ANDROID: dm: Add wrapped key support in dm-default-key
To prevent keys from being compromised if an attacker acquires read access to kernel memory, some inline encryption hardware supports protecting the keys in hardware without software having access to or the ability to set the plaintext keys. Instead, software only sees "wrapped keys", which may differ on every boot. The keys can be initially generated either by software (in which case they need to be imported to hardware to be wrapped), or directly by the hardware. Add support for this type of hardware by allowing keys to be flagged as hardware-wrapped. When used, dm-default-key will pass the wrapped key to the inline encryption hardware to encryption metadata. The hardware will internally unwrap the key and derive the metadata encryption key. Bug: 147209885 Test: Validate metadata encryption & FBE with wrapped keys. Change-Id: I8078b116dab9e04d7f3f15f29f11823185ea5d50 Signed-off-by: Barani Muthukumaran <bmuthuku@codeaurora.org>
This commit is contained in:
parent
a1423568e2
commit
0dccdc03e0
@ -9,7 +9,7 @@
|
|||||||
|
|
||||||
#define DM_MSG_PREFIX "default-key"
|
#define DM_MSG_PREFIX "default-key"
|
||||||
|
|
||||||
#define DM_DEFAULT_KEY_MAX_KEY_SIZE 64
|
#define DM_DEFAULT_KEY_MAX_WRAPPED_KEY_SIZE 128
|
||||||
|
|
||||||
static const struct dm_default_key_cipher {
|
static const struct dm_default_key_cipher {
|
||||||
const char *name;
|
const char *name;
|
||||||
@ -47,6 +47,7 @@ struct default_key_c {
|
|||||||
unsigned int sector_size;
|
unsigned int sector_size;
|
||||||
unsigned int sector_bits;
|
unsigned int sector_bits;
|
||||||
struct blk_crypto_key key;
|
struct blk_crypto_key key;
|
||||||
|
bool is_hw_wrapped;
|
||||||
};
|
};
|
||||||
|
|
||||||
static const struct dm_default_key_cipher *
|
static const struct dm_default_key_cipher *
|
||||||
@ -82,7 +83,7 @@ static int default_key_ctr_optional(struct dm_target *ti,
|
|||||||
struct default_key_c *dkc = ti->private;
|
struct default_key_c *dkc = ti->private;
|
||||||
struct dm_arg_set as;
|
struct dm_arg_set as;
|
||||||
static const struct dm_arg _args[] = {
|
static const struct dm_arg _args[] = {
|
||||||
{0, 3, "Invalid number of feature args"},
|
{0, 4, "Invalid number of feature args"},
|
||||||
};
|
};
|
||||||
unsigned int opt_params;
|
unsigned int opt_params;
|
||||||
const char *opt_string;
|
const char *opt_string;
|
||||||
@ -115,6 +116,8 @@ static int default_key_ctr_optional(struct dm_target *ti,
|
|||||||
}
|
}
|
||||||
} else if (!strcmp(opt_string, "iv_large_sectors")) {
|
} else if (!strcmp(opt_string, "iv_large_sectors")) {
|
||||||
iv_large_sectors = true;
|
iv_large_sectors = true;
|
||||||
|
} else if (!strcmp(opt_string, "wrappedkey_v0")) {
|
||||||
|
dkc->is_hw_wrapped = true;
|
||||||
} else {
|
} else {
|
||||||
ti->error = "Invalid feature arguments";
|
ti->error = "Invalid feature arguments";
|
||||||
return -EINVAL;
|
return -EINVAL;
|
||||||
@ -142,7 +145,8 @@ static int default_key_ctr(struct dm_target *ti, unsigned int argc, char **argv)
|
|||||||
{
|
{
|
||||||
struct default_key_c *dkc;
|
struct default_key_c *dkc;
|
||||||
const struct dm_default_key_cipher *cipher;
|
const struct dm_default_key_cipher *cipher;
|
||||||
u8 raw_key[DM_DEFAULT_KEY_MAX_KEY_SIZE];
|
u8 raw_key[DM_DEFAULT_KEY_MAX_WRAPPED_KEY_SIZE];
|
||||||
|
unsigned int raw_key_size;
|
||||||
unsigned long long tmpll;
|
unsigned long long tmpll;
|
||||||
char dummy;
|
char dummy;
|
||||||
int err;
|
int err;
|
||||||
@ -174,12 +178,15 @@ static int default_key_ctr(struct dm_target *ti, unsigned int argc, char **argv)
|
|||||||
}
|
}
|
||||||
|
|
||||||
/* <key> */
|
/* <key> */
|
||||||
if (strlen(argv[1]) != 2 * cipher->key_size) {
|
raw_key_size = strlen(argv[1]);
|
||||||
ti->error = "Incorrect key size for cipher";
|
if (raw_key_size > 2 * DM_DEFAULT_KEY_MAX_WRAPPED_KEY_SIZE ||
|
||||||
|
raw_key_size % 2) {
|
||||||
|
ti->error = "Invalid keysize";
|
||||||
err = -EINVAL;
|
err = -EINVAL;
|
||||||
goto bad;
|
goto bad;
|
||||||
}
|
}
|
||||||
if (hex2bin(raw_key, argv[1], cipher->key_size) != 0) {
|
raw_key_size /= 2;
|
||||||
|
if (hex2bin(raw_key, argv[1], raw_key_size) != 0) {
|
||||||
ti->error = "Malformed key string";
|
ti->error = "Malformed key string";
|
||||||
err = -EINVAL;
|
err = -EINVAL;
|
||||||
goto bad;
|
goto bad;
|
||||||
@ -224,7 +231,8 @@ static int default_key_ctr(struct dm_target *ti, unsigned int argc, char **argv)
|
|||||||
}
|
}
|
||||||
|
|
||||||
err = blk_crypto_init_key(&dkc->key, raw_key, cipher->key_size,
|
err = blk_crypto_init_key(&dkc->key, raw_key, cipher->key_size,
|
||||||
false, cipher->mode_num, dkc->sector_size);
|
dkc->is_hw_wrapped, cipher->mode_num,
|
||||||
|
dkc->sector_size);
|
||||||
if (err) {
|
if (err) {
|
||||||
ti->error = "Error initializing blk-crypto key";
|
ti->error = "Error initializing blk-crypto key";
|
||||||
goto bad;
|
goto bad;
|
||||||
@ -317,6 +325,8 @@ static void default_key_status(struct dm_target *ti, status_type_t type,
|
|||||||
num_feature_args += !!ti->num_discard_bios;
|
num_feature_args += !!ti->num_discard_bios;
|
||||||
if (dkc->sector_size != SECTOR_SIZE)
|
if (dkc->sector_size != SECTOR_SIZE)
|
||||||
num_feature_args += 2;
|
num_feature_args += 2;
|
||||||
|
if (dkc->is_hw_wrapped)
|
||||||
|
num_feature_args += 1;
|
||||||
if (num_feature_args != 0) {
|
if (num_feature_args != 0) {
|
||||||
DMEMIT(" %d", num_feature_args);
|
DMEMIT(" %d", num_feature_args);
|
||||||
if (ti->num_discard_bios)
|
if (ti->num_discard_bios)
|
||||||
@ -325,6 +335,8 @@ static void default_key_status(struct dm_target *ti, status_type_t type,
|
|||||||
DMEMIT(" sector_size:%u", dkc->sector_size);
|
DMEMIT(" sector_size:%u", dkc->sector_size);
|
||||||
DMEMIT(" iv_large_sectors");
|
DMEMIT(" iv_large_sectors");
|
||||||
}
|
}
|
||||||
|
if (dkc->is_hw_wrapped)
|
||||||
|
DMEMIT(" wrappedkey_v0");
|
||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
@ -369,7 +381,7 @@ static void default_key_io_hints(struct dm_target *ti,
|
|||||||
|
|
||||||
static struct target_type default_key_target = {
|
static struct target_type default_key_target = {
|
||||||
.name = "default-key",
|
.name = "default-key",
|
||||||
.version = {2, 0, 0},
|
.version = {2, 1, 0},
|
||||||
.module = THIS_MODULE,
|
.module = THIS_MODULE,
|
||||||
.ctr = default_key_ctr,
|
.ctr = default_key_ctr,
|
||||||
.dtr = default_key_dtr,
|
.dtr = default_key_dtr,
|
||||||
|
Loading…
Reference in New Issue
Block a user