Lines Matching +full:programmable +full:- +full:security
9 of a Trust Source for greater security, while Encrypted Keys can be used on any
17 A trust source provides the source of security for Trusted Keys. This
18 section lists currently supported trust sources, along with their security
33 (2) TEE (Trusted Execution Environment: OP-TEE based on Arm TrustZone)
35 Rooted to Hardware Unique Key (HUK) which is generally burnt in on-chip
41 mode, trust is rooted to the OTPMK, a never-disclosed 256-bit key
45 (4) DCP (Data Co-Processor: crypto accelerator of various i.MX SoCs)
47 Rooted to a one-time programmable key (OTP) that is generally burnt
48 in the on-chip fuses and is accessible to the DCP encryption engine only.
105 TPMs have well-documented, standardized interfaces and APIs.
109 TEEs have well-documented, standardized client interface and APIs. For
110 more details refer to ``Documentation/driver-api/tee.rst``.
118 Vendor-specific API that is implemented as part of the DCP crypto driver in
119 ``drivers/crypto/mxs-dcp.c``.
124 purpose must be assessed when using them to protect security-relevant data.
131 ------------
144 * TEE: OP-TEE based on Arm TrustZone based RNG
156 * DCP (Data Co-Processor: crypto accelerator of various i.MX SoCs)
164 command-line to override the used RNG with the kernel's random number pool.
167 --------------
170 for encryption/decryption. New keys are created either from kernel-generated
171 random numbers or user-provided decrypted data, and are encrypted/decrypted
172 using a specified ‘master’ key. The ‘master’ key can either be a trusted-key or
173 user-key type. The main disadvantage of encrypted keys is that if they are not
183 -----------------------
187 time with the TrouSerS utility: "tpm_takeownership -u -z".
194 #> tsscreateprimary -hi o -st
196 #> tssevictcontrol -hi o -ho 80000000 -hp 81000001
200 #> tpm2_createprimary --hierarchy o -G rsa2048 -c key.ctxt
202 #> tpm2_evictcontrol -c key.ctxt 0x81000001
226 are sha1, sha256, sha384, sha512 and sm3-256.
236 Trusted Keys can be 32 - 128 bytes (256 - 1024 bits), the upper limit is to fit
240 -----------------------
250 in bytes. Trusted Keys can be 32 - 128 bytes (256 - 1024 bits).
253 ------------------------
262 CAAM-specific format. The key length for new keys is always in bytes.
263 Trusted Keys can be 32 - 128 bytes (256 - 1024 bits).
266 -----------------------
275 specific to this DCP key-blob implementation. The key length for new keys is
276 always in bytes. Trusted Keys can be 32 - 128 bytes (256 - 1024 bits).
279 --------------------
287 keyctl add encrypted name "new [format] key-type:master-key-name keylen"
289 keyctl add encrypted name "new [format] key-type:master-key-name keylen
290 decrypted-data" ring
292 keyctl update keyid "update key-type:master-key-name"
297 key-type:= 'trusted' | 'user'
300 -------------------------------------------
315 -3 --alswrv 500 500 keyring: _ses
316 97833714 --alswrv 500 -1 \_ keyring: _uid.500
317 440502848 --alswrv 500 500 \_ trusted: kmk
395 Instantiate an encrypted key "evm" using user-provided decrypted data::
397 $ evmkey=$(dd if=/dev/urandom bs=1 count=32 | xxd -c32 -p)
410 ``Documentation/security/keys/ecryptfs.rst``.
413 with payload size of 32 bytes. This will initially be used for nvdimm security
418 ------------------------
475 ---------------
477 .. kernel-doc:: security/keys/trusted-keys/trusted_dcp.c
480 .. kernel-doc:: security/keys/trusted-keys/trusted_dcp.c