Skip to content

Add hardware-backed crypto support #21

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
dpkristensen wants to merge 1 commit into from
Closed

Add hardware-backed crypto support #21

dpkristensen wants to merge 1 commit into from

Conversation

@dpkristensen
Copy link

@dpkristensen dpkristensen commented Jun 7, 2021

Add build-time support for platforms that support hardware-backed
crypto keys using a non-standard extension found in some Android
kernels. To enable this, set HW_CRYPTO_SUPPORT prior to building:

HW_CRYPTO_SUPPORT=1 make

Signed-off-by: Daniel Kristensen dpk5081@gmail.com
Change-Id: Idc17d90d0c3aafccf6e6620514e699fe1143f88e

Add hardware-backed crypto support
cf34014 
Add build-time support for platforms that support hardware-backed
crypto keys using a non-standard extension found in some Android
kernels.  To enable this, set HW_CRYPTO_SUPPORT prior to building:

 HW_CRYPTO_SUPPORT=1 make

Signed-off-by: Daniel Kristensen <dpk5081@gmail.com>
Change-Id: Idc17d90d0c3aafccf6e6620514e699fe1143f88e
@dpkristensen
Copy link
Author

dpkristensen commented Jun 7, 2021

I tested this in both configurations on an Android-based Kernel (5.4) with hardware crypto engine support (CONFIG_BLK_INLINE_ENCRYPTION=y and CONFIG_FS_ENCRYPTION_INLINE_CRYPT=y).

@ebiggers
Copy link
Collaborator

ebiggers commented Jun 7, 2021

I don't think we should add this to fscryptctl, as this feature (hardware-wrapped keys) is not yet part of the upstream Linux kernel. And when it does get upstreamed it will use a slightly different interface.

Also, there is no upstream-ready development platform that actually supports this feature yet (which is why it hasn't been upstreamed yet), so it currently isn't usable outside of the context of Android anyway. So there should be no need to support this feature in fscryptctl yet. Or if you are using fscryptctl on Android for some reason, you can just carry this change locally...

I would be happy to add support for this once the upstream Linux kernel supports it.

@ebiggers ebiggers closed this Jun 7, 2021
@josephlr
Copy link
Member

josephlr commented Jun 7, 2021

Agreed w/ @ebiggers here, I'd love to see a fscryptctl add_key --hw-backed option, but would want to make sure we were using a UAPI compatible with the eventual upstream kernel.

We would likely also want to have this be built w/ fscryptctl unconditionally, and have the tool fail if --hw-backed is requested but unsupported by the kernel.

@dpkristensen
Copy link
Author

dpkristensen commented Jun 8, 2021

Yes, I agree it would be best to have it as a consistently available feature. Since the format of the ioctl is incompatible with the upstream implementation, I had made it a compile-time only flag. I guess it'll have to wait until Android fixes its implementation.

@ebiggers
Copy link
Collaborator

ebiggers commented Apr 22, 2025

This feature is finally on its way to the upstream kernel. #48 adds support for it to fscryptctl.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@dpkristensen @ebiggers @josephlr