Skip to content

Add support for hardware-wrapped inline crypto keys #48

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
ebiggers merged 10 commits into from
Oct 29, 2025
Merged

Add support for hardware-wrapped inline crypto keys #48

ebiggers merged 10 commits into from
Oct 29, 2025

Conversation

@ebiggers
Copy link
Collaborator

@ebiggers ebiggers commented Apr 22, 2025
edited
Loading

Add support for hardware-wrapped inline crypto keys to fscryptctl.

This consists of:

  • New commands that wrap the BLKCRYPTOIMPORTKEY, BLKCRYPTOGENERATEKEY, BLKCRYPTOPREPAREKEY ioctls that were added in Linux 6.15.
  • Support for passing a wrapped key to fscryptctl add_key. This relies on the support for FSCRYPT_ADD_KEY_FLAG_HW_WRAPPED which was added in Linux 6.16.

@ebiggers ebiggers mentioned this pull request Apr 22, 2025
Closed
@ebiggers
Update kernel.org links
7787db3 
Link to docs.kernel.org/ instead of www.kernel.org/doc/html/latest/.  It
makes the links shorter, and they point to the latest version.
@ebiggers
Fix a typo and a format inconsistency in the Makefile
2f081f2
@ebiggers
Fix the usage text for --version
b1b9917 
It should say fscryptctl, not fscrypt.
@ebiggers
Add xzalloc() function
69258d7 
Add a xzalloc() helper function to simplify error-checked allocations.
@ebiggers
Make read_key() take a max_size parameter
d8e1d50 
In preparation for supporting both raw keys (max size 64) and wrapped
keys (max size 128), make read_key() take a max_size parameter.
Also introduce a wipe_and_free() helper function.
@ebiggers
Add full_write() function
7852250 
The upcoming commands import_hw_wrapped_key, generate_hw_wrapped_key,
and prepare_hw_wrapped_key will write the wrapped keys they produce to
standard output.  Add a full_write() helper function for them to use.
@ebiggers
Import the latest <linux/fscrypt.h>
a0f4042 
Import <linux/fscrypt.h> from Linux v6.16.

This is needed to support adding hardware-wrapped keys.
@ebiggers
Import <linux/blk-crypto.h>
d6f2db5 
Import <linux/blk-crypto.h> from Linux v6.16.

Needed for the definition of the blk-crypto ioctls.
@ebiggers
Add support for adding hardware-wrapped keys
e9ef440 
Update the 'fscryptctl add_key' command to accept hardware-wrapped keys.
Previously, it only accepted raw keys.

This relies on the support for FSCRYPT_ADD_KEY_FLAG_HW_WRAPPED which is
available in Linux 6.16 and later.  For more details, see the Linux
kernel commit https://git.kernel.org/linus/c07d3aede2b26830
@ebiggers ebiggers force-pushed the wrapped-keys branch 3 times, most recently from 8ebbd97 to b433594 Compare October 29, 2025 23:09
@ebiggers
Add support for creating and preparing hardware-wrapped keys
9b84dc5 
Add fscryptctl commands that wrap the BLKCRYPTOIMPORTKEY,
BLKCRYPTOGENERATEKEY, and BLKCRYPTOPREPAREKEY ioctls that were added in
Linux 6.15.  These are needed to use hardware-wrapped keys.
@ebiggers ebiggers merged commit 9b84dc5 into master Oct 29, 2025
11 checks passed
@ebiggers ebiggers deleted the wrapped-keys branch October 29, 2025 23:33
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@ebiggers