mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/chenhuacai/linux-loongson
synced 2025-08-28 18:10:32 +00:00
1ebd4a3c09
Until this point, the kernel can use hardware-wrapped keys to do encryption if userspace provides one -- specifically a key in ephemerally-wrapped form. However, no generic way has been provided for userspace to get such a key in the first place. Getting such a key is a two-step process. First, the key needs to be imported from a raw key or generated by the hardware, producing a key in long-term wrapped form. This happens once in the whole lifetime of the key. Second, the long-term wrapped key needs to be converted into ephemerally-wrapped form. This happens each time the key is "unlocked". In Android, these operations are supported in a generic way through KeyMint, a userspace abstraction layer. However, that method is Android-specific and can't be used on other Linux systems, may rely on proprietary libraries, and also misleads people into supporting KeyMint features like rollback resistance that make sense for other KeyMint keys but don't make sense for hardware-wrapped inline encryption keys. Therefore, this patch provides a generic kernel interface for these operations by introducing new block device ioctls: - BLKCRYPTOIMPORTKEY: convert a raw key to long-term wrapped form. - BLKCRYPTOGENERATEKEY: have the hardware generate a new key, then return it in long-term wrapped form. - BLKCRYPTOPREPAREKEY: convert a key from long-term wrapped form to ephemerally-wrapped form. These ioctls are implemented using new operations in blk_crypto_ll_ops. Signed-off-by: Eric Biggers <ebiggers@google.com> Tested-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org> # sm8650 Link: https://lore.kernel.org/r/20250204060041.409950-4-ebiggers@kernel.org Signed-off-by: Jens Axboe <axboe@kernel.dk>
45 lines
1.2 KiB
C
45 lines
1.2 KiB
C
/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
|
|
#ifndef _UAPI_LINUX_BLK_CRYPTO_H
|
|
#define _UAPI_LINUX_BLK_CRYPTO_H
|
|
|
|
#include <linux/ioctl.h>
|
|
#include <linux/types.h>
|
|
|
|
struct blk_crypto_import_key_arg {
|
|
/* Raw key (input) */
|
|
__u64 raw_key_ptr;
|
|
__u64 raw_key_size;
|
|
/* Long-term wrapped key blob (output) */
|
|
__u64 lt_key_ptr;
|
|
__u64 lt_key_size;
|
|
__u64 reserved[4];
|
|
};
|
|
|
|
struct blk_crypto_generate_key_arg {
|
|
/* Long-term wrapped key blob (output) */
|
|
__u64 lt_key_ptr;
|
|
__u64 lt_key_size;
|
|
__u64 reserved[4];
|
|
};
|
|
|
|
struct blk_crypto_prepare_key_arg {
|
|
/* Long-term wrapped key blob (input) */
|
|
__u64 lt_key_ptr;
|
|
__u64 lt_key_size;
|
|
/* Ephemerally-wrapped key blob (output) */
|
|
__u64 eph_key_ptr;
|
|
__u64 eph_key_size;
|
|
__u64 reserved[4];
|
|
};
|
|
|
|
/*
|
|
* These ioctls share the block device ioctl space; see uapi/linux/fs.h.
|
|
* 140-141 are reserved for future blk-crypto ioctls; any more than that would
|
|
* require an additional allocation from the block device ioctl space.
|
|
*/
|
|
#define BLKCRYPTOIMPORTKEY _IOWR(0x12, 137, struct blk_crypto_import_key_arg)
|
|
#define BLKCRYPTOGENERATEKEY _IOWR(0x12, 138, struct blk_crypto_generate_key_arg)
|
|
#define BLKCRYPTOPREPAREKEY _IOWR(0x12, 139, struct blk_crypto_prepare_key_arg)
|
|
|
|
#endif /* _UAPI_LINUX_BLK_CRYPTO_H */
|