From: meenakshi.aggarwal@nxp.com
To: horia.geanta@nxp.com, V.sethi@nxp.com, pankaj.gupta@nxp.com, gaurav.jain@nxp.com, herbert@gondor.apana.org.au
Cc: linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org, Meenakshi Aggarwal
Subject: [PATCH 1/3] Doc: trusted-keys as protected keys
Date: Mon, 6 Oct 2025 09:17:51 +0200
Message-Id: <20251006071753.3073538-2-meenakshi.aggarwal@nxp.com>
X-Mailer: git-send-email 2.25.1
In-Reply-To: <20251006071753.3073538-1-meenakshi.aggarwal@nxp.com>
References: <20251006071753.3073538-1-meenakshi.aggarwal@nxp.com>
Content-Transfer-Encoding: quoted-printable

From: Meenakshi Aggarwal

Add a section in trusted key document describing the protected-keys.
- Detailing need for protected keys.
- Detailing the usage for protected keys.

Signed-off-by: Pankaj Gupta
Signed-off-by: Meenakshi Aggarwal
--- .../security/keys/trusted-encrypted.rst | 87 ++++++++++++++++++- 1 file changed, 86 insertions(+), 1 deletion(-) diff --git a/Documentation/security/keys/trusted-encrypted.rst b/Documentat= ion/security/keys/trusted-encrypted.rst index f4d7e162d5e4..2bcaaa7d119b 100644 --- a/Documentation/security/keys/trusted-encrypted.rst +++ b/Documentation/security/keys/trusted-encrypted.rst 
@@ -10,6 +10,36 @@ of a Trust Source for greater security, while Encrypted = Keys can be used on any system. All user level blobs, are displayed and loaded in hex ASCII for convenience, and are integrity verified. =20 +Trusted Keys as Protected key +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D +It is the secure way of keeping the keys in the kernel key-ring as Trusted= -Key, +such that: +- Key-blob, an encrypted key-data, created to be stored, loaded and seen by + userspace. +- Key-data, the plain-key text in the system memory, to be used by + kernel space only. + +Though key-data is not accessible to the user-space in plain-text, but it = is in +plain-text in system memory, when used in kernel space. Even though kernel= -space +attracts small surface attack, but with compromised kernel or side-channel +attack accessing the system memory can lead to a chance of the key getting +compromised/leaked. + +In order to protect the key in kernel space, the concept of "protected-key= s" is +introduced which will act as an added layer of protection. The key-data of= the +protected keys is encrypted with Key-Encryption-Key(KEK), and decrypted in= side +the trust source boundary. The plain-key text never available out-side in = the +system memory. Thus, any crypto operation that is to be executed using the +protected key, can only be done by the trust source, which generated the +key blob. + +Hence, if the protected-key is leaked or compromised, it is of no use to t= he +hacker. + +Trusted keys as protected keys, with trust source having the capability of +generating: + +- Key-Blob, to be loaded, stored and seen by user-space. =20 Trust Source =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D 
@@ -252,7 +282,7 @@ in bytes. Trusted Keys can be 32 - 128 bytes (256 - 102= 4 bits). Trusted Keys usage: CAAM ------------------------ =20 -Usage:: +Trusted Keys Usage:: =20 keyctl add trusted name "new keylen" ring keyctl add trusted name "load hex_blob" ring @@ -262,6 +292,21 @@ Usage:: CAAM-specific format. The key length for new keys is always in bytes. Trusted Keys can be 32 - 128 bytes (256 - 1024 bits). =20 +Trusted Keys as Protected Keys Usage:: + + keyctl add trusted name "new keylen pk [options]" ring + keyctl add trusted name "load hex_blob [options]" ring + keyctl print keyid + + where, 'pk' is used to direct trust source to generate protected key. + + options: + key_enc_algo =3D For CAAM, supported enc algo are ECB(2), CCM(= 1). + +"keyctl print" returns an ASCII hex copy of the sealed key, which is in a +CAAM-specific format. The key length for new keys is always in bytes. +Trusted Keys can be 32 - 128 bytes (256 - 1024 bits). + Trusted Keys usage: DCP ----------------------- =20 
@@ -343,6 +388,46 @@ Load a trusted key from the saved blob:: f1f8fff03ad0acb083725535636addb08d73dedb9832da198081e5deae84bfaf0409c2= 2b e4a8aea2b607ec96931e6f4d4fe563ba =20 +Create and save a trusted key as protected key named "kmk" of length 32 by= tes. + +:: + + $ keyctl add trusted kmk "new 32 pk key_enc_algo=3D1" @u + 440502848 + + $ keyctl show + Session Keyring + -3 --alswrv 500 500 keyring: _ses + 97833714 --alswrv 500 -1 \_ keyring: _uid.500 + 440502848 --alswrv 500 500 \_ trusted: kmk + + $ keyctl print 440502848 + 0101000000000000000001005d01b7e3f4a6be5709930f3b70a743cbb42e0cc95e18e9= 15 + 3f60da455bbf1144ad12e4f92b452f966929f6105fd29ca28e4d4d5a031d068478bacb= 0b + 27351119f822911b0a11ba3d3498ba6a32e50dac7f32894dd890eb9ad578e4e292c837= 22 + a52e56a097e6a68b3f56f7a52ece0cdccba1eb62cad7d817f6dc58898b3ac15f36026f= ec + d568bd4a706cb60bb37be6d8f1240661199d640b66fb0fe3b079f97f450b9ef9c22c6d= 5d + dd379f0facd1cd020281dfa3c70ba21a3fa6fc2471dc6d13ecf8298b946f65345faa5e= f0 + f1f8fff03ad0acb083725535636addb08d73dedb9832da198081e5deae84bfaf0409c2= 2b + e4a8aea2b607ec96931e6f4d4fe563ba + + $ keyctl pipe 440502848 > kmk.blob + +Load a trusted key from the saved blob:: + + $ keyctl add trusted kmk "load `cat kmk.blob` key_enc_algo=3D1" @u + 268728824 + + $ keyctl print 268728824 + 0101000000000000000001005d01b7e3f4a6be5709930f3b70a743cbb42e0cc95e18e9= 15 + 3f60da455bbf1144ad12e4f92b452f966929f6105fd29ca28e4d4d5a031d068478bacb= 0b + 27351119f822911b0a11ba3d3498ba6a32e50dac7f32894dd890eb9ad578e4e292c837= 22 + a52e56a097e6a68b3f56f7a52ece0cdccba1eb62cad7d817f6dc58898b3ac15f36026f= ec + d568bd4a706cb60bb37be6d8f1240661199d640b66fb0fe3b079f97f450b9ef9c22c6d= 5d + dd379f0facd1cd020281dfa3c70ba21a3fa6fc2471dc6d13ecf8298b946f65345faa5e= f0 + f1f8fff03ad0acb083725535636addb08d73dedb9832da198081e5deae84bfaf0409c2= 2b + e4a8aea2b607ec96931e6f4d4fe563ba + Reseal (TPM specific) a trusted key under new PCR values:: =20 $ keyctl update 268728824 "update pcrinfo=3D`cat pcr.blob`" 
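Review bot: In the new "Trusted Keys as Protected key" section of trusted-encrypted.rst (hunk @@ -10,6 +10,36 @@), the bullet list starts on the line directly after "such that:" with no blank line, so reStructuredText folds "- Key-blob, ..." into the preceding paragraph instead of rendering a list; add a blank line before the first bullet. The closing paragraph "Trusted keys as protected keys, with trust source having the capability of generating:" is followed by a single Key-Blob item and reads as if a second item is missing; either complete the list or turn it into one sentence.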
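Review bot: The "Trusted Keys as Protected Keys Usage" block (trusted-encrypted.rst, hunk @@ -262,6 +292,21 @@) does not say which algorithm is used when key_enc_algo is omitted, nor whether 'pk' has to be given again on load: the synopsis shows "load hex_blob [options]" and the load example added later in this patch passes only key_enc_algo=1. Please state the default and how a loaded blob is recognised as a protected key. The '"keyctl print" returns an ASCII hex copy ...' paragraph is also a verbatim copy of the one in the context lines just above it and could be shared between the two usage blocks.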
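Review bot: The protected-key example (trusted-encrypted.rst, hunk @@ -343,6 +388,46 @@) looks copied from the existing trusted-key example rather than captured from a 'pk' key: the added hex blob ends with the same two lines as the blob shown in the context at the top of the hunk, and the key ids 440502848 and 268728824 are reused, the latter also appearing in the following "keyctl update" context line. Please replace it with output from a real CAAM protected key and use a distinct key name or ids so readers can tell the two examples apart.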
--=20 2.25.1

From: meenakshi.aggarwal@nxp.com
To: horia.geanta@nxp.com, V.sethi@nxp.com, pankaj.gupta@nxp.com, gaurav.jain@nxp.com, herbert@gondor.apana.org.au
Cc: linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org, Meenakshi Aggarwal
Subject: [PATCH 2/3] KEYS: trusted: caam based protected key
Date: Mon, 6 Oct 2025 09:17:52 +0200
Message-Id: <20251006071753.3073538-3-meenakshi.aggarwal@nxp.com>
X-Mailer: git-send-email 2.25.1
In-Reply-To: <20251006071753.3073538-1-meenakshi.aggarwal@nxp.com>
References: <20251006071753.3073538-1-meenakshi.aggarwal@nxp.com>
Content-Transfer-Encoding: quoted-printable

From: Meenakshi Aggarwal

- CAAM supports two types of protected keys:
  -- Plain key encrypted with ECB
  -- Plain key encrypted with CCM
  Due to robustness, default encryption used for protected key is CCM.
- Generate protected key blob and add it to trusted key payload.
  This is done as part of sealing operation, which is triggered when
  below two operations are requested:
  -- new key generation
  -- load key,

Signed-off-by: Pankaj Gupta
Signed-off-by: Meenakshi Aggarwal
--- drivers/crypto/caam/blob_gen.c | 86 +++++++++++++---- drivers/crypto/caam/desc.h | 9 +- include/soc/fsl/caam-blob.h | 26 ++++++ security/keys/trusted-keys/trusted_caam.c | 108 ++++++++++++++++++++++ 4 files changed, 212 insertions(+), 17 deletions(-) diff --git a/drivers/crypto/caam/blob_gen.c b/drivers/crypto/caam/blob_gen.c index 079a22cc9f02..c18dbac56493 100644 --- a/drivers/crypto/caam/blob_gen.c +++ b/drivers/crypto/caam/blob_gen.c @@ -2,13 +2,14 @@ /* * Copyright (C) 2015 Pengutronix, Steffen Trumtrar * Copyright (C) 2021 Pengutronix, Ahmad Fatoum - * Copyright 2024 NXP + * Copyright 2024-2025 NXP */ =20 #define pr_fmt(fmt) "caam blob_gen: " fmt =20 #include #include +#include #include =20 #include "compat.h" 
@@ -60,18 +61,27 @@ static void caam_blob_job_done(struct device *dev, u32 = *desc, u32 err, void *con complete(&res->completion); } =20 +static u32 check_caam_state(struct device *jrdev) +{ + const struct caam_drv_private *ctrlpriv; + + ctrlpriv =3D dev_get_drvdata(jrdev->parent); + return FIELD_GET(CSTA_MOO, rd_reg32(&ctrlpriv->jr[0]->perfmon.status)); +} + int caam_process_blob(struct caam_blob_priv *priv, struct caam_blob_info *info, bool encap) { - const struct caam_drv_private *ctrlpriv; struct caam_blob_job_result testres; struct device *jrdev =3D &priv->jrdev; dma_addr_t dma_in, dma_out; int op =3D OP_PCLID_BLOB; + int hwbk_caam_ovhd =3D 0; size_t output_len; u32 *desc; u32 moo; int ret; + int len; =20 if (info->key_mod_len > CAAM_BLOB_KEYMOD_LENGTH) return -EINVAL; @@ -82,14 +92,29 @@ int caam_process_blob(struct caam_blob_priv *priv, } else { op |=3D OP_TYPE_DECAP_PROTOCOL; output_len =3D info->input_len - CAAM_BLOB_OVERHEAD; + info->output_len =3D output_len; + } + + if (encap && info->pkey_info.is_pkey) { + op |=3D OP_PCL_BLOB_BLACK; + if (info->pkey_info.key_enc_algo =3D=3D CAAM_ENC_ALGO_CCM) { + op |=3D OP_PCL_BLOB_EKT; + hwbk_caam_ovhd =3D CAAM_CCM_OVERHEAD; + } + if ((info->input_len + hwbk_caam_ovhd) > MAX_KEY_SIZE) + return -EINVAL; + + len =3D info->input_len + hwbk_caam_ovhd; + } else { + len =3D info->input_len; } =20 desc =3D kzalloc(CAAM_BLOB_DESC_BYTES_MAX, GFP_KERNEL); if (!desc) return -ENOMEM; =20 - dma_in =3D dma_map_single(jrdev, info->input, info->input_len, - DMA_TO_DEVICE); + dma_in =3D dma_map_single(jrdev, info->input, len, + encap ? DMA_BIDIRECTIONAL : DMA_TO_DEVICE); if (dma_mapping_error(jrdev, dma_in)) { dev_err(jrdev, "unable to map input DMA buffer\n"); ret =3D -ENOMEM; 
@@ -104,8 +129,7 @@ int caam_process_blob(struct caam_blob_priv *priv, goto out_unmap_in; } =20 - ctrlpriv =3D dev_get_drvdata(jrdev->parent); - moo =3D FIELD_GET(CSTA_MOO, rd_reg32(&ctrlpriv->jr[0]->perfmon.status)); + moo =3D check_caam_state(jrdev); if (moo !=3D CSTA_MOO_SECURE && moo !=3D CSTA_MOO_TRUSTED) dev_warn(jrdev, "using insecure test key, enable HAB to use unique device key!\n"); 
@@ -117,18 +141,48 @@ int caam_process_blob(struct caam_blob_priv *priv, * Class 1 Context DWords 0+1+2+3. The random BK is stored in the * Class 1 Key Register. Operation Mode is set to AES-CCM. */ - init_job_desc(desc, 0); + + if (encap && info->pkey_info.is_pkey) { + /*!1. key command used to load class 1 key register + * from input plain key. + */ + append_key(desc, dma_in, info->input_len, + CLASS_1 | KEY_DEST_CLASS_REG); + /*!2. Fifostore to store protected key from class 1 key register. */ + if (info->pkey_info.key_enc_algo =3D=3D CAAM_ENC_ALGO_CCM) { + append_fifo_store(desc, dma_in, info->input_len, + LDST_CLASS_1_CCB | + FIFOST_TYPE_KEY_CCM_JKEK); + } else { + append_fifo_store(desc, dma_in, info->input_len, + LDST_CLASS_1_CCB | + FIFOST_TYPE_KEY_KEK); + } + /* + * JUMP_OFFSET specifies the offset of the JUMP target from + * the JUMP command's address in the descriptor buffer. + */ + append_jump(desc, JUMP_COND_NOP | BIT(0) << JUMP_OFFSET_SHIFT); + } + + /*!3. Load class 2 key with key modifier. */ append_key_as_imm(desc, info->key_mod, info->key_mod_len, - info->key_mod_len, CLASS_2 | KEY_DEST_CLASS_REG); - append_seq_in_ptr_intlen(desc, dma_in, info->input_len, 0); - append_seq_out_ptr_intlen(desc, dma_out, output_len, 0); + info->key_mod_len, CLASS_2 | KEY_DEST_CLASS_REG); + + /*!4. SEQ IN PTR Command. */ + append_seq_in_ptr(desc, dma_in, info->input_len, 0); + + /*!5. SEQ OUT PTR Command. */ + append_seq_out_ptr(desc, dma_out, output_len, 0); + + /*!6. Blob encapsulation/decapsulation PROTOCOL Command. */ append_operation(desc, op); =20 - print_hex_dump_debug("data@"__stringify(__LINE__)": ", + print_hex_dump_debug("data@" __stringify(__LINE__)": ", DUMP_PREFIX_ADDRESS, 16, 1, info->input, - info->input_len, false); - print_hex_dump_debug("jobdesc@"__stringify(__LINE__)": ", + len, false); + print_hex_dump_debug("jobdesc@" __stringify(__LINE__)": ", DUMP_PREFIX_ADDRESS, 16, 1, desc, desc_bytes(desc), false); =20 
@@ -139,7 +193,7 @@ int caam_process_blob(struct caam_blob_priv *priv, if (ret =3D=3D -EINPROGRESS) { wait_for_completion(&testres.completion); ret =3D testres.err; - print_hex_dump_debug("output@"__stringify(__LINE__)": ", + print_hex_dump_debug("output@" __stringify(__LINE__)": ", DUMP_PREFIX_ADDRESS, 16, 1, info->output, output_len, false); } @@ -149,10 +203,10 @@ int caam_process_blob(struct caam_blob_priv *priv, =20 dma_unmap_single(jrdev, dma_out, output_len, DMA_FROM_DEVICE); out_unmap_in: - dma_unmap_single(jrdev, dma_in, info->input_len, DMA_TO_DEVICE); + dma_unmap_single(jrdev, dma_in, len, + encap ? DMA_BIDIRECTIONAL : DMA_TO_DEVICE); out_free: kfree(desc); - return ret; } EXPORT_SYMBOL(caam_process_blob); diff --git a/drivers/crypto/caam/desc.h b/drivers/crypto/caam/desc.h index e13470901586..c28e94fcb8c7 100644 --- a/drivers/crypto/caam/desc.h +++ b/drivers/crypto/caam/desc.h @@ -4,7 +4,7 @@ * Definitions to support CAAM descriptor instruction generation * * Copyright 2008-2011 Freescale Semiconductor, Inc. - * Copyright 2018 NXP + * Copyright 2018, 2025 NXP */ =20 #ifndef DESC_H @@ -162,6 +162,7 @@ * Enhanced Encryption of Key */ #define KEY_EKT 0x00100000 +#define KEY_EKT_OFFSET 20 =20 /* * Encrypted with Trusted Key @@ -403,6 +404,7 @@ #define FIFOST_TYPE_PKHA_N (0x08 << FIFOST_TYPE_SHIFT) #define FIFOST_TYPE_PKHA_A (0x0c << FIFOST_TYPE_SHIFT) #define FIFOST_TYPE_PKHA_B (0x0d << FIFOST_TYPE_SHIFT) +#define FIFOST_TYPE_KEY_CCM_JKEK (0x14 << FIFOST_TYPE_SHIFT) #define FIFOST_TYPE_AF_SBOX_JKEK (0x20 << FIFOST_TYPE_SHIFT) #define FIFOST_TYPE_AF_SBOX_TKEK (0x21 << FIFOST_TYPE_SHIFT) #define FIFOST_TYPE_PKHA_E_JKEK (0x22 << FIFOST_TYPE_SHIFT) @@ -1001,6 +1003,11 @@ #define OP_PCL_TLS12_AES_256_CBC_SHA384 0xff63 #define OP_PCL_TLS12_AES_256_CBC_SHA512 0xff65 =20 +/* Blob protocol protinfo bits */ + +#define OP_PCL_BLOB_BLACK 0x0004 +#define OP_PCL_BLOB_EKT 0x0100 + /* For DTLS - OP_PCLID_DTLS */ =20 #define OP_PCL_DTLS_AES_128_CBC_SHA 0x002f 
diff --git a/include/soc/fsl/caam-blob.h b/include/soc/fsl/caam-blob.h index 937cac52f36d..922f7ec3e231 100644 --- a/include/soc/fsl/caam-blob.h +++ b/include/soc/fsl/caam-blob.h @@ -1,6 +1,7 @@ /* SPDX-License-Identifier: GPL-2.0-only */ /* * Copyright (C) 2020 Pengutronix, Ahmad Fatoum + * Copyright 2024-2025 NXP */ =20 #ifndef __CAAM_BLOB_GEN @@ -12,11 +13,34 @@ #define CAAM_BLOB_KEYMOD_LENGTH 16 #define CAAM_BLOB_OVERHEAD (32 + 16) #define CAAM_BLOB_MAX_LEN 4096 +#define CAAM_ENC_ALGO_CCM 0x1 +#define CAAM_ENC_ALGO_ECB 0x2 +#define CAAM_NONCE_SIZE 6 +#define CAAM_ICV_SIZE 6 +#define CAAM_CCM_OVERHEAD (CAAM_NONCE_SIZE + CAAM_ICV_SIZE) =20 struct caam_blob_priv; =20 +/** + * struct caam_pkey_info - information for CAAM protected key + * @is_pkey: flag to identify, if the key is protected. + * @key_enc_algo: identifies the algorithm, ccm or ecb + * @plain_key_sz: size of plain key. + * @key_buf: contains key data + */ +struct caam_pkey_info { + u8 is_pkey; + u8 key_enc_algo; + u16 plain_key_sz; + u8 key_buf[]; +} __packed; + +/* sizeof struct caam_pkey_info */ +#define CAAM_PKEY_HEADER 4 + /** * struct caam_blob_info - information for CAAM blobbing + * @pkey_info: pointer to keep protected key information * @input: pointer to input buffer (must be DMAable) * @input_len: length of @input buffer in bytes. * @output: pointer to output buffer (must be DMAable) @@ -26,6 +50,8 @@ struct caam_blob_priv; * May not exceed %CAAM_BLOB_KEYMOD_LENGTH */ struct caam_blob_info { + struct caam_pkey_info pkey_info; + void *input; size_t input_len; =20 diff --git a/security/keys/trusted-keys/trusted_caam.c b/security/keys/trus= ted-keys/trusted_caam.c index e3415c520c0a..090099d1b04d 100644 --- a/security/keys/trusted-keys/trusted_caam.c +++ b/security/keys/trusted-keys/trusted_caam.c 
@@ -1,12 +1,14 @@ // SPDX-License-Identifier: GPL-2.0-only /* * Copyright (C) 2021 Pengutronix, Ahmad Fatoum + * Copyright 2025 NXP */ =20 #include #include #include #include +#include #include =20 static struct caam_blob_priv *blobifier; @@ -16,6 +18,77 @@ static struct caam_blob_priv *blobifier; static_assert(MAX_KEY_SIZE + CAAM_BLOB_OVERHEAD <=3D CAAM_BLOB_MAX_LEN); static_assert(MAX_BLOB_SIZE <=3D CAAM_BLOB_MAX_LEN); =20 +enum { + opt_err, + opt_key_enc_algo, +}; + +static const match_table_t key_tokens =3D { + {opt_key_enc_algo, "key_enc_algo=3D%s"}, + {opt_err, NULL} +}; + +#ifdef CAAM_DEBUG +static inline void dump_options(struct caam_pkey_info pkey_info) +{ + pr_info("key encryption algo %d\n", pkey_info.key_enc_algo); +} +#else +static inline void dump_options(struct caam_pkey_info pkey_info) +{ +} +#endif + +static int get_pkey_options(char *c, + struct caam_pkey_info *pkey_info) +{ + substring_t args[MAX_OPT_ARGS]; + unsigned long token_mask =3D 0; + u16 key_enc_algo; + char *p =3D c; + int token; + int res; + + if (!c) + return 0; + + while ((p =3D strsep(&c, " \t"))) { + if (*p =3D=3D '\0' || *p =3D=3D ' ' || *p =3D=3D '\t') + continue; + token =3D match_token(p, key_tokens, args); + if (test_and_set_bit(token, &token_mask)) + return -EINVAL; + + switch (token) { + case opt_key_enc_algo: + res =3D kstrtou16(args[0].from, 16, &key_enc_algo); + if (res < 0) + return -EINVAL; + pkey_info->key_enc_algo =3D key_enc_algo; + break; + default: + return -EINVAL; + } + } + return 0; +} + +static bool is_key_pkey(char **datablob) +{ + char *c =3D NULL; + + do { + /* Second argument onwards, + * determine if tied to HW + */ + c =3D strsep(datablob, " \t"); + if (c && (strcmp(c, "pk") =3D=3D 0)) + return true; + } while (c); + + return false; +} + static int trusted_caam_seal(struct trusted_key_payload *p, char *datablob) { int ret; 
@@ -25,11 +98,30 @@ static int trusted_caam_seal(struct trusted_key_payload= *p, char *datablob) .key_mod =3D KEYMOD, .key_mod_len =3D sizeof(KEYMOD) - 1, }; =20 + /* + * If it is to be treated as protected key, + * read next arguments too. + */ + if (is_key_pkey(&datablob)) { + info.pkey_info.plain_key_sz =3D p->key_len; + info.pkey_info.is_pkey =3D 1; + ret =3D get_pkey_options(datablob, &info.pkey_info); + if (ret < 0) + return 0; + dump_options(info.pkey_info); + } + ret =3D caam_encap_blob(blobifier, &info); if (ret) return ret; =20 p->blob_len =3D info.output_len; + if (info.pkey_info.is_pkey) { + p->key_len =3D p->blob_len + sizeof(struct caam_pkey_info); + memcpy(p->key, &info.pkey_info, sizeof(struct caam_pkey_info)); + memcpy(p->key + sizeof(struct caam_pkey_info), p->blob, p->blob_len); + } + return 0; } =20 
@@ -42,11 +134,27 @@ static int trusted_caam_unseal(struct trusted_key_payl= oad *p, char *datablob) .key_mod =3D KEYMOD, .key_mod_len =3D sizeof(KEYMOD) - 1, }; =20 + if (is_key_pkey(&datablob)) { + info.pkey_info.plain_key_sz =3D p->blob_len - CAAM_BLOB_OVERHEAD; + info.pkey_info.is_pkey =3D 1; + ret =3D get_pkey_options(datablob, &info.pkey_info); + if (ret < 0) + return 0; + dump_options(info.pkey_info); + + p->key_len =3D p->blob_len + sizeof(struct caam_pkey_info); + memcpy(p->key, &info.pkey_info, sizeof(struct caam_pkey_info)); + memcpy(p->key + sizeof(struct caam_pkey_info), p->blob, p->blob_len); + + return 0; + } + ret =3D caam_decap_blob(blobifier, &info); if (ret) return ret; =20 p->key_len =3D info.output_len; + return 0; } =20 --=20 2.25.1 From nobody Mon Feb 9 14:02:31 2026 Received: from AS8PR04CU009.outbound.protection.outlook.com (mail-westeuropeazon11011061.outbound.protection.outlook.com [52.101.70.61]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id BAF9D25785F; Mon, 6 Oct 2025 07:18:33 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=fail smtp.client-ip=52.101.70.61 ARC-Seal: i=2; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1759735116; cv=fail; b=RvkpoTlmhkQVUY5p5uqGpFZ9Z9oKe2WMB6RFH7Wzq1vRoV2Cq3vaFBaErZ+uBHTloZ2BqV2cMR4WFPzO+FMng1UHe8Dw4m+R3Watfoa2YiphfmWkn8wIgLgoJdVNbXnPyjbihex5je98vuMmSN3c+nz7SPKgL4Hy8qnl9/IWKZw= ARC-Message-Signature: i=2; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1759735116; c=relaxed/simple; bh=Kg86Vqdl6kYrb39+BwDsvzpRGjWiGz8krIfTH3vMKlI=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: Content-Type:MIME-Version; b=o3VXoPBEESjubqqP0yLVTXUFmMX5hOwM6KeTEQcZ3I7SovFghYIU+c7LJ9JyTXw+MMNkqpRp4+iYM+Y3msApnNLfmme+Hls5RF6VYZeYAGh4ChZ/fX+IjuiE0vFWWLgRrw0vVWioZhSFn3E8cT2jwjNw3vtHy3M2ULUG1HlYcXc= ARC-Authentication-Results: i=2; smtp.subspace.kernel.org; dmarc=pass 
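Review bot: In the caam_process_blob() hunk at @@ -117,18 +141,48 @@, both append_fifo_store() calls write the protected key back over dma_in with length info->input_len, yet a CCM-wrapped key carries CAAM_CCM_OVERHEAD (nonce plus ICV) on top of the plain key. The mapping length `len` used by dma_unmap_single() and the hex dump is set outside these lines; please confirm that it, and the buffer behind info->input, cover input_len + CAAM_CCM_OVERHEAD when key_enc_algo is CAAM_ENC_ALGO_CCM, and say so in a comment next to the FIFO STORE. The "/*!1." comment markers are also not kernel comment style.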
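Review bot: In include/soc/fsl/caam-blob.h, struct caam_pkey_info ends in the flexible array key_buf[], and the @@ -26,6 +50,8 @@ hunk embeds it as the first member of struct caam_blob_info, so a flexible-array struct sits in front of input, input_len and the remaining fields. Split the fixed header (is_pkey, key_enc_algo, plain_key_sz) into its own struct and embed that instead. The kernel-doc also calls @pkey_info a pointer while the member is an embedded struct, and CAAM_PKEY_HEADER is a hard-coded 4 under a "sizeof struct caam_pkey_info" comment; derive it with offsetof(struct caam_pkey_info, key_buf) so it cannot drift from the layout.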
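Review bot: get_pkey_options() in trusted_caam.c parses key_enc_algo with kstrtou16(args[0].from, 16, &key_enc_algo) and stores the result in the u8 pkey_info->key_enc_algo without validating it, so any value other than CAAM_ENC_ALGO_CCM, including one truncated from above 0xff or the default 0 when the option is absent, silently takes the non-CCM branch in caam_process_blob(). Reject everything that is not CAAM_ENC_ALGO_CCM or CAAM_ENC_ALGO_ECB with -EINVAL, and document the new "pk" and "key_enc_algo=" keywords, including that the value is read as hex.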
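Review bot: In trusted_caam_seal(), a failing get_pkey_options() ends in `if (ret < 0) return 0;`, which reports success to the caller without a blob having been produced; return ret instead. After encapsulation the hunk copies sizeof(struct caam_pkey_info) + p->blob_len bytes into p->key with no check against the size of that buffer, while the blob is at least CAAM_BLOB_OVERHEAD larger than the key it wraps, so add an explicit bound before the two memcpy() calls.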
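Review bot: trusted_caam_unseal() repeats the `if (ret < 0) return 0;` after get_pkey_options(), and it computes plain_key_sz as p->blob_len - CAAM_BLOB_OVERHEAD without first checking that blob_len is at least CAAM_BLOB_OVERHEAD, so a short blob wraps around in the u16 field. The protected-key branch also returns before caam_decap_blob(), which means the blob is handed back undecapsulated behind a header built from caller-supplied options; check the length, return ret on a parse error, and bound the copy into p->key as in the seal path.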
From: meenakshi.aggarwal@nxp.com
To: horia.geanta@nxp.com, V.sethi@nxp.com, pankaj.gupta@nxp.com, gaurav.jain@nxp.com, herbert@gondor.apana.org.au
Cc: linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org, Meenakshi Aggarwal
Subject: [PATCH 3/3] crypto:caam: Add support of paes algorithm
Date: Mon, 6 Oct 2025 09:17:53 +0200
Message-Id: <20251006071753.3073538-4-meenakshi.aggarwal@nxp.com>
X-Mailer: git-send-email 2.25.1
In-Reply-To: <20251006071753.3073538-1-meenakshi.aggarwal@nxp.com>
References: <20251006071753.3073538-1-meenakshi.aggarwal@nxp.com>
Content-Transfer-Encoding: quoted-printable
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
X-OriginatorOrg: nxp.com
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 06 Oct 2025 07:18:24.1836
(UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: 686ea1d3-bc2b-4c6f-a92c-d99c5c301635 X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: xinverPyyLYFIHExeD8SY4gOt3kU2dNxj4U3l8/39Kkz7RXCOpryKy/qHeisG211O7VVll35E1BCG4lJ1puapelIrLexj7UtAtJN5/fKeU8= X-MS-Exchange-Transport-CrossTenantHeadersStamped: DU4PR04MB10864 Content-Type: text/plain; charset="utf-8" From: Meenakshi Aggarwal PAES algorithm uses protected key for encryption/decryption operations. Signed-off-by: Gaurav Jain Signed-off-by: Meenakshi Aggarwal --- drivers/crypto/caam/caamalg.c | 128 ++++++++++++++++++++++++++--- drivers/crypto/caam/caamalg_desc.c | 87 +++++++++++++++++++- drivers/crypto/caam/caamalg_desc.h | 13 ++- drivers/crypto/caam/desc_constr.h | 8 +- 4 files changed, 220 insertions(+), 16 deletions(-) diff --git a/drivers/crypto/caam/caamalg.c b/drivers/crypto/caam/caamalg.c index 2cfb1b8d8c7c..32a6e6e15ee2 100644 --- a/drivers/crypto/caam/caamalg.c +++ b/drivers/crypto/caam/caamalg.c @@ -3,7 +3,7 @@ * caam - Freescale FSL CAAM support for crypto API * * Copyright 2008-2011 Freescale Semiconductor, Inc. - * Copyright 2016-2019, 2023 NXP + * Copyright 2016-2019, 2023, 2025 NXP * * Based on talitos crypto API driver. * @@ -61,13 +61,16 @@ #include #include #include +#include #include #include #include #include #include +#include #include #include +#include =20 /* * crypto alg @@ -119,12 +122,15 @@ struct caam_ctx { dma_addr_t sh_desc_enc_dma; dma_addr_t sh_desc_dec_dma; dma_addr_t key_dma; + u8 protected_key[CAAM_MAX_KEY_SIZE]; + dma_addr_t protected_key_dma; enum dma_data_direction dir; struct device *jrdev; struct alginfo adata; struct alginfo cdata; unsigned int authsize; bool xts_key_fallback; + bool is_blob; struct crypto_skcipher *fallback; }; =20 
@@ -751,9 +757,14 @@ static int skcipher_setkey(struct crypto_skcipher *skc= ipher, const u8 *key, print_hex_dump_debug("key in @"__stringify(__LINE__)": ", DUMP_PREFIX_ADDRESS, 16, 4, key, keylen, 1); =20 + /* Here keylen is actual key length */ ctx->cdata.keylen =3D keylen; ctx->cdata.key_virt =3D key; ctx->cdata.key_inline =3D true; + /* Here protected key len is plain key length */ + ctx->cdata.plain_keylen =3D keylen; + ctx->cdata.key_cmd_opt =3D 0; + =20 /* skcipher_encrypt shared descriptor */ desc =3D ctx->sh_desc_enc; 
@@ -772,6 +783,62 @@ static int skcipher_setkey(struct crypto_skcipher *skc= ipher, const u8 *key, return 0; } =20 +static int paes_skcipher_setkey(struct crypto_skcipher *skcipher, + const u8 *key, + unsigned int keylen) +{ + struct caam_pkey_info *pkey_info =3D (struct caam_pkey_info *)key; + struct caam_ctx *ctx =3D crypto_skcipher_ctx_dma(skcipher); + struct device *jrdev =3D ctx->jrdev; + int err; + + ctx->cdata.key_inline =3D false; + + keylen =3D keylen - CAAM_PKEY_HEADER; + + /* Retrieve the length of key */ + ctx->cdata.plain_keylen =3D pkey_info->plain_key_sz; + + /* Retrieve the length of blob*/ + ctx->cdata.keylen =3D keylen; + + /* Retrieve the address of the blob */ + ctx->cdata.key_virt =3D pkey_info->key_buf; + + /* Validate key length for AES algorithms */ + err =3D aes_check_keylen(ctx->cdata.plain_keylen); + if (err) { + dev_err(jrdev, "bad key length\n"); + return err; + } + + /* set command option */ + ctx->cdata.key_cmd_opt |=3D KEY_ENC; + + /* check if the Protected-Key is CCM key */ + if (pkey_info->key_enc_algo =3D=3D CAAM_ENC_ALGO_CCM) + ctx->cdata.key_cmd_opt |=3D KEY_EKT; + + memcpy(ctx->key, ctx->cdata.key_virt, keylen); + dma_sync_single_for_device(jrdev, ctx->key_dma, keylen, DMA_TO_DEVICE); + ctx->cdata.key_dma =3D ctx->key_dma; + + if (pkey_info->key_enc_algo =3D=3D CAAM_ENC_ALGO_CCM) + ctx->protected_key_dma =3D dma_map_single(jrdev, ctx->protected_key, + ctx->cdata.plain_keylen + + CAAM_CCM_OVERHEAD, + DMA_FROM_DEVICE); + else + ctx->protected_key_dma =3D dma_map_single(jrdev, ctx->protected_key, + ctx->cdata.plain_keylen, + DMA_FROM_DEVICE); + + ctx->cdata.protected_key_dma =3D ctx->protected_key_dma; + ctx->is_blob =3D true; + + return 0; +} + static int aes_skcipher_setkey(struct crypto_skcipher *skcipher, const u8 *key, unsigned int keylen) { 
@@ -1254,7 +1321,9 @@ static void init_skcipher_job(struct skcipher_request= *req, struct caam_ctx *ctx =3D crypto_skcipher_ctx_dma(skcipher); struct device *jrdev =3D ctx->jrdev; int ivsize =3D crypto_skcipher_ivsize(skcipher); - u32 *desc =3D edesc->hw_desc; + u32 *desc =3D !ctx->is_blob ? edesc->hw_desc : + (u32 *)((u8 *)edesc->hw_desc + CAAM_DESC_BYTES_MAX); + dma_addr_t desc_dma; u32 *sh_desc; u32 in_options =3D 0, out_options =3D 0; dma_addr_t src_dma, dst_dma, ptr; @@ -1269,11 +1338,6 @@ static void init_skcipher_job(struct skcipher_reques= t *req, DUMP_PREFIX_ADDRESS, 16, 4, req->src, edesc->src_nents > 1 ? 100 : req->cryptlen, 1); =20 - sh_desc =3D encrypt ? ctx->sh_desc_enc : ctx->sh_desc_dec; - ptr =3D encrypt ? ctx->sh_desc_enc_dma : ctx->sh_desc_dec_dma; - - len =3D desc_len(sh_desc); - init_job_desc_shared(desc, ptr, len, HDR_SHARE_DEFER | HDR_REVERSE); =20 if (ivsize || edesc->mapped_src_nents > 1) { src_dma =3D edesc->sec4_sg_dma; @@ -1283,8 +1347,6 @@ static void init_skcipher_job(struct skcipher_request= *req, src_dma =3D sg_dma_address(req->src); } =20 - append_seq_in_ptr(desc, src_dma, req->cryptlen + ivsize, in_options); - if (likely(req->src =3D=3D req->dst)) { dst_dma =3D src_dma + !!ivsize * sizeof(struct sec4_sg_entry); out_options =3D in_options; 
@@ -1296,7 +1358,25 @@ static void init_skcipher_job(struct skcipher_reques= t *req, out_options =3D LDST_SGF; } =20 - append_seq_out_ptr(desc, dst_dma, req->cryptlen + ivsize, out_options); + if (ctx->is_blob) { + cnstr_desc_skcipher_enc_dec(desc, &ctx->cdata, + src_dma, dst_dma, req->cryptlen + ivsize, + in_options, out_options, + ivsize, encrypt); + + desc_dma =3D dma_map_single(jrdev, desc, desc_bytes(desc), DMA_TO_DEVICE= ); + + cnstr_desc_protected_blob_decap(edesc->hw_desc, &ctx->cdata, desc_dma); + } else { + sh_desc =3D encrypt ? ctx->sh_desc_enc : ctx->sh_desc_dec; + ptr =3D encrypt ? ctx->sh_desc_enc_dma : ctx->sh_desc_dec_dma; + + len =3D desc_len(sh_desc); + init_job_desc_shared(desc, ptr, len, HDR_SHARE_DEFER | HDR_REVERSE); + append_seq_in_ptr(desc, src_dma, req->cryptlen + ivsize, in_options); + + append_seq_out_ptr(desc, dst_dma, req->cryptlen + ivsize, out_options); + } } =20 /* @@ -1817,6 +1897,7 @@ static inline int skcipher_crypt(struct skcipher_requ= est *req, bool encrypt) struct caam_drv_private *ctrlpriv =3D dev_get_drvdata(jrdev->parent); u32 *desc; int ret =3D 0; + int len; =20 /* * XTS is expected to return an error even for input length =3D 0 @@ -1842,8 +1923,12 @@ static inline int skcipher_crypt(struct skcipher_req= uest *req, bool encrypt) crypto_skcipher_decrypt(&rctx->fallback_req); } =20 + len =3D DESC_JOB_IO_LEN * CAAM_CMD_SZ; + if (ctx->is_blob) + len +=3D CAAM_DESC_BYTES_MAX; + /* allocate extended descriptor */ - edesc =3D skcipher_edesc_alloc(req, DESC_JOB_IO_LEN * CAAM_CMD_SZ); + edesc =3D skcipher_edesc_alloc(req, len); if (IS_ERR(edesc)) return PTR_ERR(edesc); =20 
@@ -1885,6 +1970,27 @@ static int skcipher_decrypt(struct skcipher_request = *req) } =20 static struct caam_skcipher_alg driver_algs[] =3D { + { + .skcipher.base =3D { + .base =3D { + .cra_name =3D "cbc(paes)", + .cra_driver_name =3D "cbc-paes-caam", + .cra_blocksize =3D AES_BLOCK_SIZE, + }, + .setkey =3D paes_skcipher_setkey, + .encrypt =3D skcipher_encrypt, + .decrypt =3D skcipher_decrypt, + .min_keysize =3D AES_MIN_KEY_SIZE + CAAM_BLOB_OVERHEAD + + CAAM_PKEY_HEADER, + .max_keysize =3D AES_MAX_KEY_SIZE + CAAM_BLOB_OVERHEAD + + CAAM_PKEY_HEADER, + .ivsize =3D AES_BLOCK_SIZE, + }, + .skcipher.op =3D { + .do_one_request =3D skcipher_do_one_req, + }, + .caam.class1_alg_type =3D OP_ALG_ALGSEL_AES | OP_ALG_AAI_CBC, + }, { .skcipher.base =3D { .base =3D { diff --git a/drivers/crypto/caam/caamalg_desc.c b/drivers/crypto/caam/caama= lg_desc.c index 7571e1ac913b..04c1105eb1f5 100644 --- a/drivers/crypto/caam/caamalg_desc.c +++ b/drivers/crypto/caam/caamalg_desc.c @@ -2,12 +2,13 @@ /* * Shared descriptors for aead, skcipher algorithms * - * Copyright 2016-2019 NXP + * Copyright 2016-2019, 2025 NXP */ =20 #include "compat.h" #include "desc_constr.h" #include "caamalg_desc.h" +#include =20 /* * For aead functions, read payload and write payload, 
@@ -1364,6 +1365,84 @@ static inline void skcipher_append_src_dst(u32 *desc) append_seq_fifo_store(desc, 0, FIFOST_TYPE_MESSAGE_DATA | KEY_VLF); } =20 +void cnstr_desc_skcipher_enc_dec(u32 * const desc, struct alginfo *cdata, + dma_addr_t src, dma_addr_t dst, unsigned int data_sz, + unsigned int in_options, unsigned int out_options, + unsigned int ivsize, const bool encrypt) +{ + u32 options =3D cdata->algtype | OP_ALG_AS_INIT; + + if (encrypt) + options |=3D OP_ALG_ENCRYPT; + else + options |=3D OP_ALG_DECRYPT; + + init_job_desc(desc, 0); + + append_jump(desc, JUMP_JSL | JUMP_TYPE_LOCAL | + JUMP_COND_NOP | JUMP_TEST_ALL | 1); + + append_key(desc, cdata->protected_key_dma, cdata->plain_keylen, + CLASS_1 | KEY_DEST_CLASS_REG | cdata->key_cmd_opt); + + append_seq_in_ptr(desc, src, data_sz, in_options); + + append_seq_out_ptr(desc, dst, data_sz, out_options); + + /* Load IV, if there is one */ + if (ivsize) + append_seq_load(desc, ivsize, LDST_SRCDST_BYTE_CONTEXT | + LDST_CLASS_1_CCB); + + append_operation(desc, options); + + skcipher_append_src_dst(desc); + + /* Store IV */ + if (ivsize) + append_seq_store(desc, ivsize, LDST_SRCDST_BYTE_CONTEXT | + LDST_CLASS_1_CCB); + + print_hex_dump_debug("skcipher_enc_dec job desc@" __stringify(__LINE__)":= ", + DUMP_PREFIX_ADDRESS, 16, 4, desc, desc_bytes(desc), + 1); +} +EXPORT_SYMBOL(cnstr_desc_skcipher_enc_dec); + +void cnstr_desc_protected_blob_decap(u32 * const desc, struct alginfo *cda= ta, + dma_addr_t next_desc_addr) +{ + u32 protected_store; + + init_job_desc(desc, 0); + + /* Load key modifier */ + append_load_as_imm(desc, KEYMOD, sizeof(KEYMOD) - 1, + LDST_CLASS_2_CCB | LDST_SRCDST_BYTE_KEY); + + append_seq_in_ptr_intlen(desc, cdata->key_dma, + cdata->plain_keylen + CAAM_BLOB_OVERHEAD, 0); + + append_seq_out_ptr_intlen(desc, cdata->protected_key_dma, + cdata->plain_keylen, 0); + + protected_store =3D OP_PCLID_BLOB | OP_PCL_BLOB_BLACK; + if ((cdata->key_cmd_opt >> KEY_EKT_OFFSET) & 1) + protected_store |=3D 
OP_PCL_BLOB_EKT; + + append_operation(desc, OP_TYPE_DECAP_PROTOCOL | protected_store); + + if (next_desc_addr) { + append_jump(desc, JUMP_TYPE_NONLOCAL | JUMP_TEST_ALL); + append_ptr(desc, next_desc_addr); + } + + print_hex_dump_debug("protected blob decap job desc@" __stringify(__LINE_= _) ":", + DUMP_PREFIX_ADDRESS, 16, 4, desc, + desc_bytes(desc), 1); +} +EXPORT_SYMBOL(cnstr_desc_protected_blob_decap); + /** * cnstr_shdsc_skcipher_encap - skcipher encapsulation shared descriptor * @desc: pointer to buffer used for descriptor construction @@ -1391,7 +1470,8 @@ void cnstr_shdsc_skcipher_encap(u32 * const desc, str= uct alginfo *cdata, =20 /* Load class1 key only */ append_key_as_imm(desc, cdata->key_virt, cdata->keylen, - cdata->keylen, CLASS_1 | KEY_DEST_CLASS_REG); + cdata->plain_keylen, CLASS_1 | KEY_DEST_CLASS_REG + | cdata->key_cmd_opt); =20 /* Load nonce into CONTEXT1 reg */ if (is_rfc3686) { @@ -1466,7 +1546,8 @@ void cnstr_shdsc_skcipher_decap(u32 * const desc, str= uct alginfo *cdata, =20 /* Load class1 key only */ append_key_as_imm(desc, cdata->key_virt, cdata->keylen, - cdata->keylen, CLASS_1 | KEY_DEST_CLASS_REG); + cdata->plain_keylen, CLASS_1 | KEY_DEST_CLASS_REG + | cdata->key_cmd_opt); =20 /* Load nonce into CONTEXT1 reg */ if (is_rfc3686) { diff --git a/drivers/crypto/caam/caamalg_desc.h b/drivers/crypto/caam/caama= lg_desc.h index f2893393ba5e..323490a4a756 100644 --- a/drivers/crypto/caam/caamalg_desc.h +++ b/drivers/crypto/caam/caamalg_desc.h @@ -2,7 +2,7 @@ /* * Shared descriptors for aead, skcipher algorithms * - * Copyright 2016 NXP + * Copyright 2016, 2025 NXP */ =20 #ifndef _CAAMALG_DESC_H_ @@ -48,6 +48,9 @@ #define DESC_SKCIPHER_DEC_LEN (DESC_SKCIPHER_BASE + \ 16 * CAAM_CMD_SZ) =20 +/* Key modifier for CAAM Protected blobs */ +#define KEYMOD "SECURE_KEY" + void cnstr_shdsc_aead_null_encap(u32 * const desc, struct alginfo *adata, unsigned int icvsize, int era); =20 
@@ -113,4 +116,12 @@ void cnstr_shdsc_xts_skcipher_encap(u32 * const desc, = struct alginfo *cdata); =20 void cnstr_shdsc_xts_skcipher_decap(u32 * const desc, struct alginfo *cdat= a); =20 +void cnstr_desc_protected_blob_decap(u32 * const desc, struct alginfo *cda= ta, + dma_addr_t next_desc); + +void cnstr_desc_skcipher_enc_dec(u32 * const desc, struct alginfo *cdata, + dma_addr_t src, dma_addr_t dst, unsigned int data_sz, + unsigned int in_options, unsigned int out_options, + unsigned int ivsize, const bool encrypt); + #endif /* _CAAMALG_DESC_H_ */ diff --git a/drivers/crypto/caam/desc_constr.h b/drivers/crypto/caam/desc_c= onstr.h index 824c94d44f94..2a29dd2c9c8a 100644 --- a/drivers/crypto/caam/desc_constr.h +++ b/drivers/crypto/caam/desc_constr.h @@ -3,7 +3,7 @@ * caam descriptor construction helper functions * * Copyright 2008-2012 Freescale Semiconductor, Inc. - * Copyright 2019 NXP + * Copyright 2019, 2025 NXP */ =20 #ifndef DESC_CONSTR_H @@ -498,17 +498,23 @@ do { \ * @keylen: length of the provided algorithm key, in bytes * @keylen_pad: padded length of the provided algorithm key, in bytes * @key_dma: dma (bus) address where algorithm key resides + * @protected_key_dma: dma (bus) address where protected key resides * @key_virt: virtual address where algorithm key resides * @key_inline: true - key can be inlined in the descriptor; false - key is * referenced by the descriptor + * @plain_keylen: size of the key to be loaded by the CAAM + * @key_cmd_opt: optional parameters for KEY command */ struct alginfo { u32 algtype; unsigned int keylen; unsigned int keylen_pad; dma_addr_t key_dma; + dma_addr_t protected_key_dma; const void *key_virt; bool key_inline; + u32 plain_keylen; + u32 key_cmd_opt; }; =20 /** --=20 2.25.1
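Review bot: paes_skcipher_setkey() takes plain_key_sz and key_enc_algo from the caller-supplied header and only runs aes_check_keylen() on the former; nothing ties it to the blob length, so add a check that keylen - CAAM_PKEY_HEADER equals plain_keylen + CAAM_BLOB_OVERHEAD, which is what cnstr_desc_protected_blob_decap() later reads from key_dma. key_cmd_opt is only ever OR-ed, so KEY_EKT set by a CCM key stays set when the same tfm is re-keyed with an ECB key; assign the value instead. Each call also does a fresh dma_map_single() of ctx->protected_key with no dma_mapping_error() check, and no hunk in this patch unmaps it.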
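Review bot: In init_skcipher_job(), the is_blob branch maps the second descriptor with dma_map_single(jrdev, desc, desc_bytes(desc), DMA_TO_DEVICE) and keeps the handle only in the local desc_dma, so it is never checked with dma_mapping_error() and cannot be unmapped when the request completes. Store the handle in the extended descriptor and release it in the unmap path; since the function returns void, the mapping failure also needs a way to reach skcipher_crypt().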
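Review bot: cnstr_desc_protected_blob_decap() sets the output sequence length to cdata->plain_keylen for both key formats, while paes_skcipher_setkey() maps plain_keylen + CAAM_CCM_OVERHEAD for a CCM key; the two lengths disagree for the CCM case, so make them consistent and note in a comment which one the hardware expects. KEYMOD is also defined a second time, as "SECURE_KEY" in caamalg_desc.h, although trusted_caam.c already passes its own KEYMOD when the blob is created; decapsulation only works while the two strings match, so keep a single definition in a header both files include.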
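Review bot: cnstr_shdsc_skcipher_encap() and cnstr_shdsc_skcipher_decap() now take the KEY command length from cdata->plain_keylen and OR in cdata->key_cmd_opt, but the only place this patch initialises those fields for plain keys is skcipher_setkey() in caamalg.c. Any other code that fills a struct alginfo and calls these helpers would pass whatever the new fields happen to hold; either fall back to cdata->keylen when plain_keylen is 0 or update every caller in the same patch, and state in the commit message which callers were checked.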