diff options
| author | Ahmad Fatoum <a.fatoum@pengutronix.de> | 2022-05-13 16:57:02 +0200 |
|---|---|---|
| committer | Jarkko Sakkinen <jarkko@kernel.org> | 2022-05-23 17:47:50 +0200 |
| commit | 007c3ff11f38d83cc95b0f402e432cbf484e3c31 (patch) | |
| tree | 3da2d7cbca86e9595d43b917211dfd7675d67864 /security | |
| parent | crypto: caam - determine whether CAAM supports blob encap/decap (diff) | |
| download | linux-007c3ff11f38d83cc95b0f402e432cbf484e3c31.tar.xz linux-007c3ff11f38d83cc95b0f402e432cbf484e3c31.zip | |
crypto: caam - add in-kernel interface for blob generator
The NXP Cryptographic Acceleration and Assurance Module (CAAM)
can be used to protect user-defined data across system reboot:
- When the system is fused and boots into secure state, the master
key is a unique never-disclosed device-specific key
- random key is encrypted by key derived from master key
- data is encrypted using the random key
- encrypted data and its encrypted random key are stored alongside
- This blob can now be safely stored in non-volatile memory
On next power-on:
- blob is loaded into CAAM
- CAAM writes decrypted data either into memory or key register
Add functions to realize encrypting and decrypting into memory alongside
the CAAM driver.
They will be used in a later commit as a source for the trusted key
seal/unseal mechanism.
Reviewed-by: David Gstir <david@sigma-star.at>
Reviewed-by: Pankaj Gupta <pankaj.gupta@nxp.com>
Tested-by: Tim Harvey <tharvey@gateworks.com>
Tested-by: Matthias Schiffer <matthias.schiffer@ew.tq-group.com>
Tested-by: Pankaj Gupta <pankaj.gupta@nxp.com>
Tested-by: Michael Walle <michael@walle.cc> # on ls1028a (non-E and E)
Tested-by: John Ernberg <john.ernberg@actia.se> # iMX8QXP
Signed-off-by: Steffen Trumtrar <s.trumtrar@pengutronix.de>
Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
Diffstat (limited to 'security')
0 files changed, 0 insertions, 0 deletions