aac6c3decd
Inline Encryption hardware allows software to specify an encryption context (an encryption key, crypto algorithm, data unit num, data unit size, etc.) along with a data transfer request to a storage device, and the inline encryption hardware will use that context to en/decrypt the data. The inline encryption hardware is part of the storage device, and it conceptually sits on the data path between system memory and the storage device. Inline Encryption hardware implementations often function around the concept of "keyslots". These implementations often have a limited number of "keyslots", each of which can hold an encryption context (we say that an encryption context can be "programmed" into a keyslot). Requests made to the storage device may have a keyslot associated with them, and the inline encryption hardware will en/decrypt the data in the requests using the encryption context programmed into that associated keyslot. As keyslots are limited, and programming keys may be expensive in many implementations, and multiple requests may use exactly the same encryption contexts, we introduce a Keyslot Manager to efficiently manage keyslots. The keyslot manager also functions as the interface that upper layers will use to program keys into inline encryption hardware. For more information on the Keyslot Manager, refer to documentation found in block/keyslot-manager.c and linux/keyslot-manager.h. Bug: 137270441 Test: tested as series; see Ie1b77f7615d6a7a60fdc9105c7ab2200d17636a8 Change-Id: Iea1ee5a7eec46cb50d33cf1e2d20dfb7335af4ed Signed-off-by: Satya Tangirala <satyat@google.com> Link: https://patchwork.kernel.org/patch/11214713/
98 lines
3.2 KiB
C
98 lines
3.2 KiB
C
/* SPDX-License-Identifier: GPL-2.0 */
|
|
/*
|
|
* Copyright 2019 Google LLC
|
|
*/
|
|
|
|
#include <linux/bio.h>
|
|
|
|
#ifdef CONFIG_BLOCK
|
|
|
|
#ifndef __LINUX_KEYSLOT_MANAGER_H
|
|
#define __LINUX_KEYSLOT_MANAGER_H
|
|
|
|
/**
|
|
* struct keyslot_mgmt_ll_ops - functions to manage keyslots in hardware
|
|
* @keyslot_program: Program the specified key and algorithm into the
|
|
* specified slot in the inline encryption hardware.
|
|
* @keyslot_evict: Evict key from the specified keyslot in the hardware.
|
|
* The key, crypto_mode and data_unit_size are also passed
|
|
* down so that e.g. dm layers can evict keys from
|
|
* the devices that they map over.
|
|
* Returns 0 on success, -errno otherwise.
|
|
* @crypto_mode_supported: Check whether a crypto_mode and data_unit_size
|
|
* combo is supported.
|
|
* @keyslot_find: Returns the slot number that matches the key,
|
|
* or -ENOKEY if no match found, or -errno on
|
|
* error.
|
|
*
|
|
* This structure should be provided by storage device drivers when they set up
|
|
* a keyslot manager - this structure holds the function ptrs that the keyslot
|
|
* manager will use to manipulate keyslots in the hardware.
|
|
*/
|
|
struct keyslot_mgmt_ll_ops {
|
|
int (*keyslot_program)(void *ll_priv_data, const u8 *key,
|
|
enum blk_crypto_mode_num crypto_mode,
|
|
unsigned int data_unit_size,
|
|
unsigned int slot);
|
|
int (*keyslot_evict)(void *ll_priv_data, const u8 *key,
|
|
enum blk_crypto_mode_num crypto_mode,
|
|
unsigned int data_unit_size,
|
|
unsigned int slot);
|
|
bool (*crypto_mode_supported)(void *ll_priv_data,
|
|
enum blk_crypto_mode_num crypto_mode,
|
|
unsigned int data_unit_size);
|
|
int (*keyslot_find)(void *ll_priv_data, const u8 *key,
|
|
enum blk_crypto_mode_num crypto_mode,
|
|
unsigned int data_unit_size);
|
|
};
|
|
|
|
#ifdef CONFIG_BLK_INLINE_ENCRYPTION
|
|
struct keyslot_manager;
|
|
|
|
extern struct keyslot_manager *keyslot_manager_create(unsigned int num_slots,
|
|
const struct keyslot_mgmt_ll_ops *ksm_ops,
|
|
void *ll_priv_data);
|
|
|
|
extern int
|
|
keyslot_manager_get_slot_for_key(struct keyslot_manager *ksm,
|
|
const u8 *key,
|
|
enum blk_crypto_mode_num crypto_mode,
|
|
unsigned int data_unit_size);
|
|
|
|
extern void keyslot_manager_get_slot(struct keyslot_manager *ksm,
|
|
unsigned int slot);
|
|
|
|
extern void keyslot_manager_put_slot(struct keyslot_manager *ksm,
|
|
unsigned int slot);
|
|
|
|
extern bool
|
|
keyslot_manager_crypto_mode_supported(struct keyslot_manager *ksm,
|
|
enum blk_crypto_mode_num crypto_mode,
|
|
unsigned int data_unit_size);
|
|
|
|
extern bool
|
|
keyslot_manager_rq_crypto_mode_supported(struct request_queue *q,
|
|
enum blk_crypto_mode_num crypto_mode,
|
|
unsigned int data_unit_size);
|
|
|
|
extern int keyslot_manager_evict_key(struct keyslot_manager *ksm,
|
|
const u8 *key,
|
|
enum blk_crypto_mode_num crypto_mode,
|
|
unsigned int data_unit_size);
|
|
|
|
extern void keyslot_manager_destroy(struct keyslot_manager *ksm);
|
|
|
|
#else /* CONFIG_BLK_INLINE_ENCRYPTION */
|
|
|
|
static inline bool
|
|
keyslot_manager_rq_crypto_mode_supported(struct request_queue *q,
|
|
enum blk_crypto_mode_num crypto_mode,
|
|
unsigned int data_unit_size)
|
|
{
|
|
return false;
|
|
}
|
|
#endif /* CONFIG_BLK_INLINE_ENCRYPTION */
|
|
|
|
#endif /* __LINUX_KEYSLOT_MANAGER_H */
|
|
|
|
#endif /* CONFIG_BLOCK */
|