mirror of
https://github.com/torvalds/linux.git
synced 2026-06-12 08:43:42 +02:00
c26f08d1d4
To prevent keys from being compromised if an attacker acquires read access to kernel memory, some inline encryption hardware can accept keys which are wrapped by a per-boot hardware-internal key. This avoids needing to keep the plaintext keys in kernel memory, without restricting the number of keys that can be used. Such keys can be initially generated either by software (in which case they must be imported to hardware to be wrapped) or directly by the hardware. There is also a mechanism to derive a "software secret" for cryptographic tasks that can't be handled by inline encryption. To support this hardware, allow struct blk_crypto_key to represent a hardware-wrapped key as an alternative to a standard key, and make drivers set flags in struct blk_crypto_profile to indicate which types of keys they support. Also add the derive_sw_secret() low-level operation, which drivers supporting wrapped keys must implement. For more information, see the detailed documentation which this patch adds to Documentation/block/inline-encryption.rst. This is a reworked version of a patch which was temporily reverted by https://android-review.googlesource.com/c/kernel/common/+/1867367, and which originated from several ANDROID patches that were consolidated by https://android-review.googlesource.com/c/kernel/common-patches/+/1350782. This version of the patch matches the patch in the below "Link:" tag that was sent upstream as an RFC. However, due to its history as ANDROID, it remains tagged as ANDROID rather than FROMLIST. Bug: 160883801 Link: https://lore.kernel.org/r/20211021181608.54127-2-ebiggers@kernel.org Change-Id: I4d18c261c279d606457b33374234c0a037e1d45a Signed-off-by: Eric Biggers <ebiggers@google.com> |
||
|---|---|---|
| .. | ||
| ABI | ||
| accounting | ||
| admin-guide | ||
| arm | ||
| arm64 | ||
| block | ||
| bpf | ||
| cdrom | ||
| core-api | ||
| cpu-freq | ||
| crypto | ||
| dev-tools | ||
| device-mapper | ||
| devicetree | ||
| doc-guide | ||
| driver-api | ||
| fault-injection | ||
| fb | ||
| features | ||
| filesystems | ||
| firmware_class | ||
| firmware-guide | ||
| fpga | ||
| gpu | ||
| hid | ||
| hwmon | ||
| i2c | ||
| ia64 | ||
| ide | ||
| iio | ||
| infiniband | ||
| input | ||
| isdn | ||
| kbuild | ||
| kernel-hacking | ||
| leds | ||
| litmus-tests | ||
| livepatch | ||
| locking | ||
| m68k | ||
| maintainer | ||
| mhi | ||
| mips | ||
| misc-devices | ||
| netlabel | ||
| networking | ||
| nios2 | ||
| nvdimm | ||
| openrisc | ||
| parisc | ||
| PCI | ||
| pcmcia | ||
| power | ||
| powerpc | ||
| process | ||
| RCU | ||
| riscv | ||
| s390 | ||
| scheduler | ||
| scsi | ||
| security | ||
| sh | ||
| sound | ||
| sparc | ||
| sphinx | ||
| sphinx-static | ||
| spi | ||
| staging | ||
| target | ||
| timers | ||
| trace | ||
| translations | ||
| usb | ||
| userspace-api | ||
| virt | ||
| vm | ||
| w1 | ||
| watchdog | ||
| x86 | ||
| xtensa | ||
| .gitignore | ||
| arch.rst | ||
| asm-annotations.rst | ||
| atomic_bitops.txt | ||
| atomic_t.txt | ||
| Changes | ||
| CodingStyle | ||
| conf.py | ||
| COPYING-logo | ||
| docutils.conf | ||
| dontdiff | ||
| index.rst | ||
| Kconfig | ||
| logo.gif | ||
| Makefile | ||
| memory-barriers.txt | ||
| SubmittingPatches | ||
| watch_queue.rst | ||
