From patchwork Mon Mar 1 13:11:23 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Sumit Garg X-Patchwork-Id: 12109645 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-21.8 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER, INCLUDES_PATCH,MAILING_LIST_MULTI,MENTIONS_GIT_HOSTING,SPF_HELO_NONE,SPF_PASS, USER_AGENT_GIT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id ECD80C433E0 for ; Mon, 1 Mar 2021 13:13:25 +0000 (UTC) Received: from merlin.infradead.org (merlin.infradead.org [205.233.59.134]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 869356023C for ; Mon, 1 Mar 2021 13:13:25 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 869356023C Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=linaro.org Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=merlin.20170209; h=Sender:Content-Transfer-Encoding: Content-Type:Cc:List-Subscribe:List-Help:List-Post:List-Archive: List-Unsubscribe:List-Id:MIME-Version:Message-Id:Date:Subject:To:From: Reply-To:Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender :Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Owner; bh=25EJ6CW7D2e5AdrIV5LRut4ffj2UPAQGaHRcKJu4KK0=; b=ROxxXTfsNSeesjThVSW4qg4SuU 2vAImSKqOjJqe5i2VUfIU7X7+/U3eM1RLKDwMvyYHkJ7FIsK9sS6bVrYvaaBTmexnGYyTrRU82rFK BC+NO3b3dGMCRBXIv+SEpld4RAYdjmirapnkdMATCAq3T3L96mNaa/BxAWE4umVpsybTe7krFX+Bu a7v8KF3q7X7pBy9Xnhqtj13JBzmAMk/GeIRD8ksb7SHYi5ODwchvjm1GwEY8UgI+kVKpwO1Rp4JQL KcJXrAb5t+PuF2V4kxqj5QHuo5UDctePFWvWvPA2Tx+RsV9udoB5082d0M7fMVEOpEULTna4TekWT WwRzTRig==; Received: from localhost ([::1] helo=merlin.infradead.org) by merlin.infradead.org with esmtp (Exim 4.92.3 #3 (Red Hat Linux)) id 1lGiLE-0007Ge-4w; Mon, 01 Mar 2021 13:12:04 +0000 Received: from mail-pj1-x1034.google.com ([2607:f8b0:4864:20::1034]) by merlin.infradead.org with esmtps (Exim 4.92.3 #3 (Red Hat Linux)) id 1lGiL7-0007GA-K1 for linux-arm-kernel@lists.infradead.org; Mon, 01 Mar 2021 13:12:01 +0000 Received: by mail-pj1-x1034.google.com with SMTP id o6so11782007pjf.5 for ; Mon, 01 Mar 2021 05:11:54 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=b3ExXcrTKtaMKYTLWvaQqay72x46/EzChsHCCF6qzCU=; b=b7sA/vRm3WrAy3bA3s72thm96GXP3C0iIoAmX4jN9pYjQl0r5bYZemIFYL1D7mdLPO k05WugUa2MpwiovRwKnXYw4IXWJmkcQtuwHQ/n9CHO9ejxb6r6s7bbP7QUQESrItpO6Y oyASWNdvVq3nIil5HSbzF+yQNjV7M2E6+Zv6V9Do8DL85lR7GZjBGXJHSj4kMR7XP30W 6ZqC3zCcKih4QsFHFmeZhdxJPKCHXgVP2uYCmSsqmlCaof0V+65bGCJI0/jFIuztXHeX 1z5ZoImHLP572W4obDz3LssDrMtgDektzGkLh7qZzjB5sfi0F8K8IF2pz3T7yqOWX9YJ YkQw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=b3ExXcrTKtaMKYTLWvaQqay72x46/EzChsHCCF6qzCU=; b=HBDQG35PgsB7bM5ql/G8xs5rfZXkRAgjHYR+xlUBFKgtJLQyto210qeYRVqRltbPu7 FPBtx4shcvCsE5vf0QwsoQ4GB5A0FnFhLkk+1ifJbgRWvTVNkaZSU4hXOkyBSLyCrKVG vgMJFIsmJRv7gvGAj3YTnlvalOS0PYkKVgoSMMAY8z31cdlu3q9RMrveahGRHBJ44JwZ h+Dd7ybuhlzBD4LYl5REiGRNG/XA26ehD1DtZzHwuhSHazjd3ZYSgBY9AkbhSvFQQfBP pTvPSuRfcJuqzbiTrIV5wLk8VBSWB7wCYv/4USCVttyCH7DW9ZJSSUou0bf4M+1mFBnc qT4w== X-Gm-Message-State: AOAM533PW5W2HUDwHNSKobzHCHf3YQa8MldjKRbh+TlSGomSZ0bAb3Ww 20QfJ08FEEFLyE8V5fuTjSOl5Q== X-Google-Smtp-Source: ABdhPJzEwXoFW5aHXjckvLnyESk7reRavQszrdC8mYNQ9CxHGgFAhrl6FUGikFWhCrRy8h0bxbZLBg== X-Received: by 2002:a17:90a:1a59:: with SMTP id 25mr16193091pjl.54.1614604312435; Mon, 01 Mar 2021 05:11:52 -0800 (PST) Received: from localhost.localdomain ([110.226.35.200]) by smtp.gmail.com with ESMTPSA id b3sm13964523pjg.41.2021.03.01.05.11.43 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 01 Mar 2021 05:11:51 -0800 (PST) From: Sumit Garg To: jarkko.sakkinen@linux.intel.com, zohar@linux.ibm.com, jejb@linux.ibm.com Subject: [PATCH v9 0/4] Introduce TEE based Trusted Keys support Date: Mon, 1 Mar 2021 18:41:23 +0530 Message-Id: <20210301131127.793707-1-sumit.garg@linaro.org> X-Mailer: git-send-email 2.25.1 MIME-Version: 1.0 X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20210301_081157_970955_0CE1EE42 X-CRM114-Status: GOOD ( 14.13 ) X-BeenThere: linux-arm-kernel@lists.infradead.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: linux-security-module@vger.kernel.org, daniel.thompson@linaro.org, a.fatoum@pengutronix.de, Sumit Garg , op-tee@lists.trustedfirmware.org, corbet@lwn.net, janne.karhunen@gmail.com, linux-doc@vger.kernel.org, jmorris@namei.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, lhinds@redhat.com, keyrings@vger.kernel.org, erpalmer@us.ibm.com, Markus.Wamser@mixed-mode.de, casey@schaufler-ca.com, linux-integrity@vger.kernel.org, jens.wiklander@linaro.org, linux-arm-kernel@lists.infradead.org, serge@hallyn.com Sender: "linux-arm-kernel" Errors-To: linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org Add support for TEE based trusted keys where TEE provides the functionality to seal and unseal trusted keys using hardware unique key. Also, this is an alternative in case platform doesn't possess a TPM device. This patch-set has been tested with OP-TEE based early TA which is already merged in upstream [1]. [1] https://github.com/OP-TEE/optee_os/commit/f86ab8e7e0de869dfa25ca05a37ee070d7e5b86b Changes in v9: 1. Rebased to latest tpmdd/master. 2. Defined pr_fmt() and removed redundant tags. 3. Patch #2: incorporated misc. comments. 4. Patch #3: incorporated doc changes from Elaine and misc. comments from Randy. 5. Patch #4: reverted to separate maintainer entry as per request from Jarkko. 6. Added Jarkko's Tested-by: tag on patch #2. Changes in v8: 1. Added static calls support instead of indirect calls. 2. Documented trusted keys source module parameter. 3. Refined patch #1 commit message discription. 4. Addressed misc. comments on patch #2. 5. Added myself as Trusted Keys co-maintainer instead. 6. Rebased to latest tpmdd master. Changes in v7: 1. Added a trusted.source module parameter in order to enforce user's choice in case a particular platform posses both TPM and TEE. 2. Refine commit description for patch #1. Changes in v6: 1. Revert back to dynamic detection of trust source. 2. Drop author mention from trusted_core.c and trusted_tpm1.c files. 3. Rebased to latest tpmdd/master. Changes in v5: 1. Drop dynamic detection of trust source and use compile time flags instead. 2. Rename trusted_common.c -> trusted_core.c. 3. Rename callback: cleanup() -> exit(). 4. Drop "tk" acronym. 5. Other misc. comments. 6. Added review tags for patch #3 and #4. Changes in v4: 1. Pushed independent TEE features separately: - Part of recent TEE PR: https://lkml.org/lkml/2020/5/4/1062 2. Updated trusted-encrypted doc with TEE as a new trust source. 3. Rebased onto latest tpmdd/master. Changes in v3: 1. Update patch #2 to support registration of multiple kernel pages. 2. Incoporate dependency patch #4 in this patch-set: https://patchwork.kernel.org/patch/11091435/ Changes in v2: 1. Add reviewed-by tags for patch #1 and #2. 2. Incorporate comments from Jens for patch #3. 3. Switch to use generic trusted keys framework. Sumit Garg (4): KEYS: trusted: Add generic trusted keys framework KEYS: trusted: Introduce TEE based Trusted Keys doc: trusted-encrypted: updates with TEE as a new trust source MAINTAINERS: Add entry for TEE based Trusted Keys .../admin-guide/kernel-parameters.txt | 12 + .../security/keys/trusted-encrypted.rst | 171 ++++++-- MAINTAINERS | 8 + include/keys/trusted-type.h | 53 +++ include/keys/trusted_tee.h | 16 + include/keys/trusted_tpm.h | 29 +- security/keys/trusted-keys/Makefile | 2 + security/keys/trusted-keys/trusted_core.c | 358 +++++++++++++++++ security/keys/trusted-keys/trusted_tee.c | 317 +++++++++++++++ security/keys/trusted-keys/trusted_tpm1.c | 366 ++++-------------- 10 files changed, 981 insertions(+), 351 deletions(-) create mode 100644 include/keys/trusted_tee.h create mode 100644 security/keys/trusted-keys/trusted_core.c create mode 100644 security/keys/trusted-keys/trusted_tee.c