Message ID | 20211206225725.77512-6-quic_gaurkash@quicinc.com (mailing list archive) |
---|---|
State | Not Applicable |
Headers | show |
Series | Add wrapped key support for Qualcomm ICE | expand |
On Mon, Dec 06, 2021 at 02:57:20PM -0800, Gaurav Kashyap wrote: > Adds support in ufshcd-core for wrapped keys. > 1. Change program key vop to support wrapped key sizes by > using blk_crypto_key directly instead of using ufs_crypto_cfg > which is not suitable for wrapped keys. > 2. Add derive_sw_secret vop and derive_sw_secret crypto_profile op. > > Signed-off-by: Gaurav Kashyap <quic_gaurkash@quicinc.com> > --- > drivers/scsi/ufs/ufshcd-crypto.c | 52 +++++++++++++++++++++++++------- > drivers/scsi/ufs/ufshcd.h | 9 +++++- > 2 files changed, 49 insertions(+), 12 deletions(-) There will be a build error if the patch series is applied just up to here, since this patch changes the prototype of ufs_hba_variant_ops::program_key but doesn't update ufs_qcom which implements it. Every intermediate step needs to be buildable, and that's more important than keeping changes to different drivers separate. So I recommend having one patch that does the program_key change, in both ufshcd-crypto.c and ufs-qcom-ice.c. Adding derive_sw_secret should be a separate patch, and maybe should be combined with the other new methods. > diff --git a/drivers/scsi/ufs/ufshcd-crypto.c b/drivers/scsi/ufs/ufshcd-crypto.c > index 0ed82741f981..9d68621a0eb4 100644 > --- a/drivers/scsi/ufs/ufshcd-crypto.c > +++ b/drivers/scsi/ufs/ufshcd-crypto.c > @@ -18,16 +18,23 @@ static const struct ufs_crypto_alg_entry { > }; > > static int ufshcd_program_key(struct ufs_hba *hba, > + const struct blk_crypto_key *key, > const union ufs_crypto_cfg_entry *cfg, int slot) > { > int i; > u32 slot_offset = hba->crypto_cfg_register + slot * sizeof(*cfg); > int err = 0; > + bool evict = false; > > ufshcd_hold(hba, false); > > if (hba->vops && hba->vops->program_key) { > - err = hba->vops->program_key(hba, cfg, slot); > + if (!(cfg->config_enable & UFS_CRYPTO_CONFIGURATION_ENABLE)) > + evict = true; > + err = hba->vops->program_key(hba, key, slot, > + cfg->data_unit_size, > + cfg->crypto_cap_idx, > + evict); > goto out; > } This is a little weird because here we've already gone through the trouble of creating a 'union ufs_crypto_cfg_entry', only to throw it away in the ->program_key case and just use the original blk_crypto_key instead. I think that this should be refactored a bit to make it so that a 'ufs_crypto_cfg_entry' is only be initialized if program_key is not implemented. Also, note that 'struct blk_crypto_key' includes the data unit size. So there's no need to pass the data unit size as a separate argument to program_key. > +static int ufshcd_crypto_derive_sw_secret(struct blk_crypto_profile *profile, > + const u8 *wrapped_key, > + unsigned int wrapped_key_size, > + u8 sw_secret[BLK_CRYPTO_SW_SECRET_SIZE]) > +{ > + struct ufs_hba *hba = > + container_of(profile, struct ufs_hba, crypto_profile); > + > + if (hba->vops && hba->vops->derive_secret) > + return hba->vops->derive_secret(hba, wrapped_key, > + wrapped_key_size, sw_secret); There's a weird double space here. > @@ -190,7 +215,12 @@ int ufshcd_hba_init_crypto_capabilities(struct ufs_hba *hba) > hba->crypto_profile.ll_ops = ufshcd_crypto_ops; > /* UFS only supports 8 bytes for any DUN */ > hba->crypto_profile.max_dun_bytes_supported = 8; > - hba->crypto_profile.key_types_supported = BLK_CRYPTO_KEY_TYPE_STANDARD; > + if (hba->hw_wrapped_keys_supported) > + hba->crypto_profile.key_types_supported = > + BLK_CRYPTO_KEY_TYPE_HW_WRAPPED; > + else > + hba->crypto_profile.key_types_supported = > + BLK_CRYPTO_KEY_TYPE_STANDARD; "hw_wrapped_keys_supported" is confusing because it doesn't just mean that wrapped keys are supported, but also that standard keys are *not* supported. "use_hw_wrapped_keys" would be clearer. However, given that wrapped keys aren't specified by the UFS standard, I think this better belongs as a bit in hba->quirks, like UFSHCD_QUIRK_USES_WRAPPED_CRYPTO_KEYS. > + int (*derive_secret)(struct ufs_hba *hba, const u8 *wrapped_key, > + unsigned int wrapped_key_size, > + u8 sw_secret[BLK_CRYPTO_SW_SECRET_SIZE]); This probably should be called derive_sw_secret, not just derive_secret. - Eric
diff --git a/drivers/scsi/ufs/ufshcd-crypto.c b/drivers/scsi/ufs/ufshcd-crypto.c index 0ed82741f981..9d68621a0eb4 100644 --- a/drivers/scsi/ufs/ufshcd-crypto.c +++ b/drivers/scsi/ufs/ufshcd-crypto.c @@ -18,16 +18,23 @@ static const struct ufs_crypto_alg_entry { }; static int ufshcd_program_key(struct ufs_hba *hba, + const struct blk_crypto_key *key, const union ufs_crypto_cfg_entry *cfg, int slot) { int i; u32 slot_offset = hba->crypto_cfg_register + slot * sizeof(*cfg); int err = 0; + bool evict = false; ufshcd_hold(hba, false); if (hba->vops && hba->vops->program_key) { - err = hba->vops->program_key(hba, cfg, slot); + if (!(cfg->config_enable & UFS_CRYPTO_CONFIGURATION_ENABLE)) + evict = true; + err = hba->vops->program_key(hba, key, slot, + cfg->data_unit_size, + cfg->crypto_cap_idx, + evict); goto out; } @@ -80,16 +87,18 @@ static int ufshcd_crypto_keyslot_program(struct blk_crypto_profile *profile, cfg.crypto_cap_idx = cap_idx; cfg.config_enable = UFS_CRYPTO_CONFIGURATION_ENABLE; - if (ccap_array[cap_idx].algorithm_id == UFS_CRYPTO_ALG_AES_XTS) { - /* In XTS mode, the blk_crypto_key's size is already doubled */ - memcpy(cfg.crypto_key, key->raw, key->size/2); - memcpy(cfg.crypto_key + UFS_CRYPTO_KEY_MAX_SIZE/2, - key->raw + key->size/2, key->size/2); - } else { - memcpy(cfg.crypto_key, key->raw, key->size); + if (key->crypto_cfg.key_type != BLK_CRYPTO_KEY_TYPE_HW_WRAPPED) { + if (ccap_array[cap_idx].algorithm_id == UFS_CRYPTO_ALG_AES_XTS) { + /* In XTS mode, the blk_crypto_key's size is already doubled */ + memcpy(cfg.crypto_key, key->raw, key->size/2); + memcpy(cfg.crypto_key + UFS_CRYPTO_KEY_MAX_SIZE/2, + key->raw + key->size/2, key->size/2); + } else { + memcpy(cfg.crypto_key, key->raw, key->size); + } } - err = ufshcd_program_key(hba, &cfg, slot); + err = ufshcd_program_key(hba, key, &cfg, slot); memzero_explicit(&cfg, sizeof(cfg)); return err; @@ -103,7 +112,7 @@ static int ufshcd_clear_keyslot(struct ufs_hba *hba, int slot) */ union ufs_crypto_cfg_entry cfg = {}; - return ufshcd_program_key(hba, &cfg, slot); + return ufshcd_program_key(hba, NULL, &cfg, slot); } static int ufshcd_crypto_keyslot_evict(struct blk_crypto_profile *profile, @@ -126,9 +135,25 @@ bool ufshcd_crypto_enable(struct ufs_hba *hba) return true; } +static int ufshcd_crypto_derive_sw_secret(struct blk_crypto_profile *profile, + const u8 *wrapped_key, + unsigned int wrapped_key_size, + u8 sw_secret[BLK_CRYPTO_SW_SECRET_SIZE]) +{ + struct ufs_hba *hba = + container_of(profile, struct ufs_hba, crypto_profile); + + if (hba->vops && hba->vops->derive_secret) + return hba->vops->derive_secret(hba, wrapped_key, + wrapped_key_size, sw_secret); + + return -EOPNOTSUPP; +} + static const struct blk_crypto_ll_ops ufshcd_crypto_ops = { .keyslot_program = ufshcd_crypto_keyslot_program, .keyslot_evict = ufshcd_crypto_keyslot_evict, + .derive_sw_secret = ufshcd_crypto_derive_sw_secret, }; static enum blk_crypto_mode_num @@ -190,7 +215,12 @@ int ufshcd_hba_init_crypto_capabilities(struct ufs_hba *hba) hba->crypto_profile.ll_ops = ufshcd_crypto_ops; /* UFS only supports 8 bytes for any DUN */ hba->crypto_profile.max_dun_bytes_supported = 8; - hba->crypto_profile.key_types_supported = BLK_CRYPTO_KEY_TYPE_STANDARD; + if (hba->hw_wrapped_keys_supported) + hba->crypto_profile.key_types_supported = + BLK_CRYPTO_KEY_TYPE_HW_WRAPPED; + else + hba->crypto_profile.key_types_supported = + BLK_CRYPTO_KEY_TYPE_STANDARD; hba->crypto_profile.dev = hba->dev; /* diff --git a/drivers/scsi/ufs/ufshcd.h b/drivers/scsi/ufs/ufshcd.h index df5439b12208..095c2d660aa7 100644 --- a/drivers/scsi/ufs/ufshcd.h +++ b/drivers/scsi/ufs/ufshcd.h @@ -320,6 +320,7 @@ struct ufs_pwr_mode_info { * @device_reset: called to issue a reset pulse on the UFS device * @program_key: program or evict an inline encryption key * @event_notify: called to notify important events + * @derive_secret: derive sw secret from wrapped inline encryption key */ struct ufs_hba_variant_ops { const char *name; @@ -353,9 +354,14 @@ struct ufs_hba_variant_ops { struct devfreq_dev_profile *profile, void *data); int (*program_key)(struct ufs_hba *hba, - const union ufs_crypto_cfg_entry *cfg, int slot); + const struct blk_crypto_key *crypto_key, + int slot, u8 data_unit_size, int capid, + bool evict); void (*event_notify)(struct ufs_hba *hba, enum ufs_event_type evt, void *data); + int (*derive_secret)(struct ufs_hba *hba, const u8 *wrapped_key, + unsigned int wrapped_key_size, + u8 sw_secret[BLK_CRYPTO_SW_SECRET_SIZE]); }; /* clock gating state */ @@ -906,6 +912,7 @@ struct ufs_hba { union ufs_crypto_cap_entry *crypto_cap_array; u32 crypto_cfg_register; struct blk_crypto_profile crypto_profile; + bool hw_wrapped_keys_supported; #endif #ifdef CONFIG_DEBUG_FS struct dentry *debugfs_root;
Adds support in ufshcd-core for wrapped keys. 1. Change program key vop to support wrapped key sizes by using blk_crypto_key directly instead of using ufs_crypto_cfg which is not suitable for wrapped keys. 2. Add derive_sw_secret vop and derive_sw_secret crypto_profile op. Signed-off-by: Gaurav Kashyap <quic_gaurkash@quicinc.com> --- drivers/scsi/ufs/ufshcd-crypto.c | 52 +++++++++++++++++++++++++------- drivers/scsi/ufs/ufshcd.h | 9 +++++- 2 files changed, 49 insertions(+), 12 deletions(-)