From cf34014064ff745ad7385032a476107b7b9bafc4 Mon Sep 17 00:00:00 2001
From: Daniel Kristensen
Date: Mon, 7 Jun 2021 16:26:24 -0500
Subject: [PATCH] Add hardware-backed crypto support
Add build-time support for platforms that support hardware-backed crypto keys using a non-standard extension found in some Android kernels. To enable this, set HW_CRYPTO_SUPPORT prior to building: HW_CRYPTO_SUPPORT=1 make
Signed-off-by: Daniel Kristensen
Change-Id: Idc17d90d0c3aafccf6e6620514e699fe1143f88e
---
 Makefile | 4 ++++
 fscrypt_uapi.h | 7 +++++++
 fscryptctl.c | 30 ++++++++++++++++++++++++++++++
 3 files changed, 41 insertions(+)
diff --git a/Makefile b/Makefile
index 0480f3d..daeb421 100644
--- a/Makefile
+++ b/Makefile
@@ -28,6 +28,8 @@ PREFIX ?= /usr/local
 # Directory where the binary gets installed
 BINDIR ?= $(PREFIX)/bin
+HW_CRYPTO_SUPPORT ?= 0
+
 # C compiler flags
 CFLAGS ?= -O2 -Wall
@@ -37,6 +39,8 @@ CPPFLAGS ?=
 # Linker flags
 LDFLAGS ?=
+CFLAGS += -DHW_CRYPTO_SUPPORT=$(HW_CRYPTO_SUPPORT)
+
 # Pass the version to the command line program (pulled from tags).
 VERSION ?= $(shell git describe --tags 2>/dev/null)
 override CPPFLAGS += $(if $(VERSION),-DVERSION="\"$(VERSION)\"")
diff --git a/fscrypt_uapi.h b/fscrypt_uapi.h
index e5de603..ca337f9 100644
--- a/fscrypt_uapi.h
+++ b/fscrypt_uapi.h
@@ -125,7 +125,14 @@ struct fscrypt_add_key_arg {
 struct fscrypt_key_specifier key_spec;
 __u32 raw_size;
 __u32 key_id;
+#if HW_CRYPTO_SUPPORT
+ __u32 __reserved[7];
+ /* N.B.: "temporary" flag, not reserved upstream */
+#define __FSCRYPT_ADD_KEY_FLAG_HW_WRAPPED 0x00000001
+ __u32 __flags;
+#else
 __u32 __reserved[8];
+#endif
 __u8 raw[];
 };
diff --git a/fscryptctl.c b/fscryptctl.c
index 7d9883c..e8cb93d 100644
--- a/fscryptctl.c
+++ b/fscryptctl.c
@@ -82,6 +82,7 @@ enum {
 OPT_CONTENTS,
 OPT_DIRECT_KEY,
 OPT_FILENAMES,
+ OPT_HW_BACKED,
 OPT_IV_INO_LBLK_32,
 OPT_IV_INO_LBLK_64,
 OPT_PADDING,
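Review bot: The added `CFLAGS += -DHW_CRYPTO_SUPPORT=$(HW_CRYPTO_SUPPORT)` in the second Makefile hunk is dropped whenever CFLAGS is given on the make command line, because a plain `+=` does not apply to a command-line variable; the VERSION define just below it avoids this with `override CPPFLAGS +=`. When that happens `#if HW_CRYPTO_SUPPORT` sees an undefined macro, treats it as 0, and the tool is built without the feature and without any warning. A preprocessor define also belongs in CPPFLAGS, so I would write `override CPPFLAGS += -DHW_CRYPTO_SUPPORT=$(HW_CRYPTO_SUPPORT)`. The `HW_CRYPTO_SUPPORT ?= 0` line in the first hunk is the only variable there without a comment; something like `# Set to 1 to build the non-upstream --hw-backed option of add_key` would match the others.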
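Review bot: In the fscrypt_uapi.h hunk `__flags` takes over the last word of `__reserved`, which the added comment itself says is not assigned upstream, so a binary built with HW_CRYPTO_SUPPORT=1 is only correct against kernels that carry this exact extension. The one-line comment does not tell a maintainer that; I would expand it to name the kernel tree the definition was copied from and to state that the field must stay zero on any other kernel. As far as I know upstream kernels reject a non-zero reserved word rather than ignore it, which is the safe outcome, but that is worth confirming on the targets. The hunk also depends on the build defining HW_CRYPTO_SUPPORT; if the define is lost, the header silently falls back to the upstream layout.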
@@ -112,6 +113,11 @@ static void __attribute__((__noreturn__)) usage(FILE *out) {
 " print this help screen\n"
 " -v, --version\n"
 " print the version of fscrypt\n"
+#if HW_CRYPTO_SUPPORT
+ " add_key\n"
+ " --hw-backed\n"
+ " Use a hardware-backed crypto engine\n"
+#endif
 " remove_key\n"
 " --all-users\n"
 " force-remove all users' claims to the key (requires root)\n"
@@ -370,7 +376,27 @@ static bool set_policy(const char *path,
 // -----------------------------------------------------------------------------
 static int cmd_add_key(int argc, char *const argv[]) {
+#if HW_CRYPTO_SUPPORT
+ static const struct option add_key_options[] = {
+ {"hw-backed", no_argument, NULL, OPT_HW_BACKED},
+ {NULL, 0, NULL, 0}};
+
+ __u32 flags = 0;
+ int ch;
+ while ((ch = getopt_long(argc, argv, "", add_key_options, NULL)) != -1) {
+ switch (ch) {
+ case OPT_HW_BACKED:
+ flags |= __FSCRYPT_ADD_KEY_FLAG_HW_WRAPPED;
+ break;
+ default:
+ usage(stderr);
+ }
+ }
+ argc -= optind;
+ argv += optind;
+#else
 handle_no_options(&argc, &argv);
+#endif
 if (argc != 1) {
 fputs("error: must specify a single mountpoint\n", stderr);
 return EXIT_FAILURE;
@@ -391,6 +417,10 @@ static int cmd_add_key(int argc, char *const argv[]) {
 }
 arg->key_spec.type = FSCRYPT_KEY_SPEC_TYPE_IDENTIFIER;
+#if HW_CRYPTO_SUPPORT
+ arg->__flags = flags;
+#endif
+
 int fd = open(mountpoint, O_RDONLY | O_CLOEXEC);
 if (fd < 0) {
 fprintf(stderr, "error: opening %s: %s\n", mountpoint, strerror(errno));
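Review bot: In the cmd_add_key option-parsing hunk, `--hw-backed` only sets `__FSCRYPT_ADD_KEY_FLAG_HW_WRAPPED`, and the flag name suggests the kernel will then treat the bytes read from stdin as a hardware-wrapped key blob rather than a raw key. Neither this hunk nor the help text added in the usage hunk (`Use a hardware-backed crypto engine`) tells the caller that. The key read and its size check are in the part of cmd_add_key outside the hunks, so please confirm the limit applied there suits wrapped blobs on the target kernel and not only raw keys. If that reading of the flag is right, I would make the help line explicit, e.g. `"        the key on stdin is a hardware-wrapped key, not a raw key\n"`.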