/* SPDX-License-Identifier: GPL-2.0 */ /* * Copyright 2019 Google LLC */ #ifndef __LINUX_KEYSLOT_MANAGER_H #define __LINUX_KEYSLOT_MANAGER_H #include /* Inline crypto feature bits. Must set at least one. */ enum { /* Support for standard software-specified keys */ BLK_CRYPTO_FEATURE_STANDARD_KEYS = BIT(0), /* Support for hardware-wrapped keys */ BLK_CRYPTO_FEATURE_WRAPPED_KEYS = BIT(1), }; #ifdef CONFIG_BLK_INLINE_ENCRYPTION struct keyslot_manager; /** * struct keyslot_mgmt_ll_ops - functions to manage keyslots in hardware * @keyslot_program: Program the specified key into the specified slot in the * inline encryption hardware. * @keyslot_evict: Evict key from the specified keyslot in the hardware. * The key is provided so that e.g. dm layers can evict * keys from the devices that they map over. * Returns 0 on success, -errno otherwise. * @derive_raw_secret: (Optional) Derive a software secret from a * hardware-wrapped key. Returns 0 on success, -EOPNOTSUPP * if unsupported on the hardware, or another -errno code. * * This structure should be provided by storage device drivers when they set up * a keyslot manager - this structure holds the function ptrs that the keyslot * manager will use to manipulate keyslots in the hardware. */ struct keyslot_mgmt_ll_ops { int (*keyslot_program)(struct keyslot_manager *ksm, const struct blk_crypto_key *key, unsigned int slot); int (*keyslot_evict)(struct keyslot_manager *ksm, const struct blk_crypto_key *key, unsigned int slot); int (*derive_raw_secret)(struct keyslot_manager *ksm, const u8 *wrapped_key, unsigned int wrapped_key_size, u8 *secret, unsigned int secret_size); }; struct keyslot_manager *keyslot_manager_create( struct device *dev, unsigned int num_slots, const struct keyslot_mgmt_ll_ops *ksm_ops, unsigned int features, const unsigned int crypto_mode_supported[BLK_ENCRYPTION_MODE_MAX], void *ll_priv_data); void keyslot_manager_set_max_dun_bytes(struct keyslot_manager *ksm, unsigned int max_dun_bytes); int keyslot_manager_get_slot_for_key(struct keyslot_manager *ksm, const struct blk_crypto_key *key); void keyslot_manager_get_slot(struct keyslot_manager *ksm, unsigned int slot); void keyslot_manager_put_slot(struct keyslot_manager *ksm, unsigned int slot); bool keyslot_manager_crypto_mode_supported(struct keyslot_manager *ksm, enum blk_crypto_mode_num crypto_mode, unsigned int dun_bytes, unsigned int data_unit_size, bool is_hw_wrapped_key); int keyslot_manager_evict_key(struct keyslot_manager *ksm, const struct blk_crypto_key *key); void keyslot_manager_reprogram_all_keys(struct keyslot_manager *ksm); void *keyslot_manager_private(struct keyslot_manager *ksm); void keyslot_manager_destroy(struct keyslot_manager *ksm); struct keyslot_manager *keyslot_manager_create_passthrough( struct device *dev, const struct keyslot_mgmt_ll_ops *ksm_ops, unsigned int features, const unsigned int crypto_mode_supported[BLK_ENCRYPTION_MODE_MAX], void *ll_priv_data); void keyslot_manager_intersect_modes(struct keyslot_manager *parent, const struct keyslot_manager *child); int keyslot_manager_derive_raw_secret(struct keyslot_manager *ksm, const u8 *wrapped_key, unsigned int wrapped_key_size, u8 *secret, unsigned int secret_size); #endif /* CONFIG_BLK_INLINE_ENCRYPTION */ #endif /* __LINUX_KEYSLOT_MANAGER_H */