trusted-encrypted.rst - OpenGrok cross reference for /linux/Documentation/security/keys/trusted-encrypted.rst

Lines Matching +full:hardware +full:- +full:protected
13 Trusted Keys as Protected key
15 It is the secure way of keeping the keys in the kernel key-ring as Trusted-Key,
18 - Key-blob, an encrypted key-data, created to be stored, loaded and seen by
20 - Key-data, the plain-key text in the system memory, to be used by
23 Though key-data is not accessible to the user-space in plain-text, but it is in
24 plain-text in system memory, when used in kernel space. Even though kernel-space
25 attracts small surface attack, but with compromised kernel or side-channel
29 In order to protect the key in kernel space, the concept of "protected-keys" is
30 introduced which will act as an added layer of protection. The key-data of the
31 protected keys is encrypted with Key-Encryption-Key(KEK), and decrypted inside
32 the trust source boundary. The plain-key text never available out-side in the
34 protected key, can only be done by the trust source, which generated the
37 Hence, if the protected-key is leaked or compromised, it is of no use to the
40 Trusted keys as protected keys, with trust source having the capability of
43 - Key-Blob, to be loaded, stored and seen by user-space.
59      (1) TPM (Trusted Platform Module: hardware device)
64      (2) TEE (Trusted Execution Environment: OP-TEE based on Arm TrustZone)
66          Rooted to Hardware Unique Key (HUK) which is generally burnt in on-chip
72          mode, trust is rooted to the OTPMK, a never-disclosed 256-bit key
76      (4) DCP (Data Co-Processor: crypto accelerator of various i.MX SoCs)
78          Rooted to a one-time programmable key (OTP) that is generally burnt
79          in the on-chip fuses and is accessible to the DCP encryption engine only.
136          TPMs have well-documented, standardized interfaces and APIs.
140          TEEs have well-documented, standardized client interface and APIs. For
141          more details refer to ``Documentation/driver-api/tee.rst``.
149          Vendor-specific API that is implemented as part of the DCP crypto driver in
150          ``drivers/crypto/mxs-dcp.c``.
155      purpose must be assessed when using them to protect security-relevant data.
162 ------------
166 child key must be protected by a strong access control policy within the
170   *  TPM: hardware device based RNG
175   *  TEE: OP-TEE based on Arm TrustZone based RNG
178      from platform specific hardware RNG or a software based Fortuna CSPRNG
187   *  DCP (Data Co-Processor: crypto accelerator of various i.MX SoCs)
189      The DCP hardware device itself does not provide a dedicated RNG interface,
191      a dedicated hardware RNG that is independent from DCP which can be enabled
195 command-line to override the used RNG with the kernel's random number pool.
198 --------------
201 for encryption/decryption. New keys are created either from kernel-generated
202 random numbers or user-provided decrypted data, and are encrypted/decrypted
203 using a specified ‘master’ key. The ‘master’ key can either be a trusted-key or
204 user-key type. The main disadvantage of encrypted keys is that if they are not
214 -----------------------
218 time with the TrouSerS utility: "tpm_takeownership -u -z".
225   #> tsscreateprimary -hi o -st
227   #> tssevictcontrol -hi o -ho 80000000 -hp 81000001
231   #> tpm2_createprimary --hierarchy o -G rsa2048 -c key.ctxt
233   #> tpm2_evictcontrol -c key.ctxt 0x81000001
257                      are sha1, sha256, sha384, sha512 and sm3-256.
267 Trusted Keys can be 32 - 128 bytes (256 - 1024 bits), the upper limit is to fit
271 -----------------------
281 in bytes. Trusted Keys can be 32 - 128 bytes (256 - 1024 bits).
284 ------------------------
293 CAAM-specific format.  The key length for new keys is always in bytes.
294 Trusted Keys can be 32 - 128 bytes (256 - 1024 bits).
296 Trusted Keys as Protected Keys Usage::
302     where, 'pk' is used to direct trust source to generate protected key.
308 CAAM-specific format.  The key length for new keys is always in bytes.
309 Trusted Keys can be 32 - 128 bytes (256 - 1024 bits).
312 -----------------------
321 specific to this DCP key-blob implementation.  The key length for new keys is
322 always in bytes. Trusted Keys can be 32 - 128 bytes (256 - 1024 bits).
325 --------------------
333     keyctl add encrypted name "new [format] key-type:master-key-name keylen"
335     keyctl add encrypted name "new [format] key-type:master-key-name keylen
336         decrypted-data" ring
338     keyctl update keyid "update key-type:master-key-name"
343 	key-type:= 'trusted' | 'user'
346 -------------------------------------------
361            -3 --alswrv    500   500  keyring: _ses
362      97833714 --alswrv    500    -1   \_ keyring: _uid.500
363     440502848 --alswrv    500   500       \_ trusted: kmk
392 Create and save a trusted key as protected key named "kmk" of length 32 bytes.
401            -3 --alswrv    500   500  keyring: _ses
402      97833714 --alswrv    500    -1   \_ keyring: _uid.500
403     440502848 --alswrv    500   500       \_ trusted: kmk
481 Instantiate an encrypted key "evm" using user-provided decrypted data::
483     $ evmkey=$(dd if=/dev/urandom bs=1 count=32 | xxd -c32 -p)
504 ------------------------
561 ---------------
563 .. kernel-doc:: security/keys/trusted-keys/trusted_dcp.c
566 .. kernel-doc:: security/keys/trusted-keys/trusted_dcp.c