KEYS: trusted: Introduce NXP DCP-backed trusted keys
DCP (Data Co-Processor) is the little brother of NXP's CAAM IP. Besides accelerated crypto operations, it also offers support for hardware-bound keys. Using this feature it is possible to implement a blob mechanism similar to what CAAM offers. Unlike on CAAM, constructing and parsing the blob has to happen in software (i.e. the kernel).

The software-based blob format used by DCP trusted keys encrypts the payload using AES-128-GCM with a freshly generated random key and nonce. The random key itself is AES-128-ECB encrypted using the DCP unique or OTP key.

The DCP trusted key blob format is:

/*
 * struct dcp_blob_fmt - DCP BLOB format.
 *
 * @fmt_version: Format version, currently being %1
 * @blob_key: Random AES 128 key which is used to encrypt @payload,
 *            @blob_key itself is encrypted with OTP or UNIQUE device key in
 *            AES-128-ECB mode by DCP.
 * @nonce: Random nonce used for @payload encryption.
 * @payload_len: Length of t...
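The seal/open flow the commit message describes, written out as an added Go example. This is not code from the kernel patch or from NXP; it runs in software only. Assumptions not stated on the page: the byte layout (version, wrapped key, nonce, little-endian payload_len, ciphertext, GCM tag), the 12-byte GCM nonce, the function names sealBlob/openBlob/wrapBlobKey/unwrapBlobKey, and the constructed 16-byte deviceKey standing in for the DCP OTP/unique key, which real hardware never exposes to the CPU.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	blobFmtVersion = 1  // @fmt_version from the commit message
	blobKeyLen     = 16 // AES-128 @blob_key that encrypts the payload
	nonceLen       = 12 // GCM nonce size (assumed; the page does not state it)
	tagLen         = 16 // GCM authentication tag size
	headerLen      = 1 + blobKeyLen + nonceLen + 4
)

// wrapBlobKey models the DCP step: AES-128-ECB of the 16-byte blob key under the
// device OTP/unique key. Encrypting one AES block is ECB for a one-block input.
func wrapBlobKey(deviceKey, blobKey []byte) ([]byte, error) {
	if len(blobKey) != aes.BlockSize {
		return nil, errors.New("blob key must be exactly one AES block")
	}
	blk, err := aes.NewCipher(deviceKey)
	if err != nil {
		return nil, err
	}
	out := make([]byte, aes.BlockSize)
	blk.Encrypt(out, blobKey)
	return out, nil
}

// unwrapBlobKey is the inverse; in hardware deviceKey never leaves the DCP.
func unwrapBlobKey(deviceKey, wrapped []byte) ([]byte, error) {
	if len(wrapped) != aes.BlockSize {
		return nil, errors.New("wrapped key must be exactly one AES block")
	}
	blk, err := aes.NewCipher(deviceKey)
	if err != nil {
		return nil, err
	}
	out := make([]byte, aes.BlockSize)
	blk.Decrypt(out, wrapped)
	return out, nil
}

// sealBlob builds (assumed layout):
// version(1) | wrapped key(16) | nonce(12) | payload_len(4 LE) | ciphertext | tag(16)
func sealBlob(deviceKey, payload []byte) ([]byte, error) {
	blobKey := make([]byte, blobKeyLen)
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(blobKey); err != nil {
		return nil, err
	}
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	blk, err := aes.NewCipher(blobKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(blk)
	if err != nil {
		return nil, err
	}
	wrapped, err := wrapBlobKey(deviceKey, blobKey)
	if err != nil {
		return nil, err
	}
	var lenField [4]byte
	binary.LittleEndian.PutUint32(lenField[:], uint32(len(payload)))
	blob := make([]byte, 0, headerLen+len(payload)+tagLen)
	blob = append(blob, blobFmtVersion)
	blob = append(blob, wrapped...)
	blob = append(blob, nonce...)
	blob = append(blob, lenField[:]...)
	// Seal appends ciphertext followed by the 16-byte tag to blob.
	return gcm.Seal(blob, nonce, payload, nil), nil
}

// openBlob parses an untrusted blob: validate version and length fields against
// the real size before slicing, unwrap the key, then let GCM verify the tag.
func openBlob(deviceKey, blob []byte) ([]byte, error) {
	if len(blob) < headerLen+tagLen {
		return nil, errors.New("blob too short")
	}
	if blob[0] != blobFmtVersion {
		return nil, fmt.Errorf("unsupported blob format version %d", blob[0])
	}
	wrapped := blob[1 : 1+blobKeyLen]
	nonce := blob[1+blobKeyLen : 1+blobKeyLen+nonceLen]
	payloadLen := binary.LittleEndian.Uint32(blob[1+blobKeyLen+nonceLen : headerLen])
	if uint64(payloadLen)+headerLen+tagLen != uint64(len(blob)) {
		return nil, errors.New("payload_len does not match blob size")
	}
	blobKey, err := unwrapBlobKey(deviceKey, wrapped)
	if err != nil {
		return nil, err
	}
	blk, err := aes.NewCipher(blobKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(blk)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, blob[headerLen:], nil)
}

func main() {
	deviceKey := []byte("0123456789abcdef") // constructed stand-in for the OTP key
	blob, err := sealBlob(deviceKey, []byte("constructed trusted key material"))
	if err != nil {
		panic(err)
	}
	pt, err := openBlob(deviceKey, blob)
	fmt.Printf("blob %d bytes, payload %q, err %v\n", len(blob), pt, err)
	blob[len(blob)-1] ^= 0x01 // flip one tag bit
	_, err = openBlob(deviceKey, blob)
	fmt.Println("tampered blob rejected:", err != nil)
}
```

Two points matter for a parser that runs in the kernel: the length field comes from untrusted input and is checked against the actual buffer size before any slice is taken, and a wrong device key or a single flipped ciphertext bit fails the GCM tag check rather than yielding garbage key material. The header bytes themselves are not covered by the tag here; passing them as GCM additional data would be one way to authenticate them, but the page does not say whether the kernel format does so.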
Showing 5 changed files:
- include/keys/trusted_dcp.h (11 additions, 0 deletions)
- security/keys/trusted-keys/Kconfig (8 additions, 0 deletions)
- security/keys/trusted-keys/Makefile (2 additions, 0 deletions)
- security/keys/trusted-keys/trusted_core.c (5 additions, 1 deletion)
- security/keys/trusted-keys/trusted_dcp.c (313 additions, 0 deletions)