAAM's >>>> > black key can only be used by CAAM. Thus it is declared as a hardware >>>> > bound key. >>>> What is the difference to the current trusted keys with CAAM? >>>> When I tested the patch series back then, I wasn't able to import a >>>> sealed >>>> key on another board with the same SoC. >>> Currently, keys that are part of trusted key-ring, contains plain >>> key. >>> With this patch-set, these key will become Hw Bound Key, which is not >>> a plain key anymore. >>> After this patch-set, if somehow the HB-key is retrieved from the >>> keyring, the retrieved key would be un-usable without hw. >> >> This doesn't answer my question why I couldn't import one key on >> another board with the same SoC. > > I don’t believe this is intended to work this way. Each key blob > created by CAAM is bound > to a specific device. Being able to decrypt the same blob on another > SoC would > open up some attack vectors: Think of a locked down device where I’m > able to > extract this key blob. Simply buying a board with the same Soc would > allow me to > decrypt this blob by copying it over to my board. I agree, thus my first question here was, what this series is adding, if the key is already "bound" to the hardware. That is what I don't understand. -michael > Roughly speaking, CAAM key blobs are secure using a key derived from > the device’s master > key. This master key can be programmed via eFUSEs. So you’d have to > burn the same master > key on both SoCs and it should work. > > In any way, check the security reference manual for your SoC. It > should explain this in more detail.
> -----Original Message----- > From: Michael Walle <michael@walle.cc> > Sent: Wednesday, September 7, 2022 1:42 PM > To: David Gstir <david@sigma-star.at> > Cc: Pankaj Gupta <pankaj.gupta@nxp.com>; Ahmad Fatoum > <a.fatoum@pengutronix.de>; Jarkko Sakkinen <jarkko@kernel.org>; > Jason@zx2c4.com; James Bottomley <jejb@linux.ibm.com>; Mimi Zohar > <zohar@linux.ibm.com>; David Howells <dhowells@redhat.com>; Sumit > Garg <sumit.garg@linaro.org>; john.ernberg@actia.se; James Morris > <jmorris@namei.org>; Serge E. Hallyn <serge@hallyn.com>; Herbert Xu > <herbert@gondor.apana.org.au>; David S. Miller <davem@davemloft.net>; > Jan Luebbe <j.luebbe@pengutronix.de>; Eric Biggers <ebiggers@kernel.org>; > Richard Weinberger <richard@nod.at>; keyrings@vger.kernel.org; linux- > crypto@vger.kernel.org; linux-integrity@vger.kernel.org; linux- > kernel@vger.kernel.org; linux-security-module@vger.kernel.org; Sahil > Malhotra <sahil.malhotra@nxp.com>; Kshitiz Varshney > <kshitiz.varshney@nxp.com>; Horia Geanta <horia.geanta@nxp.com>; > Varun Sethi <V.Sethi@nxp.com> > Subject: Re: [EXT] [RFC PATCH HBK: 0/8] HW BOUND KEY as TRUSTED KEY > > Caution: EXT Email > > Hi David, > > Am 2022-09-07 09:46, schrieb David Gstir: > >> On 07.09.2022, at 09:29, Michael Walle <michael@walle.cc> wrote: > >> > >> Am 2022-09-07 09:22, schrieb Pankaj Gupta: > >>>> -----Original Message----- > >>>> From: Michael Walle <michael@walle.cc> > >>>> Sent: Tuesday, September 6, 2022 12:43 PM > >>>> To: Pankaj Gupta <pankaj.gupta@nxp.com> > >>>> Cc: jarkko@kernel.org; a.fatoum@pengutronix.de; Jason@zx2c4.com; > >>>> jejb@linux.ibm.com; zohar@linux.ibm.com; dhowells@redhat.com; > >>>> sumit.garg@linaro.org; david@sigma-star.at; john.ernberg@actia.se; > >>>> jmorris@namei.org; serge@hallyn.com; herbert@gondor.apana.org.au; > >>>> davem@davemloft.net; j.luebbe@pengutronix.de; > ebiggers@kernel.org; > >>>> richard@nod.at; keyrings@vger.kernel.org; > >>>> linux-crypto@vger.kernel.org; linux-integrity@vger.kernel.org; > >>>> linux-kernel@vger.kernel.org; > >>>> linux- > >>>> security-module@vger.kernel.org; Sahil Malhotra > >>>> <sahil.malhotra@nxp.com>; Kshitiz Varshney > >>>> <kshitiz.varshney@nxp.com>; Horia Geanta <horia.geanta@nxp.com>; > >>>> Varun Sethi <V.Sethi@nxp.com> > >>>> Subject: [EXT] Re: [RFC PATCH HBK: 0/8] HW BOUND KEY as TRUSTED > KEY > >>>> Caution: EXT Email > >>>> Hi, > >>>> Am 2022-09-06 08:51, schrieb Pankaj Gupta: > >>>> > Hardware Bound key(HBK), is never acessible as plain key outside > >>>> > of the hardware boundary. Thus, it is un-usable, even if somehow > >>>> > fetched from kernel memory. It ensures run-time security. > >>>> > > >>>> > This patchset adds generic support for classing the Hardware > >>>> > Bound Key, based on: > >>>> > > >>>> > - Newly added flag-'is_hbk', added to the tfm. > >>>> > > >>>> > Consumer of the kernel crypto api, after allocating > >>>> > the transformation, sets this flag based on the basis > >>>> > of the type of key consumer has. > >>>> > > >>>> > - This helps to influence the core processing logic > >>>> > for the encapsulated algorithm. > >>>> > > >>>> > - This flag is set by the consumer after allocating > >>>> > the tfm and before calling the function crypto_xxx_setkey(). > >>>> > > >>>> > First implementation is based on CAAM. > >>>> > > >>>> > NXP built CAAM IP is the Cryptographic Acceleration and Assurance > >>>> > Module. > >>>> > This is contain by the i.MX and QorIQ SoCs by NXP. > >>>> > > >>>> > CAAM is a suitable backend (source) for kernel trusted keys. > >>>> > This backend source can be used for run-time security as well by > >>>> > generating the hardware bound key. > >>>> > > >>>> > Along with plain key, the CAAM generates black key. A black key > >>>> > is an encrypted key, which can only be decrypted inside CAAM. > >>>> > Hence, CAAM's black key can only be used by CAAM. Thus it is > >>>> > declared as a hardware bound key. > >>>> What is the difference to the current trusted keys with CAAM? > >>>> When I tested the patch series back then, I wasn't able to import a > >>>> sealed key on another board with the same SoC. > >>> Currently, keys that are part of trusted key-ring, contains plain > >>> key. > >>> With this patch-set, these key will become Hw Bound Key, which is > >>> not a plain key anymore. > >>> After this patch-set, if somehow the HB-key is retrieved from the > >>> keyring, the retrieved key would be un-usable without hw. > >> > >> This doesn't answer my question why I couldn't import one key on > >> another board with the same SoC. > > > > I don’t believe this is intended to work this way. Each key blob > > created by CAAM is bound to a specific device. Being able to decrypt > > the same blob on another SoC would open up some attack vectors: Think > > of a locked down device where I’m able to extract this key blob. > > Simply buying a board with the same Soc would allow me to decrypt this > > blob by copying it over to my board. > > I agree, thus my first question here was, what this series is adding, if the key > is already "bound" to the hardware. That is what I don't understand. > > -michael Just one correction in above statement. "Key-Blob" is bound to the hardware, not the plain key that is added to the job-ring, after de-blobification. Security at rest is ensured here. But not at the runtime. This patch-set goes a step further and ensures runtime security as well. > > > Roughly speaking, CAAM key blobs are secure using a key derived from > > the device’s master key. This master key can be programmed via eFUSEs. > > So you’d have to burn the same master key on both SoCs and it should > > work. > > > > In any way, check the security reference manual for your SoC. It > > should explain this in more detail.
> -----Original Message----- > From: Jan Lübbe <jlu@pengutronix.de> > Sent: Wednesday, September 7, 2022 1:41 PM > To: Pankaj Gupta <pankaj.gupta@nxp.com>; Jarkko Sakkinen > <jarkko@kernel.org> > Cc: a.fatoum@pengutronix.de; Jason@zx2c4.com; jejb@linux.ibm.com; > zohar@linux.ibm.com; dhowells@redhat.com; sumit.garg@linaro.org; > david@sigma-star.at; michael@walle.cc; john.ernberg@actia.se; > jmorris@namei.org; serge@hallyn.com; herbert@gondor.apana.org.au; > davem@davemloft.net; j.luebbe@pengutronix.de; ebiggers@kernel.org; > richard@nod.at; keyrings@vger.kernel.org; linux-crypto@vger.kernel.org; > linux-integrity@vger.kernel.org; linux-kernel@vger.kernel.org; linux- > security-module@vger.kernel.org; Sahil Malhotra > <sahil.malhotra@nxp.com>; Kshitiz Varshney <kshitiz.varshney@nxp.com>; > Horia Geanta <horia.geanta@nxp.com>; Varun Sethi <V.Sethi@nxp.com> > Subject: Re: [EXT] Re: [RFC PATCH HBK: 0/8] HW BOUND KEY as TRUSTED KEY > > Caution: EXT Email > > On Wed, 2022-09-07 at 07:22 +0000, Pankaj Gupta wrote: > > Even if somehow the key is retrieved from the keyring, the retrieved > > key would be an encrypted key. > > This encrypted key can only be decrypted by Hardware, which generated it. > > > > Hence, the retrieved key is unusable outside of the hardware. > > NXP's CAAM unit (i.e. on i.MX6) supports several modes of sealed/encrypted > keys. > The (un)sealing process uses a key that is normally derived from a per-device > key in eFUSES. One aspect of these modes is whether the plaintext key > material is accessible to the kernel or not. > > Ahmad's patch set added support for a mode where the CAAM is used to > seal plaintext known to the kernel to a "blob" (in CAAM terminology) on > export to userspace and the reverse on import. This mode allows the kernel > to use the plaintext for dm-crypt, to encrypt other keyrings and similar. > > The CAAM has another sealing mode, where it will not allow writing of the > plaintext key to memory. Instead, it is kept in one of the CAAM-internal key > registers. There, it can be used for cryptographic operations (i.e. AES). This > way, the plaintext key is protected even from the kernel. The kernel could > keep a copy of in sealed form, so it can reload the CAAM's key register when > needed. > > > Pankaj, is that the mode you intend to support with this series? Yes, this is what is called as "black key", in CAAM terminology. Black key is nothing but a HBK key. This is what I am trying to achieve with this patch-set. > > Could you describe the high-level use-cases this would be need for, > compared to the existing mode where plaintext keys are accessible to the > kernel? In which cases would you use each mode? > High-level Use-case is to ensure runtime security. By runtime security, I mean, key that is added to keyring after blob-decapsulation, - if get stolen, then being plain key, security can be compromised. - After this patch-set, if key get stolen, then being HBK(encrypted by H/W), will not be of any use without HW. Security is not compromised. > Regards, > Jan > -- > Pengutronix e.K. | | > Industrial Linux Solutions | > https://eur01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww. > pengutronix.de%2F&data=05%7C01%7Cpankaj.gupta%40nxp.com%7Cb > 1335df185404e02df1108da90a8886c%7C686ea1d3bc2b4c6fa92cd99c5c301635 > %7C0%7C0%7C637981350763081319%7CUnknown%7CTWFpbGZsb3d8eyJWIj > oiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3 > 000%7C%7C%7C&sdata=aNxEETFYLc74F%2BOq9IK3p63tniVfczpgslG3LYe > ZzAo%3D&reserved=0 | > Peiner Str. 6-8, 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 | > Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |