/* SPDX-License-Identifier: GPL-2.0 */
/*
 * Copyright 2019 Google LLC
 */

#ifndef __LINUX_KEYSLOT_MANAGER_H
#define __LINUX_KEYSLOT_MANAGER_H

#include <linux/bio.h>

/*
 * Inline crypto feature bits.  Must set at least one.
 *
 * These are defined outside the CONFIG_BLK_INLINE_ENCRYPTION guard below, so
 * they are visible even when inline encryption is compiled out.
 */
enum {
	/* Support for standard software-specified keys */
	BLK_CRYPTO_FEATURE_STANDARD_KEYS = BIT(0),

	/* Support for hardware-wrapped keys */
	BLK_CRYPTO_FEATURE_WRAPPED_KEYS = BIT(1),
};

/*
 * Everything from here to the matching #endif is declared only when
 * CONFIG_BLK_INLINE_ENCRYPTION is enabled.  This header has no #else branch
 * with stubs, so users of these declarations need the same config guard.
 */
#ifdef CONFIG_BLK_INLINE_ENCRYPTION

/* Only forward-declared here; this header handles it purely by pointer. */
struct keyslot_manager;

/**
 * struct keyslot_mgmt_ll_ops - functions to manage keyslots in hardware
 * @keyslot_program:	Program the specified key into the specified slot in the
 *			inline encryption hardware.
 * @keyslot_evict:	Evict key from the specified keyslot in the hardware.
 *			The key is provided so that e.g. dm layers can evict
 *			keys from the devices that they map over.
 *			Returns 0 on success, -errno otherwise.
 * @derive_raw_secret:	(Optional) Derive a software secret from a
 *			hardware-wrapped key.  Returns 0 on success, -EOPNOTSUPP
 *			if unsupported on the hardware, or another -errno code.
 *
 * This structure should be provided by storage device drivers when they set up
 * a keyslot manager - this structure holds the function ptrs that the keyslot
 * manager will use to manipulate keyslots in the hardware.
 *
 * NOTE(review): the return convention is spelled out only for @keyslot_evict
 * and @derive_raw_secret.  @keyslot_program also returns int, presumably
 * 0 / -errno as well - confirm against the implementation.
 *
 * NOTE(review): @derive_raw_secret hands the derived secret back through the
 * non-const @secret buffer.  This header does not say who bounds-checks
 * @wrapped_key_size and @secret_size, nor who wipes @secret afterwards.
 * Implementations should validate both sizes before touching the buffers, and
 * callers presumably should clear the secret (e.g. with memzero_explicit())
 * once it is no longer needed - confirm against the callers.
 */
struct keyslot_mgmt_ll_ops {
	int (*keyslot_program)(struct keyslot_manager *ksm,
			       const struct blk_crypto_key *key,
			       unsigned int slot);
	int (*keyslot_evict)(struct keyslot_manager *ksm,
			     const struct blk_crypto_key *key,
			     unsigned int slot);
	int (*derive_raw_secret)(struct keyslot_manager *ksm,
				 const u8 *wrapped_key,
				 unsigned int wrapped_key_size,
				 u8 *secret, unsigned int secret_size);
};

/*
 * Create a keyslot manager for @dev with @num_slots keyslots and the driver
 * callbacks in @ksm_ops.  @crypto_mode_supported has one entry per crypto
 * mode (BLK_ENCRYPTION_MODE_MAX entries); @ll_priv_data is an opaque driver
 * pointer.
 *
 * NOTE(review): @features is presumably a mask of BLK_CRYPTO_FEATURE_* bits,
 * of which at least one must be set - confirm.  How failure is reported
 * (NULL vs. ERR_PTR) is not stated here; check the definition before testing
 * the returned pointer.
 */
struct keyslot_manager *keyslot_manager_create(
	struct device *dev,
	unsigned int num_slots,
	const struct keyslot_mgmt_ll_ops *ksm_ops,
	unsigned int features,
	const unsigned int crypto_mode_supported[BLK_ENCRYPTION_MODE_MAX],
	void *ll_priv_data);

/* Set @max_dun_bytes on @ksm; the exact semantics live with the definition. */
void keyslot_manager_set_max_dun_bytes(struct keyslot_manager *ksm,
				       unsigned int max_dun_bytes);

/*
 * Obtain a keyslot for @key.
 * NOTE(review): the int result is presumably a slot index on success and
 * -errno on failure - confirm, and check for negatives before using it as a
 * slot number.
 */
int keyslot_manager_get_slot_for_key(struct keyslot_manager *ksm,
				     const struct blk_crypto_key *key);

/*
 * NOTE(review): get_slot/put_slot presumably take and drop a reference on
 * @slot and so must be balanced - confirm against the definition.
 */
void keyslot_manager_get_slot(struct keyslot_manager *ksm, unsigned int slot);

void keyslot_manager_put_slot(struct keyslot_manager *ksm, unsigned int slot);

/*
 * Ask whether @ksm supports the given combination of crypto mode, DUN size in
 * bytes, data unit size, and key type (@is_hw_wrapped_key selects
 * hardware-wrapped rather than standard keys).
 */
bool keyslot_manager_crypto_mode_supported(struct keyslot_manager *ksm,
					   enum blk_crypto_mode_num crypto_mode,
					   unsigned int dun_bytes,
					   unsigned int data_unit_size,
					   bool is_hw_wrapped_key);

/*
 * Evict @key from @ksm.
 * NOTE(review): presumably returns 0 or -errno like the @keyslot_evict
 * callback - confirm.  Callers relying on eviction to remove key material
 * from hardware should not ignore the return value.
 */
int keyslot_manager_evict_key(struct keyslot_manager *ksm,
			      const struct blk_crypto_key *key);

/*
 * NOTE(review): presumably re-runs @keyslot_program for the keys currently
 * held by @ksm - confirm.  Returns void, so any per-slot programming failure
 * is not visible to the caller through this interface.
 */
void keyslot_manager_reprogram_all_keys(struct keyslot_manager *ksm);

/*
 * NOTE(review): presumably returns the @ll_priv_data pointer that was passed
 * at creation time - confirm.
 */
void *keyslot_manager_private(struct keyslot_manager *ksm);

/*
 * Tear down @ksm.
 * NOTE(review): whether key material still held by the manager is wiped on
 * destroy is not visible from this header - confirm in the definition.
 */
void keyslot_manager_destroy(struct keyslot_manager *ksm);

/*
 * Variant of keyslot_manager_create() that takes no @num_slots argument.
 * NOTE(review): presumably for devices that manage no keyslots themselves and
 * pass keys through to an underlying device - confirm.
 */
struct keyslot_manager *keyslot_manager_create_passthrough(
	struct device *dev,
	const struct keyslot_mgmt_ll_ops *ksm_ops,
	unsigned int features,
	const unsigned int crypto_mode_supported[BLK_ENCRYPTION_MODE_MAX],
	void *ll_priv_data);

/*
 * Only @parent is modifiable here; @child is const.
 * NOTE(review): presumably narrows @parent's supported modes to those that
 * @child supports too - confirm.
 */
void keyslot_manager_intersect_modes(struct keyslot_manager *parent,
				     const struct keyslot_manager *child);

/*
 * Takes the same parameter list as the @derive_raw_secret callback in
 * struct keyslot_mgmt_ll_ops.
 * NOTE(review): presumably forwards to that callback and returns -EOPNOTSUPP
 * when it is absent - confirm.  @secret receives key material; callers should
 * size it to @secret_size and presumably wipe it after use.
 */
int keyslot_manager_derive_raw_secret(struct keyslot_manager *ksm,
				      const u8 *wrapped_key,
				      unsigned int wrapped_key_size,
				      u8 *secret, unsigned int secret_size);

#endif /* CONFIG_BLK_INLINE_ENCRYPTION */

#endif /* __LINUX_KEYSLOT_MANAGER_H */