31  * Whenever a new trusted key using DCP is generated, we generate a random 128-bit
32  * blob encryption key (BEK) and 128-bit nonce. The BEK and nonce are used to
33  * encrypt the trusted key payload using AES-128-GCM.
36  * encryption engine with AES-128-ECB. The encrypted BEK, generated nonce,
45  * @blob_key: Random AES 128 key which is used to encrypt @payload,
47  *            AES-128-ECB mode by DCP.
50  * @payload: The payload itself, encrypted using AES-128-GCM and @blob_key,
202 	struct dcp_blob_fmt *b = (struct dcp_blob_fmt *)p->blob;  in trusted_dcp_seal()  local
210 	b->fmt_version = DCP_BLOB_VERSION;  in trusted_dcp_seal()
211 	get_random_bytes(b->nonce, AES_KEYSIZE_128);  in trusted_dcp_seal()
214 	ret = do_aead_crypto(p->key, b->payload, p->key_len, plain_blob_key,  in trusted_dcp_seal()
215 			     b->nonce, true);  in trusted_dcp_seal()
221 	ret = encrypt_blob_key(plain_blob_key, b->blob_key);  in trusted_dcp_seal()
227 	put_unaligned_le32(p->key_len, &b->payload_len);  in trusted_dcp_seal()
239 	struct dcp_blob_fmt *b = (struct dcp_blob_fmt *)p->blob;  in trusted_dcp_unseal()  local
243 	if (b->fmt_version != DCP_BLOB_VERSION) {  in trusted_dcp_unseal()
245 		       b->fmt_version, DCP_BLOB_VERSION);  in trusted_dcp_unseal()
250 	p->key_len = le32_to_cpu(b->payload_len);  in trusted_dcp_unseal()
259 	ret = decrypt_blob_key(b->blob_key, plain_blob_key);  in trusted_dcp_unseal()
265 	ret = do_aead_crypto(b->payload, p->key, p->key_len + DCP_BLOB_AUTHLEN,  in trusted_dcp_unseal()
266 			     plain_blob_key, b->nonce, false);  in trusted_dcp_unseal()