[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: [PATCH 1/1] virtio-crypto: introduce asym service
Introduce asym service type, several asymmetric algorithms and relevent information: - RSA(padding algorithm, ASN.1 schema definition) - DSA - ECDSA(ecc algorithm) Signed-off-by: zhenwei pi <pizhenwei@bytedance.com> Signed-off-by: Lei He <helei.sig11@bytedance.com> --- virtio-crypto.tex | 214 +++++++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 210 insertions(+), 4 deletions(-) diff --git a/virtio-crypto.tex b/virtio-crypto.tex index 74746f9..53339a1 100644 --- a/virtio-crypto.tex +++ b/virtio-crypto.tex @@ -41,6 +41,7 @@ \subsection{Feature bits}\label{sec:Device Types / Crypto Device / Feature bits} supported by the AEAD service. \end{description} +Currently, ASYM service do not support stateless mode. \subsubsection{Feature bit requirements}\label{sec:Device Types / Crypto Device / Feature bit requirements} @@ -67,6 +68,8 @@ \subsection{Supported crypto services}\label{sec:Device Types / Crypto Device / #define VIRTIO_CRYPTO_SERVICE_MAC 2 /* AEAD (Authenticated Encryption with Associated Data) service */ #define VIRTIO_CRYPTO_SERVICE_AEAD 3 +/* ASYM (Asymmetric Key Cipher) service */ +#define VIRTIO_CRYPTO_SERVICE_ASYM 4 \end{lstlisting} The above constants designate bits used to indicate the which of crypto services are @@ -181,6 +184,65 @@ \subsubsection{AEAD services}\label{sec:Device Types / Crypto Device / Supported operation requests, see \ref{sec:Device Types / Crypto Device / Device Operation / Control Virtqueue / Session operation}. \end{enumerate} +\subsection{ASYM services}\label{sec: Device Teypes / Crypto Device / Supported crypto services / ASYM services} + +The following ASYM key types are defined: +\begin{lstlisting} +#define VIRTIO_CRYPTO_ASYM_KEY_TYPE_PUBLIC 1 +#define VIRTIO_CRYPTO_ASYM_KEY_TYPE_PRIVATE 2 +\end{lstlisting} + +The above constants are used to disignate the key types in asymmetric crypto operation requests, +see \ref{sec:Device Types / Crypto Device / Device Operation / Control Virtqueue / Session operation}. + +The following ASYM algorithms are defined: +\begin{lstlisting} +#define VIRTIO_CRYPTO_NO_ASYM 0 +#define VIRTIO_CRYPTO_ASYM_RSA 1 +#define VIRTIO_CRYPTO_ASYM_DSA 2 +#define VIRTIO_CRYPTO_ASYM_ECDSA 3 +\end{lstlisting} + +The above constants have two usages: +\begin{enumerate} +\item As bit numbers, used to tell the driver which ASYM algorithms +are supported by the device, see \ref{sec:Device Types / Crypto Device / Device configuration layout}. +\item As values, used to disignate the algorithm in asymmetric crypto operation requests, +see \ref{sec:Device Types / Crypto Device / Device Operation / Control Virtqueue / Session operation}. +\end{enumerate} + + +For RSA algorithm, the following padding algorithms are defined: +\begin{lstlisting} +#define VIRTIO_CRYPTO_RSA_RAW_PADDING 0 +#define VIRTIO_CRYPTO_RSA_PKCS1_PADDING 1 +\end{lstlisting} + +For RSA algorithm, the following hash algorithms are defined, which is used +to calculate padding result. +\begin{lstlisting} +#define VIRTIO_CRYPTO_RSA_NO_HASH 0 +#define VIRTIO_CRYPTO_RSA_MD2 1 +#define VIRTIO_CRYPTO_RSA_MD3 2 +#define VIRTIO_CRYPTO_RSA_MD4 3 +#define VIRTIO_CRYPTO_RSA_MD5 4 +#define VIRTIO_CRYPTO_RSA_SHA1 5 +#define VIRTIO_CRYPTO_RSA_SHA256 6 +#define VIRTIO_CRYPTO_RSA_SHA384 7 +#define VIRTIO_CRYPTO_RSA_SHA512 8 +#define VIRTIO_CRYPTO_RSA_SHA224 9 +\end{lstlisting} + +For ECC algorithms such as ecdsa, the following curves are defined: +\begin{lstlisting} +#define VIRTIO_CRYPTO_CURVE_UNKNOWN 0 +#define VIRTIO_CRYPTO_CURVE_NIST_P192 1 +#define VIRTIO_CRYPTO_CURVE_NIST_P224 2 +#define VIRTIO_CRYPTO_CURVE_NIST_P256 3 +#define VIRTIO_CRYPTO_CURVE_NIST_P384 4 +#define VIRTIO_CRYPTO_CURVE_NIST_P521 5 +\end{lstlisting} + \subsection{Device configuration layout}\label{sec:Device Types / Crypto Device / Device configuration layout} Crypto device configuration uses the following layout structure: @@ -204,6 +266,7 @@ \subsection{Device configuration layout}\label{sec:Device Types / Crypto Device le32 reserved; /* Maximum size of each crypto request's content in bytes */ le64 max_size; + le32 asym_algo; }; \end{lstlisting} @@ -323,6 +386,7 @@ \subsubsection{Operation Status}\label{sec:Device Types / Crypto Device / Device VIRTIO_CRYPTO_NOTSUPP = 3, VIRTIO_CRYPTO_INVSESS = 4, VIRTIO_CRYPTO_NOSPC = 5, + VIRTIO_CRYPTO_KEY_REJECTED = 6, VIRTIO_CRYPTO_MAX }; \end{lstlisting} @@ -334,6 +398,7 @@ \subsubsection{Operation Status}\label{sec:Device Types / Crypto Device / Device \item VIRTIO_CRYPTO_INVSESS: invalid session ID when executing crypto operations. \item VIRTIO_CRYPTO_NOSPC: no free session ID (only when the VIRTIO_CRYPTO_F_REVISION_1 feature bit is negotiated). +\item VIRTIO_CRYPTO_KEY_REJECTED: signature verify failed (only when akcipher verify). \item VIRTIO_CRYPTO_ERR: any failure not mentioned above occurs. \end{itemize*} @@ -364,6 +429,10 @@ \subsubsection{Control Virtqueue}\label{sec:Device Types / Crypto Device / Devic VIRTIO_CRYPTO_OPCODE(VIRTIO_CRYPTO_SERVICE_AEAD, 0x02) #define VIRTIO_CRYPTO_AEAD_DESTROY_SESSION \ VIRTIO_CRYPTO_OPCODE(VIRTIO_CRYPTO_SERVICE_AEAD, 0x03) +#define VIRTIO_CRYPTO_ASYM_CREATE_SESSION \ + VIRTIO_CRYPTO_OPCODE(VIRTIO_CRYPTO_SERVICE_ASYM, 0x04) +#define VIRTIO_CRYPTO_ASYM_DESTROY_SESSION \ + VIRTIO_CRYPTO_OPCDE(VIRTIO_CRYPTO_SERVICE_ASYM, 0x05) le32 opcode; /* algo should be service-specific algorithms */ le32 algo; @@ -658,7 +727,6 @@ \subsubsection{Control Virtqueue}\label{sec:Device Types / Crypto Device / Devic \field{vlf_len} is the size of the specific structure used. - \subparagraph{Session operation: AEAD session}\label{sec:Device Types / Crypto Device / Device Operation / Control Virtqueue / Session operation / Session operation: AEAD session} @@ -690,6 +758,73 @@ \subsubsection{Control Virtqueue}\label{sec:Device Types / Crypto Device / Devic The length of \field{key} is specified in \field{key_len} in struct virtio_crypto_aead_create_session_flf. +\subparagraph{Session operation: ASYM session}\label{sec:Device Types / Crypto Device / Device +Operation / Control Virtqueue / Session operation / Session operation: ASYM session} + +The request of ASYM session could be ASYM algorithms request. +The fixed-length and the variable-length parameters of ASYM session requests are as follows: +\begin{lstlisting} +struct virtio_crypto_asym_create_session_flf { + /* Device read only portion */ + + /* See VIRTIO_CRYPTO_ASYM_* above */ + le32 algo; + /* See VIRTIO_CRYPTO_ASYM_KEY_TYPE_* above */ + le32 key_type; + /* length of key */ + le32 key_len; + /* algothrim specific parameters */ + union { + struct virtio_crypto_rsa_session_para rsa; + struct virtio_crypto_ecdsa_session_para ecdsa; + } u; +}; + +struct virtio_crypto_rsa_session_para { + /* Padding algorithm used for rsa, see VIRTIO_CRYPTO_RSA_* above */ + le32 padding_algo; + /* Hash algorithm used for padding digest, see VIRTIO_CRYPTO_RSA_* above */ + le32 hash_algo; +}; + +struct virtio_crypto_ecdsa_session_para { + /* Known elliptic curves, see VIRTIO_CRYPTO_CURVE_* */ + le32 curve_id; +}; + +struct virtio_crypto_asym_create_session_vlf { + /* Device read only portion */ + u8 key[key_len]; +}; +\end{lstlisting} + +The length of cipher_key is specificed in key_len in the struct virtio_asym_session_flf. +The format of asymmetric keys is defined with ASN.1 schema and is encoded by DER format. + +The schema of RSA keys: +\begin{lstlisting} +RsaPrivateKey ::= SEQUENCE { + version INTEGER + n INTEGER + e INTEGER + d INTEGER + p INTEGER + q INTEGER + e1 INTEGER + e2 INTEGER + u INTEGER +} + +RsaPublicKey ::= SEQUENCE { + n INTEGER + e INTEGER +} +\end{lstlisting} + +The schema of other algothrim currently undefined. + +The length of \field{key} is specified in \field{key_len} in struct +virtio_crypto_asym_create_session_flf. \drivernormative{\subparagraph}{Session operation: create session}{Device Types / Crypto Device / Device Operation / Control Virtqueue / Session operation / Session operation: create session} @@ -764,6 +899,14 @@ \subsubsection{Data Virtqueue}\label{sec:Device Types / Crypto Device / Device O VIRTIO_CRYPTO_OPCODE(VIRTIO_CRYPTO_SERVICE_AEAD, 0x00) #define VIRTIO_CRYPTO_AEAD_DECRYPT \ VIRTIO_CRYPTO_OPCODE(VIRTIO_CRYPTO_SERVICE_AEAD, 0x01) +#define VIRTIO_CRYPTO_ASYM_ENCRYPT \ + VIRTIO_CRYPTO_OPCODE(VIRTIO_CRYPTO_SERVICE_ASYM, 0x00) +#define VIRTIO_CRYPTO_ASYM_DECRYPT \ + VIRTIO_CRYPTO_OPCODE(VIRTIO_CRYPTO_SERVICE_ASYM, 0x01) +#define VIRTIO_CRYPTO_ASYM_SIGN \ + VIRTIO_CRYPTO_OPCODE(VIRTIO_CRYPTO_SERVICE_ASYM, 0x02) +#define VIRTIO_CRYPTO_ASYM_VERIFY \ + VIRTIO_CRYPTO_OPCODE(VIRTIO_CRYPTO_SERVICE_ASYM, 0x03) le32 opcode; /* algo should be service-specific algorithms */ le32 algo; @@ -1044,7 +1187,7 @@ \subsubsection{MAC Service Operation}\label{sec:Device Types / Crypto Device / D \begin{itemize*} \item If the VIRTIO_CRYPTO_F_MAC_STATELESS_MODE feature bit is negotiated, the device MUST parse \field{flag} field in struct virtio_crypto_op_header in order to decide - which mode the driver uses. + which mode the driver uses. \item The device MUST copy the results of MAC operations in the hash_result[] if HASH operations success. \item The device MUST set \field{status} in struct virtio_crypto_inhdr to one of the @@ -1369,7 +1512,7 @@ \subsubsection{Symmetric algorithms Operation}\label{sec:Device Types / Crypto D \begin{itemize*} \item If the VIRTIO_CRYPTO_F_CIPHER_STATELESS_MODE feature bit is negotiated, the device MUST parse \field{flag} field in struct virtio_crypto_op_header in order to decide - which mode the driver uses. + which mode the driver uses. \item The device MUST parse the virtio_crypto_sym_data_req based on the \field{opcode} field in general header. \item The device MUST parse the fields of struct virtio_crypto_cipher_data_flf in @@ -1518,7 +1661,7 @@ \subsubsection{AEAD Service Operation}\label{sec:Device Types / Crypto Device / \begin{itemize*} \item If the VIRTIO_CRYPTO_F_AEAD_STATELESS_MODE feature bit is negotiated, the device MUST parse the virtio_crypto_aead_data_vlf_stateless based on the \field{opcode} - field in general header. + field in general header. \item The device MUST copy the result of cryptographic operation in the dst_data[]. \item The device MUST copy the authentication tag in the dst_data[] offset the cipher result. \item The device MUST set the \field{status} field in struct virtio_crypto_inhdr to @@ -1533,3 +1676,66 @@ \subsubsection{AEAD Service Operation}\label{sec:Device Types / Crypto Device / \item VIRTIO_CRYPTO_ERR if any failure not mentioned above occurs. \end{itemize*} \end{itemize*} + +\subsubsection{ASYM Service Operation}\label{sec:Device Types / Crypto Device / Device Operation / ASYM Service Operation} + +Session mode requests of asymmetric algorithm are as follows: + +\begin{lstlisting} +struct virtio_crypto_asym_data_flf { + /* + * For Encrypt/Decrypt/Sign, src data is the plaintext/ciphertext/digest, + * and dst data is the ciphertext/plaintext/digest. + * For verify, src data is signature, and dst data is the digest. + */ + /* length of source data */ + le32 src_data_len; + /* length of dst data */ + le32 dst_data_len; +}; + +struct virtio_crypto_asym_data_vlf { + /* Device read only portion */ + + /* + * For Encrypt/Decrypt/Sign, src_data_len equals src_data_len field of struct + * virtio_crypto_asym_data_flf, dst_data_len equals dst_data_len field of struct + * virtio_crypto_asym_data_flf. + * For Verify, src_data_len equals the sum of src_data_len and dst_data_len in + * struct virtio_crypto_asym_data_flf. and dst_data_len always equals zero. + */ + /* Source data */ + u8 src_data[src_data_len]; + + /* Device write only portion */ + /* Pointer to output data */ + u8 dst_data[dst_data_len]; +}; +\end{lstlisting} + +\drivernormative{\paragraph}{ASYM Service Operation}{Device Types / Crypto Device / Device Operation / ASYM Service Operation} + +\begin{itemize*} +\item The driver MUST set \field{session_id} in struct virtio_crypto_op_header to a valid value assigned + by the device when the session was created. +\item The driver MUST set the \field{opcode} field in struct virtio_crypto_op_header + to one of VIRTIO_CRYPTO_ASYM_ENCRYPT, VIRTIO_CRYPTO_ASYM_DESTROY_SESSION, VIRTIO_CRYPTO_ASYM_SIGN and VIRTIO_CRYPTO_ASYM_VERIFY. +\end{itemize*} + +\devicenormative{\paragraph}{ASYM Service Operation}{Device Types / Crypto Device / Device Operation / ASYM Service Operation} + +\begin{itemize*} +\item The device MUST parse the virtio_crypto_aead_data_vlf_stateless based on the \field{opcode} + field in general header. +\item The device MUST copy the result of cryptographic operation in the dst_data[]. +\item The device MUST set the \field{status} field in struct virtio_crypto_inhdr to + one of the following values of enum VIRTIO_CRYPTO_STATUS: +\begin{itemize*} +\item VIRTIO_CRYPTO_OK if the operation success. +\item VIRTIO_CRYPTO_NOTSUPP if the requested algorithm or operation is unsupported. +\item VIRTIO_CRYPTO_BADMSG if the verification result is incorrect. +\item VIRTIO_CRYPTO_INVSESS if the session ID invalid when in session mode. +\item VIRTIO_CRYPTO_KEY_REJECTED if the signature verification failed. +\item VIRTIO_CRYPTO_ERR if any failure not mentioned above occurs. +\end{itemize*} +\end{itemize*} -- 2.11.0
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]