wen/luban-lite-t3e-pro
1
0
Fork 0
mirror of https://gitee.com/Vancouver2017/luban-lite-t3e-pro.git synced 2025-12-14 10:28:54 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
fe0b990053fc29df772a4716d8fa9185f28e1283
luban-lite-t3e-pro/doc/topics/sdk/ce/ce-key_design_intro.html
刘可亮 b4033d8696 add doc v1.1.2
2025-01-23 16:37:00 +08:00

350 lines
38 KiB
HTML
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
<!DOCTYPE html><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="zh-cn" lang="zh-cn" data-whc_version="26.0">
<head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/><meta name="viewport" content="width=device-width, initial-scale=1.0"/><meta http-equiv="X-UA-Compatible" content="IE=edge"/><meta name="description" content="算法的分类注册 CE 硬件实现了多组不同类型的加密算法加速单元,分别对应内核加密子系统中的几种类型加密算法。在驱动实现时,根据不同的算法类型,将 CE 硬件抽象出三个不同的算法加速器: 对称密钥算法加速器 非对称密钥算法加速器 消息摘要算法加速器 驱动按照不同的算法加速器进行资源分配和实现,每个算法加速器支持多种不同的具体算法,并且将具体算法注册到加密子系统。 图 1 . CE 算法分类 驱动为 ..."/><meta name="DC.rights.owner" content="(C) 版权 2025"/><meta name="copyright" content="(C) 版权 2025"/><meta name="generator" content="DITA-OT"/><meta name="DC.type" content="concept"/><meta name="DC.creator" content="yan.wang"/><meta name="DC.date.created" content="2024-01-24"/><meta name="DC.date.modified" content="2024-12-04"/><meta name="DC.format" content="HTML5"/><meta name="DC.identifier" content="ce_key_design_intro"/><meta name="DC.language" content="zh-CN"/><title>设计要点</title><!-- Build number 2023110923. --><meta name="wh-path2root" content="../../../"/><meta name="wh-toc-id" content=""/><meta name="wh-source-relpath" content="topics/sdk/ce/ce-key_design_intro.dita"/><meta name="wh-out-relpath" content="topics/sdk/ce/ce-key_design_intro.html"/>
<link rel="stylesheet" type="text/css" href="../../../webhelp/app/commons.css?buildId=2023110923"/>
<link rel="stylesheet" type="text/css" href="../../../webhelp/app/topic.css?buildId=2023110923"/>
<script src="../../../webhelp/app/options/properties.js?buildId=20250121171154"></script>
<script src="../../../webhelp/app/localization/strings.js?buildId=2023110923"></script>
<script src="../../../webhelp/app/search/index/keywords.js?buildId=20250121171154"></script>
<script defer="defer" src="../../../webhelp/app/commons.js?buildId=2023110923"></script>
<script defer="defer" src="../../../webhelp/app/topic.js?buildId=2023110923"></script>
<link rel="stylesheet" type="text/css" href="../../../webhelp/template/aic-styles-web.css?buildId=2023110923"/><link rel="stylesheet" type="text/css" href="../../../webhelp/template/notes.css?buildId=2023110923"/><link rel="stylesheet" type="text/css" href="../../../webhelp/template/aic-common.css?buildId=2023110923"/><link rel="stylesheet" type="text/css" href="../../../webhelp/template/aic-images.css?buildId=2023110923"/><link rel="stylesheet" type="text/css" href="../../../webhelp/template/footnote.css?buildId=2023110923"/><link rel="stylesheet" type="text/css" href="../../../webhelp/template/aic-web-watermark.css?buildId=2023110923"/><link rel="stylesheet" type="text/css" href="../../../webhelp/template/topic-body-list.css?buildId=2023110923"/></head>
<body id="ce_key_design_intro" class="wh_topic_page frmBody">
<a href="#wh_topic_body" class="sr-only sr-only-focusable">
跳转到主要内容
</a>
<header class="navbar navbar-default wh_header">
<div class="container-fluid">
<div class="wh_header_flex_container navbar-nav navbar-expand-md navbar-dark">
<div class="wh_logo_and_publication_title_container">
<div class="wh_logo_and_publication_title">
<a href="http://www.artinchip.com" class=" wh_logo d-none d-sm-block "><img src="../../../company-logo-white.png" alt="RTOS SDK 使用指南SDK 指南文件"/></a>
<div class=" wh_publication_title "><a href="../../../index.html"><span class="booktitle"><span class="ph mainbooktitle">RTOS SDK 使用指南</span><span class="ph booktitlealt">SDK 指南文件</span></span></a></div>
</div>
</div>
<div class="wh_top_menu_and_indexterms_link collapse navbar-collapse" id="wh_top_menu_and_indexterms_link">
</div>
</div>
</div>
</header>
<div class=" wh_search_input navbar-form wh_topic_page_search search " role="form">
<form id="searchForm" method="get" role="search" action="../../../search.html"><div><input type="search" placeholder="搜索 " class="wh_search_textfield" id="textToSearch" name="searchQuery" aria-label="搜索查询" required="required"/><button type="submit" class="wh_search_button" aria-label="搜索"><span class="search_input_text">搜索</span></button></div></form>
</div>
<div class="container-fluid" id="wh_topic_container">
<div class="row">
<nav class="wh_tools d-print-none navbar-expand-md" aria-label="Tools">
<div data-tooltip-position="bottom" class=" wh_breadcrumb "></div>
<div class="wh_right_tools">
<button class="wh_hide_highlight" aria-label="切换搜索突出显示" title="切换搜索突出显示"></button>
<button class="webhelp_expand_collapse_sections" data-next-state="collapsed" aria-label="折叠截面" title="折叠截面"></button>
<div class=" wh_print_link print d-none d-md-inline-block "><button onClick="window.print()" title="打印此页" aria-label="打印此页"></button></div>
</div>
</nav>
</div>
<div class="wh_content_area">
<div class="row">
<div class="col-lg-10 col-md-10 col-sm-10 col-xs-12" id="wh_topic_body">
<button id="wh_close_topic_toc_button" class="close-toc-button d-none" aria-label="Toggle topic table of content" aria-controls="wh_topic_toc" aria-expanded="true">
<span class="close-toc-icon-container">
<span class="close-toc-icon"></span>
</span>
</button>
<div class=" wh_topic_content body "><main role="main"><article class="- topic/topic concept/concept topic concept" role="article" aria-labelledby="ariaid-title1"><span class="edit-link" style="font-size:12px; opacity:0.6; text-align:right; vertical-align:middle"><a target="_blank" href="http://172.16.35.88/tasks/jdssno1uvvbf2mltu9kb9v3if05d5gopuakboe8hlud18rma/edit/F:/aicdita/aicdita-cn/topics/sdk/ce/ce-key_design_intro.dita">Edit online</a></span><h1 class="- topic/title title topictitle1" id="ariaid-title1">设计要点</h1><div class="date inPage">4 Dec 2024</div><div style="color: gray;">
Read time: 4 minute(s)
</div><div class="- topic/body concept/conbody body conbody"><section class="- topic/section section" id="ce_key_design_intro__section_cmg_n1y_21c" data-ofbid="ce_key_design_intro__section_cmg_n1y_21c"><h2 class="- topic/title title sectiontitle">算法的分类注册</h2>
<p class="- topic/p p" data-ofbid="d325014e28__20250121171829">CE 硬件实现了多组不同类型的加密算法加速单元,分别对应内核加密子系统中的几种类型加密算法。在驱动实现时,根据不同的算法类型,将 CE
硬件抽象出三个不同的算法加速器:</p>
<ol class="- topic/ol ol" id="ce_key_design_intro__ol_emg_n1y_21c" data-ofbid="ce_key_design_intro__ol_emg_n1y_21c"><li class="- topic/li li" data-ofbid="d325014e32__20250121171829">
<p class="- topic/p p" data-ofbid="d325014e34__20250121171829">对称密钥算法加速器</p>
</li><li class="- topic/li li" data-ofbid="d325014e37__20250121171829">
<p class="- topic/p p" data-ofbid="d325014e39__20250121171829">非对称密钥算法加速器</p>
</li><li class="- topic/li li" data-ofbid="d325014e42__20250121171829">
<p class="- topic/p p" data-ofbid="d325014e44__20250121171829">消息摘要算法加速器</p>
</li></ol>
<p class="- topic/p p" data-ofbid="d325014e48__20250121171829">驱动按照不同的算法加速器进行资源分配和实现,每个算法加速器支持多种不同的具体算法,并且将具体算法注册到加密子系统。</p>
<figure class="- topic/fig fig fignone" id="ce_key_design_intro__fig_qsj_41y_21c" data-ofbid="ce_key_design_intro__fig_qsj_41y_21c"><br/><div class="imagecenter"><img class="- topic/image image imagecenter" id="ce_key_design_intro__image_fmg_n1y_21c" src="../../../images/ce/ce_alg_and_accel.png" alt="ce_alg_and_accel"/></div><br/><figcaption data-caption-side="bottom" class="- topic/title title figcapcenter"><span class="figtitleprefix fig--title-label"><span class="fig--title-label-number"> 1</span><span class="fig--title-label-punctuation">. </span></span><span class="fig--title">CE 算法分类</span></figcaption></figure>
<div class="- topic/p p" data-ofbid="d325014e59__20250121171829">驱动为 每一个 CE 算法实现一个实例,然后注册到内核加密子系统。 内核加密子系统使用链表的方式管理所有注册的算法,后续的使用者通过两个名字(
<span class="+ topic/keyword pr-d/parmname keyword parmname">cra_name</span>, <span class="+ topic/keyword pr-d/parmname keyword parmname">cra_driver_name</span> )可以查找到对应的算法。
例如:<pre class="+ topic/pre pr-d/codeblock pre codeblock language-c" id="ce_key_design_intro__codeblock_igr_p1y_21c" data-ofbid="ce_key_design_intro__codeblock_igr_p1y_21c"><strong class="hl-keyword">struct</strong> skcipher_alg alg = {
.base.cra_name = <span class="hl-string">"ecb(aes)"</span>,
.base.cra_driver_name = <span class="hl-string">"ecb-aes-aic"</span>,
.base.cra_priority = <span class="hl-number">400</span>,
.base.cra_flags = CRYPTO_ALG_ASYNC | CRYPTO_ALG_ALLOCATES_MEMORY,
.base.cra_blocksize = AES_BLOCK_SIZE,
.base.cra_ctxsize = <strong class="hl-keyword">sizeof</strong>(<strong class="hl-keyword">struct</strong> aic_skcipher_tfm_ctx),
.base.cra_alignmask = <span class="hl-number">0</span>,
.base.cra_module = THIS_MODULE,
.init = aic_skcipher_alg_init,
.exit = aic_skcipher_alg_exit,
.setkey = aic_skcipher_alg_setkey,
.decrypt = aic_skcipher_aes_ecb_decrypt,
.encrypt = aic_skcipher_aes_ecb_encrypt,
.min_keysize = AES_MIN_KEY_SIZE,
.max_keysize = AES_MAX_KEY_SIZE,
.ivsize = <span class="hl-number">0</span>,
};</pre></div>
<p class="- topic/p p" data-ofbid="d325014e70__20250121171829">各驱动和算法实现模块,通过下列接口向加密子系统注册算法。</p>
<pre class="+ topic/pre pr-d/codeblock pre codeblock language-c" id="ce_key_design_intro__codeblock_bwg_q1y_21c" data-ofbid="ce_key_design_intro__codeblock_bwg_q1y_21c"><strong class="hl-keyword">int</strong> crypto_register_skcipher(<strong class="hl-keyword">struct</strong> skcipher_alg *alg);
<strong class="hl-keyword">void</strong> crypto_unregister_skcipher(<strong class="hl-keyword">struct</strong> skcipher_alg *alg);
<strong class="hl-keyword">int</strong> crypto_register_akcipher(<strong class="hl-keyword">struct</strong> akcipher_alg *alg);
<strong class="hl-keyword">void</strong> crypto_unregister_akcipher(<strong class="hl-keyword">struct</strong> akcipher_alg *alg);
<strong class="hl-keyword">int</strong> crypto_register_ahash(<strong class="hl-keyword">struct</strong> ahash_alg *alg);
<strong class="hl-keyword">void</strong> crypto_unregister_ahash(<strong class="hl-keyword">struct</strong> ahash_alg *alg);
<strong class="hl-keyword">int</strong> crypto_register_aead(<strong class="hl-keyword">struct</strong> aead_alg *alg);
<strong class="hl-keyword">void</strong> crypto_unregister_aead(<strong class="hl-keyword">struct</strong> aead_alg *alg);
<strong class="hl-keyword">int</strong> crypto_register_kpp(<strong class="hl-keyword">struct</strong> kpp_alg *alg);
<strong class="hl-keyword">void</strong> crypto_unregister_kpp(<strong class="hl-keyword">struct</strong> kpp_alg *alg);
<strong class="hl-keyword">int</strong> crypto_register_rng(<strong class="hl-keyword">struct</strong> rng_alg *alg);
<strong class="hl-keyword">void</strong> crypto_unregister_rng(<strong class="hl-keyword">struct</strong> rng_alg *alg);</pre>
<figure class="- topic/fig fig fignone" id="ce_key_design_intro__fig_evv_q1y_21c" data-ofbid="ce_key_design_intro__fig_evv_q1y_21c"><br/><div class="imagecenter"><img class="- topic/image image imagecenter" id="ce_key_design_intro__image_img_n1y_21c" src="../../../images/ce/ce_subsystem_alg_list.png" alt="ce_subsystem_alg_list"/></div><br/><figcaption data-caption-side="bottom" class="- topic/title title figcapcenter"><span class="figtitleprefix fig--title-label"><span class="fig--title-label-number"> 2</span><span class="fig--title-label-punctuation">. </span></span><span class="fig--title">加密子系统的算法列表</span></figcaption></figure>
<div class="- topic/p p" data-ofbid="d325014e83__20250121171829">使用时,使用者需要使用对应的
API创建对应算法的数据处理实例然后使用对应类型算法的接口进行数据的处理。如对称密钥算法使用下列的接口。<pre class="+ topic/pre pr-d/codeblock pre codeblock language-c" id="ce_key_design_intro__codeblock_sdm_r1y_21c" data-ofbid="ce_key_design_intro__codeblock_sdm_r1y_21c"><strong class="hl-keyword">struct</strong> crypto_skcipher *
crypto_alloc_skcipher(<strong class="hl-keyword">const</strong> <strong class="hl-keyword">char</strong> *alg_name, u32 type, u32 mask);
<strong class="hl-keyword">struct</strong> skcipher_request *
skcipher_request_alloc(<strong class="hl-keyword">struct</strong> crypto_skcipher *tfm, gfp_t gfp);
<strong class="hl-keyword">int</strong> crypto_skcipher_encrypt(<strong class="hl-keyword">struct</strong> skcipher_request *req);
<strong class="hl-keyword">int</strong> crypto_skcipher_decrypt(<strong class="hl-keyword">struct</strong> skcipher_request *req);</pre></div>
<div class="- topic/note note note note_note" id="ce_key_design_intro__note_srw_r1y_21c" data-ofbid="ce_key_design_intro__note_srw_r1y_21c"><span class="note__title">注:</span>
<p class="- topic/p p" data-ofbid="d325014e90__20250121171829">可以留意,以对对称密钥算法为例,向加密子系统注册算法实例时,使用的结构体为 <span class="+ topic/keyword pr-d/parmname keyword parmname">struct skciper_alg</span> 用户 API
使用时,使用的结构体为 <span class="+ topic/keyword pr-d/parmname keyword parmname">struct crypto_skcipher</span> 。这里的区别是,前者是对内,
是具体算法的实现。后者是对外,代表一个对称密钥算法。</p>
</div>
</section><section class="- topic/section section" id="ce_key_design_intro__section_kmg_n1y_21c" data-ofbid="ce_key_design_intro__section_kmg_n1y_21c"><h2 class="- topic/title title sectiontitle">异步调用和处理</h2>
<p class="- topic/p p" data-ofbid="d325014e105__20250121171829">为了支持更广泛的应用场景CE 的算法驱动需要实现异步调用,即每一个请求调用,都会立刻返回, 然后通过注册的回调函数来获取请求处理完成的通知。</p>
<p class="- topic/p p" data-ofbid="d325014e108__20250121171829">要实现异步调用需要为每一个加速器实现对应的任务队列,以及相应的执行线程。内核加密子系统提供的公共模块 <code class="+ topic/ph pr-d/codeph ph codeph">crypto_engine</code>
已经实现了对应的功能,只需为每个加速器创建 <code class="+ topic/ph pr-d/codeph ph codeph">crypto_engine</code> 即可。</p>
<figure class="- topic/fig fig fignone" id="ce_key_design_intro__fig_tkp_s1y_21c" data-ofbid="ce_key_design_intro__fig_tkp_s1y_21c"><br/><div class="imagecenter"><img class="- topic/image image imagecenter" id="ce_key_design_intro__image_lmg_n1y_21c" src="../../../images/ce/ce_async_call.png" alt="ce_async_call"/></div><br/><figcaption data-caption-side="bottom" class="- topic/title title figcapcenter"><span class="figtitleprefix fig--title-label"><span class="fig--title-label-number"> 3</span><span class="fig--title-label-punctuation">. </span></span><span class="fig--title">Crypto Engine 的异步工作流程</span></figcaption></figure>
<p class="- topic/p p" data-ofbid="d325014e124__20250121171829">如上图所示,当算法驱动接收到一个数据处理请求时,只需做一些基本的标记工作,然后将该请求转发给对应的 <code class="+ topic/ph pr-d/codeph ph codeph">crypto_engine</code>
进行管理。<code class="+ topic/ph pr-d/codeph ph codeph">crypto_engine</code> 包含一个任务队列,以及一个工作线程。</p>
<p class="- topic/p p" data-ofbid="d325014e134__20250121171829">工作线程总是检查当前队列是否有待处理的任务,如果有任务需要处理,则对当前任务按顺序调用对应的回调函数:</p>
<div class="table-container"><table class="- topic/table table frame-all" id="ce_key_design_intro__table_mmg_n1y_21c" data-ofbid="ce_key_design_intro__table_mmg_n1y_21c" data-cols="2"><caption></caption><colgroup><col style="width:50%"/><col style="width:50%"/></colgroup><thead class="- topic/thead thead"><tr class="- topic/row"><th class="- topic/entry entry colsep-1 rowsep-1" id="ce_key_design_intro__table_mmg_n1y_21c__entry__1">回调函数</th><th class="- topic/entry entry colsep-0 rowsep-1" id="ce_key_design_intro__table_mmg_n1y_21c__entry__2">说明</th></tr></thead><tbody class="- topic/tbody tbody"><tr class="- topic/row"><td class="- topic/entry entry colsep-1 rowsep-1" headers="ce_key_design_intro__table_mmg_n1y_21c__entry__1">prepare(…)</td><td class="- topic/entry entry colsep-0 rowsep-1" headers="ce_key_design_intro__table_mmg_n1y_21c__entry__2">准备硬件以及对将要送给硬件的数据进行预处理</td></tr><tr class="- topic/row"><td class="- topic/entry entry colsep-1 rowsep-0" headers="ce_key_design_intro__table_mmg_n1y_21c__entry__1">do_one_request(…)</td><td class="- topic/entry entry colsep-0 rowsep-0" headers="ce_key_design_intro__table_mmg_n1y_21c__entry__2">启动硬件,处理数据</td></tr></tbody></table></div>
<p class="- topic/p p" data-ofbid="d325014e159__20250121171829">硬件完成处理之后,在对一个的 IRQ 处理线程中处理输出数据,并且调用该请求的回调函数,以及释放本次数据处理请求所申请的资源。</p>
<p class="- topic/p p" data-ofbid="d325014e162__20250121171829">CE 的每一个算法处理单元对应一个 <code class="+ topic/ph pr-d/codeph ph codeph">crypto_engine</code>, 即有skcipher engineakcipher
enginehash engine</p>
</section><section class="- topic/section section" id="ce_key_design_intro__section_nmg_n1y_21c" data-ofbid="ce_key_design_intro__section_nmg_n1y_21c"><h2 class="- topic/title title sectiontitle">eFuse 密钥和安全 SRAM</h2>
<p class="- topic/p p" data-ofbid="d325014e173__20250121171829">安全 SRAM 是 CE 中的一块专用 SRAM该 SRAM 与其他模块安全隔离,仅 CE 可以访问, 因此用其保存的密钥和数据可以保证不被其他模块窃取。</p>
<p class="- topic/p p" data-ofbid="d325014e176__20250121171829">安全 SRAM 的设计目的是要解决密钥的本地存储的安全问题。在一些数据加密的应用场景中,用户生成了一个密钥,
并且使用该密钥对数据进行加密。本地存储了加密后的数据,但是密钥要如何保存才安全又成了新的问题。 如果明文保存在本地,则很容易被窃取。</p>
<p class="- topic/p p" data-ofbid="d325014e179__20250121171829">使用安全 SRAM 如何解决密钥的本地存储的安全问题?具体做法是:</p>
<ol class="- topic/ol ol" id="ce_key_design_intro__ol_pmg_n1y_21c" data-ofbid="ce_key_design_intro__ol_pmg_n1y_21c"><li class="- topic/li li" data-ofbid="d325014e183__20250121171829">
<p class="- topic/p p" data-ofbid="d325014e185__20250121171829">本地不保存明文密钥,只保存经过 eFuse 密钥加密后的密钥数据eFuse 密钥 CPU 不可读,仅 CE 可读)</p>
</li><li class="- topic/li li" data-ofbid="d325014e188__20250121171829">
<p class="- topic/p p" data-ofbid="d325014e190__20250121171829">需要使用密钥时,首先将加密后的密钥数据,解密到安全 SRAMCE 再从安全 SRAM 读取密钥明文</p>
</li></ol>
<figure class="- topic/fig fig fignone" id="ce_key_design_intro__fig_kfb_51y_21c" data-ofbid="ce_key_design_intro__fig_kfb_51y_21c"><br/><div class="imagecenter"><img class="- topic/image image imagecenter" id="ce_key_design_intro__image_qmg_n1y_21c" src="../../../images/ce/secure_sram_1.png" alt="secure_sram_1"/></div><br/><figcaption data-caption-side="bottom" class="- topic/title title figcapcenter"><span class="figtitleprefix fig--title-label"><span class="fig--title-label-number"> 4</span><span class="fig--title-label-punctuation">. </span></span><span class="fig--title">安全密钥的生成</span></figcaption></figure>
<p class="- topic/p p" data-ofbid="d325014e202__20250121171829">在需要使用安全 SRAM 进行加解密处理时,需要完成下列操作:</p>
<ol class="- topic/ol ol" id="ce_key_design_intro__ol_smg_n1y_21c" data-ofbid="ce_key_design_intro__ol_smg_n1y_21c"><li class="- topic/li li" data-ofbid="d325014e206__20250121171829">
<p class="- topic/p p" data-ofbid="d325014e208__20250121171829">用户指定一种对称密钥算法,指定 eFuse 密钥,对加密后的密钥数据进行解密</p>
</li><li class="- topic/li li" data-ofbid="d325014e211__20250121171829">
<p class="- topic/p p" data-ofbid="d325014e213__20250121171829">用户指定解密后的明文密钥输出的安全 SRAM 位置</p>
</li><li class="- topic/li li" data-ofbid="d325014e216__20250121171829">
<p class="- topic/p p" data-ofbid="d325014e218__20250121171829">配置 CE 使用特定安全 SRAM 中的明文密钥,对数据进行加解密处理</p>
</li></ol>
<p class="- topic/p p" data-ofbid="d325014e222__20250121171829">问题:</p>
<p class="- topic/p p" data-ofbid="d325014e225__20250121171829">该流程是 AIC CE 特有,用户提供了更多的输入信息,中间多了密钥的解密、安全 SRAM 的管理等。
该处理流程如何融入到内核加密子系统的算法处理流程成为了问题。</p>
<p class="- topic/p p" data-ofbid="d325014e228__20250121171829">为了很好的对接内核加密子系统并且方便用户使用CE 驱动采取的方案是:</p>
<ol class="- topic/ol ol" id="ce_key_design_intro__ol_vmg_n1y_21c" data-ofbid="ce_key_design_intro__ol_vmg_n1y_21c"><li class="- topic/li li" data-ofbid="d325014e233__20250121171829">
<p class="- topic/p p" data-ofbid="d325014e235__20250121171829">将安全 SRAM 的使用场景具体化,限制到具体的应用需求</p>
</li><li class="- topic/li li" data-ofbid="d325014e238__20250121171829">
<p class="- topic/p p" data-ofbid="d325014e240__20250121171829">将使用安全 SRAM 的算法抽象为一种特殊的算法,注册到内核加密子系统中</p>
</li><li class="- topic/li li" data-ofbid="d325014e243__20250121171829">
<p class="- topic/p p" data-ofbid="d325014e245__20250121171829">算法的处理过程中首先进行一个密钥的解密,然后再进行数据的处理</p>
</li></ol>
<p class="- topic/p p" data-ofbid="d325014e249__20250121171829">具体实现是为每一个场景实现一个对应的特殊算法,如为需要使用 eFuse HUK 进行密钥解密的 AES ECB 算法,实现一个名为
<span class="+ topic/keyword pr-d/apiname keyword apiname">huk-protected(ecb(aes))</span> 的算法,并且注册到内核加密子系统中。</p>
<p class="- topic/p p" data-ofbid="d325014e255__20250121171829">当用户指定使用该算法时:</p>
<ol class="- topic/ol ol" id="ce_key_design_intro__ol_xmg_n1y_21c" data-ofbid="ce_key_design_intro__ol_xmg_n1y_21c"><li class="- topic/li li" data-ofbid="d325014e259__20250121171829">
<p class="- topic/p p" data-ofbid="d325014e261__20250121171829">对应的驱动总是先申请一块安全 SRAM 空间</p>
</li><li class="- topic/li li" data-ofbid="d325014e264__20250121171829">
<p class="- topic/p p" data-ofbid="d325014e266__20250121171829">使用 eFuse HUK 对用户所提供的密钥数据进行解密,并输出到安全 SRAM 空间</p>
</li><li class="- topic/li li" data-ofbid="d325014e269__20250121171829">
<p class="- topic/p p" data-ofbid="d325014e271__20250121171829">然后指定 CE 使用安全 SRAM 中生成的明文密钥,对数据进行处理</p>
</li></ol>
<figure class="- topic/fig fig fignone" id="ce_key_design_intro__fig_a1m_v1y_21c" data-ofbid="ce_key_design_intro__fig_a1m_v1y_21c"><br/><div class="imagecenter"><img class="- topic/image image imagecenter" id="ce_key_design_intro__image_ymg_n1y_21c" src="../../../images/ce/secure_sram_2.png" alt="secure_sram_2"/></div><br/><figcaption data-caption-side="bottom" class="- topic/title title figcapcenter"><span class="figtitleprefix fig--title-label"><span class="fig--title-label-number"> 5</span><span class="fig--title-label-punctuation">. </span></span><span class="fig--title">算法使用安全 SRAM 的示意图</span></figcaption></figure>
<p class="- topic/p p" data-ofbid="d325014e282__20250121171829">通过这种方式,既可以让用户选择符合条件的处理算法,又避免了用户参与处理 eFuse 密钥等额外流程,
还与当前内核加密子系统中其他算法的使用流程保持一致,用户只要指定正确的名字即可使用这些特殊算法。</p>
<p class="- topic/p p" data-ofbid="d325014e286__20250121171829">当前 CE 驱动为下列几个应用场景定义了特殊算法。</p>
<ol class="- topic/ol ol" id="ce_key_design_intro__ol_ang_n1y_21c" data-ofbid="ce_key_design_intro__ol_ang_n1y_21c"><li class="- topic/li li" data-ofbid="d325014e290__20250121171829">
<p class="- topic/p p" data-ofbid="d325014e292__20250121171829">数据安全保护:将数据与设备型号加密绑定</p>
<p class="- topic/p p" data-ofbid="d325014e295__20250121171829">eFuse SSK 密钥,一型一密(厂商定义,一个型号共用相同密码),通过
<code class="+ topic/ph pr-d/codeph ph codeph">ssk-protected(ecb(aes))</code>
<code class="+ topic/ph pr-d/codeph ph codeph">ssk-protected(cbc(aes))</code>
算法加密的数据,结合本地密钥可在相同型号的机器上进行解密。</p>
</li><li class="- topic/li li" data-ofbid="d325014e304__20250121171829">
<p class="- topic/p p" data-ofbid="d325014e306__20250121171829">数据安全保护:将数据与具体设备加密绑定</p>
<p class="- topic/p p" data-ofbid="d325014e309__20250121171829">eFuse HUK 密钥,一机一密(芯片出厂时随机生成,每台唯一),通过 <code class="+ topic/ph pr-d/codeph ph codeph">huk-proteced(ecb(aes))</code>
<code class="+ topic/ph pr-d/codeph ph codeph">huk-proteced(cbc(aes))</code> 算法加密的数据,只能在当前设备可以解密。</p>
<p class="- topic/p p" data-ofbid="d325014e318__20250121171829"><code class="+ topic/ph pr-d/codeph ph codeph">huk-proteced(cts(aes))</code>
<code class="+ topic/ph pr-d/codeph ph codeph">huk-proteced(xts(aes))</code> 可用于当前设备的文件系统加密,
保证加密后的文件系统只有当前设备可以解密使用。</p>
</li><li class="- topic/li li" data-ofbid="d325014e326__20250121171829">
<p class="- topic/p p" data-ofbid="d325014e328__20250121171829">设备身份安全认证</p>
<p class="- topic/p p" data-ofbid="d325014e331__20250121171829">RSA 算法可以用于设备身份认证,前提是设备可以安全的保存其特有的私钥。</p>
<p class="- topic/p p" data-ofbid="d325014e334__20250121171829">AIC 的方案中可以使用 eFuse 密钥 PNK、PSK 对私钥进行加密保存在设备本地,然后使用
<code class="+ topic/ph pr-d/codeph ph codeph">pnk-proteced(rsa)</code> 算法,或者
<code class="+ topic/ph pr-d/codeph ph codeph">pskx-proteced(rsa)</code> 算法,将对应的私钥解密到安全 SRAM 中使用。</p>
<p class="- topic/p p" data-ofbid="d325014e343__20250121171829">PNK、PSK 是仅 CE 可访问的安全 eFuse 空间,可根据实际情况,分配给不同的厂商/用户使用。
当用户需要对设备进行身份认证时,可使用这些算法。</p>
</li></ol>
<figure class="- topic/fig fig fignone" id="ce_key_design_intro__fig_tth_w1y_21c" data-ofbid="ce_key_design_intro__fig_tth_w1y_21c"><br/><div class="imagecenter"><img class="- topic/image image imagecenter" id="ce_key_design_intro__image_bng_n1y_21c" src="../../../images/ce/secure_sram_3.png" alt="secure_sram_3"/></div><br/><figcaption data-caption-side="bottom" class="- topic/title title figcapcenter"><span class="figtitleprefix fig--title-label"><span class="fig--title-label-number"> 6</span><span class="fig--title-label-punctuation">. </span></span><span class="fig--title">使用安全 SRAM 的特殊算法</span></figcaption></figure>
</section><section class="- topic/section section" id="ce_key_design_intro__section_cng_n1y_21c" data-ofbid="ce_key_design_intro__section_cng_n1y_21c"><h2 class="- topic/title title sectiontitle">Fallback 机制</h2>
<p class="- topic/p p" data-ofbid="d325014e359__20250121171829">当用户使用指定的 CE 算法时,遇到一些 CE 无法支持的边角情况,此时需要通过 Fallback 机制, 使用软件实现的算法完成用户指定的数据处理任务。</p>
<p class="- topic/p p" data-ofbid="d325014e362__20250121171829">目前可能需要使用 Fallback 机制的是 RSA 算法。</p>
<p class="- topic/p p" data-ofbid="d325014e365__20250121171829">RSA 算法共有 5 种密钥长度,但是目前 CE 仅支持三种512、1024、2048当用户需要使用 3072 4096 比特的密钥时,需要使用 Fallback
机制,使用软件计算。</p>
</section><section class="- topic/section section" id="ce_key_design_intro__section_dng_n1y_21c" data-ofbid="ce_key_design_intro__section_dng_n1y_21c"><h2 class="- topic/title title sectiontitle">内核补丁</h2>
<p class="- topic/p p" data-ofbid="d325014e373__20250121171829">如前面所述,内核加密子系统通过 AF_ALG Socket 接口向用户空间程序提供了部分算法服务,包括下面四中类型的算法:</p>
<ol class="- topic/ol ol" id="ce_key_design_intro__ol_fng_n1y_21c" data-ofbid="ce_key_design_intro__ol_fng_n1y_21c"><li class="- topic/li li" data-ofbid="d325014e377__20250121171829">
<p class="- topic/p p" data-ofbid="d325014e379__20250121171829">SKCIPHER 对称密钥类算法,如 AES、DES 等算法</p>
</li><li class="- topic/li li" data-ofbid="d325014e382__20250121171829">
<p class="- topic/p p" data-ofbid="d325014e384__20250121171829">AEAD 关联数据的认证加密类算法,如 GCM-AES, CCM-AES 等算法</p>
</li><li class="- topic/li li" data-ofbid="d325014e387__20250121171829">
<p class="- topic/p p" data-ofbid="d325014e389__20250121171829">HASH 消息摘要类算法,如 MD5SHA-256 等算法</p>
</li><li class="- topic/li li" data-ofbid="d325014e392__20250121171829">
<p class="- topic/p p" data-ofbid="d325014e394__20250121171829">RNG 随机数类算法</p>
</li></ol>
<p class="- topic/p p" data-ofbid="d325014e398__20250121171829">默认情况下,非对称密钥算法,如 RSA、ECC
等算法内核并没有提供接口给用户空间程序使用。这里有部分原因是这类算法运算量大,在应用中不会用来直接对数据进行处理,仅用于对小量的关键数据进行加解密,因此直接使用用户空间的算法库效率更高,避免了系统调用等的额外开销。</p>
<p class="- topic/p p" data-ofbid="d325014e401__20250121171829">但是提供非对称密钥算法的接口在一些情况下是有意义的,比如平台支持非对称密钥算法的硬件加速,并且运算速度明显比 CPU
计算更快。或者硬件提供基于非对称密钥算法的额外安全功能,比如 AIC 的 CE 可以提供基于 RSA 算法的硬件设备身份安全认证功能,用户空间程序需要有接口可以使用
CE 的 RSA 算法加速器。</p>
<p class="- topic/p p" data-ofbid="d325014e405__20250121171829">虽然主线的内核并没有提供非对称密钥算法的 AF_ALG 接口但是社区中有相关接口的补丁。Libkcapi 是一个对内核加密子系统 AF_ALG
接口进行封装的开源库,该库将 AF_ALG 接口封装成用户空间更容易使用的 API 接口,并且为若干内核版本提供了非对称密钥的 AF_ALG
接口补丁,通过使用这些补丁,用户空间程序可以使用内核中的非对称密钥算法。</p>
<p class="- topic/p p" data-ofbid="d325014e408__20250121171829">相关的信息链接:</p>
<ol class="- topic/ol ol" id="ce_key_design_intro__ol_hng_n1y_21c" data-ofbid="ce_key_design_intro__ol_hng_n1y_21c"><li class="- topic/li li" data-ofbid="d325014e412__20250121171829"><a class="- topic/xref xref" href="https://www.chronox.de/libkcapi.html" target="_blank" rel="external noopener">https://www.chronox.de/libkcapi.html</a></li><li class="- topic/li li" data-ofbid="d325014e414__20250121171829"><a class="- topic/xref xref" href="https://github.com/smuellerDD/libkcapi" target="_blank" rel="external noopener">https://github.com/smuellerDD/libkcapi</a></li></ol>
</section></div></article></main></div>
</div>
<nav role="navigation" id="wh_topic_toc" aria-label="On this page" class="col-lg-2 d-none d-lg-block navbar d-print-none">
<div id="wh_topic_toc_content">
<div class=" wh_topic_toc "><div class="wh_topic_label">在本页上</div><ul><li class="section-item"><div class="section-title"><a href="#ce_key_design_intro__section_cmg_n1y_21c" data-tocid="ce_key_design_intro__section_cmg_n1y_21c">算法的分类注册</a></div></li><li class="section-item"><div class="section-title"><a href="#ce_key_design_intro__section_kmg_n1y_21c" data-tocid="ce_key_design_intro__section_kmg_n1y_21c">异步调用和处理</a></div></li><li class="section-item"><div class="section-title"><a href="#ce_key_design_intro__section_nmg_n1y_21c" data-tocid="ce_key_design_intro__section_nmg_n1y_21c">eFuse 密钥和安全 SRAM</a></div></li><li class="section-item"><div class="section-title"><a href="#ce_key_design_intro__section_cng_n1y_21c" data-tocid="ce_key_design_intro__section_cng_n1y_21c">Fallback 机制</a></div></li><li class="section-item"><div class="section-title"><a href="#ce_key_design_intro__section_dng_n1y_21c" data-tocid="ce_key_design_intro__section_dng_n1y_21c">内核补丁</a></div></li></ul></div>
</div>
</nav>
</div>
</div>
</div>
<footer class="navbar navbar-default wh_footer">
<div class=" footer-container mx-auto ">
<title>footer def</title>
<style><!--
.p1 {
font-family: FangZhengShuSong, Times, serif;
}
.p2 {
font-family: Arial, Helvetica, sans-serif;
}
.p3 {
font-family: "Lucida Console", "Courier New", monospace;
}
--></style>
<div class="webhelp.fragment.footer">
<p class="p1">Copyright © 2019-2024 广东匠芯创科技有限公司. All rights reserved.</p>
</div><div>
<div class="generation_time">
Update Time: 2025-01-21
</div>
</div>
</div>
</footer>
<div id="go2top" class="d-print-none">
<span class="oxy-icon oxy-icon-up"></span>
</div>
<div id="modal_img_large" class="modal">
<span class="close oxy-icon oxy-icon-remove"></span>
<div id="modal_img_container"></div>
<div id="caption"></div>
</div>
<script src="${pd}/publishing/publishing-styles-AIC-template/js/custom.js" defer="defer"></script>
</body>
</html>
Reference in New Issue View Git Blame Copy Permalink