[M,0/1] pkey: support EP11 API ordinal 6 for secure guests (LP: 2029390)

Message ID 20230906133031.777653-1-frank.heimes@canonical.com

Message

Frank Heimes Sept. 6, 2023, 1:30 p.m. UTC
BugLink: https://bugs.launchpad.net/bugs/2029390

Secure Execution guests must use the EP11 API ordinal 6 to create (generate,
unwrap, derive) secure keys which encodes a NULL PIN (no session) as a string
of zero-bytes.
Therefore, the pkey module must be updated to check whether the Linux system
is running as a secure guest and if so modify secure key creating requests
(key(pair) gen, unwrap) to use ordinal 6 API.
As a pre-requirement, the PR for LP: 2028937 needs to be applied prior to this.

Holger Dengler (1):
  s390/zcrypt_ep11misc: support API ordinal 6 with empty pin-blob

 drivers/s390/crypto/ap_bus.c          |  9 ++++
 drivers/s390/crypto/ap_bus.h          |  1 +
 drivers/s390/crypto/pkey_api.c        | 27 ++++++++----
 drivers/s390/crypto/zcrypt_ep11misc.c | 60 ++++++++++++++++++++-------
 drivers/s390/crypto/zcrypt_ep11misc.h |  4 +-
 5 files changed, 76 insertions(+), 25 deletions(-)

Comments

Andrea Righi Sept. 13, 2023, 3:08 p.m. UTC | #1
On Wed, Sep 06, 2023 at 03:30:30PM +0200, frank.heimes@canonical.com wrote:
> BugLink: https://bugs.launchpad.net/bugs/2029390
> 
> Secure Execution guests must use the EP11 API ordinal 6 to create (generate,
> unwrap, derive) secure keys which encodes a NULL PIN (no session) as a string
> of zero-bytes.
> Therefore, the pkey module must be updated to check whether the Linux system
> is running as a secure guest and if so modify secure key creating requests
> (key(pair) gen, unwrap) to use ordinal 6 API.
> As a pre-requirement, the PR for LP: 2028937 needs to be applied prior to this.

For some reason this email was moved to my spam folder and I'm noticing
it only now.

The patch doesn't apply cleanly anymore to our latest
mantic/linux 6.5 kernel. Frank, do you have a newer patch for this?

Thanks,
-Andrea

Andrea Righi Sept. 13, 2023, 3:18 p.m. UTC | #2
On Wed, Sep 13, 2023 at 05:08:30PM +0200, Andrea Righi wrote:
> On Wed, Sep 06, 2023 at 03:30:30PM +0200, frank.heimes@canonical.com wrote:
> > BugLink: https://bugs.launchpad.net/bugs/2029390
> > 
> > Secure Execution guests must use the EP11 API ordinal 6 to create (generate,
> > unwrap, derive) secure keys which encodes a NULL PIN (no session) as a string
> > of zero-bytes.
> > Therefore, the pkey module must be updated to check whether the Linux system
> > is running as a secure guest and if so modify secure key creating requests
> > (key(pair) gen, unwrap) to use ordinal 6 API.
> > As a pre-requirement, the PR for LP: 2028937 needs to be applied prior to this.
> 
> For some reason this email was moved to my spam folder and I'm noticing
> it only now.
> 
> The patch doesn't apply cleanly anymore to our latest
> mantic/linux 6.5 kernel. Frank, do you have a newer patch for this?

Never mind, as discussed privately, after applying LP: #2028937 this
patch can also be applied cleanly, therefore: applied to mantic/linux.

Thanks,
-Andrea