author Linlin Zhang <linlin.zhang@oss.qualcomm.com> 2026-05-25 05:13:48 -0700
committer Mikulas Patocka <mpatocka@redhat.com> 2026-05-25 17:56:56 +0200
commit f9f57971da38afbcfa82a9502fb3eb5f1f100e73
tree 077282f5c50f9582fceb5fdf9db25c28b0b530cc /Documentation
parent 5aa0f9231cbacade065cedd8e9b5ebd067231171
dm-inlinecrypt: add support for hardware-wrapped keys
Add support for hardware-wrapped encryption keys to the dm-inlinecrypt target. Introduce a new optional argument <key_type> to indicate whether the provided key is a raw key or a hardware-wrapped key. Based on this flag, the appropriate blk-crypto key type is selected when initializing the key.

This allows dm-inlinecrypt to work with hardware that requires keys to be wrapped and managed by the underlying inline encryption engine.

Update the target argument parsing accordingly and pass the key type to blk_crypto_init_key(). Documentation is also updated to reflect the new parameter and usage.

Signed-off-by: Linlin Zhang <linlin.zhang@oss.qualcomm.com>
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Fixes: e7f57d2c47e2 ("dm-inlinecrypt: add target for inline block device encryption")
Diffstat (limited to 'Documentation')
-rw-r--r-- Documentation/admin-guide/device-mapper/dm-inlinecrypt.rst 20
1 files changed, 13 insertions, 7 deletions
diff --git a/Documentation/admin-guide/device-mapper/dm-inlinecrypt.rst b/Documentation/admin-guide/device-mapper/dm-inlinecrypt.rst
index 9b3069a5ec188..76b3aae21eb4c 100644
--- a/Documentation/admin-guide/device-mapper/dm-inlinecrypt.rst
+++ b/Documentation/admin-guide/device-mapper/dm-inlinecrypt.rst
@@ -39,18 +39,19 @@ Parameters::
<key_string>
The kernel keyring key is identified by string in following format:
- <key_size>:<key_type>:<key_description>.
+ <key_size>:<keyring_type>:<key_description>.
<key_size>
The encryption key size in bytes. The kernel key payload size must match
the value passed in <key_size>.
-<key_type>
- Either 'logon', or 'trusted' kernel key type.
+<keyring_type>
+ The type of the key inside the kernel keyring. It can be either 'logon',
+ or 'trusted' kernel key type.
<key_description>
The kernel keyring key description inlinecrypt target should look for
- when loading key of <key_type>.
+ when loading key of <keyring_type>.
<iv_offset>
The IV offset is a sector count that is added to the sector number
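Review bot: the <key_size> entry kept as context in this hunk still reads "The kernel key payload size must match the value passed in <key_size>", and now that the target accepts hardware-wrapped keys it does not say whether <key_size> is the length of the wrapped blob or of the underlying key when keytype:hw-wrapped is used. Please state which one applies, or say explicitly if keyring keys are only supported with keytype:raw. Minor wording point on the added <keyring_type> text: "It can be either 'logon', or 'trusted' kernel key type" has a stray comma and would read better as "Either the 'logon' or the 'trusted' kernel key type."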
@@ -70,7 +71,12 @@ Parameters::
Otherwise #opt_params is the number of following arguments.
Example of optional parameters section:
- allow_discards sector_size:4096 iv_large_sectors
+ keytype:raw allow_discards sector_size:4096 iv_large_sectors
+
+<key_type>
+ The type of the key as seen by the block layer, either standard or
+ hardware-wrapped. The string is supplied in the table as <keytype:raw>
+ or <keytype:hw-wrapped>.
allow_discards
Block discard requests (a.k.a. TRIM) are passed through the inlinecrypt
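Review bot: the new <key_type> entry does not say which key type is used when keytype is left out, although the commit message describes the argument as optional; an administrator reading this cannot tell whether an existing table without it is treated as raw or rejected. Please document the default. The entry also mixes terms: the description says "standard or hardware-wrapped" while the accepted strings are keytype:raw and keytype:hw-wrapped, so using "raw" in the description would match what is typed. The neighbouring optional parameters are headed by their literal token (allow_discards), so heading this one keytype:<key_type> and dropping the angle brackets around the literals <keytype:raw> and <keytype:hw-wrapped> would avoid them being read as placeholders.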
@@ -113,11 +119,11 @@ using dmsetup
#!/bin/sh
# Create a inlinecrypt device using dmsetup
- dmsetup create inlinecrypt1 --table "0 `blockdev --getsz $1` inlinecrypt aes-xts-plain64 babebabebabebabebabebabebabebabebabebabebabebabebabebabebabebabe 0 $1 0"
+ dmsetup create inlinecrypt1 --table "0 `blockdev --getsz $1` inlinecrypt aes-xts-plain64 babebabebabebabebabebabebabebabebabebabebabebabebabebabebabebabe 0 0 $1 0 1 keytype:raw"
::
#!/bin/sh
# Create a inlinecrypt device using dmsetup when encryption key is stored in keyring service
- dmsetup create inlinecrypt2 --table "0 `blockdev --getsz $1` inlinecrypt aes-xts-plain64 :64:logon:fde:dminlinecrypt_test_key 0 $1 0"
+ dmsetup create inlinecrypt2 --table "0 `blockdev --getsz $1` inlinecrypt aes-xts-plain64 :64:logon:fde:dminlinecrypt_test_key 0 0 $1 0 1 keytype:raw"
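Review bot: both updated examples gain a second "0" before "$1" ("... 0 0 $1 0 1 keytype:raw" where the old lines had "... 0 $1 0"), and none of the visible hunks documents a new positional parameter. If the table layout is unchanged, this shifts $1 out of the device path position and the examples will fail to load; if a new positional argument was added, it needs an entry in the Parameters section. Please confirm which is intended. Since the point of the change is hardware-wrapped keys, an example using keytype:hw-wrapped would also be useful here, as both examples only show keytype:raw.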