summaryrefslogtreecommitdiffstats
path: root/Documentation/security/keys
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-08-07 13:17:46 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-08-07 13:17:46 +0000
commit7f3a4257159dea8e7ef66d1a539dc6df708b8ed3 (patch)
treebcc69b5f4609f348fac49e2f59e210b29eaea783 /Documentation/security/keys
parentAdding upstream version 6.9.12. (diff)
downloadlinux-7f3a4257159dea8e7ef66d1a539dc6df708b8ed3.tar.xz
linux-7f3a4257159dea8e7ef66d1a539dc6df708b8ed3.zip
Adding upstream version 6.10.3.upstream/6.10.3
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'Documentation/security/keys')
-rw-r--r--Documentation/security/keys/trusted-encrypted.rst53
1 files changed, 53 insertions, 0 deletions
diff --git a/Documentation/security/keys/trusted-encrypted.rst b/Documentation/security/keys/trusted-encrypted.rst
index e989b9802f..f4d7e162d5 100644
--- a/Documentation/security/keys/trusted-encrypted.rst
+++ b/Documentation/security/keys/trusted-encrypted.rst
@@ -42,6 +42,14 @@ safe.
randomly generated and fused into each SoC at manufacturing time.
Otherwise, a common fixed test key is used instead.
+ (4) DCP (Data Co-Processor: crypto accelerator of various i.MX SoCs)
+
+ Rooted to a one-time programmable key (OTP) that is generally burnt
+ in the on-chip fuses and is accessible to the DCP encryption engine only.
+ DCP provides two keys that can be used as root of trust: the OTP key
+ and the UNIQUE key. Default is to use the UNIQUE key, but selecting
+ the OTP key can be done via a module parameter (dcp_use_otp_key).
+
* Execution isolation
(1) TPM
@@ -57,6 +65,12 @@ safe.
Fixed set of operations running in isolated execution environment.
+ (4) DCP
+
+ Fixed set of cryptographic operations running in isolated execution
+ environment. Only basic blob key encryption is executed there.
+ The actual key sealing/unsealing is done on main processor/kernel space.
+
* Optional binding to platform integrity state
(1) TPM
@@ -79,6 +93,11 @@ safe.
Relies on the High Assurance Boot (HAB) mechanism of NXP SoCs
for platform integrity.
+ (4) DCP
+
+ Relies on Secure/Trusted boot process (called HAB by vendor) for
+ platform integrity.
+
* Interfaces and APIs
(1) TPM
@@ -94,6 +113,11 @@ safe.
Interface is specific to silicon vendor.
+ (4) DCP
+
+ Vendor-specific API that is implemented as part of the DCP crypto driver in
+ ``drivers/crypto/mxs-dcp.c``.
+
* Threat model
The strength and appropriateness of a particular trust source for a given
@@ -129,6 +153,13 @@ selected trust source:
CAAM HWRNG, enable CRYPTO_DEV_FSL_CAAM_RNG_API and ensure the device
is probed.
+ * DCP (Data Co-Processor: crypto accelerator of various i.MX SoCs)
+
+ The DCP hardware device itself does not provide a dedicated RNG interface,
+ so the kernel default RNG is used. SoCs with DCP like the i.MX6ULL do have
+ a dedicated hardware RNG that is independent from DCP which can be enabled
+ to back the kernel RNG.
+
Users may override this by specifying ``trusted.rng=kernel`` on the kernel
command-line to override the used RNG with the kernel's random number pool.
@@ -231,6 +262,19 @@ Usage::
CAAM-specific format. The key length for new keys is always in bytes.
Trusted Keys can be 32 - 128 bytes (256 - 1024 bits).
+Trusted Keys usage: DCP
+-----------------------
+
+Usage::
+
+ keyctl add trusted name "new keylen" ring
+ keyctl add trusted name "load hex_blob" ring
+ keyctl print keyid
+
+"keyctl print" returns an ASCII hex copy of the sealed key, which is in format
+specific to this DCP key-blob implementation. The key length for new keys is
+always in bytes. Trusted Keys can be 32 - 128 bytes (256 - 1024 bits).
+
Encrypted Keys usage
--------------------
@@ -426,3 +470,12 @@ string length.
privkey is the binary representation of TPM2B_PUBLIC excluding the
initial TPM2B header which can be reconstructed from the ASN.1 octed
string length.
+
+DCP Blob Format
+---------------
+
+.. kernel-doc:: security/keys/trusted-keys/trusted_dcp.c
+ :doc: dcp blob format
+
+.. kernel-doc:: security/keys/trusted-keys/trusted_dcp.c
+ :identifiers: struct dcp_blob_fmt