4 changes: 4 additions & 0 deletions Makefile
Expand Up @@ -28,6 +28,8 @@ PREFIX ?= /usr/local
# Directory where the binary gets installed
BINDIR ?= $(PREFIX)/bin

HW_CRYPTO_SUPPORT ?= 0

# C compiler flags
CFLAGS ?= -O2 -Wall

Expand All @@ -37,6 +39,8 @@ CPPFLAGS ?=
# Linker flags
LDFLAGS ?=

CFLAGS += -DHW_CRYPTO_SUPPORT=$(HW_CRYPTO_SUPPORT)

# Pass the version to the command line program (pulled from tags).
VERSION ?= $(shell git describe --tags 2>/dev/null)
override CPPFLAGS += $(if $(VERSION),-DVERSION="\"$(VERSION)\"")
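Review bot: The define at `CFLAGS += -DHW_CRYPTO_SUPPORT=$(HW_CRYPTO_SUPPORT)` is appended without `override`, so a user who passes `CFLAGS=...` on the make command line silently loses it; `#if HW_CRYPTO_SUPPORT` then sees an undefined identifier, which the preprocessor treats as 0, and the feature vanishes with no diagnostic. The file already routes its other `-D` through `override CPPFLAGS += $(if $(VERSION),-DVERSION=...)`, so the consistent line is `override CPPFLAGS += -DHW_CRYPTO_SUPPORT=$(HW_CRYPTO_SUPPORT)`. The new variable is also the only one in this block without a comment; `# Set to 1 to build the --hw-backed option of add_key (non-upstream kernel ABI)` above `HW_CRYPTO_SUPPORT ?= 0` matches the surrounding style. Values other than 0/1 are not validated, so `HW_CRYPTO_SUPPORT=` (empty) produces a malformed `#if` and a compile error rather than a clear message.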
7 changes: 7 additions & 0 deletions fscrypt_uapi.h
Expand Up @@ -125,7 +125,14 @@ struct fscrypt_add_key_arg {
struct fscrypt_key_specifier key_spec;
__u32 raw_size;
__u32 key_id;
#if HW_CRYPTO_SUPPORT
__u32 __reserved[7];
/* N.B.: "temporary" flag, not reserved upstream */
#define __FSCRYPT_ADD_KEY_FLAG_HW_WRAPPED 0x00000001
__u32 __flags;
#else
__u32 __reserved[8];
#endif
__u8 raw[];
};
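Review bot: The ABI consequence of `__u32 __reserved[7];` followed by `__u32 __flags;` is not stated, and it matters: the two layouts are both 32 bytes, so the struct size the ioctl sees is unchanged, but a nonzero `__flags` lands in what an unextended kernel still treats as the last reserved word, and a kernel that validates reserved bytes would presumably reject the call (likely EINVAL) — confirm against the target kernel. Suggest expanding the one-line N.B. to say that: `/* N.B.: non-upstream extension. __flags overlays the last __reserved word, so sizeof() is unchanged; kernels without this extension see a nonzero reserved byte and may reject the ioctl. */`. The `#define` placed inside the `#if` block also means the flag name is unavailable in the `HW_CRYPTO_SUPPORT=0` build, which is why every user site in fscryptctl.c needs its own `#if`; a short comment noting that intent would save the next reader a search.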

30 changes: 30 additions & 0 deletions fscryptctl.c
Expand Up @@ -82,6 +82,7 @@ enum {
OPT_CONTENTS,
OPT_DIRECT_KEY,
OPT_FILENAMES,
OPT_HW_BACKED,
OPT_IV_INO_LBLK_32,
OPT_IV_INO_LBLK_64,
OPT_PADDING,
Expand Down Expand Up @@ -112,6 +113,11 @@ static void __attribute__((__noreturn__)) usage(FILE *out) {
" print this help screen\n"
" -v, --version\n"
" print the version of fscrypt\n"
#if HW_CRYPTO_SUPPORT
" add_key\n"
" --hw-backed\n"
" Use a hardware-backed crypto engine\n"
#endif
" remove_key\n"
" --all-users\n"
" force-remove all users' claims to the key (requires root)\n"
Expand Down Expand Up @@ -370,7 +376,27 @@ static bool set_policy(const char *path,
// -----------------------------------------------------------------------------

static int cmd_add_key(int argc, char *const argv[]) {
#if HW_CRYPTO_SUPPORT
static const struct option add_key_options[] = {
{"hw-backed", no_argument, NULL, OPT_HW_BACKED},
{NULL, 0, NULL, 0}};

__u32 flags = 0;
int ch;
while ((ch = getopt_long(argc, argv, "", add_key_options, NULL)) != -1) {
switch (ch) {
case OPT_HW_BACKED:
flags |= __FSCRYPT_ADD_KEY_FLAG_HW_WRAPPED;
break;
default:
usage(stderr);
}
}
argc -= optind;
argv += optind;
#else
handle_no_options(&argc, &argv);
#endif
if (argc != 1) {
fputs("error: must specify a single mountpoint\n", stderr);
return EXIT_FAILURE;
Expand All @@ -391,6 +417,10 @@ static int cmd_add_key(int argc, char *const argv[]) {
}
arg->key_spec.type = FSCRYPT_KEY_SPEC_TYPE_IDENTIFIER;

#if HW_CRYPTO_SUPPORT
arg->__flags = flags;
#endif

int fd = open(mountpoint, O_RDONLY | O_CLOEXEC);
if (fd < 0) {
fprintf(stderr, "error: opening %s: %s\n", mountpoint, strerror(errno));
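Review bot: The new option loop in cmd_add_key sets `flags |= __FSCRYPT_ADD_KEY_FLAG_HW_WRAPPED` without saying what changes for the caller: the name suggests the bytes read from stdin are a hardware-wrapped blob rather than raw key material, yet the usage text only says "Use a hardware-backed crypto engine" and the function carries no comment. Suggest, above the `while ((ch = getopt_long(...` line: `// --hw-backed: stdin carries a hardware-wrapped key blob, signalled via the non-upstream __flags word; TODO confirm any raw_size bound applied below accepts wrapped-blob lengths.` — hedged because the size handling and the ioctl call are outside this hunk (cmd_add_key continues past both hunks shown). If the running kernel lacks the extension, the flag occupies a reserved word and the ioctl presumably fails with a generic error; a specific message at the ioctl failure site ("kernel does not support --hw-backed") would be worth adding where that call lives. On style, the `#if`/`#else` split gives the command two independent argument parsers; since `OPT_HW_BACKED` is added to the enum unconditionally, keeping a single getopt_long loop and gating only the `case OPT_HW_BACKED:` body would reduce the divergence.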