Add the wrapped key support for sdhci-msm by implementing the needed
methods in struct blk_crypto_ll_ops and setting the appropriate flag in
blk_crypto_profile::key_types_supported.

Tested on SC7280 eMMC variant.

How to test:

Use the "v1.3.0" tag from https://github.com/google/fscryptctl and build
fscryptctl that supports generating wrapped keys.

Enable the following config options:
CONFIG_BLK_INLINE_ENCRYPTION=y
CONFIG_QCOM_INLINE_CRYPTO_ENGINE=y
CONFIG_FS_ENCRYPTION_INLINE_CRYPT=y
CONFIG_MMC_CRYPTO=y

Enable "qcom_ice.use_wrapped_keys" via kernel command line.

$ mkfs.ext4 -F -O encrypt,stable_inodes /dev/disk/by-partlabel/vm-data
$ mount /dev/disk/by-partlabel/vm-data -o inlinecrypt /mnt
$ fscryptctl generate_hw_wrapped_key /dev/disk/by-partlabel/vm-data > /mnt/key.longterm
$ fscryptctl prepare_hw_wrapped_key /dev/disk/by-partlabel/vm-data < /mnt/key.longterm > /tmp/key.ephemeral
$ KEYID=$(fscryptctl add_key --hw-wrapped-key < /tmp/key.ephemeral /mnt)
$ rm -rf /mnt/dir
$ mkdir /mnt/dir
$ fscryptctl set_policy --iv-ino-lblk-32 "$KEYID" /mnt/dir
$ dmesg > /mnt/dir/test.txt
$ sync

Reboot the board

$ mount /dev/disk/by-partlabel/vm-data -o inlinecrypt /mnt
$ ls /mnt/dir # File should be encrypted
$ fscryptctl prepare_hw_wrapped_key /dev/disk/by-partlabel/vm-data < /mnt/key.longterm > /tmp/key.ephemeral
$ KEYID=$(fscryptctl add_key --hw-wrapped-key < /tmp/key.ephemeral /mnt)
$ fscryptctl set_policy --iv-ino-lblk-32 "$KEYID" /mnt/dir
$ cat /mnt/dir/test.txt # File should now be decrypted

Tested-by: Wenjia Zhang <wenjia.zhang@oss.qualcomm.com>
Signed-off-by: Neeraj Soni <neeraj.soni@oss.qualcomm.com>

---
This is a reworked version of the patchset
https://lore.kernel.org/all/20241101031539.13285-1-quic_spuppala@quicinc.com/
that was sent by Seshu Madhavi Puppala.

My changes rebase it to use the custom crypto profile support.

Changes in v4:
- Updated the link for fscryptctl tool in commit message to "https://github.com/google/fscryptctl".
- Aligned the indentation at few places.
- Unwrapped few lines of code.

Changes in v3:
- Updated commit message with test details and moved "Signed-off-by" above the
  scissors line.

Changes in v2:
- Updated commit message for clarity.

Changes in v1:
- Added initial support for wrapped keys.
---
 drivers/mmc/host/sdhci-msm.c | 47 +++++++++++++++++++++++++++++++-----
 1 file changed, 41 insertions(+), 6 deletions(-)

diff --git a/drivers/mmc/host/sdhci-msm.c b/drivers/mmc/host/sdhci-msm.c
index 4e5edbf2fc9b..8ac4aee2cb3b 100644
--- a/drivers/mmc/host/sdhci-msm.c
+++ b/drivers/mmc/host/sdhci-msm.c
@@ -1911,11 +1911,6 @@ static int sdhci_msm_ice_init(struct sdhci_msm_host *msm_host,
 	if (IS_ERR_OR_NULL(ice))
 		return PTR_ERR_OR_ZERO(ice);
 
-	if (qcom_ice_get_supported_key_type(ice) != BLK_CRYPTO_KEY_TYPE_RAW) {
-		dev_warn(dev, "Wrapped keys not supported. Disabling inline encryption support.\n");
-		return 0;
-	}
-
 	msm_host->ice = ice;
 
 	/* Initialize the blk_crypto_profile */
@@ -1929,7 +1924,7 @@ static int sdhci_msm_ice_init(struct sdhci_msm_host *msm_host,
 
 	profile->ll_ops = sdhci_msm_crypto_ops;
 	profile->max_dun_bytes_supported = 4;
-	profile->key_types_supported = BLK_CRYPTO_KEY_TYPE_RAW;
+	profile->key_types_supported = qcom_ice_get_supported_key_type(ice);
 	profile->dev = dev;
 
 	/*
@@ -2009,9 +2004,49 @@ static int sdhci_msm_ice_keyslot_evict(struct blk_crypto_profile *profile,
 	return qcom_ice_evict_key(msm_host->ice, slot);
 }
 
+static int sdhci_msm_ice_derive_sw_secret(struct blk_crypto_profile *profile,
+					  const u8 *eph_key, size_t eph_key_size,
+					  u8 sw_secret[BLK_CRYPTO_SW_SECRET_SIZE])
+{
+	struct sdhci_msm_host *msm_host = sdhci_msm_host_from_crypto_profile(profile);
+
+	return qcom_ice_derive_sw_secret(msm_host->ice, eph_key, eph_key_size,
+					 sw_secret);
+}
+
+static int sdhci_msm_ice_import_key(struct blk_crypto_profile *profile,
+				    const u8 *raw_key, size_t raw_key_size,
+				    u8 lt_key[BLK_CRYPTO_MAX_HW_WRAPPED_KEY_SIZE])
+{
+	struct sdhci_msm_host *msm_host = sdhci_msm_host_from_crypto_profile(profile);
+
+	return qcom_ice_import_key(msm_host->ice, raw_key, raw_key_size, lt_key);
+}
+
+static int sdhci_msm_ice_generate_key(struct blk_crypto_profile *profile,
+				      u8 lt_key[BLK_CRYPTO_MAX_HW_WRAPPED_KEY_SIZE])
+{
+	struct sdhci_msm_host *msm_host = sdhci_msm_host_from_crypto_profile(profile);
+
+	return qcom_ice_generate_key(msm_host->ice, lt_key);
+}
+
+static int sdhci_msm_ice_prepare_key(struct blk_crypto_profile *profile,
+				     const u8 *lt_key, size_t lt_key_size,
+				     u8 eph_key[BLK_CRYPTO_MAX_HW_WRAPPED_KEY_SIZE])
+{
+	struct sdhci_msm_host *msm_host = sdhci_msm_host_from_crypto_profile(profile);
+
+	return qcom_ice_prepare_key(msm_host->ice, lt_key, lt_key_size, eph_key);
+}
+
 static const struct blk_crypto_ll_ops sdhci_msm_crypto_ops = {
 	.keyslot_program	= sdhci_msm_ice_keyslot_program,
 	.keyslot_evict		= sdhci_msm_ice_keyslot_evict,
+	.derive_sw_secret	= sdhci_msm_ice_derive_sw_secret,
+	.import_key		= sdhci_msm_ice_import_key,
+	.generate_key		= sdhci_msm_ice_generate_key,
+	.prepare_key		= sdhci_msm_ice_prepare_key,
 };
 
 #else /* CONFIG_MMC_CRYPTO */
-- 
2.34.1

On 02/01/2026 14:40, Neeraj Soni wrote:
> Add the wrapped key support for sdhci-msm by implementing the needed
> methods in struct blk_crypto_ll_ops and setting the appropriate flag in
> blk_crypto_profile::key_types_supported.
> 
> Tested on SC7280 eMMC variant.
> 
> How to test:
> 
> Use the "v1.3.0" tag from https://github.com/google/fscryptctl and build
> fscryptctl that supports generating wrapped keys.
> 
> Enable the following config options:
> CONFIG_BLK_INLINE_ENCRYPTION=y
> CONFIG_QCOM_INLINE_CRYPTO_ENGINE=y
> CONFIG_FS_ENCRYPTION_INLINE_CRYPT=y
> CONFIG_MMC_CRYPTO=y
> 
> Enable "qcom_ice.use_wrapped_keys" via kernel command line.
> 
> $ mkfs.ext4 -F -O encrypt,stable_inodes /dev/disk/by-partlabel/vm-data
> $ mount /dev/disk/by-partlabel/vm-data -o inlinecrypt /mnt
> $ fscryptctl generate_hw_wrapped_key /dev/disk/by-partlabel/vm-data > /mnt/key.longterm
> $ fscryptctl prepare_hw_wrapped_key /dev/disk/by-partlabel/vm-data < /mnt/key.longterm > /tmp/key.ephemeral
> $ KEYID=$(fscryptctl add_key --hw-wrapped-key < /tmp/key.ephemeral /mnt)
> $ rm -rf /mnt/dir
> $ mkdir /mnt/dir
> $ fscryptctl set_policy --iv-ino-lblk-32 "$KEYID" /mnt/dir
> $ dmesg > /mnt/dir/test.txt
> $ sync
> 
> Reboot the board
> 
> $ mount /dev/disk/by-partlabel/vm-data -o inlinecrypt /mnt
> $ ls /mnt/dir # File should be encrypted
> $ fscryptctl prepare_hw_wrapped_key /dev/disk/by-partlabel/vm-data < /mnt/key.longterm > /tmp/key.ephemeral
> $ KEYID=$(fscryptctl add_key --hw-wrapped-key < /tmp/key.ephemeral /mnt)
> $ fscryptctl set_policy --iv-ino-lblk-32 "$KEYID" /mnt/dir
> $ cat /mnt/dir/test.txt # File should now be decrypted
> 
> Tested-by: Wenjia Zhang <wenjia.zhang@oss.qualcomm.com>
> Signed-off-by: Neeraj Soni <neeraj.soni@oss.qualcomm.com>

Doesn't apply cleanly to mmc next.  Otherwise:

Acked-by: Adrian Hunter <adrian.hunter@intel.com>

> 
> ---
> This is a reworked version of the patchset
> https://lore.kernel.org/all/20241101031539.13285-1-quic_spuppala@quicinc.com/
> that was sent by Seshu Madhavi Puppala.
> 
> My changes rebase it to use the custom crypto profile support.
> 
> Changes in v4:
> - Updated the link for fscryptctl tool in commit message to "https://github.com/google/fscryptctl".
> - Aligned the indentation at few places.
> - Unwrapped few lines of code.
> 
> Changes in v3:
> - Updated commit message with test details and moved "Signed-off-by" above the
>   scissors line.
> 
> Changes in v2:
> - Updated commit message for clarity.
> 
> Changes in v1:
> - Added initial support for wrapped keys.
> ---
>  drivers/mmc/host/sdhci-msm.c | 47 +++++++++++++++++++++++++++++++-----
>  1 file changed, 41 insertions(+), 6 deletions(-)
> 
> diff --git a/drivers/mmc/host/sdhci-msm.c b/drivers/mmc/host/sdhci-msm.c
> index 4e5edbf2fc9b..8ac4aee2cb3b 100644
> --- a/drivers/mmc/host/sdhci-msm.c
> +++ b/drivers/mmc/host/sdhci-msm.c
> @@ -1911,11 +1911,6 @@ static int sdhci_msm_ice_init(struct sdhci_msm_host *msm_host,
>  	if (IS_ERR_OR_NULL(ice))
>  		return PTR_ERR_OR_ZERO(ice);
>  
> -	if (qcom_ice_get_supported_key_type(ice) != BLK_CRYPTO_KEY_TYPE_RAW) {
> -		dev_warn(dev, "Wrapped keys not supported. Disabling inline encryption support.\n");
> -		return 0;
> -	}
> -
>  	msm_host->ice = ice;
>  
>  	/* Initialize the blk_crypto_profile */
> @@ -1929,7 +1924,7 @@ static int sdhci_msm_ice_init(struct sdhci_msm_host *msm_host,
>  
>  	profile->ll_ops = sdhci_msm_crypto_ops;
>  	profile->max_dun_bytes_supported = 4;
> -	profile->key_types_supported = BLK_CRYPTO_KEY_TYPE_RAW;
> +	profile->key_types_supported = qcom_ice_get_supported_key_type(ice);
>  	profile->dev = dev;
>  
>  	/*
> @@ -2009,9 +2004,49 @@ static int sdhci_msm_ice_keyslot_evict(struct blk_crypto_profile *profile,
>  	return qcom_ice_evict_key(msm_host->ice, slot);
>  }
>  
> +static int sdhci_msm_ice_derive_sw_secret(struct blk_crypto_profile *profile,
> +					  const u8 *eph_key, size_t eph_key_size,
> +					  u8 sw_secret[BLK_CRYPTO_SW_SECRET_SIZE])
> +{
> +	struct sdhci_msm_host *msm_host = sdhci_msm_host_from_crypto_profile(profile);
> +
> +	return qcom_ice_derive_sw_secret(msm_host->ice, eph_key, eph_key_size,
> +					 sw_secret);
> +}
> +
> +static int sdhci_msm_ice_import_key(struct blk_crypto_profile *profile,
> +				    const u8 *raw_key, size_t raw_key_size,
> +				    u8 lt_key[BLK_CRYPTO_MAX_HW_WRAPPED_KEY_SIZE])
> +{
> +	struct sdhci_msm_host *msm_host = sdhci_msm_host_from_crypto_profile(profile);
> +
> +	return qcom_ice_import_key(msm_host->ice, raw_key, raw_key_size, lt_key);
> +}
> +
> +static int sdhci_msm_ice_generate_key(struct blk_crypto_profile *profile,
> +				      u8 lt_key[BLK_CRYPTO_MAX_HW_WRAPPED_KEY_SIZE])
> +{
> +	struct sdhci_msm_host *msm_host = sdhci_msm_host_from_crypto_profile(profile);
> +
> +	return qcom_ice_generate_key(msm_host->ice, lt_key);
> +}
> +
> +static int sdhci_msm_ice_prepare_key(struct blk_crypto_profile *profile,
> +				     const u8 *lt_key, size_t lt_key_size,
> +				     u8 eph_key[BLK_CRYPTO_MAX_HW_WRAPPED_KEY_SIZE])
> +{
> +	struct sdhci_msm_host *msm_host = sdhci_msm_host_from_crypto_profile(profile);
> +
> +	return qcom_ice_prepare_key(msm_host->ice, lt_key, lt_key_size, eph_key);
> +}
> +
>  static const struct blk_crypto_ll_ops sdhci_msm_crypto_ops = {
>  	.keyslot_program	= sdhci_msm_ice_keyslot_program,
>  	.keyslot_evict		= sdhci_msm_ice_keyslot_evict,
> +	.derive_sw_secret	= sdhci_msm_ice_derive_sw_secret,
> +	.import_key		= sdhci_msm_ice_import_key,
> +	.generate_key		= sdhci_msm_ice_generate_key,
> +	.prepare_key		= sdhci_msm_ice_prepare_key,
>  };
>  
>  #else /* CONFIG_MMC_CRYPTO */

Hi,

On 1/12/2026 12:35 PM, Adrian Hunter wrote:
> On 02/01/2026 14:40, Neeraj Soni wrote:
>> Add the wrapped key support for sdhci-msm by implementing the needed
>> methods in struct blk_crypto_ll_ops and setting the appropriate flag in
>> blk_crypto_profile::key_types_supported.
>>
>> Tested on SC7280 eMMC variant.
>>
>> How to test:
>>
>> Use the "v1.3.0" tag from https://github.com/google/fscryptctl and build
>> fscryptctl that supports generating wrapped keys.
>>
>> Enable the following config options:
>> CONFIG_BLK_INLINE_ENCRYPTION=y
>> CONFIG_QCOM_INLINE_CRYPTO_ENGINE=y
>> CONFIG_FS_ENCRYPTION_INLINE_CRYPT=y
>> CONFIG_MMC_CRYPTO=y
>>
>> Enable "qcom_ice.use_wrapped_keys" via kernel command line.
>>
>> $ mkfs.ext4 -F -O encrypt,stable_inodes /dev/disk/by-partlabel/vm-data
>> $ mount /dev/disk/by-partlabel/vm-data -o inlinecrypt /mnt
>> $ fscryptctl generate_hw_wrapped_key /dev/disk/by-partlabel/vm-data > /mnt/key.longterm
>> $ fscryptctl prepare_hw_wrapped_key /dev/disk/by-partlabel/vm-data < /mnt/key.longterm > /tmp/key.ephemeral
>> $ KEYID=$(fscryptctl add_key --hw-wrapped-key < /tmp/key.ephemeral /mnt)
>> $ rm -rf /mnt/dir
>> $ mkdir /mnt/dir
>> $ fscryptctl set_policy --iv-ino-lblk-32 "$KEYID" /mnt/dir
>> $ dmesg > /mnt/dir/test.txt
>> $ sync
>>
>> Reboot the board
>>
>> $ mount /dev/disk/by-partlabel/vm-data -o inlinecrypt /mnt
>> $ ls /mnt/dir # File should be encrypted
>> $ fscryptctl prepare_hw_wrapped_key /dev/disk/by-partlabel/vm-data < /mnt/key.longterm > /tmp/key.ephemeral
>> $ KEYID=$(fscryptctl add_key --hw-wrapped-key < /tmp/key.ephemeral /mnt)
>> $ fscryptctl set_policy --iv-ino-lblk-32 "$KEYID" /mnt/dir
>> $ cat /mnt/dir/test.txt # File should now be decrypted
>>
>> Tested-by: Wenjia Zhang <wenjia.zhang@oss.qualcomm.com>
>> Signed-off-by: Neeraj Soni <neeraj.soni@oss.qualcomm.com>
> 
> Doesn't apply cleanly to mmc next.  Otherwise:
> 
> Acked-by: Adrian Hunter <adrian.hunter@intel.com>
> 
Is this a blocker for the patch to get merged? I will anyway see why it is not applying cleanly on mmc next
but wanted to know if this is necessary to resolve for these chagnes to get merged in Linux-next?

>>
>> ---
>> This is a reworked version of the patchset
>> https://lore.kernel.org/all/20241101031539.13285-1-quic_spuppala@quicinc.com/
>> that was sent by Seshu Madhavi Puppala.
>>
>> My changes rebase it to use the custom crypto profile support.
>>
>> Changes in v4:
>> - Updated the link for fscryptctl tool in commit message to "https://github.com/google/fscryptctl".
>> - Aligned the indentation at few places.
>> - Unwrapped few lines of code.
>>
>> Changes in v3:
>> - Updated commit message with test details and moved "Signed-off-by" above the
>>   scissors line.
>>
>> Changes in v2:
>> - Updated commit message for clarity.
>>
>> Changes in v1:
>> - Added initial support for wrapped keys.
>> ---
>>  drivers/mmc/host/sdhci-msm.c | 47 +++++++++++++++++++++++++++++++-----
>>  1 file changed, 41 insertions(+), 6 deletions(-)
>>
>> diff --git a/drivers/mmc/host/sdhci-msm.c b/drivers/mmc/host/sdhci-msm.c
>> index 4e5edbf2fc9b..8ac4aee2cb3b 100644
>> --- a/drivers/mmc/host/sdhci-msm.c
>> +++ b/drivers/mmc/host/sdhci-msm.c
>> @@ -1911,11 +1911,6 @@ static int sdhci_msm_ice_init(struct sdhci_msm_host *msm_host,
>>  	if (IS_ERR_OR_NULL(ice))
>>  		return PTR_ERR_OR_ZERO(ice);
>>  
>> -	if (qcom_ice_get_supported_key_type(ice) != BLK_CRYPTO_KEY_TYPE_RAW) {
>> -		dev_warn(dev, "Wrapped keys not supported. Disabling inline encryption support.\n");
>> -		return 0;
>> -	}
>> -
>>  	msm_host->ice = ice;
>>  
>>  	/* Initialize the blk_crypto_profile */
>> @@ -1929,7 +1924,7 @@ static int sdhci_msm_ice_init(struct sdhci_msm_host *msm_host,
>>  
>>  	profile->ll_ops = sdhci_msm_crypto_ops;
>>  	profile->max_dun_bytes_supported = 4;
>> -	profile->key_types_supported = BLK_CRYPTO_KEY_TYPE_RAW;
>> +	profile->key_types_supported = qcom_ice_get_supported_key_type(ice);
>>  	profile->dev = dev;
>>  
>>  	/*
>> @@ -2009,9 +2004,49 @@ static int sdhci_msm_ice_keyslot_evict(struct blk_crypto_profile *profile,
>>  	return qcom_ice_evict_key(msm_host->ice, slot);
>>  }
>>  
>> +static int sdhci_msm_ice_derive_sw_secret(struct blk_crypto_profile *profile,
>> +					  const u8 *eph_key, size_t eph_key_size,
>> +					  u8 sw_secret[BLK_CRYPTO_SW_SECRET_SIZE])
>> +{
>> +	struct sdhci_msm_host *msm_host = sdhci_msm_host_from_crypto_profile(profile);
>> +
>> +	return qcom_ice_derive_sw_secret(msm_host->ice, eph_key, eph_key_size,
>> +					 sw_secret);
>> +}
>> +
>> +static int sdhci_msm_ice_import_key(struct blk_crypto_profile *profile,
>> +				    const u8 *raw_key, size_t raw_key_size,
>> +				    u8 lt_key[BLK_CRYPTO_MAX_HW_WRAPPED_KEY_SIZE])
>> +{
>> +	struct sdhci_msm_host *msm_host = sdhci_msm_host_from_crypto_profile(profile);
>> +
>> +	return qcom_ice_import_key(msm_host->ice, raw_key, raw_key_size, lt_key);
>> +}
>> +
>> +static int sdhci_msm_ice_generate_key(struct blk_crypto_profile *profile,
>> +				      u8 lt_key[BLK_CRYPTO_MAX_HW_WRAPPED_KEY_SIZE])
>> +{
>> +	struct sdhci_msm_host *msm_host = sdhci_msm_host_from_crypto_profile(profile);
>> +
>> +	return qcom_ice_generate_key(msm_host->ice, lt_key);
>> +}
>> +
>> +static int sdhci_msm_ice_prepare_key(struct blk_crypto_profile *profile,
>> +				     const u8 *lt_key, size_t lt_key_size,
>> +				     u8 eph_key[BLK_CRYPTO_MAX_HW_WRAPPED_KEY_SIZE])
>> +{
>> +	struct sdhci_msm_host *msm_host = sdhci_msm_host_from_crypto_profile(profile);
>> +
>> +	return qcom_ice_prepare_key(msm_host->ice, lt_key, lt_key_size, eph_key);
>> +}
>> +
>>  static const struct blk_crypto_ll_ops sdhci_msm_crypto_ops = {
>>  	.keyslot_program	= sdhci_msm_ice_keyslot_program,
>>  	.keyslot_evict		= sdhci_msm_ice_keyslot_evict,
>> +	.derive_sw_secret	= sdhci_msm_ice_derive_sw_secret,
>> +	.import_key		= sdhci_msm_ice_import_key,
>> +	.generate_key		= sdhci_msm_ice_generate_key,
>> +	.prepare_key		= sdhci_msm_ice_prepare_key,
>>  };
>>  
>>  #else /* CONFIG_MMC_CRYPTO */
> 
Regards
Neeraj

On Mon, 19 Jan 2026 at 11:19, Neeraj Soni <neeraj.soni@oss.qualcomm.com> wrote:
>
> Hi,
>
> On 1/12/2026 12:35 PM, Adrian Hunter wrote:
> > On 02/01/2026 14:40, Neeraj Soni wrote:
> >> Add the wrapped key support for sdhci-msm by implementing the needed
> >> methods in struct blk_crypto_ll_ops and setting the appropriate flag in
> >> blk_crypto_profile::key_types_supported.
> >>
> >> Tested on SC7280 eMMC variant.
> >>
> >> How to test:
> >>
> >> Use the "v1.3.0" tag from https://github.com/google/fscryptctl and build
> >> fscryptctl that supports generating wrapped keys.
> >>
> >> Enable the following config options:
> >> CONFIG_BLK_INLINE_ENCRYPTION=y
> >> CONFIG_QCOM_INLINE_CRYPTO_ENGINE=y
> >> CONFIG_FS_ENCRYPTION_INLINE_CRYPT=y
> >> CONFIG_MMC_CRYPTO=y
> >>
> >> Enable "qcom_ice.use_wrapped_keys" via kernel command line.
> >>
> >> $ mkfs.ext4 -F -O encrypt,stable_inodes /dev/disk/by-partlabel/vm-data
> >> $ mount /dev/disk/by-partlabel/vm-data -o inlinecrypt /mnt
> >> $ fscryptctl generate_hw_wrapped_key /dev/disk/by-partlabel/vm-data > /mnt/key.longterm
> >> $ fscryptctl prepare_hw_wrapped_key /dev/disk/by-partlabel/vm-data < /mnt/key.longterm > /tmp/key.ephemeral
> >> $ KEYID=$(fscryptctl add_key --hw-wrapped-key < /tmp/key.ephemeral /mnt)
> >> $ rm -rf /mnt/dir
> >> $ mkdir /mnt/dir
> >> $ fscryptctl set_policy --iv-ino-lblk-32 "$KEYID" /mnt/dir
> >> $ dmesg > /mnt/dir/test.txt
> >> $ sync
> >>
> >> Reboot the board
> >>
> >> $ mount /dev/disk/by-partlabel/vm-data -o inlinecrypt /mnt
> >> $ ls /mnt/dir # File should be encrypted
> >> $ fscryptctl prepare_hw_wrapped_key /dev/disk/by-partlabel/vm-data < /mnt/key.longterm > /tmp/key.ephemeral
> >> $ KEYID=$(fscryptctl add_key --hw-wrapped-key < /tmp/key.ephemeral /mnt)
> >> $ fscryptctl set_policy --iv-ino-lblk-32 "$KEYID" /mnt/dir
> >> $ cat /mnt/dir/test.txt # File should now be decrypted
> >>
> >> Tested-by: Wenjia Zhang <wenjia.zhang@oss.qualcomm.com>
> >> Signed-off-by: Neeraj Soni <neeraj.soni@oss.qualcomm.com>
> >
> > Doesn't apply cleanly to mmc next.  Otherwise:
> >
> > Acked-by: Adrian Hunter <adrian.hunter@intel.com>
> >
> Is this a blocker for the patch to get merged? I will anyway see why it is not applying cleanly on mmc next
> but wanted to know if this is necessary to resolve for these chagnes to get merged in Linux-next?
>

In some cases I decide to resolve the conflict when applying, but
there is no guarantee that I do that, especially during busy periods.

In this case, I prefer that you re-base and send a v5 please.

[...]

Kind regards
Uffe

Hi,

On 1/21/2026 3:56 PM, Ulf Hansson wrote:
> On Mon, 19 Jan 2026 at 11:19, Neeraj Soni <neeraj.soni@oss.qualcomm.com> wrote:
>>
>> Hi,
>>
>> On 1/12/2026 12:35 PM, Adrian Hunter wrote:
>>> On 02/01/2026 14:40, Neeraj Soni wrote:
>>>> Add the wrapped key support for sdhci-msm by implementing the needed
>>>> methods in struct blk_crypto_ll_ops and setting the appropriate flag in
>>>> blk_crypto_profile::key_types_supported.
>>>>
>>>> Tested on SC7280 eMMC variant.
>>>>
>>>> How to test:
>>>>
>>>> Use the "v1.3.0" tag from https://github.com/google/fscryptctl and build
>>>> fscryptctl that supports generating wrapped keys.
>>>>
>>>> Enable the following config options:
>>>> CONFIG_BLK_INLINE_ENCRYPTION=y
>>>> CONFIG_QCOM_INLINE_CRYPTO_ENGINE=y
>>>> CONFIG_FS_ENCRYPTION_INLINE_CRYPT=y
>>>> CONFIG_MMC_CRYPTO=y
>>>>
>>>> Enable "qcom_ice.use_wrapped_keys" via kernel command line.
>>>>
>>>> $ mkfs.ext4 -F -O encrypt,stable_inodes /dev/disk/by-partlabel/vm-data
>>>> $ mount /dev/disk/by-partlabel/vm-data -o inlinecrypt /mnt
>>>> $ fscryptctl generate_hw_wrapped_key /dev/disk/by-partlabel/vm-data > /mnt/key.longterm
>>>> $ fscryptctl prepare_hw_wrapped_key /dev/disk/by-partlabel/vm-data < /mnt/key.longterm > /tmp/key.ephemeral
>>>> $ KEYID=$(fscryptctl add_key --hw-wrapped-key < /tmp/key.ephemeral /mnt)
>>>> $ rm -rf /mnt/dir
>>>> $ mkdir /mnt/dir
>>>> $ fscryptctl set_policy --iv-ino-lblk-32 "$KEYID" /mnt/dir
>>>> $ dmesg > /mnt/dir/test.txt
>>>> $ sync
>>>>
>>>> Reboot the board
>>>>
>>>> $ mount /dev/disk/by-partlabel/vm-data -o inlinecrypt /mnt
>>>> $ ls /mnt/dir # File should be encrypted
>>>> $ fscryptctl prepare_hw_wrapped_key /dev/disk/by-partlabel/vm-data < /mnt/key.longterm > /tmp/key.ephemeral
>>>> $ KEYID=$(fscryptctl add_key --hw-wrapped-key < /tmp/key.ephemeral /mnt)
>>>> $ fscryptctl set_policy --iv-ino-lblk-32 "$KEYID" /mnt/dir
>>>> $ cat /mnt/dir/test.txt # File should now be decrypted
>>>>
>>>> Tested-by: Wenjia Zhang <wenjia.zhang@oss.qualcomm.com>
>>>> Signed-off-by: Neeraj Soni <neeraj.soni@oss.qualcomm.com>
>>>
>>> Doesn't apply cleanly to mmc next.  Otherwise:
>>>
>>> Acked-by: Adrian Hunter <adrian.hunter@intel.com>
>>>
>> Is this a blocker for the patch to get merged? I will anyway see why it is not applying cleanly on mmc next
>> but wanted to know if this is necessary to resolve for these chagnes to get merged in Linux-next?
>>
> 
> In some cases I decide to resolve the conflict when applying, but
> there is no guarantee that I do that, especially during busy periods.
> 
> In this case, I prefer that you re-base and send a v5 please.
Sure. I will resolve and post v5.
> 
> [...]
> 
> Kind regards
> Uffe
> 
Regards
Neeraj

On 19/01/2026 12:19, Neeraj Soni wrote:
> Hi,
> 
> On 1/12/2026 12:35 PM, Adrian Hunter wrote:
>> On 02/01/2026 14:40, Neeraj Soni wrote:
>>> Add the wrapped key support for sdhci-msm by implementing the needed
>>> methods in struct blk_crypto_ll_ops and setting the appropriate flag in
>>> blk_crypto_profile::key_types_supported.
>>>
>>> Tested on SC7280 eMMC variant.
>>>
>>> How to test:
>>>
>>> Use the "v1.3.0" tag from https://github.com/google/fscryptctl and build
>>> fscryptctl that supports generating wrapped keys.
>>>
>>> Enable the following config options:
>>> CONFIG_BLK_INLINE_ENCRYPTION=y
>>> CONFIG_QCOM_INLINE_CRYPTO_ENGINE=y
>>> CONFIG_FS_ENCRYPTION_INLINE_CRYPT=y
>>> CONFIG_MMC_CRYPTO=y
>>>
>>> Enable "qcom_ice.use_wrapped_keys" via kernel command line.
>>>
>>> $ mkfs.ext4 -F -O encrypt,stable_inodes /dev/disk/by-partlabel/vm-data
>>> $ mount /dev/disk/by-partlabel/vm-data -o inlinecrypt /mnt
>>> $ fscryptctl generate_hw_wrapped_key /dev/disk/by-partlabel/vm-data > /mnt/key.longterm
>>> $ fscryptctl prepare_hw_wrapped_key /dev/disk/by-partlabel/vm-data < /mnt/key.longterm > /tmp/key.ephemeral
>>> $ KEYID=$(fscryptctl add_key --hw-wrapped-key < /tmp/key.ephemeral /mnt)
>>> $ rm -rf /mnt/dir
>>> $ mkdir /mnt/dir
>>> $ fscryptctl set_policy --iv-ino-lblk-32 "$KEYID" /mnt/dir
>>> $ dmesg > /mnt/dir/test.txt
>>> $ sync
>>>
>>> Reboot the board
>>>
>>> $ mount /dev/disk/by-partlabel/vm-data -o inlinecrypt /mnt
>>> $ ls /mnt/dir # File should be encrypted
>>> $ fscryptctl prepare_hw_wrapped_key /dev/disk/by-partlabel/vm-data < /mnt/key.longterm > /tmp/key.ephemeral
>>> $ KEYID=$(fscryptctl add_key --hw-wrapped-key < /tmp/key.ephemeral /mnt)
>>> $ fscryptctl set_policy --iv-ino-lblk-32 "$KEYID" /mnt/dir
>>> $ cat /mnt/dir/test.txt # File should now be decrypted
>>>
>>> Tested-by: Wenjia Zhang <wenjia.zhang@oss.qualcomm.com>
>>> Signed-off-by: Neeraj Soni <neeraj.soni@oss.qualcomm.com>
>>
>> Doesn't apply cleanly to mmc next.  Otherwise:
>>
>> Acked-by: Adrian Hunter <adrian.hunter@intel.com>
>>
> Is this a blocker for the patch to get merged? I will anyway see why it is not applying cleanly on mmc next
> but wanted to know if this is necessary to resolve for these chagnes to get merged in Linux-next?
In this case, it is up to Ulf, but in general it is inadvisable
to assume a maintainer is willing to fix up patches that don't
apply cleanly.

On Mon, Jan 19, 2026 at 03:49:19PM +0530, Neeraj Soni wrote:
> Hi,
> 
> On 1/12/2026 12:35 PM, Adrian Hunter wrote:
> > On 02/01/2026 14:40, Neeraj Soni wrote:
> >> Add the wrapped key support for sdhci-msm by implementing the needed
> >> methods in struct blk_crypto_ll_ops and setting the appropriate flag in
> >> blk_crypto_profile::key_types_supported.
> >>
> >> Tested on SC7280 eMMC variant.
> >>
> >> How to test:
> >>
> >> Use the "v1.3.0" tag from https://github.com/google/fscryptctl and build
> >> fscryptctl that supports generating wrapped keys.
> >>
> >> Enable the following config options:
> >> CONFIG_BLK_INLINE_ENCRYPTION=y
> >> CONFIG_QCOM_INLINE_CRYPTO_ENGINE=y
> >> CONFIG_FS_ENCRYPTION_INLINE_CRYPT=y
> >> CONFIG_MMC_CRYPTO=y
> >>
> >> Enable "qcom_ice.use_wrapped_keys" via kernel command line.
> >>
> >> $ mkfs.ext4 -F -O encrypt,stable_inodes /dev/disk/by-partlabel/vm-data
> >> $ mount /dev/disk/by-partlabel/vm-data -o inlinecrypt /mnt
> >> $ fscryptctl generate_hw_wrapped_key /dev/disk/by-partlabel/vm-data > /mnt/key.longterm
> >> $ fscryptctl prepare_hw_wrapped_key /dev/disk/by-partlabel/vm-data < /mnt/key.longterm > /tmp/key.ephemeral
> >> $ KEYID=$(fscryptctl add_key --hw-wrapped-key < /tmp/key.ephemeral /mnt)
> >> $ rm -rf /mnt/dir
> >> $ mkdir /mnt/dir
> >> $ fscryptctl set_policy --iv-ino-lblk-32 "$KEYID" /mnt/dir
> >> $ dmesg > /mnt/dir/test.txt
> >> $ sync
> >>
> >> Reboot the board
> >>
> >> $ mount /dev/disk/by-partlabel/vm-data -o inlinecrypt /mnt
> >> $ ls /mnt/dir # File should be encrypted
> >> $ fscryptctl prepare_hw_wrapped_key /dev/disk/by-partlabel/vm-data < /mnt/key.longterm > /tmp/key.ephemeral
> >> $ KEYID=$(fscryptctl add_key --hw-wrapped-key < /tmp/key.ephemeral /mnt)
> >> $ fscryptctl set_policy --iv-ino-lblk-32 "$KEYID" /mnt/dir
> >> $ cat /mnt/dir/test.txt # File should now be decrypted
> >>
> >> Tested-by: Wenjia Zhang <wenjia.zhang@oss.qualcomm.com>
> >> Signed-off-by: Neeraj Soni <neeraj.soni@oss.qualcomm.com>
> > 
> > Doesn't apply cleanly to mmc next.  Otherwise:
> > 
> > Acked-by: Adrian Hunter <adrian.hunter@intel.com>
> > 
> Is this a blocker for the patch to get merged? I will anyway see why it is not applying cleanly on mmc next
> but wanted to know if this is necessary to resolve for these chagnes to get merged in Linux-next?

Please read the internal documentation on the patch flow. The patches
are not merged into linux-next. They are picked up by maintainers (e.g.
Ulf) into their trees (e.g. mmc).


-- 
With best wishes
Dmitry

On Fri, Jan 02, 2026 at 06:10:18PM +0530, Neeraj Soni wrote:
> Add the wrapped key support for sdhci-msm by implementing the needed
> methods in struct blk_crypto_ll_ops and setting the appropriate flag in
> blk_crypto_profile::key_types_supported.
> 
> Tested on SC7280 eMMC variant.
> 
> How to test:
> 
> Use the "v1.3.0" tag from https://github.com/google/fscryptctl and build
> fscryptctl that supports generating wrapped keys.
> 
> Enable the following config options:
> CONFIG_BLK_INLINE_ENCRYPTION=y
> CONFIG_QCOM_INLINE_CRYPTO_ENGINE=y
> CONFIG_FS_ENCRYPTION_INLINE_CRYPT=y
> CONFIG_MMC_CRYPTO=y
> 
> Enable "qcom_ice.use_wrapped_keys" via kernel command line.
> 
> $ mkfs.ext4 -F -O encrypt,stable_inodes /dev/disk/by-partlabel/vm-data
> $ mount /dev/disk/by-partlabel/vm-data -o inlinecrypt /mnt
> $ fscryptctl generate_hw_wrapped_key /dev/disk/by-partlabel/vm-data > /mnt/key.longterm
> $ fscryptctl prepare_hw_wrapped_key /dev/disk/by-partlabel/vm-data < /mnt/key.longterm > /tmp/key.ephemeral
> $ KEYID=$(fscryptctl add_key --hw-wrapped-key < /tmp/key.ephemeral /mnt)
> $ rm -rf /mnt/dir
> $ mkdir /mnt/dir
> $ fscryptctl set_policy --iv-ino-lblk-32 "$KEYID" /mnt/dir
> $ dmesg > /mnt/dir/test.txt
> $ sync
> 
> Reboot the board
> 
> $ mount /dev/disk/by-partlabel/vm-data -o inlinecrypt /mnt
> $ ls /mnt/dir # File should be encrypted
> $ fscryptctl prepare_hw_wrapped_key /dev/disk/by-partlabel/vm-data < /mnt/key.longterm > /tmp/key.ephemeral
> $ KEYID=$(fscryptctl add_key --hw-wrapped-key < /tmp/key.ephemeral /mnt)
> $ fscryptctl set_policy --iv-ino-lblk-32 "$KEYID" /mnt/dir
> $ cat /mnt/dir/test.txt # File should now be decrypted
> 
> Tested-by: Wenjia Zhang <wenjia.zhang@oss.qualcomm.com>
> Signed-off-by: Neeraj Soni <neeraj.soni@oss.qualcomm.com>

Reviewed-by: Eric Biggers <ebiggers@kernel.org>

- Eric