1. Patchew
  2. linux
  3. View series

[PATCH 0/3] trusted-keys: Add support for protected keys using CAAM

meenakshi.aggarwal@nxp.com posted 3 patches 4 months ago 
.../security/keys/trusted-encrypted.rst       |  87 +++++++++++-
drivers/crypto/caam/blob_gen.c                |  86 +++++++++---
drivers/crypto/caam/caamalg.c                 | 128 ++++++++++++++++--
drivers/crypto/caam/caamalg_desc.c            |  87 +++++++++++-
drivers/crypto/caam/caamalg_desc.h            |  13 +-
drivers/crypto/caam/desc.h                    |   9 +-
drivers/crypto/caam/desc_constr.h             |   8 +-
include/soc/fsl/caam-blob.h                   |  26 ++++
security/keys/trusted-keys/trusted_caam.c     | 108 +++++++++++++++
9 files changed, 518 insertions(+), 34 deletions(-)
[PATCH 0/3] trusted-keys: Add support for protected keys using CAAM
Posted by meenakshi.aggarwal@nxp.com 4 months ago 
From: Meenakshi Aggarwal <meenakshi.aggarwal@nxp.com>

Overview:
This patch set adds:
- Support for creating and loading protected keys via `keyctl` interface.
- Documentation updates to describe protected key usage and options.
- CAAM-specific implementation for protected key encryption algorithms.

User can create protected/encrypted key using keyctl interface:

KEYNAME=dm_trust_key_hw
KEY="$(keyctl add trusted $KEYNAME 'new 32 pk key_enc_algo=1' @s)"
keyctl pipe $KEY >~/$KEYNAME.blob
keyctl list @s

dm-crypt can load the protected key buffer from the keyring and use it to
initialize encrypted volumes, ensuring that key material is never exposed in plaintext.

The Protected key buffer is passed to the CAAM driver via the kernel crypto API.
CAAM driver will decapsulate the protected key buffer and perform cipher operation.

Protected Keys are identified by a header structure:

struct caam_pkey_info {
	u8  is_pkey;
	u8  key_enc_algo;
	u16 plain_key_sz;
	u8 key_buf[];
};

This information is populated based on the parameters provided during key creation such as 'new 32 pk key_enc_algo=1'

Internal Workflow:
::

 +------------------------+     +-------------------------------+
 |   Seal Function        |     | paes_skcipher_setkey()        |
 | - Constructs key buffer|---->| - Parses header and key_buf[] |
 | - Adds header metadata |     | - Initializes cipher context  |
 +------------------------+     +-------------------------------+

I welcome feedback and suggestions from the community.

Thank you for your time and consideration.

Best regards,
Meenakshi Aggarwal 

Meenakshi Aggarwal (3):
  Doc: trusted-keys as protected keys
  KEYS: trusted: caam based protected key
  crypto:caam: Add support of paes algorithm

 .../security/keys/trusted-encrypted.rst       |  87 +++++++++++-
 drivers/crypto/caam/blob_gen.c                |  86 +++++++++---
 drivers/crypto/caam/caamalg.c                 | 128 ++++++++++++++++--
 drivers/crypto/caam/caamalg_desc.c            |  87 +++++++++++-
 drivers/crypto/caam/caamalg_desc.h            |  13 +-
 drivers/crypto/caam/desc.h                    |   9 +-
 drivers/crypto/caam/desc_constr.h             |   8 +-
 include/soc/fsl/caam-blob.h                   |  26 ++++
 security/keys/trusted-keys/trusted_caam.c     | 108 +++++++++++++++
 9 files changed, 518 insertions(+), 34 deletions(-)

-- 
2.25.1
Re: [PATCH 0/3] trusted-keys: Add support for protected keys using CAAM
Posted by Herbert Xu 3 months, 3 weeks ago 
On Mon, Oct 06, 2025 at 09:17:50AM +0200, meenakshi.aggarwal@nxp.com wrote:
> From: Meenakshi Aggarwal <meenakshi.aggarwal@nxp.com>
> 
> Overview:
> This patch set adds:
> - Support for creating and loading protected keys via `keyctl` interface.
> - Documentation updates to describe protected key usage and options.
> - CAAM-specific implementation for protected key encryption algorithms.
> 
> User can create protected/encrypted key using keyctl interface:
> 
> KEYNAME=dm_trust_key_hw
> KEY="$(keyctl add trusted $KEYNAME 'new 32 pk key_enc_algo=1' @s)"
> keyctl pipe $KEY >~/$KEYNAME.blob
> keyctl list @s
> 
> dm-crypt can load the protected key buffer from the keyring and use it to
> initialize encrypted volumes, ensuring that key material is never exposed in plaintext.
> 
> The Protected key buffer is passed to the CAAM driver via the kernel crypto API.
> CAAM driver will decapsulate the protected key buffer and perform cipher operation.
> 
> Protected Keys are identified by a header structure:
> 
> struct caam_pkey_info {
> 	u8  is_pkey;
> 	u8  key_enc_algo;
> 	u16 plain_key_sz;
> 	u8 key_buf[];
> };
> 
> This information is populated based on the parameters provided during key creation such as 'new 32 pk key_enc_algo=1'
> 
> Internal Workflow:
> ::
> 
>  +------------------------+     +-------------------------------+
>  |   Seal Function        |     | paes_skcipher_setkey()        |
>  | - Constructs key buffer|---->| - Parses header and key_buf[] |
>  | - Adds header metadata |     | - Initializes cipher context  |
>  +------------------------+     +-------------------------------+
> 
> I welcome feedback and suggestions from the community.
> 
> Thank you for your time and consideration.
> 
> Best regards,
> Meenakshi Aggarwal 
> 
> Meenakshi Aggarwal (3):
>   Doc: trusted-keys as protected keys
>   KEYS: trusted: caam based protected key
>   crypto:caam: Add support of paes algorithm
> 
>  .../security/keys/trusted-encrypted.rst       |  87 +++++++++++-
>  drivers/crypto/caam/blob_gen.c                |  86 +++++++++---
>  drivers/crypto/caam/caamalg.c                 | 128 ++++++++++++++++--
>  drivers/crypto/caam/caamalg_desc.c            |  87 +++++++++++-
>  drivers/crypto/caam/caamalg_desc.h            |  13 +-
>  drivers/crypto/caam/desc.h                    |   9 +-
>  drivers/crypto/caam/desc_constr.h             |   8 +-
>  include/soc/fsl/caam-blob.h                   |  26 ++++
>  security/keys/trusted-keys/trusted_caam.c     | 108 +++++++++++++++
>  9 files changed, 518 insertions(+), 34 deletions(-)
> 
> -- 
> 2.25.1

All applied.  Thanks.
-- 
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
Re: [PATCH 0/3] trusted-keys: Add support for protected keys using CAAM
Posted by Horia Geanta 3 months, 3 weeks ago 
On Mon, 2025-10-06 at 09:17 +0200, meenakshi.aggarwal@nxp.com wrote:
> From: Meenakshi Aggarwal <meenakshi.aggarwal@nxp.com>
> 
> Overview:
> This patch set adds:
> - Support for creating and loading protected keys via `keyctl`
> interface.
> - Documentation updates to describe protected key usage and options.
> - CAAM-specific implementation for protected key encryption
> algorithms.
> 
> User can create protected/encrypted key using keyctl interface:
> 
> KEYNAME=dm_trust_key_hw
> KEY="$(keyctl add trusted $KEYNAME 'new 32 pk key_enc_algo=1' @s)"
> keyctl pipe $KEY >~/$KEYNAME.blob
> keyctl list @s
> 
> dm-crypt can load the protected key buffer from the keyring and use
> it to
> initialize encrypted volumes, ensuring that key material is never
> exposed in plaintext.
> 
> The Protected key buffer is passed to the CAAM driver via the kernel
> crypto API.
> CAAM driver will decapsulate the protected key buffer and perform
> cipher operation.
> 
AFAICS, the algorithms implemented in caam driver are still marked with
CRYPTO_ALG_ALLOCATES_MEMORY.

Thus, I am wondering if currently dm-crypt is really a use case for
"protected keys" having CAAM as backend.

Thanks,
Horia

Patchew 2.1-devel-b67e4c2

© 2016 - 2026 Red Hat, Inc.