5da8f890a9
Backport a fix from the v7 inline crypto patchset which ensures that the block layer knows the number of DUN bytes the inline encryption hardware supports, so that hardware isn't used when it shouldn't be. (This unfortunately means introducing some increasing long argument lists; this was all already fixed up in later versions of the patchset.) To avoid breaking the KMI for drivers, don't add a dun_bytes argument to keyslot_manager_create() but rather allow drivers to call keyslot_manager_set_max_dun_bytes() to override the default. Also, don't add dun_bytes as a new field in 'struct blk_crypto_key' but rather pack it into the existing 'hash' field which is for block layer use. Bug: 144046242 Bug: 153512828 Change-Id: I285f36557fb3eafc5f2f64727ef1740938b59dd7 Signed-off-by: Eric Biggers <ebiggers@google.com>
103 lines
3.4 KiB
C
103 lines
3.4 KiB
C
/* SPDX-License-Identifier: GPL-2.0 */
|
|
/*
|
|
* Copyright 2019 Google LLC
|
|
*/
|
|
|
|
#ifndef __LINUX_KEYSLOT_MANAGER_H
|
|
#define __LINUX_KEYSLOT_MANAGER_H
|
|
|
|
#include <linux/bio.h>
|
|
|
|
/* Inline crypto feature bits. Must set at least one. */
|
|
enum {
|
|
/* Support for standard software-specified keys */
|
|
BLK_CRYPTO_FEATURE_STANDARD_KEYS = BIT(0),
|
|
|
|
/* Support for hardware-wrapped keys */
|
|
BLK_CRYPTO_FEATURE_WRAPPED_KEYS = BIT(1),
|
|
};
|
|
|
|
#ifdef CONFIG_BLK_INLINE_ENCRYPTION
|
|
|
|
struct keyslot_manager;
|
|
|
|
/**
|
|
* struct keyslot_mgmt_ll_ops - functions to manage keyslots in hardware
|
|
* @keyslot_program: Program the specified key into the specified slot in the
|
|
* inline encryption hardware.
|
|
* @keyslot_evict: Evict key from the specified keyslot in the hardware.
|
|
* The key is provided so that e.g. dm layers can evict
|
|
* keys from the devices that they map over.
|
|
* Returns 0 on success, -errno otherwise.
|
|
* @derive_raw_secret: (Optional) Derive a software secret from a
|
|
* hardware-wrapped key. Returns 0 on success, -EOPNOTSUPP
|
|
* if unsupported on the hardware, or another -errno code.
|
|
*
|
|
* This structure should be provided by storage device drivers when they set up
|
|
* a keyslot manager - this structure holds the function ptrs that the keyslot
|
|
* manager will use to manipulate keyslots in the hardware.
|
|
*/
|
|
struct keyslot_mgmt_ll_ops {
|
|
int (*keyslot_program)(struct keyslot_manager *ksm,
|
|
const struct blk_crypto_key *key,
|
|
unsigned int slot);
|
|
int (*keyslot_evict)(struct keyslot_manager *ksm,
|
|
const struct blk_crypto_key *key,
|
|
unsigned int slot);
|
|
int (*derive_raw_secret)(struct keyslot_manager *ksm,
|
|
const u8 *wrapped_key,
|
|
unsigned int wrapped_key_size,
|
|
u8 *secret, unsigned int secret_size);
|
|
};
|
|
|
|
struct keyslot_manager *keyslot_manager_create(
|
|
struct device *dev,
|
|
unsigned int num_slots,
|
|
const struct keyslot_mgmt_ll_ops *ksm_ops,
|
|
unsigned int features,
|
|
const unsigned int crypto_mode_supported[BLK_ENCRYPTION_MODE_MAX],
|
|
void *ll_priv_data);
|
|
|
|
void keyslot_manager_set_max_dun_bytes(struct keyslot_manager *ksm,
|
|
unsigned int max_dun_bytes);
|
|
|
|
int keyslot_manager_get_slot_for_key(struct keyslot_manager *ksm,
|
|
const struct blk_crypto_key *key);
|
|
|
|
void keyslot_manager_get_slot(struct keyslot_manager *ksm, unsigned int slot);
|
|
|
|
void keyslot_manager_put_slot(struct keyslot_manager *ksm, unsigned int slot);
|
|
|
|
bool keyslot_manager_crypto_mode_supported(struct keyslot_manager *ksm,
|
|
enum blk_crypto_mode_num crypto_mode,
|
|
unsigned int dun_bytes,
|
|
unsigned int data_unit_size,
|
|
bool is_hw_wrapped_key);
|
|
|
|
int keyslot_manager_evict_key(struct keyslot_manager *ksm,
|
|
const struct blk_crypto_key *key);
|
|
|
|
void keyslot_manager_reprogram_all_keys(struct keyslot_manager *ksm);
|
|
|
|
void *keyslot_manager_private(struct keyslot_manager *ksm);
|
|
|
|
void keyslot_manager_destroy(struct keyslot_manager *ksm);
|
|
|
|
struct keyslot_manager *keyslot_manager_create_passthrough(
|
|
struct device *dev,
|
|
const struct keyslot_mgmt_ll_ops *ksm_ops,
|
|
unsigned int features,
|
|
const unsigned int crypto_mode_supported[BLK_ENCRYPTION_MODE_MAX],
|
|
void *ll_priv_data);
|
|
|
|
void keyslot_manager_intersect_modes(struct keyslot_manager *parent,
|
|
const struct keyslot_manager *child);
|
|
|
|
int keyslot_manager_derive_raw_secret(struct keyslot_manager *ksm,
|
|
const u8 *wrapped_key,
|
|
unsigned int wrapped_key_size,
|
|
u8 *secret, unsigned int secret_size);
|
|
|
|
#endif /* CONFIG_BLK_INLINE_ENCRYPTION */
|
|
|
|
#endif /* __LINUX_KEYSLOT_MANAGER_H */
|