Confessions of a security hardware driver maintainer Gilad Ben-Yossef © 2017 Arm Limited Principal Software Engineer About me My name is Gilad Ben-Yossef. I work on upstream Linux kernel cryptography and security in genera,l and arm® TrustZone® CryptoCell® support in particular. I’ve been working in various forms with and on the Linux kernel and other Open Source projects for close to twenty years – i.e. I’m an old bugger… ☺ I co-authored “Building Embedded Linux Systems” 2nd edition from O’Reilly. I’m a co-founder of HaMakor, an Israeli NPO for free and open source software and of August Penguin, the longest running Israeli FOSS conference. 2 © 2017 Arm Limited What I am NOT going to talk about today The CryptoCell out-of-tree device driver went into staging commit abefd6741d540fc624e73a2a3bdef2397bcbd064 Author: Gilad Ben-Yossef <[email protected]> Date: Sun Apr 23 12:26:09 2017 +0300 staging: ccree: introduce CryptoCell HW driver Introduce basic low level Arm TrustZone CryptoCell HW support. This first patch doesn't actually register any Crypto API transformations, these will follow up in the next patch. This first revision supports the CC 712 REE component. Signed-off-by: Gilad Ben-Yossef <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]> 3 © 2017 Arm Limited What I am going to talk about… Kernel software and security hardware integration mismatches ? 4 © 2017 Arm Limited Android Secure boot sequence 2 Boot loader verifies kernel 1 Firmware verifies the boot loader image and boot file system “For verifying boot and recovery partitions, the bootloader has a fixed OEM key available to it. It always attempts to verify the boot 1 partition using the OEM key.” 2 3 OS verifies the system and additional partitions “Once execution has moved to the boot 3 partition, the software there is responsible for setting up verification of further partitions. “Bootloader integrity is always verified Due to its large size, the system partition using a hardware root of trust.” typically cannot be verified similarly to previous parts but is verified as it’s being accessed instead using the dm-verity kernel driver or a similar solution.” 5 © 2017 Arm Limited The quotes are from taken from https://source.android.com/security/verifiedboot/verified-boot on . 8/5/2017 under the Creative Commons Attribution 3.0 License DM-Verity Device-Mapper's "verity" target provides transparent integrity checking of block devices using a cryptographic digest provided by the kernel crypto API. EXT4 Super Block EXT4 File System Meta Data Hash Tree 6 © 2017 Arm Limited What is Arm® TrustZone® CryptoCell? The ARM® TrustZone® CryptoCell solution is a comprehensive collectionReaders of silicon -Digestproven security version: modules that provide platform level security services. Its multi-layered hardware and software architecture combines hardware accelerators, hardware roots-of-trust control with a rich layer of security software and off chip tools. The high performance TrustZone CryptoCell-700 family is focused at providing platform security for devices serving data intensive use cases. It provides the system with various cryptography related services (implementation of symmetric and asymmetric schemes, HASH and Keyed HASH functions, Random number generation) as well as platform security services required to assure the integrity, authenticity and confidentiality of code and data belonging to different stakeholders (e.g. an OEM, a service provider or the user). 7 © 2017 Arm Limited Allowing DM-Verity to use async. transformations The upstream DM-Verity implementation was using the synchronous crypto API designed for in- core based implementations. This caused customers to use various unspeakable hacks to get it to work. We changed the implementation to use the asynchronous API that allows use of off core crypto accelerators. Patch accepted for 4.12. 8 © 2017 Arm Limited But how did we get here? crypto_alloc_ahash(“md5”, 0, CRYPTO_ALG_ASYNC); 9 © 2017 Arm Limited Rusty Russel's API Design Manifesto http://ozlabs.org/~rusty/index.cgi/tech/2008-03-30.html How Do I Make This Hard to Misuse? What If I Don't Actually Like My Users? 10. It's impossible to get wrong. -1. Read the mailing list thread and you'll get it 9. The compiler/linker won't let you get it wrong. wrong. 8. The compiler will warn if you get it wrong. -2. Read the implementation and you'll get it wrong. 7. The obvious use is (probably) the correct one. -3. Read the documentation and you'll get it wrong. 6. The name tells you how to use it. -4. Follow common convention and you'll get it 5. Do it right or it will always break at runtime. wrong. 4. Follow common convention and you'll get it -5. Do it right and it will sometimes break at right. runtime. 3. Read the documentation and you'll get it right. -6. The name tells you how not to use it. 2. Read the implementation and you'll get it right. -7. The obvious use is wrong. 1. Read the correct mailing list thread and you'll -8. The compiler will warn if you get it right. get it right. -9. The compiler/linker won't let you get it right. -10. It's impossible to get right. 10 © 2017 Arm Limited Symmetric cryptography code example struct tcrypt_result { /* Perform cipher operation */ struct completion completion; static unsigned int test_skcipher_encdec(struct skcipher_def *sk, int err; int enc) }; { int rc = 0; /* tie all data structures together */ struct skcipher_def { if (enc) struct scatterlist sg; rc = crypto_skcipher_encrypt(sk->req); struct crypto_skcipher *tfm; else struct skcipher_request *req; rc = crypto_skcipher_decrypt(sk->req); struct tcrypt_result result; }; switch (rc) { case 0: /* Callback function */ break; static void test_skcipher_cb(struct crypto_async_request *req, int error) case -EINPROGRESS: { case -EBUSY: struct tcrypt_result *result = req->data; rc = wait_for_completion_interruptible( &sk->result.completion); if (error == -EINPROGRESS) if (!rc && !sk->result.err) { return; reinit_completion(&sk->result.completion); result->err = error; break; complete(&result->completion); } pr_info("Encryption finished successfully\n"); default: } pr_info("skcipher encrypt returned with %d result %d\n", rc, sk->result.err); break; } init_completion(&sk->result.completion); return rc; } 11 © 2017 Arm Limited The good, the bad and the ugly struct tcrypt_result { /* Perform cipher operation */ struct completion completion; static unsigned int test_skcipher_encdec(struct skcipher_def *sk, int err; int enc) }; { int rc = 0; /* tie all data structures together */ Boilerplate struct skcipher_def { if (enc) struct scatterlist sg; rc = crypto_skcipher_encrypt(sk->req); struct crypto_skcipher *tfm; else struct skcipher_request *req; rc = crypto_skcipher_decrypt(sk->req); struct tcrypt_result result; }; switch (rc) { case 0: /* Callback function */ break; static void test_skcipher_cb(struct crypto_async_request *req, int error) case -EINPROGRESS: { case -EBUSY: struct tcrypt_result *result = req->data; rc = wait_for_completion_interruptible( &sk->result.completion); if (error == -EINPROGRESS) if (!rc && !sk->result.err) { return; reinit_completion(&sk->result.completion); result->err = error; break; complete(&result->completion); } pr_info("Encryption finished successfully\n"); default: } pr_info("skcipher encrypt returned with %d result %d\n", rc, sk->result.err); break; } init_completion(&sk->result.completion); return rc; } 12 © 2017 Arm Limited -3. Read the documentation and you'll get it wrong. Symmetric cryptography code example – after change /* tie all data structures together */ /* Perform cipher operation */ struct skcipher_def { static unsigned int test_skcipher_encdec(struct skcipher_def *sk, struct scatterlist sg; int enc) struct crypto_skcipher *tfm; { struct skcipher_request *req; int rc = 0; struct crypto_wait wait; }; if (enc) rc = crypto_skcipher_encrypt(sk->req); else rc = crypto_skcipher_decrypt(sk->req); rc = crypto_wait_req(sk->req, rc); if (rc) pr_info("skcipher encrypt returned with %d result %d\n", rc, sk->result.err); crypto_init_wait(&sk->wait); return rc; } 36 files changed, 310 insertions(+), 737 deletions(-) 13 © 2017 Arm Limited Latency hiding via parallelism “Hardware is parallel” Decoding DMA In Encryption DMA Out Decoding DMA In Encryption DMA Out Decoding DMA In Encryption DMA Out Decoding DMA In Encryption DMA Out Decoding DMA In Encryption DMA Out Decoding DMA In Encryption DMA Out Decoding DMA In Encryption DMA Out Time 14 © 2017 Arm Limited Effect of parallelism on latency Latency in cycles for one CBC(AES-128) encryption operation 700 600 500 400 300 200 100 0 16 byte 64 byte 256 byte 1024 byte 4096 bytes 8192 bytes Multiple Buffers Single Buffer 15 © 2017 Arm Limited Parallelism status in-kernel crypto users Already doing a very good job of parallelism: • DM-Crypt • IPsec code Working on improving: • DM-Verity • Fscrypt • Probably more 16 © 2017 Arm Limited Effect of buffer sizes on efficiency Bytes per cycle of latency for one 128 bit key CBC(AES-128) encryption operation 25 20 15 10 5 0 16 byte 64 byte 256 byte 1024 byte 4096 bytes 8192 bytes Bytes per cycle 17 © 2017 Arm Limited DM-Crypt XTS/ESSIV generation handling 4K page of file data in RAM • DM-Crypt (and fscrypt) implements IV generation internally. • Two separate different implementations. • Limiting ability to use hardware AES/XTS acceleration for … storage. 8 9 10 11 • Working with Binoy 12 13 14 15 Jayan from Linaro on … separating IV code. 512 bytes Sector Number Sector of Ciphertext provided as IV 18 © 2017 Arm Limited