diff options
author | David Gstir <david@sigma-star.at> | 2024-04-03 09:21:22 +0200 |
---|---|---|
committer | Jarkko Sakkinen <jarkko@kernel.org> | 2024-05-09 17:29:03 +0200 |
commit | 28c5f596ae3d1790cdc96fa5fc7370f934abfb2e (patch) | |
tree | d5da5c4c38c24acd0d25bb584729439df5cfcc94 /security | |
parent | docs: document DCP-backed trusted keys kernel params (diff) | |
download | linux-28c5f596ae3d1790cdc96fa5fc7370f934abfb2e.tar.xz linux-28c5f596ae3d1790cdc96fa5fc7370f934abfb2e.zip |
docs: trusted-encrypted: add DCP as new trust source
Update the documentation for trusted and encrypted KEYS with DCP as new
trust source:
- Describe security properties of DCP trust source
- Describe key usage
- Document blob format
Co-developed-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Richard Weinberger <richard@nod.at>
Co-developed-by: David Oberhollenzer <david.oberhollenzer@sigma-star.at>
Signed-off-by: David Oberhollenzer <david.oberhollenzer@sigma-star.at>
Signed-off-by: David Gstir <david@sigma-star.at>
Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
Reviewed-by: Bagas Sanjaya <bagasdotme@gmail.com>
Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
Diffstat (limited to 'security')
-rw-r--r-- | security/keys/trusted-keys/trusted_dcp.c | 19 |
1 files changed, 19 insertions, 0 deletions
diff --git a/security/keys/trusted-keys/trusted_dcp.c b/security/keys/trusted-keys/trusted_dcp.c index 16c44aafeab3..b5f81a05be36 100644 --- a/security/keys/trusted-keys/trusted_dcp.c +++ b/security/keys/trusted-keys/trusted_dcp.c @@ -20,6 +20,25 @@ #define DCP_BLOB_AUTHLEN 16 /** + * DOC: dcp blob format + * + * The Data Co-Processor (DCP) provides hardware-bound AES keys using its + * AES encryption engine only. It does not provide direct key sealing/unsealing. + * To make DCP hardware encryption keys usable as trust source, we define + * our own custom format that uses a hardware-bound key to secure the sealing + * key stored in the key blob. + * + * Whenever a new trusted key using DCP is generated, we generate a random 128-bit + * blob encryption key (BEK) and 128-bit nonce. The BEK and nonce are used to + * encrypt the trusted key payload using AES-128-GCM. + * + * The BEK itself is encrypted using the hardware-bound key using the DCP's AES + * encryption engine with AES-128-ECB. The encrypted BEK, generated nonce, + * BEK-encrypted payload and authentication tag make up the blob format together + * with a version number, payload length and authentication tag. + */ + +/** * struct dcp_blob_fmt - DCP BLOB format. * * @fmt_version: Format version, currently being %1. |